The CIA and Email Security

If you have spent any time learning about information security then you are familiar with the attributes of information security, often referred to as the CIA triad.

However, this concept is usually familiar only to those who spend a great deal of their day working strictly with IT security. For a small IT department, the jargon associated with any subset of the industry may not be part of everyday speech.

CIA, for those unfamiliar with the acronym, stands for:

Confidentiality – preventing the disclosure of private information to unauthorized people or computers.

Integrity – making sure that information is accurate and has not been modified in any way.

Availability – making sure that people have access when they need it.

Do these concepts apply to email security?

When it comes to data and trade secrets, the CIA triad is obviously relevant. However, it is often not at the forefront of an email security plan. People often think of email security in an entirely different light. But when you think about it, email is really nothing more than data that needs to be protected in every way mentioned above. Not convinced? Consider the following:

An email sent to specific executives contains the strategy for a new product line that will move your company ahead of your competitors. This is a clear example of why maintaining the confidentiality of your email systems matters. Everything from the end user to the mail server, and all the data transport mediums in between, needs to be secured in order to protect against threats designed to steal data and information through the use of email.

Maintaining the integrity of your email messages also highlights the need to understand these security attributes. Take, for instance, a situation where your organization is required to produce email records under subpoena. An inside, or outside, threat may be able to alter the dates, times or even content of specific emails for any number of reasons. Should this be revealed, it would certainly hurt your organization’s chances to prevail in court; it would also do serious damage to your organization’s reputation when the media finds out about the lax security.
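The integrity failure described above, archived email records whose dates or content were quietly altered, is something a mail archive can be made to detect. The following is an added example, not code from the original post: it seals each archived message with an HMAC over the evidentiary headers and the body at archive time, so a backdated or edited copy no longer verifies. The archive key and the sample message are constructed placeholders.

```python
import hashlib
import hmac
from email import message_from_string
from email.message import Message

# Constructed sample message (not from the original post).
SAMPLE_EMAIL = """\
From: cfo@example.com
To: ceo@example.com
Date: Mon, 26 Nov 2012 09:15:00 -0500
Subject: Q1 product strategy

Launch plan attached. Please keep this within the executive team.
"""

# Hypothetical archive key; in practice it lives with the archiving system,
# not with the administrators who can edit the mail store.
ARCHIVE_KEY = b"archive-seal-key-placeholder"

# Headers whose alteration would matter in a records dispute.
SEALED_HEADERS = ("From", "To", "Date", "Subject", "Message-ID")


def canonical_form(msg: Message) -> bytes:
    """Serialize the sealed headers plus the body in a stable byte layout."""
    lines = [f"{h}:{(msg.get(h) or '').strip()}" for h in SEALED_HEADERS]
    body = msg.get_payload(decode=True) or b""
    return "\n".join(lines).encode() + b"\n\n" + body.replace(b"\r\n", b"\n")


def seal(raw_message: str, key: bytes = ARCHIVE_KEY) -> str:
    """Compute the integrity seal stored alongside the archived message."""
    msg = message_from_string(raw_message)
    return hmac.new(key, canonical_form(msg), hashlib.sha256).hexdigest()


def verify(raw_message: str, stored_seal: str, key: bytes = ARCHIVE_KEY) -> bool:
    """True only if the message still matches the seal taken at archive time."""
    return hmac.compare_digest(seal(raw_message, key), stored_seal)


if __name__ == "__main__":
    original_seal = seal(SAMPLE_EMAIL)
    # A backdated copy: only the Date header has been changed.
    backdated = SAMPLE_EMAIL.replace("26 Nov 2012", "20 Nov 2012")
    print("original verifies:", verify(SAMPLE_EMAIL, original_seal))
    print("backdated verifies:", verify(backdated, original_seal))
```

The seal only proves the message is unchanged since it was archived, so it must be taken at ingest and the key kept out of reach of anyone who can edit the archive.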

Finally we come to availability. When speaking in regards to network security we often address availability as the one facet of security meant as a check and balance. We want systems to be secure, but at the same time we want people to be able to access what they need to get their job done. We want resources to be available.

Making things available is a two-pronged approach. We need to first ensure that our systems, including our email systems, are protected against outside threats that can take them offline, such as a denial of service attack or a malware outbreak that renders our mail servers or clients inoperable. However, in addition to outside threats, we need to make sure that the security we have in place does not prevent our users from accessing the tools and resources they need for their daily jobs. The recent turmoil involving Howard Jordan, chief of police in Oakland, CA, is a prime example of what can happen if your security is so tight that you can’t access emails. In his case, he filtered emails related to the Occupy movement. Emails related to a court case he was involved with, where an Occupy protestor was injured, went unanswered, putting him at risk of losing his job as a result.

Like any security solution, email security needs a plan in place, and that plan should have the goal of making sure that everything associated with your organization’s email system protects its confidentiality and integrity and ensures that it is always available.

Using the CIA triad as the foundation of your email security solution isn’t comparing apples to oranges or using something completely unrelated as a basis; applying these principles simply makes good sense.

Written by Jeff


  1. Grayson Walker · November 26, 2012

    Oh, I really thought this article was all about the recent case of CIA director—ex, to be exact—General Petraeus. In fact, that story is timely, as it also involves a leak of information via e-mail. Now back to the topic, in the ideal world, yes, these three things will and should go hand in hand. That’s how e-mails should be: as accurate or as truthful as possible, and definitely uncompromised. In the real world, though, it’s a completely different scenario. We have phishing and now spoofing, which can surely question any e-mail’s integrity. That’s why businesses, even small ones, should learn to invest in IT security.

  2. Andy Miller · November 28, 2012

    I thought the same too, Grayson, which is the initial reason why I opened the blog post. Nevertheless, I was greatly informed by this. It provides an excellent analogy between CIA beliefs and processes, as well as e-mail use. The writer is right. One of the core ideas why e-mails should be secured is because we want the message to remain truthful, unblemished, or untouched. We want it to be as real as possible, completely not manipulated, because this is how we try to establish our trustworthiness or credibility with other people. For this reason alone, investing in security programs is ideal.

  3. Jeff Orloff · November 29, 2012

    Great point at the end, Andy. Investing in security programs is ideal. All too often people forget about email when they are devising their security strategy. The CIA framework was used to get people to think of email the same way they would endpoint and network security. Looks like it worked!

  4. Clarence · December 1, 2012

    The issue on security reminds me of BYOD. It’s the trend these days; companies no longer issue business phones. Instead, they allow their staff to use their own mobile devices for work. This means they access their e-mails even when they’re at home. I thought about security because it’s one of the common apprehensions among some people when it comes to BYOD. The fact that the employee carries it anywhere makes corporate data prone to hacking or theft. I know some companies are already implementing policies, but the subject still remains quite unclear and touchy.

  5. Carlo · December 3, 2012

    I truly believe that the best course of action in order to preserve the integrity of an e-mail system is to invest in a security program, as Andy and Jeff mentioned. But that also leads me to a question: how can small businesses afford it? I think it’s safe to say that the regular antivirus and antimalware programs may not be sufficient, as not all of them are scalable. They can also opt for enterprise-level programs, but they are costly as well, which may scare off small businesses. They’d rather spend the money on something “more important” such as administration and marketing.
