How PCI compliance is the first step in achieving the “CIA Triad”

By Marco Borza | 16 May 2017

Marco Borza, CEO, Advantio

When it comes to PCI DSS compliance, most organizations treat it as a one-off task, something to complete (often only after the Acquiring Banks ask them to do so) and then forget about once compliance has been validated. The problem is that a compliance audit only proves best practice at a snapshot in time, and most organizations fail to maintain that best practice after they have passed the audit. Most, if not all, organizations that were supposedly PCI DSS compliant were found to no longer be compliant at the moment they were compromised.

One explanation of this could be cost: an organization’s priority is to keep costs to a minimum in order to maximize profits. Being compliant with legal regulations or industry standards on an ongoing basis adds cost to the business, so businesses do only what they have to do and keep their financial position in balance.

This perspective, however, should not be applied when it comes to cyber resilience. Doing just enough is never enough. Cyber threats and attacks are growing every day, and the financial damage from a cyberattack can bring down even the largest of businesses. One of the most expensive breaches to date cost the email communications firm Epsilon nearly $4 billion. Could your business afford that?

It is therefore in the business’s best interests to do everything it can to protect itself, maintaining compliance at all times and going beyond the minimum counter-measures necessary for compliance. At the same time, threats emerge quickly while regulations and standards are slow to evolve and catch up. It pays to be one step ahead at all times, and the only way to do that is to always apply best practice to cyber resilience related activities.

What is the CIA Triad?

The “CIA Triad” is a model which many organizations follow to stay ahead of the evolving cyber threat. It is designed to guide information security policies within an organization by providing guidance on three areas of the business: confidentiality, integrity and availability. The CIA Triad is broadly regarded as the gold standard for cyber resilience. At a high level, the three corners of the triad work as follows: confidentiality is about setting rules that limit access to information to only those authorized, integrity is the assurance that the information is trustworthy and accurate, and availability is the guarantee that authorized people will still have reliable access to the information they need.

PCI compliance can be considered as the 1st step in the CIA Triad

If you work hard to achieve, monitor and maintain PCI compliance at all times, you are already on your way to applying the principles of the CIA Triad. Any business that accepts card payments must be PCI compliant. It has no option. While technically anything beyond PCI compliance is optional, since when has cyber security been a “nice to have”?

PCI DSS defines a baseline of technical and operational controls that work together to provide a “defense-in-depth” approach to the protection of cardholder data specifically. Some organizations, however, take PCI DSS further and use its principles as a baseline of measures to protect all information assets in the business, even though the standard itself aims to protect only cardholder data. But why stop there? Since PCI DSS has a strong focus on confidentiality, the 1st part of the CIA Triad, it creates the perfect foundation on which organizations can add integrity and availability to complete the Triad and build a fully cyber resilient business.

PCI DSS = Confidentiality assured

A major focus of the confidentiality aspect of the Cyber Resilience Triad concerns insecure protocols. This is because cyber resilience risks can come in the form of an insecure protocol or service, which introduces security concerns due to the lack of controls over confidentiality and/or integrity. These concerns include services, protocols and ports that transmit data or authentication credentials, such as a password or passphrase, in clear text over the Internet. Examples of insecure services, protocols and ports include FTP, Telnet, POP3, IMAP, and SNMP v1 and v2, together with older, compromised versions of secure protocols such as SSLv1 and the like, which only give a false sense of security.

Confidentiality risks also include any malicious software, or malware, designed to infiltrate or damage a computer system without the owner’s knowledge or consent, with the intent of compromising the confidentiality, integrity, or availability of the owner’s data, applications, or operating system. Examples include viruses, worms, Trojans, spyware, adware, and rootkits. The challenge for organizations is that such software typically enters a network during business-approved activities (such as opening an infected email).

Addressing insecure protocols is also a major focus of PCI DSS, so it stands to reason that PCI DSS compliance is a major 1st step in addressing the confidentiality pillar of the Cyber Resilience Triad.

If any major changes are made to your business IT environment, in particular changes that rely on any of the major protocols (FTP, IMAP etc.), then you must follow the PCI DSS checklist of security measures to ensure no new vulnerabilities have been introduced, such as conducting a new penetration test and performing internal and external scans to confirm that no obvious, critical vulnerabilities are present.
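As an added illustration of the two points above (it is example code, not from the article or from Advantio), the following check compares a pre-change service inventory with a post-change rescan and reports only the newly introduced services that use the cleartext or legacy protocols the article lists. All hosts, ports and inventories are constructed sample data; the exact set of legacy TLS versions is this example’s assumption.

```python
"""Added example, not code from the article or from Advantio: after a change
to the environment, flag listening services that use the cleartext or legacy
protocols the article lists, and report only those newly introduced.
All hosts, ports and the inventories are constructed sample data."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Protocols the article names as sending data or credentials in the clear.
CLEARTEXT_PROTOCOLS = {"ftp", "telnet", "pop3", "imap", "snmpv1", "snmpv2c"}
# Legacy SSL/TLS versions; the article names SSLv1 "and the like", the rest
# of this set is this example's assumption about what "the like" covers.
LEGACY_TLS = {"SSLv1", "SSLv2", "SSLv3", "TLSv1.0"}

@dataclass(frozen=True)
class Service:
    host: str
    port: int
    protocol: str                      # e.g. "ftp", "imaps", "sftp"
    tls_version: Optional[str] = None  # None when no TLS is negotiated

Finding = Tuple[str, int, str]

def assess(inventory: List[Service]) -> List[Finding]:
    """One (host, port, reason) per service that fails the check."""
    out: List[Finding] = []
    for svc in inventory:
        proto = svc.protocol.lower()
        if proto in CLEARTEXT_PROTOCOLS and svc.tls_version is None:
            out.append((svc.host, svc.port, f"cleartext {proto}"))
        elif svc.tls_version in LEGACY_TLS:
            out.append((svc.host, svc.port, f"legacy {svc.tls_version}"))
    return out

def newly_introduced(before: List[Service], after: List[Service]) -> List[Finding]:
    """Findings present after the change that were not in the baseline."""
    baseline = set(assess(before))
    return [f for f in assess(after) if f not in baseline]

# Constructed inventories: a pre-change baseline and a post-change rescan.
BEFORE = [
    Service("pay-gw.example", 22, "sftp"),
    Service("mail.example", 993, "imaps", "TLSv1.2"),
    Service("mail.example", 143, "imap"),            # known, already tracked
]
AFTER = BEFORE + [
    Service("pay-gw.example", 21, "ftp"),            # new: cleartext FTP
    Service("legacy-app.example", 443, "https", "SSLv3"),  # new: legacy SSL
]

if __name__ == "__main__":
    for host, port, reason in newly_introduced(BEFORE, AFTER):
        print(f"{host}:{port} {reason}")
```

The baseline finding on port 143 is deliberately excluded from the output so the report shows only what the change introduced; the full `assess` result is what belongs in the ongoing compliance tracker.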

PCI DSS = Proof of Concept for Cyber Resilience Triad

If your business is considering implementing a sound security programme based on the Cyber Resilience Triad but does not know where to begin, or is unclear about its value, then why not use your existing PCI DSS compliance efforts as a Proof of Concept (PoC) for how the Triad would work in your organization? Bearing in mind that PCI DSS is a very narrowly focused standard (it is only concerned with cardholder confidentiality after all, which is only a small part of an organization’s overall cyber security risk), its principles can nonetheless be applied to all information assets beyond payment cards. If you are already doing this, then you are automatically addressing the confidentiality pillar of the Cyber Resilience Triad. Your PCI DSS implementation is therefore already an unofficial pilot for your broader cyber resilience efforts and security policies. Why not make it official?

Complete the Triad

As we have established in this article, if you are PCI compliant, it is highly likely you have already completed the first step in completing the Cyber Resilience Triad (confidentiality). Why not leverage the investment and experience of implementing PCI DSS to address the integrity and availability aspects of the triad?

Remember, when it comes to cyber resilience, just enough is never good enough. Best practice is a minimum requirement to keep your organization safe, so why not implement best practice in cyber resilience and adopt the CIA Triad? After all, you’re nearly halfway there already.