Confidentiality, Integrity, Availability

Let’s talk about the CIA. The CIA is such an incredibly important part of security, and it should always be talked about. You’re probably thinking to yourself “but wait, I came here to read about NASA!” and you’re right. While the CIA is a pretty cool organization too, I’ll be talking about the CIA triad – and what it means to NASA.

The CIA triad, not to be confused with the Central Intelligence Agency, is a conceptual model used for information security. CIA stands for confidentiality, integrity, and availability. It is common practice within any industry to make these three ideas the foundation of security.

When we consider what the future of work looks like, some people will ambitiously say “flying cars” and “robots taking over”. More realistically, this means teleworking, or working from home. When you’re at home, you need access to your data. How can an employer securely share all that data? That’s the million-dollar question; if I had an answer to it, security companies globally would be trying to hire me.

How does the workforce ensure it is prepared to shift to this future mindset, and where does the CIA triad come into the picture?

Every company is a technology company. Even NASA. Especially NASA! In fact, NASA relies on technology to fulfill its vision to “reach for new heights and reveal the unknown for the benefit of humankind”. Imagine doing that without a computer. That would be a little ridiculous, right? Furthering knowledge and humankind requires data!

One of NASA’s technology-related missions is “to enable the secure use of data to accomplish NASA’s Mission”. Let’s break that mission down using none other than the CIA triad.

C – Confidentiality. Confidentiality essentially means privacy: making sure only the people who require access to data have access, while also making sure that everyone who needs the data is able to access it. In a NASA example: we need to make sure software developer Joe can access his important work regarding the International Space Station from home, while janitor Dave is never allowed to access this data.

I – Integrity. Is this data the correct data? That’s what integrity means. Making sure no bits were lost, making sure no web address was changed, and even making sure that unauthorized people cannot change your data. Another NASA example: software developer Joe asked his friend, janitor Dave, to save his code for him. In the process, Dave maliciously saved some other piece of code with the name of what Joe needed. The next time Joe opened his “code”, he was locked out of his computer.

A – Availability. This one seems pretty self-explanatory; making sure your data is available. Remember last week when YouTube went offline and caused mass panic for about an hour? In a perfect iteration of the CIA triad, that wouldn’t happen. Things like having the correct firewall settings, updating your system regularly, backups of your data, documenting changes, and not having a single point of failure in your network are all things that can be done to promote availability. A last NASA example: software developer Joe really wants to eat lunch on his center, but he cannot access the website that tells him what food options there are. He is frustrated by the lack of availability of this data.

NASA (and any other organization) has to ensure that the CIA triad is established within their organization. Whether it’s a small business personally implementing its policies or a global network of many IT employees, data is crucial. Without data, humankind would never be the same. Imagine a world without computers. No more gas pumps, cash registers, ATMs, calculators, cell phones, GPS systems… even our entire infrastructure would soon falter. Electricity, plumbing, hospitals, and air travel all rely on computers, and even many cars do! Without data, or with data in the wrong hands, society and culture would change so drastically that you and I would never be able to recognize it.

This is why designing for sharing and security is such a paramount concept. The data needs to exist; there is no question. Data must be shared. But if data falls into the wrong hands, janitor Dave might just steal your data and crash the International Space Station… in your name.

About the Authors

Emma Kanning is an intern at NASA’s Johnson Space Center working in the Avionic Systems Division focused on Wireless Communication, specifically the integration of IoT devices with LTE. Emma attends Kent State University and will graduate in 2021 with a degree in Digital Sciences. Emma is passionate about STEM education and cyber security. She participates in Civil Air Patrol and FIRST Robotics, and loves photography and writing.

Nick Skytland | Nick has pioneered new ways of doing business in both government and industry for nearly two decades. He leads the Future of Work initiative at NASA and is the Agency Talent and Technology Strategist in the Talent Strategy and Engagement Division within the Office of the Chief Human Capital Officer (OCHCO).

 

Valuing Sharing and Security

At the intersection of the forces of technology and place is NASA’s need to architect and implement secure sharing in a data-first organization. The ability of organizations to leverage data to drive insights to action is the fuel of the future. And yet data access is often extremely limited due to underlying tensions between sharing and security, role-defined versus open data, and a decentralized operating model. As more work is conducted anywhere and anytime, protecting sensitive data and keeping systems secure is critical. At the same time, ensuring the ability to share information via dashboards, portals, and online reports, as well as offering self-service options, are just as vital.

INSIGHTS

As the Presidential Management Agenda observed, the use of data is transforming society, business, and the economy. As more work is conducted virtually, keeping sensitive data and systems secure, sharing information, and offering self-service options will be critical to ushering in a modern government. Technology modernization initiatives and data access are the backbone to improving accountability to taxpayers and achieving mission results.

Further, there is a well-known tension in government: the requirement for protection and security competes with the mandate for openness and accessibility. For the emerging generation of knowledge workers, this tension manifests itself when these workers are challenged to access the data needed to inform decision-making. As a consequence, relevant information is siloed in highly insulated systems that only a few can access, and usable self-service options for sharing data securely do not exist or are not universally available.

CHALLENGES

Striking a balance between data sharing and security remains an organizational strain and is particularly difficult for NASA. The Agency requires an integrated approach to using data to deliver on mission goals, serve customers, and steward resources. The tension between sharing and secure solutions, combined with increasing self-service demands, creates a unique challenge in government, where budgets and expertise are often more limited than in the private sector.

OPPORTUNITIES

As NASA seeks to manage tensions and steer toward more self-service options, the Agency must design and implement an integrated workforce data management strategy that defines a common data architecture to allow for the secure integration and sharing of data, inclusive of “data-first” standards and practices. The strategy requires the development of shared standards and policies around basic issues like password strength, multi-factor authentication, social engineering, and network security to inform its workforce of cybersecurity risks. NASA may consider moving towards a risk-based approach for securing systems that places emphasis on data-level protections and that fully leverages modern virtualized technologies (President’s Report on Federal IT Modernization NASA, 2018). This approach requires a modern data architecture as well as an aligned management structure to balance risk and security.

Along with risk comes the element of trust: erasing boundaries within and beyond the information technology sector means that cybersecurity risk must become the concern of everyone. A baseline level of training regarding effective IT security, data security, and systems management must not only be offered, but embraced by users at all levels.

As NASA prepares for the Future of Work, the Agency must intentionally design for increased self-service. A self-service approach provides previously unavailable direct access to data and platforms that employees can use to more efficiently deliver government services anywhere at any time. Online self-service capabilities will provide the workforce round-the-clock access to real-time information, reducing the time employees need to navigate siloed systems and refocusing time saved to pursue mission objectives.

About the Authors

Nick Skytland | Nick has pioneered new ways of doing business in both government and industry for nearly two decades. He leads the Future of Work initiative at NASA and is the Agency Talent and Technology Strategist in the Talent Strategy and Engagement Division within the Office of the Chief Human Capital Officer (OCHCO).