The CIA triad isn’t just a catchy acronym. It’s the backbone of security. We’ll break down confidentiality, integrity, and availability, and see how they shape the way we think about protecting systems and data.
Every action you perform on the Web, whether placing an online order, checking your bank account, or signing up for a new social media platform, generates data. That data needs to be stored somewhere, and not only stored but also secured. This may sound easy, but in practice companies struggle to offer high-quality online services while keeping data secure and handling it ethically. This lesson explains the basic requirements that make information or a system secure. Let’s get started.
Over time, computer engineers defined a set of three fundamental principles of information security: Confidentiality, Integrity, and Availability. These principles describe the core threat areas for information systems and provide the mandatory requirements for a system to be considered secure. Together, they are known as the “CIA Triad”.
CIA Triad
This framework is so comprehensive that anytime a data breach is announced, a system is attacked, a website is taken down, or any other security incident occurs, there is a violation of one or more CIA triad principles.
In the previous lesson, we introduced the concept of vulnerability. Now, we can extend that definition and say that a vulnerability is a violation of the CIA Triad. We also talked about risk. Security professionals evaluate the risk of a vulnerability based on its impact on these three principles: Confidentiality, Integrity, and Availability. The more principles are affected, the more dangerous the vulnerability becomes.
In the next section, we will discuss each security principle and then explore several real-world applications of the CIA Triad. Let’s start with Confidentiality.
Confidentiality
From ancient times, people understood that information is power, but only if kept private. This first principle of information security, called confidentiality, says that information that should stay secret stays secret, and only authorised people are able to access it. Considering the nature of the information collected and handled by most companies nowadays, confidentiality is a very important aspect. Moreover, some organisations working in finance, health, or e-commerce are obliged by law to protect the privacy of customers’ data.
The two mechanisms that allow us to keep the information confidential are access controls and cryptography. We’ll discuss them in-depth in the next blog posts.
Integrity
The second principle, called Integrity, is concerned with the correctness, completeness, and trustworthiness of the information. Simply put, this principle says that information must be protected from unauthorised changes, whether caused by human error or intentional tampering. User data travels across many systems while being processed, so ensuring the integrity of the information both in transit and at rest is a crucial step from a security point of view. In most cases, attacks targeting integrity are hard to detect and can cause significant damage. A confidentiality breach in your car means someone learns your driving habits. An integrity breach means they could take over your brakes.
Availability
The third, but not the least important, principle of information security is availability. For information to be secure, it first must be available to the users when they need it. After all, how useful are encryption and access controls if the server is shut down?
A system that is not fault-tolerant may allow an attacker to prevent legitimate users from having access to their data through a Denial-of-Service (DoS) attack. However, intentional interruption is not the only concern when we talk about availability. Natural disasters or human errors can also affect data availability.
Recap
So, for a system to be considered secure, it must meet all three fundamental attributes of information security. Let’s quickly recap their definitions:
- Confidentiality refers to keeping the information free from being exposed to unauthorised parties.
- Integrity refers to keeping the information free from the danger of being changed without authorisation in any way.
- Availability refers to keeping the information free from loss.
Without a strong understanding of these three principles, you will miss many vulnerabilities that are not so obvious.
Disambiguating the ambiguous
I know, all these new concepts may sound a bit too academic, so let’s take a simple example to illustrate the principles.
When you send data over the Internet (e.g., a message to a friend from a different country), it doesn’t go straight to your friend’s computer since you are miles away from him. Instead, your message travels across multiple other systems before reaching its destination, as illustrated in Figure 2.
This is quite similar to kids passing notes during class, isn’t it? So let’s suppose Tom, a sixth-grade student, wants to send a secret note to his colleague, Alice. Unfortunately, Tom is too far away to deliver the message himself, so he needs to pass it to Mike, who is closer to Alice. Next, Mike should pass the note to someone else, and so on, until the note reaches Alice.
From an information security perspective, this scenario violates all three principles described above. First, any of Tom’s colleagues along the path can read the message. Thus, the information is no longer confidential.
Second, any of Tom’s colleagues along the path can alter the content of the message. Thus, the information loses its integrity.
Last, any of Tom’s colleagues along the path can destroy the note, resulting in loss of availability.
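As an added example (not part of the original post), this small Python simulation models the note-passing scenario: each hop is a classmate who may read, rewrite, or destroy the note, and a shared-key HMAC between Tom and Alice shows how the integrity violation, which the post describes as hard to detect, can at least be noticed on arrival. The names, the note text, and the shared key are constructed for the demo.

```python
import hmac
import hashlib

# Constructed scenario (not from the post): Tom's note is relayed hop by hop to
# Alice. A hop receives the note and returns it (maybe modified) or None if it
# destroyed it. `log` records what intermediaries observed along the way.
KEY = b"tom-and-alice-shared-secret"  # constructed key for the HMAC check

def tag_note(body: str) -> dict:
    """Tom attaches an HMAC so Alice can detect changes made in transit."""
    return {"body": body, "tag": hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()}

def alice_accepts(note: dict) -> bool:
    """Alice recomputes the tag; a mismatch means the body was altered."""
    expected = hmac.new(KEY, note["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, note["tag"])

def honest(note, log):    # passes the note along untouched
    return note

def curious(note, log):   # reads the note: confidentiality is lost
    log.append(("read", note["body"]))
    return note

def tamperer(note, log):  # rewrites the body, keeps the old tag: integrity is lost
    return {**note, "body": note["body"].replace("3pm", "5pm")}

def dropper(note, log):   # destroys the note: availability is lost
    return None

def relay(note, hops, log):
    """Pass the note through each hop in order; stop as soon as it is dropped."""
    for hop in hops:
        note = hop(note, log)
        if note is None:
            return None
    return note

def violated(original, delivered, log) -> set:
    """Omniscient view of which CIA principles this relay violated."""
    found = set()
    if any(event == "read" for event, _ in log):
        found.add("confidentiality")
    if delivered is None:
        found.add("availability")
    elif delivered["body"] != original["body"]:
        found.add("integrity")
    return found
```

The tag only makes the integrity breach detectable; it neither hides the body from a curious hop nor prevents a drop, which is why confidentiality and availability need their own controls.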
Why is understanding the CIA Triad essential?
A question that comes up a lot in security communities: “I found this endpoint / this file / this error. Is it a vulnerability? Should I report it?”
The answer almost always depends on whether confidentiality, integrity, or availability is actually impacted. Without that framework, you’re guessing. You’ll report things that aren’t vulnerabilities and miss things that are, because the subtle ones don’t announce themselves with a stack trace or an error message. They look like normal behavior until you understand what shouldn’t be happening.
Understanding the CIA triad might seem basic, and in some ways it is. But it’s the kind of basic that separates someone who can identify a vulnerability from someone who just stumbles into one. In the next post, we’ll look at two concepts that sit right on top of this foundation: authentication and authorization. They’re how applications enforce confidentiality and integrity, and they’re where many vulnerabilities live.