What is the CIA Triad

Typically when a company is setting security policies or performing risk assessments it can be fairly confusing to determine priorities, objectives and other measurements for assessing security postures.

The CIA triad is intended to address this by helping people/companies model and design policies around important objectives. The CIA triad is centered around what are considered the most critical goals or objectives for a company to ensure. These are confidentiality, integrity and availability. Although not frequently seen with the triad, ISO 7489-2 does define two additional objectives: authentication and accountability (or non-repudiation).

These objectives appear frequently in security discussions and policies. In addition, by modeling a policy or assessment procedure around these objectives, companies are better positioned to ensure they cover what are considered the most critical areas of information security.

Confidentiality

Confidentiality focuses on ensuring that a given system allows data (or assets more specifically) to only be accessed/viewed by authorized parties. A convenient way to think about this is that confidentiality ensures privacy within a system.

When ensuring confidentiality, companies should seek to lock down data (or asset) access to only authorized individuals. This also includes data or communications being sent between systems. That is, eavesdroppers should not be able to view any information if they’re “listening in” on a “conversation” between two machines or systems.

Although there are a number of ways to ensure confidentiality, the most common are: encryption, access control lists, file permissions or access permissions in general, and authentication/authorization schemes.

Integrity

Integrity focuses on ensuring that an asset can only be modified by authorized parties. Note that although this sounds similar to confidentiality in that it focuses on authorized access to assets, it differs in that integrity wants to make sure that assets can’t be changed by unauthorized people.

To see the importance of integrity, consider an example where a website sells parts online. A legitimate customer might order 16 gears to 555 Fake Street. If the system does not guarantee the integrity of its data, however, an attacker might change the address to 555 Attacker Lane. In this way the customer is stuck footing the bill while the attacker gets the parts.

Just as with confidentiality, ensuring integrity means not only protecting assets at-rest, but also communications between systems or assets as well.

The most common ways of ensuring integrity are: encryption, message authentication codes (MACs), digital signatures, file permissions, and access control lists.
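To make the parts-shop example concrete, the following added example (not code from the original article) uses a message authentication code, one of the integrity mechanisms listed above, to detect the address swap. The order fields, the shared key and the message format are constructed for illustration.

```python
import hmac
import hashlib
import json

# Constructed example: the order from the text, as the message exchanged
# between the shop front end and the fulfilment system.
ORDER = {"item": "gear", "quantity": 16, "ship_to": "555 Fake Street"}

# Hypothetical shared secret; in practice it lives in a secret store, not in code.
SHARED_KEY = b"example-shared-key-not-for-production"


def encode(order: dict) -> bytes:
    """Canonical serialisation so sender and receiver MAC identical bytes."""
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode()


def tag(order: dict, key: bytes = SHARED_KEY) -> str:
    """Compute the HMAC-SHA256 tag the sender attaches to the order."""
    return hmac.new(key, encode(order), hashlib.sha256).hexdigest()


def verify(order: dict, received_tag: str, key: bytes = SHARED_KEY) -> bool:
    """Receiver recomputes the tag and compares it in constant time."""
    expected = tag(order, key)
    return hmac.compare_digest(expected, received_tag)


def tamper_demo() -> tuple[bool, bool]:
    """Return (genuine order verifies, address-modified order verifies)."""
    t = tag(ORDER)
    # Someone rewriting the address in transit cannot produce a matching tag
    # without the key, so the receiver's check fails on the modified order.
    modified = dict(ORDER, ship_to="555 Attacker Lane")
    return verify(ORDER, t), verify(modified, t)


if __name__ == "__main__":
    ok, forged = tamper_demo()
    print(f"genuine order accepted: {ok}")      # True
    print(f"modified order accepted: {forged}")  # False
```

Note that the MAC only detects modification; it does not hide the order contents, which is why confidentiality and integrity are listed as separate goals.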

Availability

Availability focuses on ensuring that systems and data are available when needed. This doesn’t necessarily mean that they have to be available 24/7 though. If a company only needs to be able to access data from 9-5, then it would focus on ensuring availability within that time frame.

Note that threats to availability don’t necessarily have to be denial of service based. Things like the only web server going down or a tornado wiping out your only data center would also affect availability.

The most common ways of ensuring availability are: redundancy and fault tolerance, disaster recovery procedures, RAID, firewalls with DDoS mitigation capabilities and so on.