Confidentiality, Integrity, and Availability. These are the three core components of the CIA triad, an information security model meant to guide an organization’s security procedures and policies.
While people outside the information security community might hear the phrase CIA Triad and think “conspiracy theory,” those in the cybersecurity field know that the CIA Triad has absolutely nothing to do with the Central Intelligence Agency and everything to do with keeping your organization's data, networks, and devices safe and secure.
What is the CIA Triad?
The CIA triad is widely accepted as a model in information security. It’s not a singular doctrine and there was no one author. Rather the model appears to have developed over time, with roots as old as modern computing, pulling concepts from various sources. Ben Miller, vice president for Dragos, seems to be one of the few people who has done any digging on the origins of the triad. He wrote a blog post 11 years ago about its roots and was unable to find a single source. Instead, the concepts seem to be pulled from a few different documents: a 1976 paper for the U.S. Air Force, for example, and a paper written in the 1980s about the difference between commercial and military computer systems.
Whatever the source, the CIA triad has three components:
- Confidentiality: Confidentiality has to do with keeping an organization’s data private. This often means that only authorized users and processes should be able to access or modify data.
- Integrity: Integrity means that data can be trusted. It should be maintained in a correct state, kept so that it may not be tampered with, and should be correct, authentic, and reliable.
- Availability: Just as it is important that unauthorized users are kept out of an organization’s data, data should be available to authorized users whenever they require it. This means keeping systems, networks, and devices up and running.
All of these concepts are important on their own to security professionals of all kinds. The reason these three concepts are grouped into a triad is so information security professionals can think of the relationship between them, how they overlap, and how they oppose one another. Looking at the tension between the three legs of the triad can help security professionals determine their infosec priorities and processes.
An example of the CIA triad in practice
Think of logging into an e-commerce site to check your orders and make an additional purpose. The e-commerce site uses the three principles of the CIA triad in the following ways:
- Confidentiality: When you log in, you’re asked for a password. If it’s been a while since your last log-in, you may be asked to input a code that’s been sent to you or some other form of two-factor authentication.
- Integrity: Data integrity is provided by making sure your purchases are reflected in your account and allowing you to contact a representative if there’s a discrepancy.
- Availability: You can log into your account whenever you want, and you may even be able to contact customer support at any time of the day or night.
This is just one example of how the triad can be practically applied. There are several, more specific examples for each leg of the CIA stool.
For example, examples of Confidentiality can be found in various access control methods, like two-factor authentication, passwordless sign-on, and other access controls, but it’s not just about letting authorized users in, it's also about keeping certain files inaccessible. Encryption helps organizations secure information from both accidental disclosure and malicious attacks.
Integrity can be maintained with access control and encryption as well, but there are many other ways to protect data integrity, both from attacks and corruption. Sometimes it’s as simple as a read-only file. Sometimes, it involves hashing or data checksums, which allow data to be audited to ensure the data hasn’t been compromised. In other cases, integrity might be protected physically from outside sources that might corrupt it.
Availability is really about making sure your systems are up and running so that business can continue, even in the face of an attack. DDoS (Distributed Denial of Service) attacks rely on limited availability, for example. For this reason, creating a DDoS response plan and redundancy in your systems is a way of ensuring availability. However, when there’s no attack, systems can still fail and become unavailable, so load balancing and fault tolerance are a way to keep systems from failing.
How can SecurityScorecard help?
The CIA triad alone is not enough to keep your data secure. You also need to be aware of where your risks are.
SecurityScorecard can help you monitor your information security across 10 groups of risk factors with our easy-to-understand security ratings. Our ratings continuously monitor every part of your security operation.
We monitor your information security by keeping an eye on your data and the systems and networks you have in place to protect it, and we also monitor your cybersecurity by making sure your organization’s systems are patched when they need to be, and that there’s no hacker chatter about your organization on the dark web. Once your score drops, you’ll know that something has changed, and our platform will then offer remediations to help you fix the problem before there’s a breach.