What is the CIA TRIAD?

In the context of cybersecurity, ‘CIA’ doesn’t have anything to do with the well-known US intelligence agency. Put simply, the CIA triad is a model designed to guide policies for the information security of an organization. It combines the three principles that should form the security infrastructure of any organization:

• Confidentiality
• Integrity
• Availability

We can think of the CIA triad as the foundation of information security. When data gets leaked, a system is hacked, an account gets hijacked, or a website is attacked, we can be certain that one or more principles of the CIA triad have been violated – leaving the data owner at risk.

1. Confidentiality

Confidentiality is the first pillar of the CIA TRIAD and is concerned with controlling access to critical data and preventing any unauthorized disclosure of it. In other words, confidentiality is the process of keeping an organization or individual’s data private and ensuring only authorized people can access it.

For example, in an organization only authorized payroll employees should get access to the database of employees’ payroll. And, within that group of authorized users, additional limitations are implemented so that only certain users can perform particular tasks.

Another example: when we shop online, we expect that the personal information we submit through the website, such as credit card and shipping details, stay protected and don’t get into the hands of any unauthorized person. The principle of confidentiality helps to achieve this.

How Might Confidentiality/Integrity/Availability Be Breached?

It’s possible to violate data confidentiality through direct attacks like MITM (Man-In-The-Middle) are designed to get access to unauthorized data, databases, and applications. Because there are many attack vectors, preventive measures to protect confidentiality have to be robust.

What Can We Do About It?

Measures should include sensible data labeling and classification, tight access controls and authentications, proper encryption of data in storage, process, and transit, a remote wipe feature, and most importantly education and training for all the employees who have access to data.

2. Integrity

In cybersecurity, integrity refers to data that hasn’t been tampered with. Data that has been tampered with or compromised has lost its integrity.

For example, e-commerce customers expect the information and pricing of products listed in a store to be accurate and unaltered. Similarly, banking customers should be able to trust information related to their accounts and balance. If these details can be altered by an unauthorized person, they have no integrity. Integrity ensures the protection of data in transit, use, and storage.

Like confidentiality, integrity can be compromised through various attack vectors. Therefore, the use of preventive measures like encryption, digital signatures, hashing, security certificates,  and robust authentication mechanisms is vital.

3. Availability

Authorization ensures that the certain users can get timely and reliable access to the required resources whenever they need to. Applications, systems, or data are of no use to an organization or its customers if they are not accessible as and when required – as in the case of a denial-of-service attack.

Threats to data availability such as denial-of-service attacks can affect the performance of web applications websites, and web-based services. Preventive measures must be taken – such as regular software patching, system upgrades, backups, and the implementation of comprehensive disaster recovery strategies.

Cyberattacks, data thefts, and breaches are becoming increasingly common. Remember the Facebook/Cambridge Analytica scandal?  This had serious impacts on Facebook’s businesses because lost user trust triggered government investigations, lost advertising revenue, as well as many users leaving the platform.

Data breaches happen because of poor security policies within an organization. As well as user data being compromised, these breaches can lead to massive penalties for the organization when GDPR (General Data Protection Regulation) is violated. To overcome these problems, an organization should employ the CIA triad to enhance its cybersecurity policies.

Why Should You Use the CIA Triad?

The CIA triad offers a simple yet comprehensive checklist to evaluate your cybersecurity measures and tools. An effective security system provides all three components – confidentiality, integrity and availability. An information security system that doesn’t encompass all three aspects of the CIA triad is insufficient.

The CIA triad is also helpful after an attack to find out what went wrong and what, if anything, worked well. For instance, availability may be compromised after a ransomware attack, but the systems might still maintain other important information. Such data can be used for addressing weak points and replacing them with more effective measures and policies.