CIA Triad: Confidentiality, Integrity & Availability

These days, security is more important to companies than sales. When your company must maximize renewals, you’re not selling your product once — you’re selling it day in, day out. The moment your security breaches or your services go down, guarantee your customers and users are considering your competitor.

Strong cybersecurity helps safeguard your data and your networks from theft, fraud and unauthorized access. To build security into everything you do, let’s look at a foundational security concept: confidentiality, integrity, and availability, known collectively as the CIA triad.

The CIA security triad guides information security strategies to inform areas like security framework implementation and cyber threat intelligence. Security experts I talked with underscored how these concepts are absolutely useful today, though maybe they’re in need of some updates.

Let’s take a look.

The triad TLDR: Confidentiality vs integrity vs availability

This is a comprehensive article, so let's sum it up briefly:

Confidentiality protects information (data) from unauthorized access.
Integrity is the accuracy and consistency of data as well as the completeness and reliability of systems.
Availability is the ability for users to access systems and information when needed, even under duress.

Identifying key attributes of information that every organization must protect, the CIA triad enables security teams to analyze risks effectively and quantitatively. Yes, there’s some discuss in the industry about whether these concepts need some updating, which we’ll get into later.

The role of security

First, you might be wondering why security is so important — or why it’s so difficult to achieve.

Google Trends shows that more people than ever are searching online for “cybersecurity” and “it security”. Those peaks indicate highest search volume. People also are searching for “computer security” less often, probably because we’re all well aware that security affects us anywhere we leave digital footprints: computers, cell phones, streaming TVs, at-home and smart devices.

And sure, it’s not all that hard to protect your own individual stuff, right? Password managers, multi-factor authentication, thumb drives, key fobs, VPNs. Now imagine that you’re chief of information security (CISO) for a large, multinational organization. Security just got a lot more challenging.

Now let’s turn to the foundations of cybersecurity.

Confidentiality in security

Confidentiality is up first, and for good reason, says Larry Kinkaid of BARR Advisory:

“Security strategies tend to place the most focus on protecting data from prying eyes. At its most basic level, this means users are required to authenticate their identities and prove who they are, and then the system determines whether they are authorized to ‘read.’ This is the reason encryption has been around for a long time — to further protect data both at rest and in transit.

So, we can sum up confidentiality as protecting information from unauthorized access. What sorts of information? A lot:

Financial assets
Intellectual property, such as copyrights, patents, trademarks or even repositories of code and software
All forms of communication that might be sensitive, including emails, Slacks and Teams messages, text messages, recorded calls and meetings, and more

The question then becomes, how do you protect confidential data from unauthorized access? Well, let’s first how confidentiality fails, then we can see how to ensure it.

How confidentiality breaches occur

A breach occurs when unauthorized entities have access to your confidential data. This can happen in various ways, including data breaches, insider threats, social engineering attacks and even brute force attacks.

For example, a data breach might occur when an attacker gains access to a database that stores sensitive information like credit card numbers and personally identifiable information (PII). An insider attack happens when an employee, carelessly or intentionally, accesses sensitive information and leaks it.

A social engineering attack is when an attacker tricks an employee into revealing sensitive information like login credentials. Phishing is a common example of this.

In each example, the confidentiality of your sensitive information is now compromised: Unauthorized individuals can access it and potentially use it in harmful ways. Even if it’s not harmful, it’s a vulnerability you must consider.

(Explore vulnerabilities, threats and risk, another foundational security principle.)

How to ensure confidentiality

To ensure confidentiality, businesses can take several steps.

Encrypt sensitive data, such as credit card numbers or personal information, when you transmit it over networks or store it on computers.
Use access controls, such as user authentication and authorization, to limit who can access sensitive data and what they can do with it.
Use physical controls, such as locks and security cameras, to prevent unauthorized access to sensitive data in physical locations, such as data centers or office buildings.
Maintain a clear data protection policy and regularly train employees on security best practices to teach them how to handle sensitive information properly.

Integrity in security

Next up is integrity. Integrity (or data integrity) is the accuracy and consistency of data as well as the completeness and reliability of systems. It means that data is complete and accurate from its original form. For systems, integrity means that systems are free from corruption, tampering or unauthorized modification.

Ensuring the integrity of data and systems allows businesses to make confident and reliable decisions based on their data. Further it helps prevent operating errors, breaches and losses that can damage the business.

How integrity can be compromised

A breach of integrity occurs when there’s a change in data. This can happen in various ways:

Data corruption might occur when a software bug or hardware malfunction causes wrong transmission and storage of data, resulting in errors or inconsistencies.
Malicious software. When an attacker injects malicious software, such as a virus into the system, the virus might change data without the user's knowledge or consent, potentially causing damage or disruption.
Tampering refers to an unauthorized user physically accessing a computer or storage device and changing the data on it, either by deleting or altering the data or by adding false or misleading information.

Ensuring integrity

To ensure integrity, logical access controls like periodic access reviews and the principle of least privilege are great places to start. By authorizing only specific individual in, these controls ensure the integrity of the information. Kinkaid notes that data encryption can be useful when it comes to integrity:

“Often considered a control for confidentiality, encryption is also designed to ensure that data is not modified in transit and enforces the principle of non-reputation.”

Businesses can use checksums or cryptographic hashes to verify that data isn’t changed or corrupted. Additionally, they can use transaction logs or audit trails to track changes to data and systems so they can detect and correct any unauthorized or improper changes.

Finally, implementing policies and procedures for data management, such as regular backups and access controls, can help ensure data and system integrity.

Availability in security

Availability refers to maintaining the ability to access your resources when needed, even under duress (like a natural disaster) or after suffering intentional cyberattacks. And if this definition feels like a moving target, you’re not alone. Indeed, Kinkaid sees that “availability” as a concept has changed the most in recent years.

Today, availability is making its impact in practically every conversation around uptime and availability of services. (Of course, we are experiencing more natural and security disasters, too). Availability plays crucial roles in concepts like:

Business continuity and disaster recovery plans
Business Impact Analysis (BIA)
Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO)
Service Level Agreements (SLAs) for uptime and availability of services

“While these plans have always existed,” Kinkaid points out that “they are much more formalized and mature now, and often created to be essentially customer-facing. A robust security program that addresses availability is a value-add and potential differentiator between an organization and their competition.”

Examples of availability breakdowns

Some common causes of availability breaches include hardware or software failures, network outages, power outages, natural disasters and cyberattacks.

A hardware failure might cause a server to crash, preventing users from accessing its data or services. Network outages might prevent users from accessing data or systems over the internet. Power outages might prevent users from accessing data or systems that rely on electrical power. A natural disaster, such as a flood or earthquake, might cause physical damage to data centers or other critical infrastructure, disrupting access to data and systems. A cyberattack, such as a denial-of-service attack, might overwhelm a system with traffic, preventing legitimate users from accessing it.

Ensuring availability

Ensuring availability must be baked into many areas of network and software development:

Deploy redundant systems such as multiple servers or backup power sources or implement caching. This way, when one system fails, the others can continue to operate and provide the data you need.
Use load balancers, which distribute incoming requests across multiple systems so that no single system becomes overwhelmed and unavailable.
Regularly test and maintain your systems to help identify and address potential availability issues before they cause disruptions.

(Learn more about availability management.)

The CIA triad today

Today, the CIA triad remains foundational and useful. But let’s look at two arguments within the security industry: whether to add more InfoSec properties to the concept, and its practicality when everyone is a digital user.

Additional security properties

Of course, security professionals know that computer security doesn’t stop with the CIA triad. ISO-7498-2 includes two more properties for computer security:

Authentication is your systems’ ability to confirm an identity.
Non-repudiation or accountability is when your systems are able to confirm the validity of something that occurs over the system. It further assures the information’s origins and integrity.

Some folks argue that the CIA triad should add more components, such as non-repudiation or physical security. Walter Haydock, Founder and CEO of StackAware, disagrees, citing redundancy:

“Mission critical and life-sustaining systems such as operational technology in power plants and embedded medical devices rely on data integrity and availability to function correctly, making the protection of life and limb a 'downstream' byproduct. And in military and intelligence contexts, data confidentiality can often mean the difference between survival and death.”

Despite the non-stop evolution of cyber threats as well as technology, Haydock says the CIA triad remains a simple — and effective — framework for InfoSec.

Additional players in cybersecurity

Cybersecurity is no longer relegated only to NOCs and SOCs. It’s baked into every decision we make, deciding which enterprise vendor to onboard on a five-year contract all the way to whether to download an app on our cell phone to track our exercise. This is particularly true when you look at any modern workplace, relying on a wealth of third-party vendors and software.

That means every single person within an enterprise must also take responsibility for security. Andreas Grant, a network security engineer, says that internal threats are “an open secret” making cybersecurity an even bigger issue. Does the CIA triad account for end users, like employees within your organization? Grant argues:

“The CIA triad does not prepare the users in any shape or form to tackle inexperienced end-users. While people with malicious intents are different, there should be a fail-safe for inexperienced people. A cybersecurity infrastructure should also account for its users and their basic understanding of cybersecurity. At least in big companies, there must be some sort of training in organizations to prevent inside attacks. Unfortunately, this is mostly considered as an option after a leak.”

Ultimately, Grant believes that end user behavior must also be accounted for. “I have seen time and time again how a super-strong infrastructure got messed up”, he continues “only because the employees didn’t know better.”

Certainly, if you follow the best practices laid out in this article, including the ongoing education of all players, you’ll be in as strong a spot as possible. Still, every security pro knows that 100% security is never possible.

More data security fundamentals

Cyber Hygiene: Concepts and Best Practices for Cybersecurity
Network Security 101: A Brief Intro to Securing Network

CIA Triad: Confidentiality, Integrity & Availability | Splunk (2024)