Confidentiality, integrity and availability (the CIA triad) is a security model that guides information security policies within organizations. To avoid confusion with the Central Intelligence Agency, the model is also referred to as the AIC triad.
There is a debate whether or not the CIA triad is sufficient to address rapidly changing technology and business requirements with recommendations to consider expanding the interactions between availability and confidentiality, as well as the relationship between security and privacy.
Regardless of where you fall in the debate, the CIA triad is a great place to start.
Why is the CIA Triad Important?
The CIA triad is an important security concept because the majority of security controls, mechanisms and safeguards are designed to ensure one or more of confidentiality, integrity or availability principles.
This means cyber threats, vulnerabilities and cyber attacks can be measured against their ability to compromise one or more of the CIA triad principles.
The triad forms the basis of any organization's information security program and any time there is a data leak, data breach or other security incident you can be certain one or more of these principles has been violated.
What is Confidentiality?
Confidentiality is concerned with ensuring unauthorized parties and processes cannot access personal information, psychographics, PHI and sensitive data.
IT security measures that ensure confidentiality are designed to prevent unauthorized access to sensitive information or financial information while providing unencumbered access to authorized users.
It's common for information security professionals to classify data into different buckets according to the amount and type of damage caused if exposed in a data breach or data leak.
The most sensitive information will employ IT security measures like access control, data security and data encryption to protect against and minimize the impact of unauthorized access.
Other examples of technical security controls include access control lists, strong password requirements, biometric authentication, third-party data breach protection and data leak detection.
Beyond technical controls, organizations employ cybersecurity awareness training to educate authorized people on key cybersecurity risks, such as malware, spyware, phishing, spear phishing, social engineering, man-in-the-middle attacks and email spoofing.
Due to increasing regulatory requirements globally, such as GDPR, APRA CPS 234, FISMA, GLBA, PIPEDA and the NIST Cybersecurity Framework, confidentiality is becoming an increasingly important part of InfoSec.
What is Integrity?
Integrity is concerned with ensuring data is not tampered with and can be trusted. Data should be consistent, accurate, authentic and trustworthy over its lifecycle.
For example, banks and their customers need to be able to trust that bank balances are accurate and cannot be tampered with.
Ensuring integrity involves protecting data in use, in transit and at rest.
As with confidentiality, integrity can be compromised directly via an attack vector, zero-day exploit, vulnerability or unintentionally through human error, lack of care, inadequate security policies, procedures and protection mechanisms.
Countermeasures designed to protect data integrity include encryption, hashing, digital signatures, digital certifications, intrusion detection systems, auditing, version control, authentication, file permissions and access control.
Integrity goes hand-in-hand with non-repudiation: the inability to deny something. Non-repudiation assists in ensuring integrity.
What is Availability?
For any information system to be useful, it must be available when needed.
Computer systems that store and process sensitive information must have security controls to protect them, their data and their communications channels.
Organizations and their customers are becoming more reliant on real-time high availability systems.
This means information security professionals are increasingly concerned with ensuring availability by preventing power outages, hardware failure and distributed denial of service (DDoS) attacks.
Availability is best ensured by maintaining, repairing and replacing hardware where necessary and by keeping systems up-to-date.
Adequate communication bandwidth is equally important for preventing bottlenecks and redundancy, failover and geographically-isolated systems should be used to prevent downtime caused by unavoidable events like natural disasters or fires.
For worst case situations, a comprehensive incident response and disaster recovery plan can quickly bring systems back online and minimize damages.
Availability is important for every organization, especially those who sell SaaS products or services that are relied on by their customers.
What is Non-Repudiation?
Non-repudiation implies one's intention to fulfill their obligations in a contract and their inability to deny having received or having sent a message or request.
What are the Issues With the CIA Triad?
There is an ongoing debate about whether the CIA triad is sufficient to address the rapidly changing technology and business landscape, with recommendations to expand the intersection between availability and confidentiality, as well as the relationship between security and privacy.
Other principles such as accountability and responsibility have been proposed, which are increasingly required by regulators worldwide.
The widespread introduction of cheap, Internet of Things (IoT) devices are also a concern because they go unpatched and are often configured with weak or default passwords, providing an attack vector into even the most secure organizations.
A key concept to understand is that prioritizing one or more principles can result in tradeoffs of others, which is why defense in depth is important.
For example, an information system that requires high confidentiality and integrity may sacrifice availability.
This isn't necessarily a bad thing but tradeoffs must be conscious choices.
Organizations must have a robust risk assessment methodology and cybersecurity risk assessment process that outlines how they apply these principles given their risk appetite, regulatory requirements and customer expectations.
How UpGuard Can Improve Your Information Security
Companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar and NASA use UpGuard to protect their data, prevent data breaches, monitor for vulnerabilities and avoid malware.
We're experts in data breaches and data leaks, our research has been featured in the New York Times, Wall Street Journal, Bloomberg, Washington Post, Forbes, Reuters and Techcrunch.
UpGuard Vendor Risk can minimize the amount of time your organization spends managing third-party relationships by automating vendor questionnaires and continuously monitoring your vendors' security posture over time while benchmarking them against their industry.
Each vendor is rated against 50+ criteria such as presence of SSL and DNSSEC, as well as risk of domain hijacking, man-in-the-middle attacks and email spoofing for phishing.
Each day, our platform scores your vendors with a Cyber Security Rating out of 950. We'll alert you if their score drops.
UpGuard BreachSight can help monitor for DMARC, combat typosquatting, prevent data breaches and data leaks, avoiding regulatory fines and protecting your customer's trust through cyber security ratings and continuous exposure detection.
