INFOSEC Foundations - The CIA Triad
The CIA Triad is a foundational concept in information security. It is a model for thinking about and discussing security events.
Overview
The “CIA Triad” – Confidentiality, Integrity, and Availability – is a foundational concept in information security. In reality, it’s three separate properties, but for the purpose of this post, we’ll look at all three together, since that’s how it’s likely to be expressed on exams like the CompTIA Security+. The CIA Triad serves as a model for thinking about security issues: whatever the incident, you can ask which of the three properties was lost. In some cases, you may also see references to a “DAD Triad”; this is the negative form of the CIA Triad – Disclosure, Alteration, and Denial – with each term naming the failure of the matching property. It may be slightly confusing for beginners to think of these as two separate concepts, but it becomes easier when you realize that it’s just two sides of one coin.
Definition of Terms
Let’s jump in and discuss these concepts! For the purpose of this example, let’s say you run a food truck selling the best hamburgers and hot dogs in the northeast. You have a secret recipe that you use for your burger seasoning that you keep on a laptop in your truck…what could go wrong?!
Confidentiality
Confidentiality refers to the idea of protecting our data from unauthorized disclosure. In other words, only those with permission to view our data CAN view the data.
Now, there are many ways in which confidentiality can be compromised, or to put it another way, ways in which sensitive data may be disclosed to unauthorized parties. Since you’re keeping your famous burger seasoning recipe on a laptop in your truck, the laptop could be stolen. If the disk isn’t encrypted, a login password by itself won’t save you: whoever has the laptop can pull the drive and read the file directly. And if the recipe is encrypted but protected with a weak password, the thief can simply guess it. Either way, they may be able to steal your recipe and open up a competing food truck.
If you leave the laptop open and unattended in the truck, someone may be able to look in and snag your recipe that way (this is sometimes called “shoulder surfing”). If you decide it’s not safe to keep the recipe on a laptop in your truck and set up a server somewhere else, an attacker may still be able to breach your systems if the appropriate defenses aren’t in place.
Integrity
Integrity refers to being able to prevent the unauthorized alteration of data. Let’s say your food truck is doing so well that you’ve been able to hire some new workers; however, your success has also gained you some enemies who are jealous of your superior burgers.
One of those rivals was able to sneak in one night, gain access to your laptop, and make some pretty gnarly changes to the burger seasoning recipe. Your new employee, not realizing that the recipe was incorrect, ends up serving some really gross food to your customers.
If you didn’t have the appropriate permissions set on your recipe file, you have no way to notice the change (a checksum or a version history would do), and you don’t have a backup or another way of restoring the proper recipe, then you have a security issue. Permissions help prevent the alteration; a checksum helps you detect it; a backup lets you recover from it.
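Here is the “detect it, then restore it” half of that in code. This is an added example, not code from the original post: it keeps an HMAC-SHA256 tag for the recipe text, checks the working copy against it, and falls back to a known-good backup when the check fails. The recipe strings, the key and the `RecipeStore` class are all made up for the illustration; the point is that a plain hash stored next to the file is not enough, because a rival who can edit the file can recompute the hash, whereas a keyed tag only verifies if the key is kept somewhere the rival cannot reach.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not a real recipe): the working copy of the file
# and the altered version the rival leaves behind.
ORIGINAL_RECIPE = "2 tbsp smoked paprika, 1 tbsp brown sugar, 1 tsp cayenne, 2 tsp salt"
TAMPERED_RECIPE = "2 tbsp smoked paprika, 1 cup brown sugar, 1 tbsp cayenne, 2 tsp salt"

# Hypothetical key. A keyed MAC only helps if the rival does not also have the
# key, so in real life it would live off the laptop (a password manager, a
# separate device, etc.).
INTEGRITY_KEY = secrets.token_bytes(32)


def seal(recipe: str, key: bytes = INTEGRITY_KEY) -> str:
    """Return a hex HMAC-SHA256 tag for the recipe text."""
    return hmac.new(key, recipe.encode("utf-8"), hashlib.sha256).hexdigest()


def verify(recipe: str, tag: str, key: bytes = INTEGRITY_KEY) -> bool:
    """True only if the recipe still matches the tag (constant-time compare)."""
    return hmac.compare_digest(seal(recipe, key), tag)


class RecipeStore:
    """Toy model of the laptop: a working copy, its tag, and a known-good backup."""

    def __init__(self, recipe: str, key: bytes = INTEGRITY_KEY):
        self.key = key
        self.recipe = recipe            # what the cook reads in the morning
        self.tag = seal(recipe, key)    # recorded when the recipe was last approved
        self.backup = recipe            # copy kept off the laptop

    def sneak_in_and_edit(self, new_text: str) -> None:
        """Simulates the rival altering the file without updating the tag."""
        self.recipe = new_text

    def check_and_restore(self) -> tuple:
        """Verify the working copy; on failure, restore it from the backup.

        Returns (was_intact, recipe_now_in_use).
        """
        intact = verify(self.recipe, self.tag, self.key)
        if not intact:
            self.recipe = self.backup
        return intact, self.recipe


if __name__ == "__main__":
    store = RecipeStore(ORIGINAL_RECIPE)
    print("before tampering:", store.check_and_restore()[0])   # True
    store.sneak_in_and_edit(TAMPERED_RECIPE)
    intact, in_use = store.check_and_restore()
    print("after tampering:", intact, "| restored:", in_use == ORIGINAL_RECIPE)  # False True
```

Run it as a script and you get one clean check, one failed check, and a restored recipe. Note what the example does not do: it cannot stop the rival from editing the file in the first place, which is what file permissions are for. It only makes sure the altered recipe never reaches the grill.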
Availability
This is probably the easiest of the three concepts to wrap your head around. Simply, Availability refers to data and systems being accessible to authorized users when they’re needed…in other words, preventing a Denial-of-Service condition.
In our scenario, availability could be impacted in a number of ways…some of which we’ve already discussed in the other examples. If the laptop is stolen, it’s obviously not accessible. If the laptop battery dies and you don’t have a power cord, then the data isn’t available either; not every availability problem is an attack. If the recipe is stored on another network without adequate protections, a jealous rival may attempt to overwhelm your server with junk traffic; this is commonly referred to as a “Denial-of-Service” attack.
Impact
Depending on the incident, a breach of any one of the “CIA” areas could have significant impacts on a business. In our example, your food truck business may face the following issues:
- Financial impact. The loss, theft, or compromise of your secret burger seasoning recipe has allowed a rival to open up another food truck using your recipe. Some of your customers may go over to them, causing you to lose money.
- Reputation damage. When your recipe got changed without permission, some of your customers may have felt that your food quality had just gone down, and they make a point to tell their friends about it. That kind of negative word-of-mouth can be deadly in the food truck business![1]
There could be other impacts as well. Your business may run afoul of compliance frameworks (your recipe gets modified to include hazardous ingredients that violate the health code); your day-to-day operations may be affected (no recipe means no food means no customers means no money).
Summary
Remember at the beginning of this post, I highlighted how the “CIA Triad” and the “DAD Triad” were two sides of the same coin? I’ve tried to highlight that throughout this post, but here is a quick summary of those concepts:
- Confidentiality/Disclosure
  - Refers to our ability to prevent unauthorized personnel from accessing our data. Unauthorized disclosure would constitute a breach of confidentiality.
- Integrity/Alteration
  - Refers to our ability to protect our data from unauthorized changes or modification. Unauthorized alteration would constitute a breach of integrity.
- Availability/Denial
  - Refers to our ability to ensure that our data is accessible when it’s needed. The denial of access to our data would constitute a breach of availability.
The CIA Triad provides an easy model to think about security issues. The purpose of this post was just to provide an easy to understand introduction to the CIA Triad, rather than go into extreme depth on all the possible ways in which each component could be breached. Specific controls do warrant further discussion, however; in a future article, I’ll go more into controls that network defenders can put in place to ensure the confidentiality, integrity, and availability of data.
Thanks for reading! Feel free to drop any questions or comments below!
[1] At least I assume it is…I don’t own a food truck though, so just take the example for what it’s worth.