The CIA Triad

The CIA triad is a common acronym in information security; it stands for Confidentiality, Integrity, and Availability. Each of these concepts represents an aspect of organizational assets that needs to be protected. Not every concept applies to every type of asset, but together the three cover the critical components of security.

Confidentiality means that the information or asset is provided only to the proper users. The typical examples of confidential data include your bank account numbers and your social security number; you don’t want just anyone to be able to access this data. The concept tends to be implemented through identity and access management (IAM), a process of identity validation and authorization verification: basically, that you are who you say you are and that you are allowed to access the requested data.

Integrity means that the asset being provided has not been tampered with. Information ceases to be valuable once its integrity has been compromised. If a hacker broke into a retailer’s customer payment database and changed all the credit card numbers, that data would stop being useful to the company: they wouldn’t be able to properly charge customers for the goods they purchased. For a physical system, integrity would be compromised if it were permanently damaged or otherwise rendered unusable in perpetuity; the reason the damage must be permanent has to do with availability. If the asset is only damaged enough to take it offline for a short period, then it is merely unavailable.
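To make the two preceding paragraphs concrete, here is an added illustration (not code from the original article) of how a service might enforce confidentiality and integrity on a stored payment record. Confidentiality is enforced by the IAM steps the text describes, identity validation (authentication) followed by authorization verification, before any data is returned; integrity is enforced by keeping a keyed tag (an HMAC) over each record so that a modified credit card field, as in the retailer scenario above, is detected rather than silently trusted. All user names, passwords, the `RECORD_KEY`, and the records themselves are constructed for this example.

```python
import hashlib
import hmac
import json
import secrets

# Hypothetical service key used to tag stored records. Assumption for this
# example only: a real deployment would keep it in a key store, not in source.
RECORD_KEY = b"demo-integrity-key-not-for-production"


def _hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash (PBKDF2) so stolen hashes are hard to reverse."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str, roles: set) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "pw_hash": _hash_password(password, salt), "roles": set(roles)}


# Constructed user directory: alice may read billing data, bob may not.
USERS = {
    "alice": make_user("alice-pw", {"billing"}),
    "bob": make_user("bob-pw", {"support"}),
}


def authenticate(username: str, password: str) -> bool:
    """Identity validation: is the caller who they claim to be?"""
    user = USERS.get(username)
    if user is None:
        # Hash anyway so response timing does not reveal whether the account exists.
        _hash_password(password, b"\x00" * 16)
        return False
    return hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"])


def authorize(username: str, required_role: str) -> bool:
    """Authorization verification: is this identity allowed to see this data?"""
    return required_role in USERS.get(username, {}).get("roles", set())


def seal_record(record: dict) -> dict:
    """Attach an HMAC tag so any later change to the record can be detected."""
    payload = json.dumps(record, sort_keys=True).encode()
    tag = hmac.new(RECORD_KEY, payload, hashlib.sha256).hexdigest()
    return {"data": record, "tag": tag}


def verify_record(sealed: dict) -> bool:
    """Recompute the tag over the current contents and compare in constant time."""
    payload = json.dumps(sealed["data"], sort_keys=True).encode()
    expected = hmac.new(RECORD_KEY, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


# Constructed payment record (fake customer id and card digits).
PAYMENT_RECORDS = {
    "cust-1001": seal_record(
        {"customer": "cust-1001", "card_last4": "4242", "token": "tok_demo_1"}
    ),
}


def read_payment_record(username: str, password: str, customer_id: str) -> tuple:
    """Return ("ok", record) only when every check passes, else ("denied", reason)."""
    if not authenticate(username, password):
        return ("denied", "authentication failed")
    if not authorize(username, "billing"):
        return ("denied", "not authorized for billing data")
    sealed = PAYMENT_RECORDS.get(customer_id)
    if sealed is None:
        return ("denied", "no such record")
    if not verify_record(sealed):
        return ("denied", "integrity check failed: record was modified")
    return ("ok", sealed["data"])


if __name__ == "__main__":
    print(read_payment_record("alice", "alice-pw", "cust-1001"))   # ok, record returned
    print(read_payment_record("bob", "bob-pw", "cust-1001"))       # denied: wrong role
    print(read_payment_record("alice", "guess", "cust-1001"))      # denied: bad password
    # Simulate the tampering scenario from the text: the card digits are altered
    # in storage without going through seal_record(), so the tag no longer matches.
    PAYMENT_RECORDS["cust-1001"]["data"]["card_last4"] = "0000"
    print(read_payment_record("alice", "alice-pw", "cust-1001"))   # denied: integrity
```

The ordering matters: authentication runs before authorization, and both run before the record is even looked up, so an unauthenticated caller learns nothing about which customer ids exist. The integrity tag only helps if the attacker cannot also recompute it, which is why `RECORD_KEY` must be protected at least as well as the data it guards.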

Availability means that an asset will be accessible to users whenever they expect it. What good is an asset if you can’t access it? A common attack against availability is a denial of service (DoS) attack: a service or feature, typically a website, is taken offline by the attacker as a means of hurting an organization; for online retailers this could mean millions of dollars in lost revenue as they are unable to fulfill purchases. As mentioned earlier, physical damage to a system can also be an availability issue: as long as the asset can be brought back into use, its integrity is not compromised; it is merely unavailable.

All three members of this triad must be protected, though attacks against confidentiality and availability may be more frequent, because these attacks are more easily monetized: if you make an asset unavailable, you can extort its users into paying you to return access to them. Confidential information itself commands a premium price; there is no shortage of potential buyers of payment card industry (PCI) information, and as such this type of information has its own set of laws governing its protection.