The CIA triad describes the foundational goals of IT security. In this video, you’ll learn more about confidentiality, integrity, and availability.
The CIA Triad is an easy way to remember the fundamentals of IT security. You'll sometimes see it referred to as the AIC Triad to differentiate it from the US federal agency, the Central Intelligence Agency. But since CIA is so easy to remember, we usually say CIA Triad rather than AIC Triad. Just keep in mind that the CIA Triad has nothing to do with the Central Intelligence Agency.
The C in the CIA Triad is Confidentiality: preventing anyone who is not authorized from gaining access to private information. The I in CIA is Integrity: when we're sending information from one person to another, we want to be sure that the recipient receives exactly what was sent from the origination, with nothing altered along the way.
And lastly, the A in the CIA Triad is Availability. We want our systems and data to remain up and reachable by the people who need them, and the security controls we add must not themselves take those systems offline. You'll often see the triad drawn as a triangle, with confidentiality, integrity, and availability on the three sides as the security objectives associated with the triad.
One of the biggest challenges we have in IT security is making data available to the people who need it while keeping it away from everyone else. That is what we mean by confidentiality. One way to provide confidentiality is encryption. One person encrypts the data, sends it to someone else, and the recipient decrypts it with the appropriate key to recover the original plaintext.
Anyone in the middle who captures that encrypted data sees only ciphertext. Without the key, they cannot recover the plaintext or learn anything useful from the data itself. Another common way to provide confidentiality is to set limits on what each person may access. We do this with access controls, which restrict who can read or change particular types of information.
For example, an access control policy might allow someone in the marketing department to see all of the marketing presentations and make changes to them, while denying any access to the organization's accounting information. And if you've ever had to provide additional authentication factors when logging into a system, that's another control that supports confidentiality. Nobody can get into the account without the proper credentials, and requiring additional factors means that a stolen password alone is not enough.
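Here is an added example, not from the video, showing both confidentiality controls just described in Python: a deny-by-default access check that enforces the marketing/accounting rule and the second-factor requirement, and encryption with a one-time pad so that an observer in the middle sees only ciphertext. The policy, user directory, message, and function names are all constructed for this example. A one-time pad is used only because it needs nothing beyond the standard library; real systems use an authenticated cipher such as AES-GCM.

```python
import secrets

# Constructed access policy mirroring the marketing/accounting example above
# (sample data for this example, not from the video).
# Layout: resource -> role -> set of allowed actions. Anything not listed is denied.
POLICY = {
    "marketing/presentations": {"marketing": {"read", "write"}},
    "accounting/ledger": {"accounting": {"read", "write"}, "auditor": {"read"}},
}

# Constructed user directory: user -> roles held.
USERS = {
    "alice": {"marketing"},
    "bob": {"accounting"},
    "carol": {"auditor"},
}


def is_allowed(user: str, action: str, resource: str, mfa_passed: bool) -> bool:
    """Deny by default: access is granted only when every check succeeds."""
    roles = USERS.get(user)
    if roles is None:
        return False                      # unknown identity
    if not mfa_passed:
        return False                      # additional factor not satisfied
    rules = POLICY.get(resource, {})      # unlisted resource -> no rules -> denied
    return any(action in rules.get(role, set()) for role in roles)


def otp_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """One-time pad: XOR the message with a random key of the same length.
    Secure only if the key is truly random, as long as the message, and never reused."""
    if len(key) != len(plaintext):
        raise ValueError("one-time pad key must match the message length")
    return bytes(k ^ p for k, p in zip(key, plaintext))


# XOR is its own inverse, so the recipient decrypts with the same operation.
otp_decrypt = otp_encrypt


def new_key(length: int) -> bytes:
    """Fresh random key from the OS CSPRNG."""
    return secrets.token_bytes(length)


def demo() -> dict:
    """Run both controls over constructed inputs and return what each decided."""
    results = {
        "marketing_edits_own_deck": is_allowed("alice", "write", "marketing/presentations", mfa_passed=True),
        "marketing_reads_ledger": is_allowed("alice", "read", "accounting/ledger", mfa_passed=True),
        "auditor_edits_ledger": is_allowed("carol", "write", "accounting/ledger", mfa_passed=True),
        "no_second_factor": is_allowed("bob", "read", "accounting/ledger", mfa_passed=False),
        "unknown_user": is_allowed("mallory", "read", "marketing/presentations", mfa_passed=True),
    }
    message = b"Q3 launch plan: embargoed until Monday"   # constructed plaintext
    key = new_key(len(message))
    ciphertext = otp_encrypt(key, message)
    # What someone in the middle sees is the ciphertext; only the key holder gets the plaintext back.
    results["ciphertext_hides_plaintext"] = ciphertext != message
    results["recipient_recovers_plaintext"] = otp_decrypt(key, ciphertext) == message
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The access check is written so that every failure path returns False and only the final line can return True; that is the deny-by-default shape you want in any authorization code, because a forgotten case then fails closed rather than open.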
When we're receiving data from a third party, we'd like to verify that the data we received is exactly the data that was sent and that nobody altered it while it was traversing the network. Integrity controls give us that assurance. One way to provide integrity is hashing. The sender computes a hash of the data and sends you both the data and the hash at the same time.
When you receive the data, you perform the same hashing function, and if your hash matches the sender's hash, the data you received is exactly the data that was sent. Keep in mind that a plain hash only detects accidental changes: an attacker who can alter the data in transit can just as easily recompute the hash, unless the hash arrives over a separate trusted channel or is itself protected. That is where a digital signature comes in. The sender hashes the data and signs that hash with their private key, and anyone holding the matching public key can verify the signature. This confirms both that none of the data has changed and who sent it, an additional level of integrity that matters when you're sending very sensitive data.
It's also common to use certificates to identify devices or people. A certificate binds a public key to an identity, so when you're transferring data from one device to another you can trust the key you're using to verify a signature or set up an encrypted connection. And lastly, we have the concept of nonrepudiation. Because only the holder of the private key could have produced a valid signature, we have proof of both integrity and origin: the sender cannot later deny that the information came from them.
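The hashing check described above, followed by the case it does not cover and a keyed alternative, as an added example in Python that is not part of the video. The message and the function names are constructed for this example. HMAC-SHA256 with a shared key stands in for the digital signature here because Python's standard library has no asymmetric signing; it gives the recipient integrity plus proof that a key holder sent the data, but not nonrepudiation, since the recipient holds the same key and could have produced the tag too. A signature made with the sender's private key is what adds that.

```python
import hashlib
import hmac
import secrets

# Constructed sample message for this example (not from the video).
MESSAGE = b"Pay 100.00 to account 12345"


def sha256_hex(data: bytes) -> str:
    """Unkeyed hash, as in the hashing example above."""
    return hashlib.sha256(data).hexdigest()


def verify_hash(data: bytes, expected_hex: str) -> bool:
    """Recipient recomputes the hash and compares it with the one that arrived."""
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def hmac_hex(key: bytes, data: bytes) -> str:
    """Keyed hash (HMAC-SHA256): only someone holding the key can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hmac(key: bytes, data: bytes, expected_hex: str) -> bool:
    """compare_digest runs in constant time, so the comparison leaks nothing about the tag."""
    return hmac.compare_digest(hmac_hex(key, data), expected_hex)


def tamper(data: bytes) -> bytes:
    """What an active attacker on the path does to the message: change the payee."""
    return data.replace(b"12345", b"99999")


def flip_one_bit(data: bytes) -> bytes:
    """Accidental corruption in transit: a single bit flipped in the first byte."""
    corrupted = bytearray(data)
    corrupted[0] ^= 0x01
    return bytes(corrupted)


def demo() -> dict:
    """Run each scenario and record whether the recipient's check accepts the data."""
    results = {}

    # 1. Plain hash, honest transit: hashes match.
    sent_hash = sha256_hex(MESSAGE)
    results["hash_accepts_unchanged"] = verify_hash(MESSAGE, sent_hash)

    # 2. Plain hash, accidental corruption: mismatch, exactly as described above.
    results["hash_rejects_corruption"] = not verify_hash(flip_one_bit(MESSAGE), sent_hash)

    # 3. Plain hash, active attacker: they alter the data AND recompute the hash,
    #    so the recipient's check passes. This is the gap a plain hash leaves open.
    forged = tamper(MESSAGE)
    results["hash_fooled_by_attacker"] = verify_hash(forged, sha256_hex(forged))

    # 4. HMAC with a key shared by sender and recipient: the attacker can alter the
    #    data but cannot compute a matching tag without the key, so the check fails
    #    whether they forward the old tag or substitute an unkeyed hash.
    key = secrets.token_bytes(32)
    tag = hmac_hex(key, MESSAGE)
    results["hmac_accepts_unchanged"] = verify_hmac(key, MESSAGE, tag)
    results["hmac_rejects_old_tag"] = not verify_hmac(key, forged, tag)
    results["hmac_rejects_unkeyed_hash"] = not verify_hmac(key, forged, sha256_hex(forged))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Scenario 3 is the one to remember: a checksum published next to the download it protects, on the same server, tells you nothing about tampering by whoever controls that server. Either the hash has to come from somewhere the attacker cannot reach, or it has to be bound to a key the attacker does not hold.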
If you've done any work in information technology, you know how important it is for your systems to be available. Availability is the leg of the CIA Triad that ensures authorized people can reach the systems and data they need, when they need them. One way to provide availability is to design systems to stay up and running. We often combine this with fault tolerance, where redundant components are in place so that if one of them fails, another takes over and operation continues normally.
And of course, if you're concerned about availability, you'll need to keep those systems managed and updated by patching them. This keeps the systems as stable as possible and closes known security holes, preventing someone from taking them down or gaining access through some type of exploit. Patches should be tested before they roll out, though, since a bad update can itself cause the outage you're trying to avoid.