The CIA (or AIC) triad is a foundation of IT security. In this video, you’ll learn about the confidentiality, integrity, and availability of the CIA triad.
When we refer to the fundamentals of IT security, one common description is the CIA triad. Sometimes you’ll see this referred to as the AIC triad so that there’s no confusion between this set of fundamentals and the US federal government’s Central Intelligence Agency.
The three different arms of the CIA triad refer to confidentiality, integrity, and availability. Confidentiality ensures that the information we’re exchanging stays private between the parties involved in the exchange. This is often combined with integrity, which ensures that the information that we’re sending to someone else will not be changed along the way. And availability is a fundamental part of IT because we want to be sure that all of our systems and networks remain up and running.
Confidentiality is about making sure that data remains private. We want to be sure that only certain information is available to certain people. We often use encryption to be able to do this. If we can encrypt data and send it to a third party, we know that no one in between will be able to read or understand the information that we’re sending.
We can also use access controls to provide confidentiality. We can make sure that certain people have read access to data and other people may have no access to the same data. This is a common method to provide confidentiality on a server or an operating system. And if you really wanted to stretch the idea of confidentiality, you can look to something like steganography. Steganography is hiding information within another type of media.
So for example, you could hide data within an image, send the image to a third party, and then they could extract the data from that image. Anyone else who sees this image just sees a picture. But if you know how to pull the data out of the image, you can take advantage of this confidentiality.
The concept of integrity allows us to identify when data may have been changed. This is especially important if you’re sending data to a third party because you want to be sure that they’re receiving exactly the information that you’re sending and then no one in between is changing any of those details.
One way to provide integrity is through the use of hashing. We can create a hash based on data that effectively is a fingerprint of all of that information that we’re hashing. If someone changes this data in transit, then the hash that we create at the end of the conversation will be different than the hash that we created at the beginning.
If you’re familiar with asymmetric encryption, then you’re probably also familiar with digital signatures. Digital signatures take this idea of hashing to the next step by encrypting that hash with a private key. This allows the recipient not only to confirm that the data has not changed, but also to confirm that the person who sent the data is the original sender.
Another common implementation of data integrity is using certificates. We can use certificates to ensure the integrity of a particular server or particular data. And you often see one method of integrity defined as non-repudiation, which means that everyone can look at the conversation and ensure that not only has the data been sent without any changes, but the data really was sent by the originating person.
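As an added illustration of the hashing and digital signature ideas above (example code written for this page, not from the video), this Go program uses the standard library: SHA-256 as the "fingerprint" that detects a change in transit, and Ed25519 as the assumed signature algorithm that also ties the data to the holder of a private key. The message and its tampered copy are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Fingerprint returns the SHA-256 hash of data: the fixed-size fingerprint
// that the sender computes before transmission and the recipient recomputes.
func Fingerprint(data []byte) [32]byte {
	return sha256.Sum256(data)
}

// IntegrityHolds compares the hash the recipient computes with the hash the
// sender produced. Any change to the bytes in transit yields a different hash,
// but a hash alone says nothing about who sent the data.
func IntegrityHolds(received []byte, senderHash [32]byte) bool {
	return Fingerprint(received) == senderHash
}

// SignMessage hashes the message and signs that hash with the sender's private
// key. (Ed25519 normally takes the whole message; hashing first mirrors the
// "sign the hash" description in the text.)
func SignMessage(priv ed25519.PrivateKey, msg []byte) []byte {
	h := Fingerprint(msg)
	return ed25519.Sign(priv, h[:])
}

// VerifyMessage succeeds only if the message is unchanged AND the signature was
// made with the private key matching pub, which is what gives non-repudiation.
func VerifyMessage(pub ed25519.PublicKey, msg, sig []byte) bool {
	h := Fingerprint(msg)
	return ed25519.Verify(pub, h[:], sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	msg := []byte("transfer 100 to account 42") // constructed sample message
	sig := SignMessage(priv, msg)
	fmt.Println("original verifies:", VerifyMessage(pub, msg, sig))

	tampered := []byte("transfer 900 to account 42") // altered in transit
	fmt.Println("tampered verifies:", VerifyMessage(pub, tampered, sig))
	fmt.Println("hash still matches:", IntegrityHolds(tampered, Fingerprint(msg)))
}
```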
Availability is probably one of the most well known and expected legs of the CIA triad because we always want to have our systems and our networks up and running. This means that we would use some type of redundancy to ensure that these systems would remain available.
For example, we might want to have redundant firewalls. And if one firewall were to fail, we have another firewall that we could install to provide this redundancy. Or this might be in more real time using fault tolerance. This is commonly done with RAID arrays, the Redundant Array of Independent Disks, where you can have multiple drives running, and if one drive happens to fail, all of the data is still available on other drives.
And of course patching is another form of availability. By patching we can provide additional stability and close any security holes that may be in a system, thereby keeping those systems up and running.