What is the CIA Triad?

Continuing in our key security concept series, this blog will look at the CIA Triad. If you haven’t been following, check out the other blogs in this series on nonrepudiation and dual control. The CIA Triad is one of the most important concepts in information security, as it should drive the actions we take. This model helps us to understand the ramifications for a particular vulnerability and, as such, can help us understand what are the appropriate resources to prevent or lower the risk of that impact. So let’s take a look at this model:

The CIA Triad
The CIA Triad

CIA Triad Definition

Essentially, in everything we are trying to protect, we are trying to achieve at least one of the three goals listed above. It is possible that we need more than one, or even all three, but there will always be at least one of these goals. Let’s look at these goals more closely.

  • Confidentiality – This is making sure that the sensitive information stays with the few people who need that information. For example, when you are speaking with your doctor, that information needs to be treated with a high degree of confidentiality. Similarly, if you are trying to buy a car, and they need your social security number to check your credit, you are hoping that the application used for the credit checks is prioritizing confidentiality. You would be OK if the system was down every once in awhile (e.g. availability concerns) as long as it was prioritizing confidentiality.
  • Integrity – This is the assurance that the information has not been modified or changed. The most common example of this is bank wire transfers. One zero gets added to the end of that, it is a big deal. Or maybe a 1 gets changed to a 2 in the destination bank account, someone is getting fired. That information may or may not be confidential. It may be public record that David Tepper bought the Panthers for $2.2 billion, and so someone eavesdropping on that wire transfer, while not advisable, isn’t the chief concern. However, if that 2.2 billion dollars ends up in a different bank account (let’s hope it’s mine), that is a problem.
  • Availability – The third corner of the CIA Triad is availability. Simply put, it means that when this system is needed it is up and running. The best example of a system that requires a tremendous level of availability is 911. When you are having an emergency, you are counting on someone picking up when you dial 911. As a result, when cities create these emergency call centers, there are all sorts of redundancies in place. Such that if one or even two of them fail, that call still gets through.

A Brief History of the Triad

Interestingly enough, not much is known about the origination of the term “CIA Triad”, but most experts agree that the first reference to it was in NIST SP 500-19, published in 1977. While this paper was not directly published on the topic of the CIA Triad and pre-dates modern computer security, it does reference the three pillars of the triad in security: confidentiality, integrity, and availability. Beyond the initial coining of the term, many standards and certification bodies continue to use the theory today, including mainstream certification providers like ISC2 (creators of the Certified Information Systems Security Professional, or CISSP, certification). Over the last couple decades, different groups and individuals have been more outspoken about developing alternatives or extensions to the CIA triad, however. Some claim there should be 6 core tenants or 8 principles, etc. Others feel non-repudiation doesn’t completely fit into any of the three, but is important enough to stand on its own (which probably has some merit). In any case, it’s important to understand this is not a new concept and is not all-encompassing, when it comes to information security.

Impact of the CIA Triad

Whether it is discussed overtly or not, the CIA Triad impacts every decision you make in information security. Are you considering a new tool or product? Great, does it impact confidentiality? Integrity? Availability? Let’s say you are presented with a vulnerability on one of your systems. What is that system used for and what is the impact of this vulnerability? If it is a denial of service concern affecting its availability, maybe that is an acceptable risk rather than spending thousands of dollars on a redundant system.

As you can see, the CIA Triad is simply a model that helps us to categorize the 3 goals of information security. It is unlikely you will ever be quizzed on the different components, but unless you are familiar with these three goals and can prioritize them in different scenarios, it is going to be very difficult for you to optimize your resources to meet the needs. Interested in learning more? Speak with one of our cybersecurity experts today!