What is the CIA Triad and Why You Should Care

Chris Doucette
Nov 30, 2018 · 4 min read

Introduction

Every day we see on the news of a new data breach or a new ransomware attack plaguing our society. With the rapid adoption of technology in all sectors it is becoming increasingly difficult to protect and secure it properly. According to the Ponemon Institute’s 2017 State of Cybersecurity in Small & Medium-Sized Businesses report, the percentage of small businesses that have experienced a cyber attack increased from 55% in 2016 to 61% in 2017 and small businesses that experienced a data breach increased from 50% in 2016 to 54% in 2017. With an ever growing danger to small businesses everyone should be familiar with a fundamental part of cyber security, the CIA Triad.

CIA Triad

The CIA Triad is a model used to design policies for cyber security in an organization. As the name suggests the CIA Triad is built around three factors, Confidentiality, Integrity, and Availability. Each one of these factors is a pillar to create an effective and secure cyber security policy for your organization.

Confidentiality

The definition of confidentiality is the state of keeping or being kept secret or private. In cyber security, confidentiality is used to prevent sensitive information from being accessed by the wrong people, while also being accessible for the right people.

One technology that supports this is authentication. Authentication allows you to be able to identify someone online. An example of this is that your bank asks you for your username and password when you go to their site. This information is something only you should know which allows the bank to identify that it is you.

When you have authenticated someone, you are then able to identify what they should be able to access using authorization. Authorization is the action of allowing or preventing someone from accessing something. Back to the bank example, they use authorization to make sure that you only have access to your bank account and no one else’s. They are able to accomplish this once they have authenticated you since they are able to identify you.

But what happens if someone doesn’t need to log in and go right to the computer to access the data. This is prevented using a technology called encryption. Encryption allows data at rest or data in transit to be unreadable to anyone except the intended recipient.

Other technologies are being explored and implemented to uphold confidentiality such as biometric verification, authenticator apps, and key fobs.

Integrity

Integrity is the second pillar of the CIA Triad. Integrity is verifying the accuracy and trustworthiness of data. When you are downloading a file or accessing a website it is import to verify that what you are receiving has been unaltered. This is accomplished through access controls such as authorization and encryption. As you remember, these topics we already spoke about in Confidentiality. You will notice that many security practices do not fall under just one of the pillars of the CIA Triad.

Another way to verify the integrity of data is through hashing. Hashing a file means feeding the data through a specific algorithm which spits out a unique value for that data. The most important factor of hashing is that the value is unique for the data that is provided and if any of the data is changed the algorithm will provide a completely different value. Some popular hashing algorithms are MD5 and SHA1.

Availability

Last but certainly not least is availability. Availability is important since it allows the data that is being protected by confidentiality and integrity to be accessible for the right people as much as possible.

This is accomplished partially with a practice called redundancy. Redundancy is when you include extra components that are not necessary for functionality, but in case of failure. An example of this would be a generator for a house. A generator is not needed to power the house at all times since we have utility companies so it redundant. However when the power goes out, you are able to use the generator to power your house still. This idea should be implemented for all critical services so that in case of a failure, they are still able to operate.

Another practice that ensures availability are backups. Backups are the process of consistently copying data from one location to another so you still have the data in case the original location fails. Backups are probably one of the most beneficial and easiest practices to implement to ensure availability.

Conclusion

I’m sure by now you are wondering why all of this even matters. Who really cares about a CIA Triad its all just fancy terminology and computer jargon. It matters since these three ideas are the foundation for a secure organization. If you have an IT member or team working with these ideas in mind your organization is above the rest in terms of security.

I believe that the more people that focus on implementing these ideas and educating others on them will eventually allow us reduce that 61% of cyber attacks affecting businesses.

Thanks for reading!

— Chris

EdibleSec

Easily consumable information security stories :: https://ediblesec.com

Chris Doucette

Written by

Security Engineer | ediblesec.com | Follow me on Twitter: @thegrumpyape

EdibleSec

EdibleSec

Easily consumable information security stories :: https://ediblesec.com

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade