What Is the Confidentiality, Integrity, and Availability (CIA) Triad?
The CIA triad is a well-known cybersecurity model. It helps an organization think through the various layers of security that are needed to protect the IT infrastructure.
Figure 1-1 depicts the CIA key concepts as follows:
Confidentiality—To ensure only authorized users and processes can read the data
-
Integrity—To ensure only authorized users and processes can modify the data
-
Availability—To ensure the data are readily available to authorized users and processes
FIGURE 1-1 The CIA Triad
The CIA triad is a very powerful model because it can be used to understand the different layers of controls that exist within an IT infrastructure. Let’s explore several scenarios in which a company collects, stores, and processes customer personal information:
-
Scenario 1: How do we maintain confidentiality over the customer data? While the data are stored, we could encrypt the data. That would limit access to authorized users and processes with the encryption key. In essence, no one can read the data without the encryption key.
-
Scenario 2: How do we maintain integrity over the customer data? We could limit access to authorized users through the use of IDs and passwords, i.e., allowing selected authenticated users with limited authorization to modify the data.
-
Scenario 3: How do we maintain availability over the customer data? During a server hardware failure, we could failover to back up the server. The failover to servers in high availability environments are often performed in real time and may not be noticeable to the customer trying to access their account,
In each of the above scenarios different IT infrastructure technologies are used. This is very typical in a complex IT environment. The CIA triad allows us to quickly scope audits and assessments into manageable chunks of work. This is important because we want to assess the most amount of risk in the shortest amount of time. A good example is auditing and assessing access management controls. The use of authentication and authorization controls (typically in the form of IDs and passwords) can cover risks related to both confidentiality and integrity of data.