The CIA triad is a foundational model in information security that identifies the three core objectives of any security program: Confidentiality (ensuring information is accessible only to authorized parties), Integrity (ensuring information remains accurate and unaltered), and Availability (ensuring information and systems are accessible when needed). Every security control, vulnerability, and risk can be evaluated against these three principles.
How It Works
Confidentiality prevents unauthorized access to sensitive information. Encryption protects data in transit and at rest. Access controls restrict who can view specific resources. Data classification policies define how different categories of information should be handled. A breach of confidentiality means that sensitive data has been exposed to unauthorized parties, such as in a data leak or unauthorized database access.
Integrity ensures that data has not been altered or destroyed by unauthorized parties, whether deliberately or by accident. Cryptographic hash functions detect modification by comparing a file against a known-good digest, but only when that digest is stored somewhere the attacker cannot also rewrite; a message authentication code (MAC) or a digital signature ties the check to a key, so a party who can change the data cannot simply recompute the check value. Digital signatures additionally confirm who produced a message. On the application side, authorization checks on write operations, database constraints, and input validation limit what data can be changed and by whom. A breach of integrity means that data has been altered without authorization: a modified financial record, a tampered configuration file, or injected content on a webpage.
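The difference between an unkeyed hash and a keyed check is easiest to see in code. The following is an added example (not code from the original page) using only the Python standard library; the configuration file contents, the tampered variant, and the key are constructed for the demonstration. A plain SHA-256 digest detects a change only while the stored digest itself is trustworthy, whereas an HMAC requires the secret key to produce a valid tag.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: a small config file held in memory, plus a version
# an attacker has edited to enable an admin feature.
ORIGINAL = b"db_host=10.0.0.5\nadmin_enabled=false\n"
TAMPERED = b"db_host=10.0.0.5\nadmin_enabled=true\n"


def sha256_hex(data: bytes) -> str:
    """Unkeyed digest: anyone, including an attacker, can compute it."""
    return hashlib.sha256(data).hexdigest()


def verify_hash(data: bytes, expected_hex: str) -> bool:
    """Compare data against a stored digest (constant-time comparison)."""
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def hmac_sha256_hex(key: bytes, data: bytes) -> str:
    """Keyed tag: producing it requires the secret key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hmac(key: bytes, data: bytes, tag_hex: str) -> bool:
    return hmac.compare_digest(hmac_sha256_hex(key, data), tag_hex)


def hash_scenario() -> dict:
    """Plain hash: catches the edit while the reference digest is trusted,
    but an attacker who rewrites both file and digest goes undetected."""
    stored = sha256_hex(ORIGINAL)
    return {
        "original_ok": verify_hash(ORIGINAL, stored),
        "tamper_detected": not verify_hash(TAMPERED, stored),
        # Attacker replaces the stored digest along with the file:
        "forgery_detected": not verify_hash(TAMPERED, sha256_hex(TAMPERED)),
    }


def hmac_scenario(key: bytes) -> dict:
    """Keyed MAC: without the key the attacker cannot forge a valid tag."""
    stored_tag = hmac_sha256_hex(key, ORIGINAL)
    # The attacker does not know `key`; the best they can do is tag the
    # tampered file under a key of their own.
    attacker_tag = hmac_sha256_hex(secrets.token_bytes(32), TAMPERED)
    return {
        "original_ok": verify_hmac(key, ORIGINAL, stored_tag),
        "tamper_detected": not verify_hmac(key, TAMPERED, stored_tag),
        "forgery_detected": not verify_hmac(key, TAMPERED, attacker_tag),
    }


if __name__ == "__main__":
    print("sha256:", hash_scenario())
    print("hmac:  ", hmac_scenario(secrets.token_bytes(32)))
```

The HMAC still requires every verifier to hold the same secret, which is why software updates and signed messages use digital signatures instead: the private key signs, and any holder of the public key can verify without being able to forge.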
Availability ensures that systems and data are accessible to authorized users when they need them. Redundant infrastructure, load balancing, backup systems, and disaster recovery plans all support availability. Distributed denial-of-service (DDoS) attacks specifically target availability by overwhelming systems with traffic until they become unresponsive. A breach of availability means that legitimate users cannot access the services or data they need.
Why It Matters
The CIA triad provides a framework for evaluating the impact of any security vulnerability; the CVSS scoring system, for example, rates a vulnerability's impact on confidentiality, integrity, and availability as three separate metrics. A cross-site scripting vulnerability might compromise confidentiality (stealing session tokens or page data) and integrity (modifying page content or performing actions as the victim user). A SQL injection might compromise all three: confidentiality (reading rows the query was never meant to return), integrity (modifying data), and availability (deleting data or dropping tables). Security assessments evaluate how well an application protects each dimension of the triad.
Need your application tested? Get in touch.