Friday Basics: the CIA Triad

In information security (INFOSEC), there are several foundational concepts and principles. One that’s introduced almost immediately is the CIA triad, also called the Information Security Triad. While it may look like a version of the Triforce, this triad has nothing to do with a video game.

Requirements for cybersecurity in agricultural communication networks - Scientific Figure on ResearchGate. Available from: https://www.researchgate.net/figure/The-Confidentiality-Integrity-Availability-CIA-triad_fig1_346192126 [accessed 26 Apr, 2024]

The three elements are defined as:

  • Confidentiality – Read access is restricted only to authorized personnel.
  • Integrity – Write (Add/Change/Delete) access is restricted only to authorized personnel.
  • Availability – The system or platform is available to authorized personnel when needed.

I usually expand “authorized personnel” to “authorized personnel via authorized processes.” This covers service accounts and accounts acting on behalf of a user, and it covers situations such as a database that is intended to be accessed only through an app but whose permissions allow a user to connect via Excel. The addition of “via authorized processes” indicates that a user accessing via Excel would be in violation of the CIA triad. With respect to data, we’re used to CRUD (Create, Read, Update, and Delete) operations. Confidentiality covers the R of CRUD, while Integrity covers the C, U, and D.
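The "authorized personnel via authorized processes" rule and the CRUD mapping above can be checked mechanically against access events. The following is an added example, not code from the original post; the policy, account names, application names and events are all constructed for illustration, and it covers only the Confidentiality and Integrity mapping.

```python
from dataclasses import dataclass

# CRUD verb -> triad element it touches, following the post's mapping
TRIAD = {"read": "Confidentiality", "create": "Integrity",
         "update": "Integrity", "delete": "Integrity"}

@dataclass(frozen=True)
class Event:
    principal: str   # user login or service account
    process: str     # client application the session reports
    operation: str   # one of the CRUD verbs above
    resource: str

# Constructed policy: which (principal, process) pair may do what to a resource
POLICY = {
    "sales_db.orders": {
        ("svc_orderapp", "OrderApp"): {"create", "read", "update", "delete"},
        ("alice", "OrderApp"): {"create", "read", "update"},
        ("bob", "OrderApp"): {"read"},
    },
}

def evaluate(event, policy=POLICY):
    """Return None if allowed, else (triad element violated, reason)."""
    element = TRIAD[event.operation]          # KeyError on a non-CRUD verb
    grants = policy.get(event.resource, {})
    allowed = grants.get((event.principal, event.process))
    if allowed is None:
        # Same person through a different client is still a violation
        known = any(p == event.principal for p, _ in grants)
        return (element, "unauthorized process" if known else "unauthorized principal")
    if event.operation not in allowed:
        return (element, "operation not granted")
    return None

def audit(events, policy=POLICY):
    """Return (event, element, reason) for every event that breaks the policy."""
    verdicts = [(e, evaluate(e, policy)) for e in events]
    return [(e, *v) for e, v in verdicts if v is not None]

# Constructed sample events
EVENTS = [
    Event("alice", "OrderApp", "update", "sales_db.orders"),       # allowed
    Event("alice", "Microsoft Excel", "read", "sales_db.orders"),  # right user, wrong process
    Event("bob", "OrderApp", "delete", "sales_db.orders"),         # operation not granted
    Event("mallory", "OrderApp", "read", "sales_db.orders"),       # unknown principal
]

if __name__ == "__main__":
    for e, element, reason in audit(EVENTS):
        print(f"{element}: {e.principal} via {e.process} ({e.operation}) - {reason}")
```
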

One of the things I talk about with other security professionals is ensuring Availability is met. I have been the overzealous security engineer who tightened down a system where Availability was broken. That does the business no good. If I can’t access the system like I need to do so when I should be doing so, I might as well not have the system at all. And that’s why Availability is a key part of this security concept.

So if you ever hear anyone talking about CIA or the CIA triad with respect to security, this is what it means.
