The CIA Triad
Every security decision — whether it's choosing an encryption algorithm, setting access controls, or planning a backup strategy — can be evaluated against three fundamental principles. Together they form the CIA Triad: Confidentiality, Integrity, and Availability.
What is the CIA Triad?
The CIA Triad is the foundational model for thinking about information security. It's not an organization — it stands for three properties that every secure system must provide:
- Confidentiality: only authorized people can read the data.
- Integrity: the data hasn't been tampered with.
- Availability: the data is accessible when you need it.
Confidentiality: Keeping Secrets Secret
Confidentiality means that information is only accessible to those who are authorized to see it. Think of it as privacy at a systems level.
What threatens confidentiality?
- Data breaches where stolen credentials let attackers read private records
- Man-in-the-middle attacks where communications are intercepted
- Misconfigured cloud storage buckets left open to the public
- Shoulder surfing — someone literally reading your screen
How we protect confidentiality:
- Encryption — scramble data so only someone with the key can read it (the main topic of this roadmap)
- Access controls — only give access to those who need it (principle of least privilege)
- Authentication — verify identity before granting access
- Data classification — label data by sensitivity and apply appropriate protections
Real-world example
When you submit your credit card number online, the browser encrypts it using TLS before sending. This ensures only you and the merchant's server can read it — even if an attacker intercepts the network traffic, they see only scrambled noise. That's confidentiality in action.
Integrity: Ensuring Data Isn't Tampered With
Integrity means that data is accurate, complete, and hasn't been modified without authorization. It's the assurance that what you receive is what was actually sent.
What threatens integrity?
- Man-in-the-middle attacks that modify data in transit
- Malware that corrupts or alters files
- Unauthorized database modifications
- Software supply chain attacks (malicious code injected into legitimate software)
How we protect integrity:
- Cryptographic hash functions — a fixed-size "fingerprint" of data that changes completely if even a single byte is modified
- Digital signatures — prove that data came from who it claims to and wasn't changed
- Checksums — lightweight verification that a file transferred correctly (they catch accidental corruption, not deliberate tampering)
- Audit logs — immutable records of who changed what and when
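To make the hash-versus-MAC distinction above concrete, here is an added Python example (not code from the page): a plain SHA-256 digest exposes a change only when the digest reaches the receiver by a trusted route, whereas an HMAC tag made with a shared key cannot be recomputed by whoever altered the data. The record, the key and the modification are constructed for the demo.

```python
import hashlib
import hmac

# Constructed sample record and shared secret (not from the page).
ORIGINAL = b"payee=alice;amount=100"
MAC_KEY = b"constructed-demo-key-do-not-reuse"

def sha256_hex(data: bytes) -> str:
    """Unkeyed fingerprint: changing any single byte changes the whole digest."""
    return hashlib.sha256(data).hexdigest()

def hmac_tag(key: bytes, data: bytes) -> bytes:
    """Keyed fingerprint (HMAC-SHA256): only a holder of the key can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).digest()

def verify_hmac(key: bytes, data: bytes, tag: bytes) -> bool:
    # compare_digest runs in constant time, so the comparison does not leak the tag.
    return hmac.compare_digest(hmac_tag(key, data), tag)

def tamper(data: bytes) -> bytes:
    """Model an on-path modification: change one digit of the amount."""
    return data.replace(b"amount=100", b"amount=900")

def hash_detects_tamper() -> bool:
    """A digest that reached the receiver over a trusted route exposes the change."""
    return sha256_hex(tamper(ORIGINAL)) != sha256_hex(ORIGINAL)

def hash_detects_recomputed_digest() -> bool:
    """If the digest travels with the data, the attacker recomputes it: no secret needed."""
    forged = tamper(ORIGINAL)
    received_digest = sha256_hex(forged)  # rewritten together with the data
    return sha256_hex(forged) != received_digest  # False: the receiver is fooled

def hmac_detects_tamper() -> bool:
    """Without MAC_KEY the attacker can neither reuse the old tag nor mint a new one."""
    tag = hmac_tag(MAC_KEY, ORIGINAL)
    forged = tamper(ORIGINAL)
    guessed = hmac_tag(b"wrong-key", forged)
    return not verify_hmac(MAC_KEY, forged, tag) and not verify_hmac(MAC_KEY, forged, guessed)

if __name__ == "__main__":
    print("plain hash, digest sent separately:", hash_detects_tamper())            # True
    print("plain hash, digest sent with data:", hash_detects_recomputed_digest())  # False
    print("HMAC, key never exposed:", hmac_detects_tamper())                        # True
```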
Availability: Keeping Systems Up and Running
Availability means that systems and data are accessible to authorized users when they need them. A system that's completely secure but never works is useless.
What threatens availability?
- DDoS attacks — flooding a server with traffic until it can no longer serve legitimate requests
- Ransomware — encrypting files and demanding payment to restore access
- Hardware failures — drives crashing, power outages
- Natural disasters — data centers affected by floods, fires, or earthquakes
How we protect availability:
- Redundancy — multiple copies, multiple servers, multiple regions
- Backups — regular, tested, and stored separately from the primary system
- DDoS mitigation — traffic filtering and content delivery networks (CDNs)
- Disaster recovery plans — documented procedures for restoring service
The Triad Creates Tradeoffs
Here's the nuance that makes security hard: the three properties often pull against each other.
Confidentiality vs. Availability
The more strictly you control access (confidentiality), the harder it can be for legitimate users to get in quickly (availability). Two-factor authentication improves security but adds friction.
Integrity vs. Availability
Requiring cryptographic verification of every piece of data adds latency. High-integrity systems are sometimes slower or less available during verification failures.
Confidentiality vs. Integrity
Encrypting everything is great for confidentiality, but can make it harder to verify integrity without decrypting first — creating performance tradeoffs.
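Encrypt-then-MAC is the usual way to resolve this tension: the tag is computed over the ciphertext, so the receiver checks integrity before spending any time decrypting and never processes tampered ciphertext. The Python below is an added illustration, not code from the page; its SHA-256 counter keystream is a constructed toy cipher standing in for a real one such as AES-GCM, and both keys are constructed.

```python
import hashlib
import hmac
import os

# Constructed keys for the demo (not from the page); real systems derive separate keys via a KDF.
ENC_KEY = b"constructed-encryption-key-keep-secret"
MAC_KEY = b"constructed-mac-key-keep-separate"
NONCE_LEN, TAG_LEN = 12, 32

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy SHA-256 counter-mode keystream, for illustration only; use AES-GCM or ChaCha20-Poly1305 for real data."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def seal(plaintext: bytes, nonce: bytes = b"") -> bytes:
    """Encrypt-then-MAC: the tag covers nonce and ciphertext, so it can be checked without ENC_KEY."""
    nonce = nonce or os.urandom(NONCE_LEN)
    ciphertext = xor(plaintext, keystream(ENC_KEY, nonce, len(plaintext)))
    tag = hmac.new(MAC_KEY, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def open_sealed(blob: bytes) -> bytes:
    """Verify first: decryption only runs on data whose integrity is already established."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed; ciphertext was not decrypted")
    return xor(ciphertext, keystream(ENC_KEY, nonce, len(ciphertext)))

def flip_byte(blob: bytes, index: int) -> bytes:
    """Model an on-path modification of a single byte."""
    return blob[:index] + bytes([blob[index] ^ 0x01]) + blob[index + 1:]

def demo() -> tuple:
    """Returns (recovered plaintext, whether a tampered blob was rejected before decryption)."""
    blob = seal(b"transfer 100 to alice")
    recovered = open_sealed(blob)
    try:
        open_sealed(flip_byte(blob, NONCE_LEN))  # first ciphertext byte
        rejected = False
    except ValueError:
        rejected = True
    return recovered, rejected
```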
Frequently Asked Questions
Is there a fourth principle beyond CIA?
Yes — some models add Non-repudiation: the guarantee that someone cannot deny having sent or received a message. Digital signatures provide non-repudiation. Some extended models also include Authenticity (confirming the source of data) and Accountability (tracing actions back to individuals). But CIA covers ~90% of security reasoning.
Which of the three is most important?
It depends entirely on the context. For a password database, confidentiality is paramount. For a financial transaction log, integrity is critical. For an emergency services dispatch system, availability is the priority. Good security thinking applies all three and understands the tradeoffs for the specific use case.
How does post-quantum cryptography relate to the CIA Triad?
Post-quantum cryptography primarily protects confidentiality (by keeping encrypted data unreadable even to quantum computers) and integrity (through quantum-safe digital signatures). The threat from quantum computers is specifically to the cryptographic mechanisms that underpin those two properties.