Kernel of Truth

CIA Triad

The CIA Triad is a foundational concept in cybersecurity that represents the three core principles for securing information systems:


🔐 1. Confidentiality

What it means:
Only authorised individuals or systems should have access to sensitive data.

Purpose:
To prevent unauthorised disclosure of information—whether intentional (e.g. hacking) or accidental (e.g. misdelivery).

Examples:

  • Encryption of emails and files
  • Access control policies (e.g. MFA, RBAC)
  • Data classification and labelling

🧾 2. Integrity

What it means:
Information must be accurate and unaltered unless modified by authorised users in authorised ways.

Purpose:
To protect data from unauthorised changes—whether malicious or accidental—and to ensure it’s trustworthy.

Examples:

  • Checksums and hashing (e.g. SHA-256)
  • Digital signatures
  • Version control and logging of changes

🔄 3. Availability

What it means:
Information and systems must be accessible to authorised users when needed.

Purpose:
To ensure business continuity and prevent disruptions caused by attacks (e.g. DDoS), system failures, or disasters.

Examples:

  • Redundant systems and failover strategies
  • Regular backups
  • DDoS protection and load balancing

🎯 Why It Matters

The CIA Triad helps organisations evaluate and prioritise security measures. Every security control you implement typically supports one or more elements of the triad.

For instance:

  • Firewalls support confidentiality and availability
  • Backup systems support availability and integrity
  • Access control lists (ACLs) support confidentiality

Here’s a realistic example of applying the CIA Triad (Confidentiality, Integrity, Availability) in an IT environment, using a scenario involving employee access to payroll records:


🏢 Scenario: Securing Payroll Data in a Company

🔐 Confidentiality

Goal: Prevent unauthorised access to sensitive payroll records.

Implementation:

  • Only HR staff are granted access to the payroll system through role-based access controls (RBAC).
  • Multi-Factor Authentication (MFA) is required for all HR logins.
  • All payroll data is stored encrypted at rest (e.g. using AES-256) and in transit (TLS 1.2+).
  • Audit logs track access attempts to payroll records.

Result: Employees outside of HR cannot view or tamper with salary data.


🧾 Integrity

Goal: Ensure payroll records remain accurate and are not tampered with.

Implementation:

  • All data entry changes to payroll records are logged and time-stamped.
  • Hashing (e.g. SHA-256) is used to verify the integrity of backup files.
  • Digital signatures verify that payroll exports come from the trusted payroll system.
  • Automatic validation rules prevent invalid salary entries (e.g. negative amounts).

Result: If a record is altered accidentally or maliciously, it’s detectable and reversible.


🔄 Availability

Goal: Ensure payroll services are accessible when needed—especially during pay runs.

Implementation:

  • The payroll system is hosted on redundant infrastructure with failover support.
  • Regular, automated backups are stored offsite and tested monthly.
  • A DDoS mitigation service protects the HR portal from downtime.
  • SLA monitoring alerts IT if service availability drops below a defined threshold.

Result: HR can access the system any time, and payroll is processed on time without disruption.
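To make the scenario concrete, here is an added example (not part of the original page) that models the payroll controls described above in Python using only the standard library: the RBAC and MFA check with an audit trail for Confidentiality, the validation rule, backup checksum and tagged export for Integrity, and the SLA threshold check for Availability. It also serves the hashing and digital-signature examples listed under Integrity earlier on the page. The role table, user names, salary records, backup contents, key and health-check results are all constructed sample data, and an HMAC-SHA256 tag stands in for the digital signature on exports so the example runs offline; a real deployment would use an asymmetric signature and an append-only log store.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Confidentiality: role-based access control, MFA requirement, audit log.
# The roles, permissions and users below are constructed sample data.
ROLE_PERMISSIONS = {
    "hr": {"payroll:read", "payroll:write"},
    "engineering": set(),
}
AUDIT_LOG = []  # in production this would be an append-only log store


def authorize(user, role, permission, mfa_verified):
    """Return True only if the role grants the permission and MFA succeeded.
    Every decision, allowed or denied, is recorded in the audit log."""
    allowed = bool(mfa_verified) and permission in ROLE_PERMISSIONS.get(role, set())
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "role": role,
        "permission": permission,
        "mfa": bool(mfa_verified),
        "allowed": allowed,
    })
    return allowed


# Integrity: validation rules, backup checksums, tagged exports.
def validate_salary_entry(entry):
    """Reject records that break business rules before they are stored."""
    salary = entry.get("salary")
    if isinstance(salary, bool) or not isinstance(salary, (int, float)):
        return False
    if salary < 0:  # the page's example rule: no negative amounts
        return False
    return bool(entry.get("employee_id"))


def sha256_hex(data):
    """SHA-256 digest of the given bytes as a hex string."""
    return hashlib.sha256(data).hexdigest()


def backup_is_intact(backup_bytes, recorded_digest):
    """Compare the backup's SHA-256 with the digest recorded when it was made."""
    return hmac.compare_digest(sha256_hex(backup_bytes), recorded_digest)


def sign_export(records, key):
    """Serialise records canonically and attach an HMAC-SHA256 tag.
    Assumption: a keyed MAC stands in for the digital signature the page
    describes, so the example needs only the standard library."""
    payload = json.dumps(records, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return payload, tag


def verify_export(payload, tag, key):
    """Recompute the tag over the received payload and compare in constant time."""
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


# Availability: SLA threshold check over periodic health probes.
def availability_below_threshold(probe_results, threshold_pct):
    """probe_results is a list of True/False health-check outcomes (constructed)."""
    if not probe_results:
        return True  # no successful probes means the service is not observably up
    uptime_pct = 100.0 * sum(1 for ok in probe_results if ok) / len(probe_results)
    return uptime_pct < threshold_pct


if __name__ == "__main__":
    print("hr read allowed:", authorize("alice", "hr", "payroll:read", True))
    print("eng read allowed:", authorize("bob", "engineering", "payroll:read", True))
    print("hr without MFA:", authorize("alice", "hr", "payroll:read", False))
    print("negative salary valid:", validate_salary_entry({"employee_id": "E1", "salary": -100}))
    backup = b"constructed backup contents"
    digest = sha256_hex(backup)
    print("backup intact:", backup_is_intact(backup, digest))
    print("tampered backup intact:", backup_is_intact(backup + b"x", digest))
    key = b"constructed-export-key"
    payload, tag = sign_export([{"employee_id": "E1", "salary": 5000}], key)
    print("export verifies:", verify_export(payload, tag, key))
    print("altered export verifies:", verify_export(payload.replace(b"5000", b"9000"), tag, key))
    print("SLA breached:", availability_below_threshold([True] * 95 + [False] * 5, 99.5))
    print("audit entries:", len(AUDIT_LOG))
```

Each control maps back to one leg of the triad: a denied or MFA-less request never returns True and still leaves an audit entry, an altered backup or export fails its check, and the SLA function only raises an alert when measured uptime falls below the configured percentage.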


✅ Summary

In this example:

  • Confidentiality protects who can see the data.
  • Integrity ensures the data isn’t changed inappropriately.
  • Availability ensures the system is up and running when needed.

This approach scales to nearly every cybersecurity domain—whether you’re protecting financial systems, healthcare records, or customer data.