The CIA Triad & Core Principles
The CIA Triad — Foundation of Information Security
The CIA Triad is the most fundamental model in information security. Every security control, policy, and mechanism can be evaluated against these three pillars:
Confidentiality
Ensuring that information is accessible only to those authorized to access it. Breached by unauthorized disclosure, eavesdropping, or data theft.
Tools: Encryption, Access Control, Data Classification
Integrity
Maintaining the accuracy and completeness of data. Ensures data has not been tampered with by unauthorized parties during storage or transit.
Tools: Hash functions (SHA-256), Digital Signatures, Checksums
Availability
Ensuring authorized users can access information and systems when needed. Breached by DDoS attacks, hardware failure, or ransomware.
Tools: Redundancy, Backups, Load Balancers, DDoS Protection
Extended Model: The Parkerian Hexad
Beyond CIA, Donn Parker proposed three additional elements:
- Possession/Control — Control over physical media containing data
- Authenticity — Verifying identity is genuine (non-repudiation)
- Utility — Data must be in a usable format
Non-Repudiation
Non-repudiation ensures that a party cannot later deny having signed a document or sent a message; in practice it rests on digital signatures, since a valid signature can only be produced by the holder of the corresponding private key. This is critical in:
- Digital contracts and e-commerce
- Legal and forensic investigations
- Financial transaction auditing
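The integrity and non-repudiation tools named above, shown together in an added example that is not part of the original page: a SHA-256 digest detects any change to a record, and an Ed25519 signature binds that record to one key holder, which a bare hash cannot do because anyone can recompute it. The invoice text is a constructed sample.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// IntegrityCheck reports whether the SHA-256 digest of data matches the hex
// digest recorded earlier. Flipping a single bit of data changes the digest.
func IntegrityCheck(data []byte, expectedHex string) bool {
	sum := sha256.Sum256(data)
	got := hex.EncodeToString(sum[:])
	return subtle.ConstantTimeCompare([]byte(got), []byte(expectedHex)) == 1
}

// Sign produces an Ed25519 signature over msg with the signer's private key.
func Sign(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

// Verify checks sig against the signer's public key. Only the matching private
// key can produce a valid signature, so the signer cannot credibly deny it.
func Verify(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	// Constructed sample: an invoice line stored together with its digest.
	original := []byte("invoice 1042: pay 500.00 EUR to account A")
	sum := sha256.Sum256(original)
	digest := hex.EncodeToString(sum[:])
	tampered := []byte("invoice 1042: pay 500.00 EUR to account B")
	fmt.Println("original intact:", IntegrityCheck(original, digest)) // true
	fmt.Println("tampered intact:", IntegrityCheck(tampered, digest)) // false

	// The digest alone proves nothing about who wrote the invoice; the
	// signature ties it to the holder of priv and to this exact content.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sig := Sign(priv, original)
	fmt.Println("signature verifies:", Verify(pub, original, sig)) // true
	fmt.Println("tampered verifies:", Verify(pub, tampered, sig))  // false
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("other party's key:", Verify(otherPub, original, sig)) // false
}
```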
Defense in Depth
A layered security approach where multiple independent security controls protect the same asset. If one layer fails, others remain to prevent a breach.
🛡️ Layers of Defense in Depth
Physical → Perimeter → Network → Host → Application → Data → User
Think of it like a medieval castle: moat (perimeter), walls (network), guards (host), locked rooms (application), and a vault (data).