An explanation of the CIA triad

In this video, TechTarget editor Michaela Goss talks about the mechanisms of the CIA triad in cybersecurity.

It's not the CIA you're thinking of.

The CIA triad -- in information security, this means confidentiality, integrity and availability. It's an organizational model designed to guide policy around storing data and information. And because of the inevitable confusion with the federal government's CIA, you might also see it as the AIC triad.

What's important is that each letter represents a foundational principle in cybersecurity -- confidentiality, integrity and availability.

Let's break down each component of the triad.

Confidentiality is a set of rules that limit access to information. It's comparable to privacy -- ensuring confidentiality means the right people can access sensitive information, while the wrong people cannot. This can be accomplished through methods like data encryption, multifactor authentication and biometric verification.

Integrity is the assurance that the information is trustworthy and accurate. It involves maintaining data consistency and accuracy over its entire lifecycle. Measures like file permissions and user access controls ensure that unauthorized people can't change data, while checksums and backups safeguard data from nonhuman threats, such as an electromagnetic pulse or a server crash.
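As an added illustration of the integrity controls named above (this is example code, not part of the original video), the Python below records SHA-256 checksums in a manifest and detects a single flipped bit, the kind of nonhuman corruption a crash mid-write or a bad sector causes. It also shows the caveat a practitioner would add: a plain checksum catches accidental change only, because anyone who can rewrite the data store can recompute the checksum too, so a keyed HMAC with a key the writer does not hold is what catches deliberate tampering. The file names, contents and key are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample "files": name -> contents. In practice these would be
# read from disk; they are embedded here so the example runs offline.
FILES = {
    "config.yaml": b"listen: 0.0.0.0:8443\ntls: required\n",
    "users.csv": b"alice,admin\nbob,viewer\n",
}


def build_manifest(files):
    """Record a SHA-256 digest (the 'checksum') for every file."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def verify_manifest(files, manifest):
    """Return the names of files whose current digest no longer matches the manifest."""
    return [name for name, data in files.items()
            if hashlib.sha256(data).hexdigest() != manifest.get(name)]


def flip_bit(data, byte_index, bit):
    """Simulate accidental corruption by flipping one bit of the data."""
    buf = bytearray(data)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)


def build_signed_manifest(files, key):
    """Keyed variant: HMAC-SHA256 under a secret the verifier holds but a writer of the store does not."""
    return {name: hmac.new(key, data, hashlib.sha256).hexdigest() for name, data in files.items()}


def verify_signed_manifest(files, manifest, key):
    """Return the names of files whose HMAC does not match; compare in constant time."""
    return [name for name, data in files.items()
            if not hmac.compare_digest(hmac.new(key, data, hashlib.sha256).hexdigest(),
                                       manifest.get(name, ""))]


def demo():
    """Run the three scenarios and return (accidental, missed, caught) mismatch lists."""
    manifest = build_manifest(FILES)
    assert verify_manifest(FILES, manifest) == []  # clean baseline

    # Nonhuman threat: one bit of users.csv flips on disk. The plain checksum catches it.
    corrupted = dict(FILES)
    corrupted["users.csv"] = flip_bit(FILES["users.csv"], 6, 0)
    accidental = verify_manifest(corrupted, manifest)

    # Human threat: an attacker who can write the data store escalates bob and then
    # recomputes the plain checksums, so verification against the forged manifest passes.
    tampered = dict(FILES)
    tampered["users.csv"] = b"alice,admin\nbob,admin\n"
    forged_manifest = build_manifest(tampered)
    missed = verify_manifest(tampered, forged_manifest)

    # With a keyed MAC (constructed random key held only by the verifier), the attacker
    # cannot recompute valid tags, so the same tampering is detected.
    key = secrets.token_bytes(32)
    signed = build_signed_manifest(FILES, key)
    caught = verify_signed_manifest(tampered, signed, key)
    return accidental, missed, caught


if __name__ == "__main__":
    print(demo())  # (['users.csv'], [], ['users.csv'])
```

The first list shows the checksum doing its job against accidental corruption, the empty second list shows why a checksum alone says nothing about a deliberate change, and the third list shows the keyed check closing that gap. In a real deployment the manifest or the HMAC key would live somewhere the data writers cannot reach, such as a separate signing service or a read-only backup, which is the file-permission and access-control point the video makes.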

And availability is a guarantee of reliable access to the information. It's best ensured by rigorously maintaining all hardware, staying up to date with system upgrades, providing bandwidth, preventing bottlenecks and supporting fast disaster recovery.

But as with many things in the security space, it's easier said than done. Big data poses extra challenges to CIA simply because of the sheer volume of information, its sources and its variety of formats.

The ever-expanding internet of things also challenges the CIA triad. Unpatched IoT devices and weak passwords can easily be exploited by bad actors. Even something like a light bulb with enabled Wi-Fi could be exploited and used as an attack vector.

Many experts think the triad needs an upgrade. One researcher adds in authenticity, possession and utility, making the Parkerian Hexad. Others think the CIA triad is too abstract and should be replaced entirely with the DIE triad -- distributed, immutable and ephemeral.

How does your organization embrace the CIA triad -- or any variation of it? Let us know in the comments below and remember to like and subscribe.

Sabrina Polin is a managing editor of video content for the Learning Content team. She plans and develops video content for TechTarget's editorial YouTube channel, Eye on Tech. Previously, Sabrina was a reporter for the Products Content team.