What Is Information Security (CIA Triad)
Information security protects data against unauthorized disclosure, unauthorized modification, and loss of access when it is needed. Every security decision revolves around three fundamental properties known as the CIA triad.
Confidentiality
Ensures that information is accessible only to those with authorization.
Threats: network interception, leaked credentials, social engineering.
Controls:
- Encryption in transit (TLS) and at rest (AES-256)
- Strong authentication (MFA)
- Role-based access control (RBAC)
Sensitive data → encrypted with key → only key holder can read it
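One way to implement the RBAC control listed above, as an added example that is not code from the original page: a deny-by-default check with a small role hierarchy, enforced at the point where the data is read. The roles, users and report store are constructed for illustration.

```python
"""Added example (not code from the original page): a small deny-by-default
RBAC check, the kind of control the Confidentiality list above calls for.
Roles, permissions and users here are constructed for illustration."""
from dataclasses import dataclass

# Each role grants permissions written as "action:resource_type".
# Inherited permissions are NOT repeated here; they come via ROLE_PARENTS.
ROLE_PERMISSIONS = {
    "viewer": frozenset({"read:report"}),
    "analyst": frozenset({"export:report"}),
    "admin": frozenset({"delete:report", "manage:users"}),
}

# Role hierarchy: a role inherits everything its parents grant.
ROLE_PARENTS = {
    "analyst": ("viewer",),
    "admin": ("analyst",),
}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


def effective_roles(roles):
    """Expand roles through the parent chain. Iterative and cycle-safe, so a
    misconfigured hierarchy cannot hang the check."""
    seen = set()
    stack = list(roles)
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        stack.extend(ROLE_PARENTS.get(role, ()))
    return frozenset(seen)


def permissions_for(user):
    """Union of the permissions of all effective roles. Roles that are not
    defined in ROLE_PERMISSIONS grant nothing."""
    perms = set()
    for role in effective_roles(user.roles):
        perms |= ROLE_PERMISSIONS.get(role, frozenset())
    return frozenset(perms)


def is_authorized(user, action, resource_type):
    """Deny by default: return True only for an explicit grant. There is no
    'allow' fallback for unknown users, roles or actions."""
    return f"{action}:{resource_type}" in permissions_for(user)


def read_report(user, report_id, store):
    """Enforce the check at the data access point, not only in the UI.
    Raises PermissionError instead of returning partial data."""
    if not is_authorized(user, "read", "report"):
        raise PermissionError(f"{user.name} may not read reports")
    return store[report_id]


# Constructed users and data store for the demonstration.
ALICE = User("alice", frozenset({"viewer"}))
BOB = User("bob", frozenset({"admin"}))
EVE = User("eve", frozenset({"intern"}))  # role with no definition -> no access
REPORTS = {"q3": "Q3 revenue figures (confidential)"}

if __name__ == "__main__":
    for u in (ALICE, BOB, EVE):
        print(u.name, "read:", is_authorized(u, "read", "report"),
              "delete:", is_authorized(u, "delete", "report"))
```

The point to notice is the absence of any "else: allow" branch: an undefined role, a typo in an action name or a user with no roles all fall through to a denial, which is what least privilege requires.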
Integrity
Ensures that information has not been altered in an unauthorized way.
Threats: man-in-the-middle attacks, data injection, accidental corruption.
Controls:
- Digital signatures
- Hashes (SHA-256) to verify file integrity, provided the reference hash is obtained from a source the attacker cannot also alter (for example a signed checksum file)
- Immutable audit logs
# Verify file integrity
sha256sum file.iso
# Compare the output with the hash published by the vendor, or let sha256sum
# do the comparison against the vendor's checksum file (GNU coreutils):
sha256sum -c SHA256SUMS --ignore-missing
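The check that `sha256sum -c` performs, written out in Python so each step is visible, as an added example that is not code from the original page. It also shows the caveat behind the hash control: if the attacker can rewrite the checksum list as well as the file, an unkeyed hash detects nothing, whereas a keyed tag (or a digital signature) does. The artifact bytes, the SHA256SUMS text and `VENDOR_KEY` are constructed for the example; `file.iso` is the name the page uses.

```python
"""Added example (not code from the original page): the check behind
`sha256sum -c`, done in Python, plus the keyed variant that a plain hash
cannot give you. The artifact bytes, the checksum list and the key are
constructed for the example; 'file.iso' is the file name the page uses."""
import hashlib
import hmac
import re

# Constructed "known good" artifacts. A real vendor publishes SHA256SUMS for
# its release; here it is generated from the bytes so the example runs offline.
GOOD_ISO = b"pretend this is the vendor's ISO image\n"
OTHER = b"a second artifact in the same release\n"
SHA256SUMS = (
    f"{hashlib.sha256(GOOD_ISO).hexdigest()}  file.iso\n"   # text mode: two spaces
    f"{hashlib.sha256(OTHER).hexdigest()} *other.iso\n"     # binary mode: ' *'
)
# Constructed key standing in for the vendor's signing key. Not a real secret.
VENDOR_KEY = b"example-vendor-key-for-illustration-only"

SUMS_LINE = re.compile(r"([0-9a-fA-F]{64}) [ *](.+)")


def parse_sha256sums(text):
    """Parse sha256sum output ('<hex>  <name>' or '<hex> *<name>').
    Malformed lines raise rather than being skipped silently."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SUMS_LINE.fullmatch(line)
        if m is None:
            raise ValueError(f"SHA256SUMS line {lineno} is malformed")
        entries[m.group(2)] = m.group(1).lower()
    return entries


def sha256_hex(data, chunk_size=64 * 1024):
    """Hash in chunks, as you would when streaming a multi-GB image from disk."""
    h = hashlib.sha256()
    for start in range(0, len(data), chunk_size):
        h.update(data[start:start + chunk_size])
    return h.hexdigest()


def verify_download(name, data, sums_text):
    """True only if `data` matches the digest listed for `name`.
    An unlisted name raises: a missing entry must never read as success."""
    expected = parse_sha256sums(sums_text).get(name)
    if expected is None:
        raise KeyError(f"{name} is not listed in SHA256SUMS")
    # compare_digest is constant-time, so a mismatch does not leak its position.
    return hmac.compare_digest(sha256_hex(data), expected)


def keyed_tag(data, key):
    """HMAC-SHA256 tag. Only a holder of `key` can produce one, which is the
    property an unkeyed hash lacks. A digital signature gives the same
    guarantee without a shared secret."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_keyed_tag(data, key, tag_hex):
    return hmac.compare_digest(keyed_tag(data, key), tag_hex)


def tamper_scenario():
    """An attacker who controls the download mirror replaces the image AND
    rewrites the unsigned SHA256SUMS next to it. The unkeyed check passes
    (attack undetected); the keyed check fails because the attacker cannot
    forge a tag without VENDOR_KEY."""
    evil_iso = b"backdoored image\n"
    evil_sums = f"{hashlib.sha256(evil_iso).hexdigest()}  file.iso\n"
    published_tag = keyed_tag(GOOD_ISO, VENDOR_KEY)  # issued before the compromise
    return {
        "unkeyed_check_passes": verify_download("file.iso", evil_iso, evil_sums),
        "keyed_check_passes": verify_keyed_tag(evil_iso, VENDOR_KEY, published_tag),
    }


if __name__ == "__main__":
    print("good image verifies:", verify_download("file.iso", GOOD_ISO, SHA256SUMS))
    print("tampered mirror:", tamper_scenario())
```

In practice the keyed tag is replaced by the vendor's detached signature over SHA256SUMS (for example a GPG or minisign signature); the structure of the check is the same: hash the bytes you received, then confirm the reference you compare against is one the attacker could not have produced.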
Availability
Ensures that systems and data are accessible when needed.
Threats: DDoS, hardware failure, ransomware, human error.
Controls:
- Redundancy and failover
- Regular backups, with restores tested and at least one copy offline or immutable so ransomware cannot encrypt it too
- Disaster recovery plans (DRP)
Trade-offs Between Pillars
Strengthening one pillar can weaken another. Example: encrypting data at rest raises confidentiality, but it adds latency and a new failure mode: if the key is lost or the key service is down, the data is unavailable even though the disks are intact. Every decision requires a conscious balance.
High security → more friction for the user
High usability → larger attack surface
Practical Application
When evaluating an asset, ask:
- Who can see it? (Confidentiality)
- Who can modify it? (Integrity)
- When does it need to be available? (Availability)
These answers guide which controls to implement.