The classic model for information security: Confidentiality, Integrity, Availability
Overview
The CIA Triad is a concise way to remember the fundamentals of IT security. You may also see it called the
AIC Triad (to avoid confusion with the U.S. federal agency, the Central Intelligence Agency). In security,
CIA refers only to the three core objectives below and has nothing to do with the government agency.
You’ll often see the triad depicted as a triangle: each side represents one objective—Confidentiality, Integrity, and Availability.
Model
[Figure: the triad drawn as a triangle; labels on the diagram read "Security Objectives" and "Design Trade-offs".]
Each leg supports overall security; strengthening one can affect the others.
Confidentiality (the “C”)
Confidentiality ensures that only authorized people can view sensitive information. We protect data from
unauthorized disclosure so private information stays private.
Common Methods
Encryption: The sender encrypts data; the receiver decrypts it to recover the original plaintext. Interceptors see only unreadable ciphertext.
Access Controls: Limit who can view or modify data (e.g., marketing can edit slides, but cannot see accounting records).
Multi-Factor Authentication (MFA): Adds extra authentication factors so an account can’t be accessed without proper credentials.
Goal: Make data available only to the right people.
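Two of the methods above, encryption and access control, can be shown in working code. The following is an added example written for this page, not code from the original; it uses Go's standard library AES-256-GCM for the encryption and a constructed permission table for the page's marketing/accounting example. The key, the role names and the resource names are assumptions made for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// policy is a constructed permission table for the page's example:
// marketing may edit slides but has no access to the accounting ledger.
var policy = map[string]map[string][]string{
	"marketing":  {"slides": {"read", "write"}},
	"accounting": {"slides": {"read"}, "ledger": {"read", "write"}},
}

// Allowed reports whether role may perform action on resource.
// Anything not explicitly granted is denied (default deny).
func Allowed(role, resource, action string) bool {
	for _, a := range policy[role][resource] {
		if a == action {
			return true
		}
	}
	return false
}

// Encrypt seals plaintext with AES-256-GCM under a 32-byte key.
// The result is nonce || ciphertext || tag; without the key it is unreadable.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce, so the nonce travels with the message.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. It returns an error (and no plaintext) for a
// wrong key or for a message that was modified in transit.
func Decrypt(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize() {
		return nil, errors.New("message too short")
	}
	nonce, ct := msg[:gcm.NonceSize()], msg[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	key := make([]byte, 32) // assumed shared key; in practice distributed via a key-management system
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	ct, err := Encrypt(key, []byte("Q3 accounting figures")) // constructed sample data
	if err != nil {
		panic(err)
	}
	fmt.Printf("interceptor sees: %x\n", ct)
	pt, _ := Decrypt(key, ct)
	fmt.Printf("receiver recovers: %s\n", pt)
	fmt.Println("marketing write slides:", Allowed("marketing", "slides", "write"))
	fmt.Println("marketing read ledger: ", Allowed("marketing", "ledger", "read"))
}
```

The access-control check is deliberately default-deny: a role that is not listed for a resource gets nothing, which is the safer failure mode when a policy entry is missing.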
Integrity (the “I”)
Integrity guarantees that data is accurate and unaltered from the time it is sent to the time it is received.
We want recipients to receive exactly what the sender originated.
Common Methods
Hashing: Sender computes a hash of the data and sends both data and hash. The receiver recomputes the hash; if both match, the data hasn’t changed.
Digital Signatures: A hash that is cryptographically signed (with asymmetric keys) lets the receiver verify integrity and confirm the sender’s identity.
Certificates: Bind identities to keys to authenticate devices or people and strengthen integrity checks during transfers.
Nonrepudiation: With signatures and proper logging, the sender cannot credibly deny having sent the data.
Goal: Detect (and ideally prevent) unauthorized changes and confirm the true sender.
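The hashing and digital-signature methods above, as an added example written for this page (not code from the original). It uses Go's standard library SHA-256 and Ed25519; the sample message and the key pair are constructed for the demonstration. It also shows the caveat behind the page's "confirm the true sender" goal: a plain hash sent beside the data detects accidental corruption, but whoever can alter the data in transit can recompute that hash too, so only the signature, which requires the sender's private key, ties the data to its origin.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Hash is what the sender computes and transmits alongside the data.
func Hash(data []byte) [32]byte {
	return sha256.Sum256(data)
}

// HashOK is the receiver's check: recompute and compare.
func HashOK(data []byte, expected [32]byte) bool {
	return sha256.Sum256(data) == expected
}

// SignedMessage is what a signing sender transmits: the data plus an
// Ed25519 signature over it made with the sender's private key.
type SignedMessage struct {
	Data []byte
	Sig  []byte
}

// GenerateKeys creates a sender's key pair (constructed here; normally
// the public key would be distributed via a certificate).
func GenerateKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign produces the message the receiver will verify.
func Sign(priv ed25519.PrivateKey, data []byte) SignedMessage {
	return SignedMessage{Data: data, Sig: ed25519.Sign(priv, data)}
}

// Verify checks both integrity (data unchanged since signing) and origin
// (signed by the holder of the private key matching pub).
func Verify(pub ed25519.PublicKey, m SignedMessage) bool {
	return ed25519.Verify(pub, m.Data, m.Sig)
}

func main() {
	pub, priv, err := GenerateKeys()
	if err != nil {
		panic(err)
	}
	data := []byte("transfer 100 to account 42") // constructed sample message
	h := Hash(data)
	fmt.Printf("sha256: %x  matches: %v\n", h, HashOK(data, h))

	m := Sign(priv, data)
	fmt.Println("signature verifies:", Verify(pub, m))
	m.Data = []byte("transfer 900 to account 42") // tampered in transit
	fmt.Println("after tampering:   ", Verify(pub, m))
}
```

Because verification needs only the public key, any recipient can check the message, while only the private-key holder could have produced it; with the signed message retained in logs, that is the basis of the nonrepudiation the page describes.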
Availability (the “A”)
Availability ensures that systems and data are accessible when needed. Security controls must not prevent
legitimate use.
Common Methods
Redundancy & Fault Tolerance: Duplicate components and failover paths keep services running if something breaks.
Maintenance & Patching: Proactive updates improve stability and close vulnerabilities that could be used to disrupt service.
Monitoring & Response: Detect performance or security issues early and remediate quickly to minimize downtime.
Goal: Keep legitimate users online and productive, even under failure or attack.
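Redundancy with failover, and monitoring that takes a failing component out of rotation and returns it after remediation, as an added example written for this page (not code from the original). The replicas are constructed stand-ins (functions that return a response or an error) rather than real servers, and the failure threshold is an assumed value.

```go
package main

import (
	"errors"
	"fmt"
)

// Replica is one redundant backend. Handle stands in for a network call.
type Replica struct {
	Name     string
	Handle   func(req string) (string, error)
	failures int  // consecutive failures seen by the cluster
	Down     bool // removed from rotation after too many failures
}

// failureThreshold is an assumed monitoring setting for this example.
const failureThreshold = 2

// Cluster routes requests across replicas so one failure does not stop service.
// Alerts collects what monitoring would page an operator about.
type Cluster struct {
	Replicas []*Replica
	Alerts   []string
}

var ErrNoReplica = errors.New("no healthy replica available")

// Call tries each replica still in rotation. On error it records the failure,
// fails over to the next replica, and reports an outage only if all are exhausted.
func (c *Cluster) Call(req string) (string, error) {
	for _, r := range c.Replicas {
		if r.Down {
			continue
		}
		resp, err := r.Handle(req)
		if err == nil {
			r.failures = 0
			return resp, nil
		}
		r.failures++
		if r.failures >= failureThreshold {
			r.Down = true
			c.Alerts = append(c.Alerts, fmt.Sprintf("%s removed from rotation after %d failures: %v", r.Name, r.failures, err))
		}
	}
	c.Alerts = append(c.Alerts, "OUTAGE: "+ErrNoReplica.Error())
	return "", ErrNoReplica
}

// Probe is the periodic health check: a replica that answers again
// (for example after a patch and restart) is returned to rotation.
func (c *Cluster) Probe() {
	for _, r := range c.Replicas {
		if !r.Down {
			continue
		}
		if _, err := r.Handle("healthcheck"); err == nil {
			r.Down, r.failures = false, 0
			c.Alerts = append(c.Alerts, r.Name+" back in rotation")
		}
	}
}

// InRotation counts replicas currently able to serve requests.
func (c *Cluster) InRotation() int {
	n := 0
	for _, r := range c.Replicas {
		if !r.Down {
			n++
		}
	}
	return n
}

func main() {
	aUp := false // constructed scenario: replica A is broken at first
	a := &Replica{Name: "replica-a", Handle: func(req string) (string, error) {
		if !aUp {
			return "", errors.New("connection refused")
		}
		return "a:" + req, nil
	}}
	b := &Replica{Name: "replica-b", Handle: func(req string) (string, error) { return "b:" + req, nil }}
	c := &Cluster{Replicas: []*Replica{a, b}}

	for i := 0; i < 3; i++ {
		resp, err := c.Call("GET /report")
		fmt.Printf("call %d: resp=%q err=%v in rotation=%d\n", i+1, resp, err, c.InRotation())
	}
	aUp = true // A is repaired
	c.Probe()
	resp, _ := c.Call("GET /report")
	fmt.Printf("after probe: resp=%q in rotation=%d\n", resp, c.InRotation())
	for _, al := range c.Alerts {
		fmt.Println("alert:", al)
	}
}
```

Users keep getting answers from the healthy replica throughout, and the alerts give operations the early signal the page's monitoring method calls for; the outage alert fires only when every replica has been exhausted.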
Putting It Together
The CIA (AIC) Triad provides a simple, memorable framework for designing and evaluating security controls. Real-world systems must
balance all three objectives—Confidentiality, Integrity, and Availability—to meet business and
user needs without creating unnecessary risk.