The CIA Triad

The CIA Triad is a venerable, well-known model for security policy development, used to identify problem areas and necessary solutions for information security. Read on for an introduction to the CIA Triad's strengths and weaknesses.

In "Knowing the superficial side of security is important, too," I mentioned the CIA Triad as an example of the sort of "industry standard" terms that the user should know. You could go look it up elsewhere yourself, of course, but I'll help you get started.

Central Intelligence Agency?

The meaning of CIA that is probably most familiar to my readers is the Central Intelligence Agency — "an independent US Government agency responsible for providing national security intelligence to senior US policymakers." In this case, however, the CIA in CIA Triad stands for something else: Confidentiality, Integrity, and Availability.

The CIA Triad is a security model developed to help people think about important aspects of IT security — or maybe to give someone a way to make money on another buzzword. I don't know enough about the origins of the term to know for sure. Let's just go with the optimistic interpretation that it was created with the best of intentions.


In "Privacy is security," I discussed the importance of protecting your most sensitive information from unauthorized access. Roughly synonymous with privacy as a security concern is the Confidentiality part of the CIA Triad.

Protecting confidentiality hinges upon defining and enforcing appropriate access levels for information. Doing so often involves separating information into discrete collections organized by who should have access to it and how sensitive it is (i.e., how much and what type of damage you would suffer if confidentiality was breached).

Some of the most commonly used means of managing confidientiality on individual systems include traditional Unix file permissions, access control lists, and both file and volume encryption.


The I in CIA stands for Integrity — specifically, data integrity. The key to this component of the CIA Triad is protecting data from modification or deletion by unauthorized parties, and ensuring that when authorized people make changes that shouldn't have been made the damage can be undone.

Some data should not be inappropriately modifiable at all, such as user account controls, because even a momentary change can lead to significant service interruptions and confidentiality breaches. Other data must be much more available for modification than such strict control would allow, such as user files — but should be reversible as much as reasonably possible in case of changes that may later be regretted (as in the case of accidentally deleting the wrong files). For circumstances where changes should be easy for authorized personnel, but easily undone, version control systems and more traditional backups are among the most common measures used to ensure integrity. Traditional Unix file permissions, and even more limited file permissions systems like the read-only file flag in MS Windows 98, can also be an important factor in single system measures for protecting data integrity.


The last component in the CIA Triad refers to the Availability of your data. Systems, access channels, and authentication mechanisms must all be working properly for the information they provide and protect to be available when needed.

High Availability systems are those computing resources whose architectures are specifically oriented toward improving availability. Depending on the specific HA system design, it might target power outages, upgrades, and hardware failures to improve availability, it might manage multiple network connections to route around network outages, or it might be designed to deal with potential availability problems such as Denial of Service attacks.

Many approaches to availability improvements exist, such as HA clusters, failover redundancy systems, and rapid disaster recovery capabilities as in the case of image-based network boot systems. If your business models or other needs require maximum effective uptime, such options should be investigated in depth.

A limited model

You may be noticing a trend here: the CIA Triad is entirely concerned with information. While this is the core factor of most IT security, it promotes a limited view of security that tends to ignore some additional, important factors. For instance, while Availability might serve to ensure that you do not lose access to resources you need to provide information when it is needed, thinking about information security in and of itself in no way guarantees that someone else isn't making unauthorized use of your hardware resources.

You should know about the CIA Triad and how it is often used to plan and implement good security policy, and understand the principles behind it. You should also understand its limitations, that it is not the the sum total of good security policy requirements and should not be used as a checklist for security matters without realizing it's only a starting point. Like any formalized framework, it gives the appearance of a tempting holistic security model, and it might even be very helpful as a beginning to security policy development, but it should never be treated as the end.


Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

Editor's Picks