What is the CIA Triad

The CIA Triad is the foundational model of information security. It defines three properties that every system should guarantee:

  • Confidentiality — only authorized people can see the information
  • Integrity — information cannot be altered by unauthorized people and must always be correct
  • Availability — you can access the information when you need it

Every vulnerability, every attack, and every defense can be classified based on which of these pillars is being violated or protected. If you understand the CIA Triad, you have a mental framework for evaluating any security decision.

Confidentiality

Confidentiality means that only authorized people can access the information. If someone without permission manages to read data they shouldn’t, confidentiality has been violated.

Examples of violation

Web Cache Deception — an attack that exploits discrepancies between how the server and the intermediary cache interpret URLs. The flow:

  1. The attacker identifies an endpoint with sensitive information (e.g., /account/profile)
  2. They find a difference in URL parsing between the cache and the origin server
  3. They craft a malicious URL like /account/profile/logo.jpg and send it to the victim
  4. The server interprets it as /account/profile and returns the sensitive data. The cache sees the .jpg extension and stores the response as static content (this first request is a cache miss that populates the cache)
  5. The attacker accesses the same URL and receives the victim’s data directly from the cache

The difference between a cache hit (response served from cache) and a cache miss (response fetched from the origin server) is central here. The attacker forces a cache miss on the victim’s first request, which then becomes a cache hit for them.

Data leaks and reconnaissance — before an attack comes the reconnaissance (recon) phase. Tools like Whois (DomainTools) and Netcraft allow gathering IP addresses, domain information, technologies in use, DNS records, and even unlisted files and subdirectories. This information, if unnecessarily exposed, facilitates targeted attacks.

WPA/WPA2 cracking — Wi-Fi networks protected by WPA/WPA2 can have their confidentiality compromised. The WPS feature, for example, uses a PIN of only 8 digits that can be brute-forced. Another vector is capturing the four-way handshake (four EAPOL frames) exchanged when a client connects, enabling offline dictionary attacks against the password.

How to protect

  • Encryption — encrypting data in transit (TLS/HTTPS) and at rest (e.g., AES-256) ensures that, even if intercepted or stolen, the data is useless without the key
  • Access control — define who can read, write, or execute each resource (RBAC, ACLs)
  • HTTPS everywhere — never serve authenticated pages over plain HTTP
  • Correct cache headers — use Cache-Control: no-store for dynamic responses with sensitive data
  • Minimize attack surface — do not expose unnecessary information (server version, stack traces, directories)
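To tie the Web Cache Deception flow above to the cache-header defense, here is an added simulation (not code from the original post) of an origin that tolerates trailing path segments sitting behind a cache that stores anything with a static-looking extension. The session names, the /account/profile route and the profile values are constructed; the only thing that changes between the two runs is whether the origin marks the dynamic response Cache-Control: no-store.

```python
from dataclasses import dataclass

@dataclass
class Response:
    body: str
    headers: dict

# Constructed data: two sessions and the profile each one is entitled to see.
SESSIONS = {"sess-victim": "alice", "sess-attacker": "mallory"}
PROFILES = {"alice": "alice@example.invalid", "mallory": "mallory@example.invalid"}
STATIC_EXT = (".jpg", ".css", ".js", ".png")

def origin(path: str, session: str, no_store: bool) -> Response:
    """Origin that tolerates extra path segments: /account/profile/logo.jpg is
    routed exactly like /account/profile (the parsing discrepancy the attack needs)."""
    user = SESSIONS.get(session)
    if path.startswith("/account/profile") and user:
        headers = {"Cache-Control": "no-store"} if no_store else {}
        return Response(f"profile:{PROFILES[user]}", headers)
    return Response("not found", {})

class Cache:
    """Intermediary cache keyed by path: stores anything that looks static by its
    extension unless the origin explicitly forbids it with Cache-Control: no-store."""
    def __init__(self) -> None:
        self.store: dict[str, Response] = {}
        self.log: list[str] = []

    def fetch(self, path: str, session: str, no_store: bool) -> Response:
        if path in self.store:
            self.log.append("HIT")
            return self.store[path]  # served without ever consulting the session
        self.log.append("MISS")
        resp = origin(path, session, no_store)
        if path.endswith(STATIC_EXT) and resp.headers.get("Cache-Control") != "no-store":
            self.store[path] = resp
        return resp

def simulate(no_store: bool) -> tuple[str, list[str]]:
    """The victim requests the crafted URL first, then a different session requests
    the same URL. Returns the body the second requester gets plus the HIT/MISS log."""
    cache = Cache()
    crafted = "/account/profile/logo.jpg"
    cache.fetch(crafted, "sess-victim", no_store)
    second = cache.fetch(crafted, "sess-attacker", no_store)
    return second.body, cache.log

if __name__ == "__main__":
    print("without no-store:", simulate(False))  # victim's profile leaks on a HIT
    print("with no-store:   ", simulate(True))   # second request is a MISS, own profile only
```

The same outcome is achieved by configuring the cache to key on the origin's Content-Type rather than on the URL extension; the header fix is the one the origin controls.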

Integrity

Integrity ensures that information cannot be altered or corrupted by unauthorized people. Data must always be correct and reliable.

Examples of violation

SQL Injection — when an attacker manages to inject SQL commands through unvalidated inputs, they can alter, delete, or corrupt data in the database. A simple '; DROP TABLE users; -- in a login field can destroy critical data if the application concatenates strings to build queries.

Man-in-the-Middle (MITM) — an attacker positioned between the client and the server can intercept and modify data in transit. Without TLS, an attacker on a public Wi-Fi network can alter HTTP responses, inject malicious scripts, or modify financial transactions before they reach their destination.

How to protect

  • Checksums and hashes — algorithms like SHA-256 generate a “fingerprint” of data to detect any alteration
  • Digital signatures — combine hashing with asymmetric cryptography to guarantee authorship and integrity
  • Input validation — never trust data from the client; validate type, format, and limits on the backend
  • Prepared statements — use parameterized queries instead of string concatenation to prevent SQL injection
  • TLS/HTTPS — beyond encrypting, TLS ensures data is not altered in transit (integrity via MAC)
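The SQL injection example from the Integrity section and the prepared-statement defense, side by side, as an added example that is not from the original post. It uses Python's standard sqlite3 module with an in-memory database and a constructed users table; executescript() is used only to stand in for database drivers that accept stacked statements.

```python
import sqlite3

# The input from the text above, as typed into a login field (constructed test data).
PAYLOAD = "'; DROP TABLE users; --"

def fresh_db() -> sqlite3.Connection:
    """In-memory database with one constructed user row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', '<hash placeholder>')")
    conn.commit()
    return conn

def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None

def find_user_concatenated(conn: sqlite3.Connection, username: str) -> None:
    """VULNERABLE: the value is spliced into the SQL text, so quotes and semicolons
    become syntax. executescript() models drivers that run stacked statements;
    sqlite3's execute() happens to refuse them, which is a driver quirk, not a defense."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    conn.executescript(sql)

def find_user_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """HARDENED: the query text is fixed; the value travels separately as data."""
    return conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    ).fetchall()

def demo() -> dict:
    """Run the same payload through both versions and report whether the table survived."""
    vuln, safe = fresh_db(), fresh_db()
    find_user_concatenated(vuln, PAYLOAD)
    rows = find_user_parameterized(safe, PAYLOAD)
    return {
        "table_after_concatenation": table_exists(vuln, "users"),  # False: dropped
        "table_after_parameterized": table_exists(safe, "users"),  # True: intact
        "rows_for_payload": rows,                                   # []: no such user
        "rows_for_alice": find_user_parameterized(safe, "alice"),   # [('alice',)]
    }

if __name__ == "__main__":
    print(demo())
```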

Availability

Availability means you can access information and systems when you need them. There is no point in having secure and intact data if the system is down.

Examples of violation

DDoS (Distributed Denial of Service) — an attack that floods the server with a massive volume of requests from multiple sources, exhausting resources (CPU, memory, bandwidth) and making the service inaccessible to legitimate users.

Infrastructure failures — a single point of failure in the architecture can bring down the entire system. A database without a replica, a server without failover, or a cloud provider without multi-region redundancy are recipes for downtime.

Ransomware — malware that encrypts the system’s data and demands payment to release access. Even if the data is not stolen (confidentiality maintained) and not altered (integrity maintained), the system becomes completely unavailable.

How to protect

  • Redundancy — multiple service instances in different regions, databases with replicas
  • Backups — regular copies with periodic restoration tests (a backup that has never been tested is not a backup)
  • Rate limiting — limit the number of requests per IP/user to mitigate abuse and DDoS attacks
  • CDN and load balancing — distribute load and content geographically
  • Circuit breakers — isolate failures in dependent services to prevent cascading (see the post on Circuit Breaker)
  • Monitoring and alerts — detect degradation before it becomes total unavailability
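As an added illustration of the rate-limiting point (not code from the original post), a per-client token bucket replayed over constructed traffic: one source bursts 20 requests in the same instant while another makes three well-spaced requests. The IP addresses, capacity and refill rate are assumptions chosen for the example.

```python
from collections import defaultdict

class TokenBucket:
    """Per-client token bucket: each client holds at most `capacity` tokens,
    refilled continuously at `rate` tokens per second; one request costs one token."""

    def __init__(self, capacity: int, rate: float) -> None:
        self.capacity = capacity
        self.rate = rate
        self.tokens: dict[str, float] = defaultdict(lambda: float(capacity))
        self.last_seen: dict[str, float] = {}

    def allow(self, client: str, now: float) -> bool:
        elapsed = now - self.last_seen.get(client, now)
        self.tokens[client] = min(self.capacity, self.tokens[client] + elapsed * self.rate)
        self.last_seen[client] = now
        if self.tokens[client] >= 1.0:
            self.tokens[client] -= 1.0
            return True
        return False  # rejected (an HTTP 429 at a real front end)

def replay(limiter: TokenBucket, requests: list[tuple[float, str]]) -> dict[str, dict[str, int]]:
    """Feed (timestamp, client) pairs in time order; return allowed/rejected counts per client."""
    counts: dict[str, dict[str, int]] = defaultdict(lambda: {"allowed": 0, "rejected": 0})
    for now, client in sorted(requests):
        counts[client]["allowed" if limiter.allow(client, now) else "rejected"] += 1
    return dict(counts)

# Constructed traffic (documentation-range addresses): one source fires 20 requests at
# t=0 and one more at t=1; a second source makes three requests one second apart.
FLOOD, LEGIT = "203.0.113.5", "198.51.100.7"
TRAFFIC = [(0.0, FLOOD)] * 20 + [(1.0, FLOOD)] + [(0.0, LEGIT), (1.0, LEGIT), (2.0, LEGIT)]

def demo() -> dict[str, dict[str, int]]:
    # 10 tokens of burst, 5 tokens/s sustained: the flood gets 10 through at t=0, is
    # throttled for the rest of the burst, earns 5 tokens back by t=1, and the
    # legitimate client is never affected because buckets are per client.
    return replay(TokenBucket(capacity=10, rate=5.0), TRAFFIC)

if __name__ == "__main__":
    print(demo())
```

A volumetric DDoS saturates bandwidth before requests reach this code, so per-client limiting complements, rather than replaces, upstream filtering and CDN absorption.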

Summary table

Pillar          | Key question          | Threats                                                            | Defenses
----------------|-----------------------|--------------------------------------------------------------------|------------------------------------------------------------------
Confidentiality | Who can see it?       | Web Cache Deception, data leaks, network sniffing, Wi-Fi cracking  | Encryption, access control, HTTPS, cache headers
Integrity       | Is the data correct?  | SQL injection, MITM, data corruption                               | Checksums, digital signatures, input validation, prepared statements
Availability    | Can I access it?      | DDoS, infrastructure failures, ransomware                          | Redundancy, backups, rate limiting, circuit breakers, monitoring

Conclusion

The CIA Triad is not a theoretical concept that only concerns security teams. Every technical decision a developer makes — from how to store a password to how to configure HTTP headers — directly impacts one or more of these pillars.

The three pillars are complementary and interdependent. Excessive encryption without redundancy can compromise availability. High availability without access control compromises confidentiality. The goal is to find the right balance for your application’s context.
