411.1 The CIA triad

An introduction to core principles of secure development, focusing on confidentiality, integrity, and availability (CIA)

The CIA triad—confidentiality, integrity, and availability—is the cornerstone of secure software development. These three goals ensure that sensitive data remains private, trustworthy, and accessible to those who need it. In this lesson, you’ll explore how each principle protects systems from different threats and how developers balance these goals in real-world applications.

Targets

You will learn to:

  • Define confidentiality, integrity, and availability in the context of software security

  • Provide practical examples of how each principle applies in real-world systems

  • Evaluate how different threats and attacks target specific aspects of the CIA triad

  • Identify potential trade-offs between CIA principles in system design

  • Apply the CIA model when assessing and improving system security

Syllabus references

Secure software architecture
  • Explore fundamental software design security concepts when developing programming code, including:
      – confidentiality
      – integrity
      – availability

Understanding the CIA triad

The CIA triad is a widely accepted model in cybersecurity that helps developers and architects design secure systems.

The three goals of secure software architecture

Each letter in the acronym represents a key goal that software must meet to be considered secure:

  • Confidentiality – Keep data private and restricted to authorised users

  • Integrity – Ensure data is accurate, consistent, and trustworthy

  • Availability – Ensure systems and services are accessible when needed

Together, these principles form a balanced approach to security. Weakness in one area can undermine the system's overall security posture.

Confidentiality

Confidentiality is about preventing unauthorised access to information. This means that data is only accessible to people who are allowed to see it.

In software systems, confidentiality can be protected through:

  • User authentication (e.g. login systems)

  • Role-based access controls (RBAC)

  • Encryption of data at rest and in transit

  • Obfuscation of sensitive values in logs or interfaces

Example

An online health portal uses HTTPS to encrypt communications between the browser and the server, preventing eavesdropping on sensitive medical information.

Threats to confidentiality

  • Data breaches through phishing or malware

  • Insecure APIs that expose private data

  • Poor access control configuration

Integrity

Integrity refers to the trustworthiness and accuracy of data. A secure system must ensure that data is not altered accidentally or maliciously.

To protect integrity, systems often use:

  • Hashing techniques to verify data consistency

  • Digital signatures to authenticate sources

  • Version control and audit trails

  • Input validation to prevent tampering

Example

When downloading software updates, integrity is verified using a digital signature. The file may have been altered or corrupted if the signature doesn't match.
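The hashing check listed above, as an added example that is not part of the original lesson, written with Python's standard library. It uses HMAC (a keyed hash) as a simpler stand-in for a digital signature, which would use a private/public key pair instead; the sample data and the key are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed sample data standing in for a downloaded update file.
UPDATE = b"app-update 2.0: constructed sample payload\n"
# Hypothetical secret held by the publisher and the client (assumption).
KEY = b"constructed-demo-key"


def digest(data: bytes) -> str:
    """Plain SHA-256 hash: changes whenever the data changes."""
    return hashlib.sha256(data).hexdigest()


def tag(data: bytes, key: bytes) -> str:
    """HMAC-SHA256: a hash that can only be computed with the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def digest_ok(data: bytes, expected: str) -> bool:
    # compare_digest compares in constant time
    return hmac.compare_digest(digest(data), expected)


def tag_ok(data: bytes, key: bytes, expected: str) -> bool:
    return hmac.compare_digest(tag(data, key), expected)


def run_checks() -> dict:
    good_digest, good_tag = digest(UPDATE), tag(UPDATE, KEY)
    corrupted = UPDATE.replace(b"2.0", b"2.1")    # data changed in transit
    replaced = b"constructed replacement file\n"  # file swapped at the source
    return {
        "original passes hash": digest_ok(UPDATE, good_digest),
        "original passes tag": tag_ok(UPDATE, KEY, good_tag),
        "corruption caught by hash": not digest_ok(corrupted, good_digest),
        # If the published hash is replaced together with the file,
        # the plain hash check passes even though the file is not genuine.
        "swapped file and hash pass": digest_ok(replaced, digest(replaced)),
        # Without the key, a matching tag cannot be made for the new file.
        "swapped file caught by tag": not tag_ok(
            replaced, KEY, tag(replaced, b"guess")),
    }


if __name__ == "__main__":
    for check, result in run_checks().items():
        print(f"{check}: {result}")
```

A plain hash confirms the data is unchanged, but only a keyed tag or a digital signature also confirms who produced it.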

Threats to integrity

  • Man-in-the-middle attacks that modify transmitted data

  • SQL injection altering stored database values

  • Users bypassing input validation to insert invalid data

Availability

Availability ensures that systems and data are accessible when they are needed. Even secure data becomes unusable if a system is down during critical times.

To maintain availability, systems rely on:

  • Redundant servers and infrastructure

  • Load balancing and autoscaling

  • DDoS (Distributed Denial of Service) protection

  • Regular software patching and hardware maintenance

Example

An online payment system uses multiple servers across different regions to remain accessible during traffic spikes, such as Black Friday sales.

Threats to availability

  • DDoS attacks that overwhelm servers with traffic

  • Hardware failures with no failover plan

  • Software crashes due to unhandled exceptions

Some examples of the threats to software products and systems classified as confidentiality, integrity or availability threats.

Summary

| Principle | What it protects | Example | Common threat |
|---|---|---|---|
| Confidentiality | Privacy of information | Encryption, access control | Data breach, snooping |
| Integrity | Accuracy and trustworthiness | Hashing, digital signatures | Tampering, injection |
| Availability | Uptime and access to services | Load balancing, DDoS protection | DDoS, system crash |
