This chapter covers the foundational CIA triad: Confidentiality, Integrity, and Availability — the core principles that underpin all security controls and policies. For SY0-701, this maps directly to Objective 1.1: Compare and contrast various types of controls. Understanding the triad is essential because every security control you implement will support one or more of these principles. The exam expects you to identify which principle is being protected or violated in a given scenario, and to recognize that the triad forms the basis of security objectives.
Imagine a bank vault with three separate locks, each controlled by a different person: the bank manager, the head teller, and the security guard. Confidentiality is like the lock that only the intended recipient can open. If the wrong person tries to open it, the lock jams and an alarm sounds. Integrity is like a tamper-evident seal on a deposit bag. If anyone opens the bag, the seal breaks, leaving visible evidence that the contents may have been altered. Availability is like the vault's opening hours and backup power generator. Even during a power outage, the vault remains accessible to authorized personnel. Now, think of an attacker trying to steal cash. They could try to pick the confidentiality lock, but that triggers an alarm. They could try to replace the deposit bag with a fake one, but the broken seal reveals the tampering. Or they could cut the power to prevent access, but the backup generator kicks in. The three locks work together: you need all three to maintain trust in the bank. If any lock fails, the entire system is compromised. This mirrors the CIA triad in cybersecurity: confidentiality ensures data is not read by unauthorized parties, integrity ensures data is not altered without detection, and availability ensures data is accessible when needed. Each is a separate control, but they are interdependent. For example, encrypting data (confidentiality) doesn't prevent an attacker from deleting it (availability). A robust security program must balance all three.
What Is the CIA Triad?
The CIA triad is a model designed to guide policies for information security within an organization. It stands for Confidentiality, Integrity, and Availability. These three principles are considered the most crucial components of security. In the context of SY0-701, you must be able to define each, give examples of threats to each, and identify controls that protect each.
Confidentiality: Protecting Data from Unauthorized Access
Confidentiality ensures that data is not disclosed to unauthorized individuals, entities, or processes. It is often enforced through encryption, access controls, and data classification. The primary threat to confidentiality is unauthorized access, which can occur through eavesdropping, man-in-the-middle attacks, or insiders. For example, an attacker using Wireshark to capture unencrypted HTTP traffic violates confidentiality. Controls include encryption (AES-256, RSA-2048), access control lists (ACLs), and multi-factor authentication (MFA). The principle of least privilege is a key strategy: users should only have access to the data necessary for their job. In the exam, be ready to identify that a breach of confidentiality occurs when sensitive data is read by an unauthorized party. Common wrong answer: confusing confidentiality with privacy. Privacy is about controlling personal data, while confidentiality is about restricting access regardless of the data type.
Integrity: Ensuring Data Has Not Been Tampered With
Integrity ensures that data remains accurate and unaltered from its original state, unless modified by authorized parties. It protects against unauthorized modification or destruction. Threats include data corruption, malware that modifies files, and man-in-the-middle attacks that alter data in transit. Controls include hashing (SHA-256, SHA-3), digital signatures, checksums, and version control. For example, a file integrity monitor (FIM) like Tripwire uses hashes to detect changes. In the exam, you might see a scenario where an attacker intercepts a financial transaction and changes the amount — that's an integrity violation. Common wrong answer: thinking integrity only applies to data at rest. Integrity applies to data in transit and in use as well. Also, note that integrity can be provided by cryptographic controls like digital signatures, which also provide non-repudiation.
Availability: Ensuring Data Is Accessible When Needed
Availability ensures that systems, networks, and data are accessible to authorized users when required. Threats include denial-of-service (DoS) attacks, hardware failures, power outages, and natural disasters. Controls include redundancy (RAID, failover clusters), backups, disaster recovery plans, and load balancers. For example, a DDoS attack flooding a web server with traffic makes the site unavailable. Common wrong answer: thinking availability is only about uptime. Availability also includes the ability to access data in a timely manner. The exam may ask which control supports availability — look for options like redundant power supplies, offsite backups, or failover systems.
Balancing the Triad
In practice, you cannot maximize all three simultaneously; trade-offs exist. For example, strong encryption (confidentiality) can slow down access (availability). Strict access controls (confidentiality) might prevent authorized users from getting data quickly (availability). The exam may present scenarios where you must choose which principle is most at risk or which control best addresses a specific threat. Always map the scenario to the core threat: unauthorized reading = confidentiality; unauthorized modification = integrity; inability to access = availability.
Key Standards and Frameworks
NIST SP 800-53: Provides controls mapped to CIA.
ISO 27001: Information security management system based on CIA.
FIPS 140-2/140-3: Cryptographic standards for confidentiality and integrity.
Real Command/Tool Examples
Confidentiality: gpg -c file.txt (encrypts file with symmetric cipher)
Integrity: sha256sum file.txt (computes hash)
Availability: ping -c 4 server (checks if server is reachable)
How Attackers Exploit Each
Confidentiality: Eavesdropping on unencrypted Wi-Fi (WEP vs WPA2)
Integrity: SQL injection that modifies database records
Availability: SYN flood attack that exhausts server resources
How Defenders Deploy Controls
Confidentiality: Implement TLS 1.3 for web traffic
Integrity: Enable audit logging and file integrity monitoring
Availability: Use redundant network paths and automatic failover
Identify the Security Objective
When presented with a scenario, first determine which CIA principle is primarily affected. Ask: Is someone reading data without permission? That's confidentiality. Is data being changed improperly? That's integrity. Is data or service unavailable? That's availability. For example, if a user's email password is stolen and an attacker reads their emails, the primary violation is confidentiality. The exam often gives a mix; focus on the most direct impact.
Classify the Threat Type
Next, categorize the threat. Common threat types: eavesdropping (confidentiality), tampering (integrity), denial of service (availability). Use the CIA triad as a filter. For instance, a ransomware attack encrypts files and demands payment. It primarily affects availability (files are inaccessible) and integrity (files are modified). The exam might ask which is the primary impact — usually availability, because the immediate effect is loss of access. However, note that ransomware also affects integrity because the encryption alters the file content.
Select Appropriate Control
Based on the objective and threat, choose the control that directly addresses it. For confidentiality: encryption, access controls, MFA. For integrity: hashing, digital signatures, version control. For availability: redundancy, backups, failover. Example: To protect against a man-in-the-middle attack that alters data, use a digital signature (integrity). The wrong answer might be encryption (confidentiality) because encryption hides the data but doesn't prevent alteration if the ciphertext is modified.
Evaluate Trade-offs
Recognize that controls can conflict. For example, implementing strict access control (confidentiality) may reduce availability if users can't access data quickly. The exam may ask which principle is weakened by a particular control. For instance, adding encryption may slow down data retrieval, impacting availability. Another example: frequent integrity checks (e.g., hashing every file read) can degrade performance, affecting availability. Always consider the secondary effect.
Apply to Scenario Questions
In the exam, scenario questions will describe an incident or requirement. Your job is to identify the principle at stake or the best control. Decision rule: If the scenario mentions 'unauthorized access' or 'data breach', think confidentiality. If it says 'data tampering' or 'accuracy', think integrity. If it says 'downtime' or 'unavailable', think availability. Avoid overthinking; the most obvious match is usually correct. For example, a scenario about a database transaction being rolled back due to corruption is an integrity issue, not availability.
Scenario 1: SOC Analyst Responding to a Data Exfiltration Alert
A SOC analyst receives an alert from a DLP (Data Loss Prevention) tool indicating that a large amount of sensitive customer data is being uploaded to an external cloud storage service. The analyst sees that the upload is coming from an internal IP address belonging to a finance department employee. The employee had recently been granted access to the customer database as part of a project. The analyst must determine the impact. The primary CIA principle violated is confidentiality, because data is being accessed and transmitted to an unauthorized location. The correct response is to block the outbound connection, revoke the employee's access, and initiate an incident response process to assess the scope. A common mistake is to focus on integrity (worrying about data modification) when the immediate concern is data leakage. The analyst should use tools like Wireshark to capture the traffic (even though the payload is likely encrypted) and check logs from the firewall and proxy server. The DLP tool should also provide details of the data types involved. The incident report would note a breach of confidentiality.
Scenario 2: System Administrator Handling a Ransomware Attack
A hospital's IT team discovers that all patient records on the file server have been encrypted and a ransom note demands payment. The files are inaccessible. The primary CIA impact is availability (data is not accessible) and integrity (data has been modified). The correct response is to isolate the infected systems from the network, restore data from backups (if available), and investigate the entry vector. A common mistake is to treat this as a confidentiality breach (thinking patient data was stolen) when the immediate operational impact is lack of access. The administrator should check backup integrity by verifying hashes of restored files. Tools like Veeam or Windows Server Backup can restore from offsite backups. The incident would be reported as an availability incident, with integrity as a secondary concern.
Scenario 3: Security Engineer Implementing Integrity Monitoring
A security engineer is tasked with ensuring that critical configuration files on Linux servers are not tampered with. They deploy a file integrity monitoring tool like AIDE (Advanced Intrusion Detection Environment). The tool creates a baseline database of cryptographic hashes for each file. Periodically, the tool scans the files and compares current hashes to the baseline. If a hash mismatch is detected, an alert is triggered. The engineer must ensure the baseline itself is stored securely (e.g., on a read-only medium) to prevent tampering. A common mistake is to store the baseline on the same server, allowing an attacker to modify both the file and the baseline. The correct approach is to store baselines on a separate, hardened system. This scenario focuses on integrity. The engineer would use commands like aide --init to create the baseline and aide --check to run integrity checks.
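The baseline-and-check cycle described in Scenario 3, and the sha256sum command listed under Real Command/Tool Examples, can be seen working end to end in the following script. It is an added illustration written for this chapter, not AIDE's code or an official tool: it hashes every file under a monitored directory, stores the hashes in a baseline file that sits outside that directory (the same separation the scenario calls for, though a real deployment would put it on a separate hardened host), and on each check reports files whose hash changed, appeared, or disappeared. The directory layout, file names and contents are constructed for the example.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks (the value sha256sum prints)."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(monitored: Path) -> dict:
    """Map each regular file under `monitored` (by relative path) to its SHA-256."""
    return {
        str(p.relative_to(monitored)): hash_file(p)
        for p in monitored.rglob("*")
        if p.is_file()
    }


def build_baseline(monitored: Path, baseline_file: Path) -> dict:
    """Simplified analogue of `aide --init`: hash every file and persist the result.

    `baseline_file` is chosen by the caller and must live outside the monitored
    tree; in production it belongs on a separate hardened host or read-only media,
    so an intruder who edits a file cannot also edit its recorded hash.
    """
    baseline = snapshot(monitored)
    baseline_file.write_text(json.dumps(baseline, indent=2, sort_keys=True))
    return baseline


def check_integrity(monitored: Path, baseline_file: Path) -> dict:
    """Simplified analogue of `aide --check`: report files whose hash differs from
    the baseline, plus files that were added or removed since it was taken."""
    baseline = json.loads(baseline_file.read_text())
    current = snapshot(monitored)
    return {
        "changed": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small config tree, alter it, and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        monitored = root / "etc"                      # the tree being watched
        (monitored / "ssh").mkdir(parents=True)
        (monitored / "ssh" / "sshd_config").write_text("PermitRootLogin no\n")
        (monitored / "hosts").write_text("127.0.0.1 localhost\n")
        baseline_file = root / "aide.db"             # deliberately outside `monitored`

        build_baseline(monitored, baseline_file)
        clean = check_integrity(monitored, baseline_file)   # nothing to report yet

        # Simulated unauthorized changes: one edit, one new file, one deletion.
        (monitored / "ssh" / "sshd_config").write_text("PermitRootLogin yes\n")
        (monitored / "motd").write_text("unexpected file\n")
        (monitored / "hosts").unlink()
        tampered = check_integrity(monitored, baseline_file)

    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, json.dumps(result))
```

Every finding in the second check is an integrity event, whichever principle the attacker was ultimately after: the edit is a modification, the new file is an unauthorized addition, and the deleted file is the destruction case the chapter lists under integrity.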
SY0-701 tests the CIA triad primarily in Objective 1.1, but it appears as a foundational concept throughout the exam. You must be able to define each term and identify which principle is at risk in a given scenario. The exam will not ask 'What does CIA stand for?' directly, but will use the terms in questions. The most common wrong answers:
1. Confusing confidentiality with privacy: Privacy is about controlling personal data, while confidentiality is about restricting access. The exam may use 'privacy' in a distracter, but the correct answer will be confidentiality if the scenario is about unauthorized access.
2. Thinking integrity only applies to data at rest: Integrity applies to data in transit and in use. For example, a man-in-the-middle attack that modifies a packet is an integrity violation.
3. Assuming availability is only about uptime: Availability includes timeliness. A slow server that is technically up but unusable may be considered unavailable.
4. Overlooking trade-offs: A question might ask 'Which principle is most affected by implementing full-disk encryption?' The answer could be availability (if decryption slows access) or confidentiality (it protects data). You must read the scenario carefully.
Specific terms that appear verbatim: 'confidentiality,' 'integrity,' 'availability,' 'least privilege,' 'encryption,' 'hashing,' 'digital signature,' 'redundancy,' 'failover,' 'backup.' Know that hashing provides integrity, not confidentiality.
Common trick questions: A scenario describes a DDoS attack that makes a website slow. The question asks 'Which principle is affected?' The answer is availability, even though the site is still up. Another trick: A scenario where an employee accidentally deletes a file. This is an integrity issue (unauthorized modification) because the file is altered (deleted). Some might think it's availability, but deletion is a form of modification.
Decision rule for eliminating wrong answers: If the scenario involves unauthorized reading, eliminate integrity and availability. If it involves unauthorized changes, eliminate confidentiality and availability. If it involves inaccessibility, eliminate confidentiality and integrity. If two principles seem plausible, pick the one that is directly violated first. For example, ransomware: the immediate impact is loss of access (availability), even though files are also modified (integrity). The exam typically asks for the primary impact.
CIA stands for Confidentiality, Integrity, and Availability — the three core security principles.
Confidentiality is protected by encryption (e.g., AES-256) and access controls (e.g., least privilege).
Integrity is protected by hashing (e.g., SHA-256) and digital signatures (e.g., RSA).
Availability is protected by redundancy (e.g., RAID 1), backups, and failover systems.
The exam expects you to identify which principle is affected in a scenario: unauthorized reading = confidentiality, unauthorized modification = integrity, inaccessibility = availability.
Trade-offs exist: strong encryption can impact availability; strict access controls can reduce availability.
Common wrong answer: confusing confidentiality with privacy — privacy is a subset of confidentiality related to personal data.
Know that integrity applies to data in transit, at rest, and in use — not just at rest.
Ransomware primarily impacts availability (data inaccessible) but also affects integrity (data modified).
NIST SP 800-53 and ISO 27001 are frameworks that map controls to CIA principles.
These come up on the exam all the time. Here's how to tell them apart.
Confidentiality
Prevents unauthorized reading
Enforced via encryption, access controls
Threats: eavesdropping, data breach
Controls: AES, RBAC, MFA
Example: Encrypting a file
Integrity
Prevents unauthorized modification
Enforced via hashing, digital signatures
Threats: tampering, man-in-the-middle
Controls: SHA-256, digital signature, FIM
Example: Verifying a file hash
Integrity
Focuses on data accuracy and consistency
Violation: data altered without authorization
Controls: checksums, version control
Recovery: restore from backup
Example: Database transaction log
Availability
Focuses on system and data accessibility
Violation: system down or too slow
Controls: redundancy, failover, backups
Recovery: failover to secondary site
Example: Load-balanced web servers
Mistake
Confidentiality and privacy are the same thing.
Correct
Confidentiality is about restricting access to data to authorized parties; privacy is about controlling how personal data is collected, used, and shared. Privacy often requires confidentiality, but they are not interchangeable.
Mistake
Integrity only applies to data at rest.
Correct
Integrity applies to data in all states: at rest, in transit, and in use. For example, a man-in-the-middle attack that alters network packets violates integrity of data in transit.
Mistake
Availability means the system is always up.
Correct
Availability includes both uptime and the ability to access data in a timely manner. A system that is up but too slow to respond may be considered unavailable.
Mistake
Encryption provides integrity.
Correct
Encryption primarily provides confidentiality. It does not prevent tampering: an attacker can modify the ciphertext, which, when decrypted, produces garbage that may go undetected. Integrity is provided by hashing or digital signatures.
Mistake
The CIA triad is only for data security.
Correct
The CIA triad applies to information and systems. It covers data, applications, hardware, and even physical assets. For example, restricting physical access to a server room supports confidentiality of the data on those servers.
The CIA triad is a model that guides information security policies. It stands for Confidentiality (data not disclosed to unauthorized parties), Integrity (data not altered without authorization), and Availability (data and systems accessible when needed). It is foundational for Security+ and appears in many exam questions. For example, if a hacker reads your email, that's a breach of confidentiality. If they change the email content, that's an integrity breach. If the email server is down, that's an availability issue. The exam often asks you to identify which principle is at risk in a given scenario.
A DDoS (Distributed Denial of Service) attack primarily affects Availability. The goal is to overwhelm a system with traffic, making it slow or completely inaccessible to legitimate users. Even if the system is still technically up, if users cannot access it in a reasonable time, availability is compromised. For example, a SYN flood attack exhausts server resources, preventing new connections. In the exam, questions about DDoS always relate to availability. Do not confuse with confidentiality (data is not read) or integrity (data is not modified).
No, encryption provides confidentiality, not integrity. Encryption transforms plaintext into ciphertext to prevent unauthorized reading, but it does not prevent tampering. An attacker can modify the ciphertext, and when decrypted, the result will be corrupted but the receiver may not detect the modification. To provide integrity, you need a separate mechanism like a hash or digital signature. For example, using AES encryption alone does not guarantee that the data hasn't been altered. In practice, many protocols combine encryption with integrity (e.g., AES-GCM provides both confidentiality and integrity via an authentication tag).
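The two outcomes contrasted above, and in the "Encryption provides integrity" mistake earlier in the chapter, can be reproduced with the short script below. It is an added illustration, not code from the page, and it uses only the Python standard library: because the stdlib ships no AES, a keystream derived from HMAC-SHA256 in counter mode stands in for the cipher, which behaves like AES-CTR for this purpose. Part 1 encrypts a constructed message, modifies one ciphertext byte, and decrypts without any error; part 2 adds an HMAC tag over the ciphertext (encrypt-then-MAC, filling the role of AES-GCM's authentication tag) so the same modification is rejected before decryption. Keys and nonce are random per run.

```python
import hashlib
import hmac
import os

NONCE_LEN = 12   # bytes; the nonce size GCM uses
TAG_LEN = 32     # HMAC-SHA256 output length


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes by running HMAC-SHA256 in counter mode.
    Stand-in for a block cipher in CTR mode, since the stdlib has no AES."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: XOR the plaintext with the keystream."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))


decrypt = encrypt  # XOR with the same keystream undoes the encryption


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers nonce and ciphertext, like GCM's auth tag.
    Output layout: nonce || ciphertext || tag."""
    ciphertext = encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject any modification."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: message was modified in transit")
    return decrypt(enc_key, nonce, ciphertext)


def flip_bit(data: bytes, index: int, mask: int = 0x80) -> bytes:
    """Simulate corruption or tampering of one byte on the wire."""
    buf = bytearray(data)
    buf[index] ^= mask
    return bytes(buf)


def demo() -> dict:
    """Constructed message and random keys; shows both outcomes side by side."""
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(NONCE_LEN)
    message = b"TRANSFER 100 USD"

    # 1. Encryption alone: a modified ciphertext still decrypts, silently and wrongly.
    ciphertext = encrypt(enc_key, nonce, message)
    unchecked = decrypt(enc_key, nonce, flip_bit(ciphertext, 9))

    # 2. Encrypt-then-MAC: the same modification is rejected before decryption.
    blob = seal(enc_key, mac_key, nonce, message)
    roundtrip = open_sealed(enc_key, mac_key, blob)
    try:
        open_sealed(enc_key, mac_key, flip_bit(blob, NONCE_LEN + 9))
        detected = False
    except ValueError:
        detected = True

    return {"unchecked_plaintext": unchecked, "roundtrip": roundtrip, "tamper_detected": detected}


if __name__ == "__main__":
    print(demo())
```

In part 1 only byte 9 of the recovered plaintext differs from the original, and nothing signals that anything happened; a receiver acting on that output would be working from corrupted data. In part 2 the receiver never sees the decrypted bytes at all, because the tag check fails first. That is the property the chapter attributes to AES-GCM and to digital signatures, and the reason hashing or a MAC, not encryption, is the control to pick when a question asks about integrity.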
Integrity ensures that data has not been altered without authorization. Non-repudiation ensures that a party cannot deny having performed an action, such as sending a message or signing a document. While integrity can be provided by a hash, non-repudiation typically requires a digital signature, which also provides integrity. For example, a digital signature on an email proves both that the email hasn't been altered (integrity) and that it came from the claimed sender (non-repudiation). In the exam, non-repudiation is often linked to digital signatures and public key infrastructure (PKI).
The principle of least privilege grants users only the minimum permissions necessary to perform their job. This primarily supports Confidentiality by limiting access to sensitive data, reducing the risk of unauthorized disclosure. It also supports Integrity by preventing unauthorized modifications (only authorized users can change data). Least privilege can indirectly support Availability by reducing the chance of accidental or malicious changes that could disrupt services. For example, a database administrator should have read-only access to logs unless they need to modify them. This control is a key concept in Security+.
A digital signature supports both Integrity and Non-repudiation (which is related to integrity). It does not provide confidentiality. Another example is a backup: it supports Availability (data can be restored) and Integrity (if the backup is verified with hashes, it ensures the restored data is correct). Full-disk encryption primarily supports Confidentiality but can also support Integrity if the encryption mode includes authentication (e.g., AES-GCM). In the exam, look for controls that have multiple benefits, but be careful not to overstate — for instance, a firewall primarily supports confidentiality and availability, not integrity.
The CIA triad is a conceptual model that describes the goals of information security. It is not a prescriptive standard with specific requirements like ISO 27001 or NIST SP 800-53. Instead, it provides a high-level framework for thinking about security. Organizations use the triad to guide their security policies and to evaluate risks. For example, a company might decide that for their customer database, confidentiality is the highest priority, while for a public website, availability is most important. The exam tests your understanding of the definitions and application of the triad, not specific implementation details.