In 2017, Equifax lost 147 million Social Security numbers because they failed to patch a known Apache Struts vulnerability. At its core, that single failure violated confidentiality. But the breach also exposed integrity failures (executives traded stock before disclosure) and availability failures (their response site crashed under load). Every major cybersecurity incident — from ransomware to insider threats — maps directly to a breakdown of one or more pillars of the CIA triad. These three principles are not academic abstractions; they are the triage lens every defender uses first.
Confidentiality ensures that data is only accessible to those authorized to see it. This applies to data at rest (stored on disk), data in transit (moving across networks), and data in use (actively processed in memory). Encryption is the primary technical control — AES-256 for storage, TLS 1.3 for transport — but administrative controls like data classification policies and need-to-know access are equally critical. A system administrator with root access to a healthcare database but no clinical need to view patient records represents a confidentiality risk, even if no malicious action occurs.
Confidentiality is not binary. It exists on a spectrum from public information to top-secret classified data. Effective security programs define classification levels (Public, Internal, Confidential, Restricted) and enforce controls proportionally. Over-classification leads to productivity friction; under-classification leads to leaks.
The OpenSSL command above demonstrates symmetric encryption for confidentiality at rest. The `-salt` flag mixes random data into key derivation, so that identical plaintexts encrypted under the same passphrase do not produce identical ciphertexts — a critical defense against rainbow table attacks. However, the warning OpenSSL prints about PBKDF2 when the deprecated key derivation is used is not cosmetic; deprecated key derivation functions are weaker against brute-force attacks. In production, always use `-pbkdf2` with a high iteration count. The passphrase itself must be managed through a secrets vault like HashiCorp Vault, never hardcoded in scripts.
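An added example of the kind of command this paragraph describes (it is not the page's original command): passphrase-based AES-256 encryption with `-salt` and `-pbkdf2`, with a check that the salt changes the ciphertext. The iteration count, file names, sample record and the temp-file passphrase standing in for a vault-issued secret are assumptions.

```shell
#!/usr/bin/env bash
# Added example. ITER, file names and the sample record are assumptions.
ITER=600000   # PBKDF2 iteration count (assumed value; tune to your hardware)

# Encrypt $1 to $2. The passphrase is read from file $3, so it never appears
# in the script, the shell history or the process list.
encrypt_file() {
  openssl enc -aes-256-cbc -salt -pbkdf2 -iter "$ITER" -md sha256 \
    -in "$1" -out "$2" -pass "file:$3"
}

# Decrypt $1 to $2. The salt is read back from the ciphertext header; the
# KDF parameters (-pbkdf2, -iter, -md) are not stored and must match.
decrypt_file() {
  openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ITER" -md sha256 \
    -in "$1" -out "$2" -pass "file:$3"
}

# Return 0 if two encryptions of file $1 under passphrase file $2 differ,
# which shows the random salt is in effect; 1 if identical; 2 on error.
salt_randomises() {
  local dir rc=0
  dir=$(mktemp -d) || return 2
  encrypt_file "$1" "$dir/a" "$2" && encrypt_file "$1" "$dir/b" "$2" || rc=2
  if [ "$rc" -eq 0 ] && cmp -s "$dir/a" "$dir/b"; then rc=1; fi
  rm -rf "$dir"
  return "$rc"
}

demo() {
  local work
  work=$(mktemp -d) || return 1
  # Stand-in for a secret issued by a vault; created with owner-only access.
  ( umask 077; openssl rand -base64 32 > "$work/pass" )
  printf 'patient_id=1001,ssn=000-00-0000\n' > "$work/record.txt"  # constructed
  encrypt_file "$work/record.txt" "$work/record.enc" "$work/pass"
  head -c 8 "$work/record.enc"; echo    # header marker written when a salt is used
  salt_randomises "$work/record.txt" "$work/pass" && echo "ciphertexts differ"
  decrypt_file "$work/record.enc" "$work/out.txt" "$work/pass"
  cmp -s "$work/record.txt" "$work/out.txt" && echo "round trip ok"
  # CBC gives confidentiality only: it does not detect a modified ciphertext.
  rm -rf "$work"
}

demo
```

The `-pbkdf2` and `-iter` options require OpenSSL 1.1.1 or later.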
Integrity guarantees that data remains accurate and unaltered from its authorized state — whether by malicious actors, system errors, or transmission glitches. The 2020 SolarWinds attack was fundamentally an integrity failure: attackers injected malicious code into legitimate software updates, and customers trusted the compromised binaries because they appeared to come from a verified source. Hashing algorithms (SHA-256, SHA-3) and digital signatures are the primary technical controls for integrity verification.
💡 Integrity is not the same as authenticity. A file might have perfect integrity (unchanged since creation) but still be malicious if the original source was compromised. Always pair integrity checks with authentication of the source.
Availability ensures that systems and data are accessible when needed by authorized users. This pillar is often underweighted by junior security professionals who focus exclusively on preventing breaches. But ask any hospital CISO what keeps them awake at night — it's ransomware encrypting electronic health record systems and preventing life-saving care. DDoS attacks, power outages, hardware failures, and even misconfigured cloud auto-scaling groups all threaten availability. Redundancy, failover, backups, and capacity planning are the primary availability controls.
| CIA Pillar | Primary Threat | Technical Control | Business Impact If Failed |
|---|---|---|---|
| Confidentiality | Data exfiltration | Encryption (AES-256, TLS 1.3) | Regulatory fines, IP theft, reputation loss |
| Integrity | Unauthorized modification | Hashing (SHA-256), digital signatures | Fraudulent transactions, corrupted records, poisoned updates |
| Availability | Denial of service / ransomware | Redundancy, failover, offline backups | Operational paralysis, revenue loss, life-safety risk |
⚠️ The classic beginner mistake: encrypting everything for confidentiality but forgetting to test backup restoration, thereby destroying availability when a real incident occurs. Balance the triad — never optimize for one pillar in isolation.