Articles

CIA Triad: Crypto, MACs, Redundancy - The Security Pillars

March 15, 2026 5 min read

The CIA Triad isn’t about spies; it’s the bedrock of information security, dictating how we protect digital assets.

Imagine a secure vault. Confidentiality is about making sure only authorized people can peek inside. Integrity is about ensuring that what’s inside hasn’t been tampered with, and Availability means the vault is accessible when you need it.

Let’s see this in action. Consider a simple web application where users can log in and view their profile.

from flask import Flask, request, jsonify
import hashlib

app = Flask(__name__)

# In-memory user store (for demonstration)
users = {
    "alice": {"password_hash": "a1b2c3d4e5f6", "profile_data": {"email": "alice@example.com", "dob": "1990-01-01"}},
    "bob": {"password_hash": "f6e5d4c3b2a1", "profile_data": {"email": "bob@example.com", "dob": "1985-05-10"}}
}

def hash_password(password):
    return hashlib.sha256(password.encode()).hexdigest()

@app.route('/login', methods=['POST'])
def login():
    username = request.json.get('username')
    password = request.json.get('password')

    user_data = users.get(username)
    if user_data and user_data["password_hash"] == hash_password(password):
        return jsonify({"message": "Login successful!"}), 200
    else:
        return jsonify({"message": "Invalid credentials"}), 401

@app.route('/profile/<username>', methods=['GET', 'PUT'])
def profile(username):
    user_data = users.get(username)
    if not user_data:
        return jsonify({"message": "User not found"}), 404

    if request.method == 'GET':
        # Confidentiality: Only authenticated users should see profiles.
        # This is a simplified check; in reality, you'd check session tokens.
        if 'Authorization' not in request.headers or request.headers['Authorization'] != 'Bearer valid_token_for_alice':
             return jsonify({"message": "Unauthorized"}), 403
        return jsonify(user_data["profile_data"]), 200

    elif request.method == 'PUT':
        # Integrity: Ensure profile data isn't corrupted.
        # This example focuses on basic validation.
        new_data = request.json
        if not all(key in new_data for key in ["email", "dob"]):
            return jsonify({"message": "Missing profile fields"}), 400

        # In a real app, you'd also validate data types, formats, etc.
        user_data["profile_data"].update(new_data)
        return jsonify({"message": "Profile updated successfully"}), 200

if __name__ == '__main__':
    # Availability: The server must be running and accessible.
    # In production, this would be handled by WSGI servers (Gunicorn, uWSGI)
    # and load balancers.
    app.run(debug=True, port=5000)

In this example:

  • Confidentiality is touched upon in the GET /profile/<username> endpoint. While this is a simplified demonstration, a real application would ensure that only logged-in users with appropriate permissions can access another user’s profile data. This is often achieved through session management or token-based authentication. If an unauthorized request comes in (e.g., missing or invalid Authorization header), it’s rejected with a 403 Forbidden.

  • Integrity is addressed in the PUT /profile/<username> endpoint. Before updating, the code checks if the required fields (email, dob) are present. This is a basic form of data validation to prevent incomplete or malformed data from corrupting the user’s profile. More robust checks would include data type validation, format validation (e.g., email format, date format), and potentially checksums for critical data.

  • Availability is the underlying principle that the application server is running and accessible on port 5000. If the server crashes or is unreachable due to network issues, the application is unavailable. In production, this is managed by robust deployment strategies, load balancing, and monitoring systems to ensure the service remains online.

The CIA Triad provides a framework for thinking about security requirements. Confidentiality focuses on preventing unauthorized disclosure. Integrity focuses on preventing unauthorized modification or deletion. Availability focuses on ensuring timely and reliable access to data and systems.

What most security professionals don’t explicitly state is that these three pillars are often in tension with each other, and achieving perfect scores on all three simultaneously is usually impossible. For instance, implementing extremely strong encryption for confidentiality might slightly degrade performance, impacting availability. Similarly, overly strict integrity checks might slow down legitimate operations, again affecting availability. The art of information security is finding the right balance for a given context.

Understanding these principles leads to the next logical step: how to implement them in practice, which involves exploring specific security controls and technologies.

Want structured learning?

Take the full Cryptography course →