  • #secplus
  • #cybersecurity
  • #fundamentals

The CIA triad, explained simply

Confidentiality, Integrity, Availability. Three letters that decide your security strategy.
Every security control you'll ever build serves one of three goals. That's it. Three.

Confidentiality: only authorized parties see the data.

  • Encryption at rest (disk encryption, encrypted DB columns)
  • Encryption in transit (HTTPS/TLS)
  • Access control (auth + RBAC + RLS)

Integrity: data hasn't been tampered with.

  • Hashes and checksums (SHA-256 on file downloads)
  • Digital signatures (signed JWTs, code signing)
  • Database constraints (foreign keys, NOT NULL, CHECK)
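The integrity leg in code, as an added example that is not part of the original post: a bare SHA-256 checksum only catches corruption, because a checksum published next to the file can be swapped along with it; a keyed MAC over the digest (the shared secret here is an assumption, standing in for the signing key a signed JWT or code-signing setup would use) is what actually detects tampering.

```python
import hashlib
import hmac

# Constructed sample "download" (not a real artifact) and an attacker-modified copy.
ORIGINAL = b"#!/bin/sh\necho 'install complete'\n"
TAMPERED = ORIGINAL + b"echo 'line appended by an attacker'\n"

# Hypothetical secret shared by publisher and verifier (assumption for the demo).
SECRET = b"demo-only-secret"


def sha256_hex(data: bytes) -> str:
    """Plain checksum: detects accidental corruption of the download."""
    return hashlib.sha256(data).hexdigest()


def sign_digest(secret: bytes, digest_hex: str) -> str:
    """Keyed MAC over the published digest. Only a holder of `secret` can make a
    valid tag, so replacing both the file and its checksum on the download server
    still yields a tag that fails to verify."""
    return hmac.new(secret, digest_hex.encode(), hashlib.sha256).hexdigest()


def verify_download(data: bytes, published_hex: str, tag: str, secret: bytes) -> str:
    """Return 'ok', 'forged' (published checksum is not authentic) or
    'corrupt' (checksum is authentic but the bytes do not match it).
    compare_digest keeps comparison time independent of how much matched."""
    published_hex = published_hex.strip().lower()
    if not hmac.compare_digest(sign_digest(secret, published_hex), tag):
        return "forged"
    if not hmac.compare_digest(sha256_hex(data), published_hex):
        return "corrupt"
    return "ok"


def demo() -> dict:
    """Walk the three cases so the difference between the two checks is visible."""
    good_digest = sha256_hex(ORIGINAL)
    good_tag = sign_digest(SECRET, good_digest)
    return {
        # Unmodified file, authentic checksum: passes both checks.
        "untouched": verify_download(ORIGINAL, good_digest, good_tag, SECRET),
        # File modified in transit, checksum still authentic: the hash catches it.
        "bit_flip": verify_download(TAMPERED, good_digest, good_tag, SECRET),
        # File AND published checksum replaced: only the MAC catches it.
        "swapped_checksum": verify_download(TAMPERED, sha256_hex(TAMPERED), good_tag, SECRET),
    }


if __name__ == "__main__":
    print(demo())
```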

Availability: the system is reachable when needed.

  • Backups + tested restores
  • Redundancy (multi-AZ, load balancers)
  • DDoS protection (Cloudflare, rate limits)

Why this matters as a developer: Every security decision you make implicitly trades one against the others. Encrypting a column makes it more confidential but harder to query (availability). Adding MFA strengthens auth but adds friction (availability). Forcing a 24-hour delay on password resets adds integrity but irritates users.

The trick is naming the trade-off out loud, not pretending it doesn't exist.

Sec+ exam tip: when a question asks "what control type addresses X?", trace it back to which leg of the triad is at risk.