- The CIA triad (Confidentiality, Integrity, Availability) provides a foundational framework for thinking about information security, with each pillar representing a distinct and equally important security objective.
- Confidentiality protects information from being accessed by unauthorised parties, and is supported by controls including encryption, access management and data classification.
- Integrity ensures that information is accurate and has not been tampered with, supported by controls such as checksums, digital signatures and audit logging.
- Availability ensures that authorised users can access information and systems when they need them, protected by controls including redundancy, backup and resilience architectures.
- Frameworks such as ISO 27001 and the NCSC Cyber Essentials scheme provide structured approaches to implementing controls that address all three pillars of the CIA triad across an organisation's information assets.
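The integrity controls named in the summary above (checksums, digital signatures and audit logging) are easy to state and easy to get wrong, so the following Python example, added here and not part of the original page or the course material, shows each one against a constructed tampering scenario: an unkeyed checksum that catches a change only when it is stored out of the attacker's reach, a keyed HMAC-SHA256 tag standing in for a digital signature, and a hash-chained audit log that exposes edits to earlier entries. The payroll record, the event strings and the runtime-generated key are all constructed placeholders.

```python
"""Added example (not from the original page): integrity controls from the
CIA-triad summary, demonstrated against a constructed tampering scenario.
All data below is constructed; DEMO_KEY is a placeholder generated at import
time, not a real credential.
"""
import hashlib
import hmac
import json
import secrets

# Constructed sample record: a payroll line an attacker might want to alter.
RECORD = {"employee": "E1042", "salary_gbp": 41000}
DEMO_KEY = secrets.token_bytes(32)  # placeholder key, regenerated each run


def canonical(record: dict) -> bytes:
    """Serialise deterministically so equal records always hash identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def checksum(record: dict) -> str:
    """Unkeyed SHA-256 checksum. Detects modification only while the stored
    checksum itself is somewhere the attacker cannot rewrite."""
    return hashlib.sha256(canonical(record)).hexdigest()


def mac(record: dict, key: bytes) -> str:
    """Keyed HMAC-SHA256 tag (stand-in for a signature): without the key an
    attacker cannot produce a valid tag for a modified record, even if they
    can overwrite the stored tag."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def mac_valid(record: dict, key: bytes, tag: str) -> bool:
    # compare_digest avoids leaking the expected tag through timing.
    return hmac.compare_digest(mac(record, key), tag)


def checksum_detects_tamper() -> bool:
    """Checksum held out of band; attacker changes only the record."""
    stored = checksum(RECORD)
    tampered = dict(RECORD, salary_gbp=91000)
    return checksum(tampered) != stored  # mismatch: tampering detected


def checksum_defeated_when_colocated() -> bool:
    """Checksum stored beside the data; attacker rewrites both."""
    tampered = dict(RECORD, salary_gbp=91000)
    stored = checksum(tampered)  # attacker simply recomputes the hash
    return checksum(tampered) == stored  # True: the forgery looks valid


def mac_detects_tamper(key: bytes) -> bool:
    """Attacker rewrites record and tag but does not hold the key."""
    tampered = dict(RECORD, salary_gbp=91000)
    forged_tag = hashlib.sha256(canonical(tampered)).hexdigest()  # no key
    return not mac_valid(tampered, key, forged_tag)  # True: detected


def append_entry(chain: list, event: str) -> None:
    """Each audit entry commits to the previous entry's hash, so editing or
    deleting an earlier line invalidates every hash that follows it."""
    prev = chain[-1]["hash"] if chain else "0" * 64
    digest = hashlib.sha256(prev.encode() + b"\n" + event.encode()).hexdigest()
    chain.append({"prev": prev, "event": event, "hash": digest})


def chain_valid(chain: list) -> bool:
    """Recompute the chain from the genesis value and compare every link."""
    prev = "0" * 64
    for entry in chain:
        expected = hashlib.sha256(prev.encode() + b"\n" + entry["event"].encode()).hexdigest()
        if entry["prev"] != prev or entry["hash"] != expected:
            return False
        prev = entry["hash"]
    return True


def audit_log_demo() -> tuple:
    """Returns (valid before tampering, valid after editing a middle entry)."""
    chain = []
    for event in ["login alice", "read E1042", "update E1042 salary"]:  # constructed
        append_entry(chain, event)
    before = chain_valid(chain)
    chain[1]["event"] = "read nothing"  # attacker rewrites one audit line
    return before, chain_valid(chain)
```

The two checksum functions make the practitioner's caveat concrete: a hash only provides integrity relative to wherever the hash is kept, so a checksum stored in the same database row as the record adds nothing against an attacker with write access to that row. The hash chain has the same limit, since an attacker who can rewrite the whole log can recompute every link; in practice the latest chain hash is published or signed somewhere outside the attacker's reach.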
Alex: Hello and welcome back to The Study Podcast. I'm Alex, and today Sam and I are looking at information assurance, which is really the foundational framework for thinking about security in a systematic way. Sam, the CIA triad is at the heart of this, isn't it?
Sam: It is, and it's one of those frameworks that looks simple on the surface but reveals real depth when you dig into it. CIA stands for Confidentiality, Integrity and Availability, and each of those pillars addresses a distinct dimension of what it means for information to be secure.
Alex: Let's take them one at a time. Confidentiality first.
Sam: Confidentiality means that information is accessible only to those who are authorised to see it. A breach of confidentiality is what most people think of when they think about a data breach: sensitive information getting into the hands of people who shouldn't have it. The controls that support confidentiality include encryption, which makes data unreadable to anyone who doesn't have the decryption key; access management, which controls who can see what; and data classification, which allows organisations to apply different levels of control to different categories of information based on their sensitivity.
Alex: And integrity?
Sam: Integrity means that information is accurate and has not been tampered with without authorisation. This is perhaps less intuitive than confidentiality but equally important. If an attacker can modify data without detection, they can change financial records, alter medical information, manipulate audit logs. The controls that support integrity include hashing and checksums, which allow you to detect if data has been modified; digital signatures, which verify the identity of the person who created or sent data; and audit logging, which creates a record of all access and modification events.
Alex: And availability?
Sam: Availability means that authorised users can access information and systems when they need them. This is threatened by things like denial of service attacks that overwhelm a system with traffic, hardware failures, software bugs and power outages. The controls that support availability include redundancy, so that if one component fails another takes over; backup and recovery systems; and resilience architectures that can continue operating even when parts of the system are damaged.
Alex: Are there situations where these three pillars are in tension with each other?
Sam: Frequently. Maximising availability can conflict with confidentiality: the most available system is one with no access controls, but that obviously undermines confidentiality completely. Strong encryption supports confidentiality but can create availability problems if keys are lost. And some integrity controls, like requiring digital signatures on everything, can slow systems down in ways that affect availability. The skill in information assurance is finding the right balance for a given context, which depends on the nature of the information and the consequences of different types of failure.
Alex: And frameworks like ISO 27001 help with that?
Sam: Yes. ISO 27001 is an international standard for information security management systems. It provides a structured approach to identifying information assets, assessing the risks to each one and implementing appropriate controls. NCSC Cyber Essentials is a UK government-backed scheme that sets out five basic controls that protect against the most common cyber attacks. These frameworks don't make the decisions for you, but they provide a rigorous structure that ensures you've thought about the right things.
Alex: Brilliant. A really solid foundation for understanding information security. Thanks, Sam.