CIA Triad and Zero Trust
Understand security goals and the zero trust model
TL;DR
The CIA Triad defines three security goals: Confidentiality (data secret from unauthorized users), Integrity (data unchanged except by authorized parties), Availability (systems operational and responsive). These often conflict—strong encryption (confidentiality) adds latency (hurts availability). Zero Trust is a paradigm shift: instead of trusting what's inside your network perimeter, verify every request: Who is this? What device? What resource? Where are they from? Zero trust assumes breach is inevitable; it minimizes trust and maximizes verification.
Learning Objectives
- Understand CIA triad and how to balance competing goals
- Recognize traditional perimeter security limitations
- Implement zero trust principles (verify, don't trust)
- Design systems that assume compromise
- Apply zero trust to cloud and hybrid environments
Motivating Scenario
Traditional security: build a castle (firewall), trust everyone inside. An employee's laptop is compromised. Malware spreads freely because internal network is "trusted." The attacker exfiltrates customer data. Weeks pass before detection.
Zero trust: every device, every request authenticated. Employee's laptop requests resources; system checks: Is the device compliant? Has the user just accessed from an unusual location? Is this request anomalous? Suspicious requests blocked immediately. Compromise is contained.
Core Concepts
CIA Triad
Confidentiality: Data secret from unauthorized access. Encryption at rest and in transit. Access control prevents unauthorized viewing.
Integrity: Data accurate and unmodified. Checksums detect tampering. Digital signatures prove authenticity. Audit logs record who changed what.
Availability: Systems operational and responsive. Redundancy, load balancing, disaster recovery prevent outages. DOS protections maintain service.
These conflict:
- Strong encryption (confidentiality) adds latency (hurts availability)
- Distributed systems (availability) harder to secure (hurts confidentiality)
- Frequent security updates (integrity) cause downtime (hurts availability)
Architects balance these based on risk and requirements.
Perimeter Security vs Zero Trust
Traditional (Perimeter Model): Trust inside, distrust outside.
- Firewall blocks external threats
- VPN grants full network access inside
- Internal users trusted by default
Zero Trust: Never trust, always verify.
- Every request authenticated and authorized
- Network microsegmentation limits lateral movement
- Continuous verification, not one-time auth
- Assume breach; minimize damage
Practical Example
- User on VPN → full internal access
- No additional checks for internal requests
- Lateral movement unrestricted
- Breach inside perimeter is catastrophic
- Harder for remote/hybrid work
- VPN just first step; continuous verification
- Every API call authenticated and authorized
- Network policy blocks lateral movement
- Breach contained to affected resource
- Works seamlessly for remote work
Zero Trust Pillars
1. Identity Verification: Every user and device must be verified. Use MFA, device compliance checks, context (location, time, device risk score).
2. Device Trust: Not all devices equally trustworthy. Require MDM (Mobile Device Management), endpoint protection, OS patching. Unmanaged or noncompliant devices get limited access.
3. Network Microsegmentation: Divide network into zones. Workload in zone A can't access zone B without explicit policy. Prevents lateral movement.
4. Continuous Verification: Authentication isn't one-time. Continuous signals monitor for anomalies: unusual location access, privilege escalation, behavioral changes.
5. Least Privilege: Default deny. Only grant access necessary for task. Remove access when no longer needed.
6. Monitoring and Response: Detect breaches early. Automated response (revoke tokens, isolate resources) minimizes dwell time.
CIA Triad in Cloud
Confidentiality:
- Encrypt data at rest (AWS KMS, Azure Key Vault)
- Encrypt data in transit (TLS 1.3)
- Encrypt backups
- Secure key management (don't hardcode secrets)
Integrity:
- Digital signatures on API responses
- Audit logs record all access and changes
- Data validation prevents injection
- Version control for infrastructure (IaC)
Availability:
- Multi-region deployments
- Auto-scaling for traffic spikes
- Regular backups and disaster recovery plans
- DOS protection and rate limiting
Patterns and Pitfalls
Pitfall: Choosing confidentiality over availability. Encrypted systems that are slow or unavailable don't protect users.
Pitfall: Assuming internal network is safe. Internal threats are real (malicious insiders, compromised servers).
Pitfall: One-time authentication. "I logged in once today, I'm trusted forever" is perimeter thinking, not zero trust.
Pattern: Use context-aware access. Request from known device, known location, known time = low trust signal. Request from new location, new device, after hours = require additional verification.
Pattern: Fail open vs fail closed. When in doubt, deny access (fail closed). Exception: avoid cascading failures where auth system outage brings everything down.
Design Review Checklist
- CIA triad goals identified for each asset (What's most important?)
- Trade-offs between C, I, A understood and documented
- Zero trust principles applied (verify, don't trust)
- MFA enabled for all user accounts
- Device compliance required for access
- Network segmentation prevents lateral movement
- Continuous monitoring for anomalies
- Breach assumed; containment strategy in place
- Key management secure (not hardcoded)
- Regular security reviews and updates
Building Your Zero Trust Strategy
Assessment Questions
- Identity: Do you know who every user is, where they are, and what device they use?
- Device Trust: Can you verify that every device accessing your systems is healthy?
- Network: Do you have visibility into all traffic, even internal?
- Applications: Do your applications verify access at every request?
- Data: Is all sensitive data encrypted at rest and in transit?
Implementation Priority
Phase 1 (Foundation): Identity and device trust
- MFA everywhere
- Device inventory
- Mobile device management
Phase 2 (Network): Microsegmentation
- Network boundaries
- Encrypted traffic
- Traffic inspection
Phase 3 (Application): Fine-grained access
- RBAC/ABAC
- Least privilege
- Audit logging
Phase 4 (Continuous): Monitoring and response
- Behavior analytics
- Anomaly detection
- Automated remediation
Success Metrics
Metric 1: Breach Containment
Before: Breach detected after 200 days (average dwell time)
After: Breach detected within 1 hour
Target: < 1 hour dwell time
Metric 2: Lateral Movement Prevention
Before: Attacker can access 50+ systems from compromised workstation
After: Attacker can only access 1-2 resources
Target: Blast radius < 5 resources
Metric 3: Privileged Access
Before: 30% of users have admin access
After: <5% have admin access, with time limits
Target: < 2% privileged users
Metric 4: Security Alert Resolution
Before: 1000 alerts/day, 90% ignored
After: 50 alerts/day, 80% acted on
Target: 100% relevant alerts
Self-Check
- What's the relationship between CIA triad and zero trust?
- Why does perimeter security fail in cloud and hybrid environments?
- How would you apply zero trust to a microservices architecture?
- What are the three pillars of your security program (CIA)?
- Which CI attribute is most important for your business?
- How would you prioritize CIA investments?
- Can you list your critical assets that need maximum CIA?
- Who in your organization owns each pillar?
The CIA triad defines what you're protecting; zero trust defines how to protect it—by verifying constantly, not trusting blindly.
Next Steps
- Read Least Privilege & Separation of Duties for granular access control
- Study Defense in Depth for layered security strategy
- Explore Threat Modeling to identify attack scenarios
Implementing Zero Trust: A Practical Roadmap
Phase 1: Visibility and Assessment (Months 1-3)
class ZeroTrustPhase1:
"""Establish baseline: understand current state."""
def inventory_users(self):
"""Who are all users and service accounts?"""
return {
'human_users': self.get_all_employees(),
'service_accounts': self.get_all_service_principals(),
'contractors': self.get_all_contractors(),
'external_integrations': self.get_all_api_integrations()
}
def inventory_devices(self):
"""What devices access resources?"""
return {
'managed_desktops': self.get_windows_desktops(),
'managed_laptops': self.get_macos_devices(),
'mobile_devices': self.get_mobile_devices(),
'unmanaged_devices': self.get_byod_devices(),
'iot_devices': self.get_iot_devices()
}
def inventory_resources(self):
"""What resources exist and who accesses them?"""
return {
'applications': self.get_all_applications(),
'databases': self.get_all_databases(),
'storage': self.get_all_storage_buckets(),
'infrastructure': self.get_all_infrastructure()
}
def assess_current_access(self):
"""How is access currently controlled?"""
return {
'firewall_rules': self.count_firewall_rules(),
'iam_policies': self.count_iam_policies(),
'vpn_usage': self.count_vpn_connections(),
'mfa_enabled': self.count_mfa_enabled(),
'unencrypted_traffic': self.detect_unencrypted_traffic()
}
Phase 2: Implement Core Controls (Months 4-9)
Zero Trust Core Controls:
1. Identity Verification
- Deploy MFA everywhere
- Implement SSO (Azure AD, Okta)
- Require strong authentication
2. Device Trust
- Deploy Mobile Device Management (MDM)
- Enforce OS patching
- Require antivirus/EDR
3. Network Segmentation
- Implement microsegmentation
- Deploy service mesh
- Enforce encryption TLS 1.3
4. Access Control
- Implement least privilege (RBAC/ABAC)
- Enforce time-based access
- Implement break-glass procedures
5. Monitoring
- SIEM deployment
- Behavioral analytics
- Incident response automation
Phase 3: Continuous Verification (Months 10+)
class ContinuousVerification:
"""Verify every access request continuously."""
def evaluate_access_request(self, user_id, resource_id, context):
"""
Evaluate if user should access resource.
Zero trust: continuous verification, not one-time.
"""
decision = AccessDecision(
user_id=user_id,
resource_id=resource_id,
allow=True,
reason=[]
)
# Factor 1: User legitimacy
if not self.verify_user_identity(user_id):
decision.allow = False
decision.reason.append("identity_unverified")
return decision
# Factor 2: Device trust
device_posture = self.check_device_posture(context['device_id'])
if device_posture['compliance_score'] < 0.7:
decision.allow = False
decision.reason.append(f"device_non_compliant: {device_posture['issues']}")
return decision
# Factor 3: Behavioral analysis
if self.is_anomalous_access(user_id, context):
# Anomalous: new location, new time, new resource type
decision.require_mfa = True
decision.reason.append("anomalous_access_pattern")
# Factor 4: Least privilege
required_permissions = self.get_required_permissions(resource_id)
actual_permissions = self.get_user_permissions(user_id)
if required_permissions not in actual_permissions:
decision.allow = False
decision.reason.append("insufficient_permissions")
return decision
# Factor 5: Risk score
risk_score = self.calculate_risk_score(user_id, context)
if risk_score > 0.8:
decision.allow = False
decision.reason.append(f"high_risk: {risk_score}")
return decision
# All checks passed
return decision
def is_anomalous_access(self, user_id, context):
"""Detect unusual access patterns."""
baseline = self.get_user_baseline(user_id)
anomalies = []
# New location?
if context['ip_geolocation'] != baseline['typical_location']:
anomalies.append('new_location')
# Impossible travel?
last_known_location = self.get_last_location(user_id)
time_diff = context['timestamp'] - last_known_location['timestamp']
distance = self.calculate_distance(last_known_location['location'],
context['ip_geolocation'])
if distance > 900 * (time_diff.total_seconds() / 3600): # 900 km/hour max
anomalies.append('impossible_travel')
# Unusual time?
if context['timestamp'].hour not in baseline['typical_hours']:
anomalies.append('unusual_time')
# Unusual resource?
if context['resource_type'] not in baseline['typical_resources']:
anomalies.append('unusual_resource_type')
return len(anomalies) > 0
CIA Triad in Practice: Real Examples
Example 1: Confidentiality vs Availability
Scenario: A hospital needs patient data encrypted (confidentiality) but accessible immediately (availability).
Solution:
- Encrypt data at rest with transparent encryption
- Decrypt in memory when accessed
- Replicate encrypted data for availability
- Use hardware encryption modules for performance
Example 2: Integrity vs Availability
Scenario: A banking system needs audit trails (integrity) but must process millions of transactions/second (availability).
Solution:
- Write transactions to append-only log (integrity)
- Asynchronously verify/sign transactions (doesn't block processing)
- Use parallel verification pipelines for throughput
Example 3: CIA Trade-offs in E-commerce
┌─────────────────────────────────────────────────────────┐
│ E-Commerce System CIA Trade-offs │
├─────────────────────────────────────────────────────────┤
│ Confidentiality (customer data, passwords) │
│ ├─ Encrypt everything at rest (TLS, AES-256) │
│ ├─ Encrypt in transit (TLS 1.3) │
│ └─ Access control (role-based, least privilege) │
│ │
│ Integrity (orders, payments, inventory) │
│ ├─ Digital signatures on transactions │
│ ├─ Audit logs for every change │
│ ├─ Database constraints (foreign keys) │
│ └─ Checksums on critical data │
│ │
│ Availability (website, checkout, API) │
│ ├─ Multi-region deployment │
│ ├─ Load balancing │
│ ├─ Caching (for performance) │
│ ├─ CDN for static content │
│ └─ Auto-scaling for traffic spikes │
│ │
│ Trade-off points: │
│ - Encryption adds latency (C + A conflict) │
│ - Replication for availability duplicates data (C) │
│ - Audit logging adds I/O (I + A conflict) │
│ │
│ Resolution: │
│ - Use hardware acceleration (encryption) │
│ - Batch audit writes (async logging) │
│ - Replicate encrypted data (encrypted replicas) │
└─────────────────────────────────────────────────────────┘
Zero Trust Maturity Model
Level 1: Traditional Perimeter
├─ Trust: Inside = safe, outside = dangerous
├─ Controls: Firewall, VPN
└─ Monitoring: Basic network logs
Level 2: Enhanced Perimeter
├─ Trust: Some internal verification
├─ Controls: Firewall + WAF, VPN + MFA
└─ Monitoring: Firewall logs + some app logs
Level 3: Zero Trust Foundation
├─ Trust: Verify everything, once
├─ Controls: MFA, RBAC, encryption
└─ Monitoring: Identity logs, access logs
Level 4: Continuous Zero Trust
├─ Trust: Continuously verify every request
├─ Controls: MFA, ABAC, encryption, device trust
└─ Monitoring: Real-time behavior analytics, anomaly detection
Level 5: Adaptive Zero Trust
├─ Trust: Context-aware, risk-adaptive
├─ Controls: Dynamic policies, self-healing
└─ Monitoring: ML-based threat detection, autonomous response
References
- CIA Triad (NIST Cybersecurity Framework)
- Zero Trust Architecture (NIST SP 800-207)
- Forrester Zero Trust Model
- Google BeyondCorp (Zero Trust Implementation)
- "Zero Trust Networks" by Gilman & Barth
- "Building Secure and Reliable Systems" (Google)"