Day 16 - The Three Pillars of Security - Confidentiality, Integrity, and Availability

So far in my bootcamp journey, I've been deep in the trenches, getting my hands dirty with exploits, RSA challenges, and various CTFs. I've been collecting a lot of tools and techniques, but I started to feel like I was learning how to use a hammer and a saw without having the blueprint for the house. I needed to understand the "why" behind it all. What are the fundamental goals we're trying to achieve with these tools?

Today, I took a step back from the command line to learn about a foundational concept in all of information security: The CIA Triad. And no, it has nothing to do with intelligence agencies! It's a model that stands for Confidentiality, Integrity, and Availability, and it provides a framework for everything we do in security.


Pillar 1: Confidentiality — Keeping Secrets Secret

Confidentiality is about preventing the unauthorized disclosure of information. It’s about ensuring that only the right people can see the data. For me, this was the most intuitive part of cybersecurity. It's the first thing that comes to mind when you think of "hacking" or "spying" — someone trying to read something they're not supposed to.

I like to think of it like a sealed letter. Anyone can see the envelope, but only the person it's addressed to has the right "key" (in this case, a letter opener) to access the contents. To everyone else, the message inside is a secret.

How Cryptography Helps: The primary tool for achieving confidentiality is, of course, encryption. Whether it’s symmetric encryption like AES or asymmetric like RSA, the goal is the same: to make data unintelligible to anyone without the correct key.

This is the "magic" of cryptography that first drew me in. The idea of turning a clear message into complete gibberish that only a specific person can unlock is fascinating. During the RSA challenges, seeing ciphertext finally unravel into a readable flag after cracking a key was like watching a locked chest burst open. It wasn’t just cool — it was empowering.

Confidentiality also comes into play in everyday life more than we realize — messaging apps like WhatsApp and Signal implement end-to-end encryption, ensuring that even the service provider can’t read our chats. That means the conversation between you and your friend is truly your conversation.
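To make the "correct key" idea concrete, here is an added Go example (not code from the post or the bootcamp) using AES-256-GCM from the standard library. The message is a constructed sample, and the key is generated locally only to keep the example self-contained; in a real messaging app it would come from a key exchange. The point to notice is that decrypting with the wrong key, or after the ciphertext is modified, yields an error rather than garbage, because GCM binds confidentiality to an integrity check:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKey returns a random 256-bit key. Generated here for the demo; in practice
// it would be agreed via a key exchange or issued by a key manager.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// Seal encrypts plaintext with AES-256-GCM. Output layout is
// nonce || ciphertext || tag, so the recipient has everything needed to
// decrypt. A fresh random nonce is drawn for every message; reusing a
// nonce under the same key breaks GCM's guarantees.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to dst (here the nonce slice).
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. It returns an error, never partial plaintext, if the
// key is wrong or any byte of the message was altered.
func Open(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(msg) < aead.NonceSize() {
		return nil, errors.New("message too short to contain a nonce")
	}
	nonce, ct := msg[:aead.NonceSize()], msg[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

func main() {
	key, _ := NewKey()
	wrongKey, _ := NewKey()
	msg := []byte("meet at the usual place at 9") // constructed sample message

	sealed, _ := Seal(key, msg)
	fmt.Printf("on the wire (hex): %x\n", sealed)

	pt, err := Open(key, sealed)
	fmt.Printf("right key: %q (err=%v)\n", pt, err)

	_, err = Open(wrongKey, sealed)
	fmt.Printf("wrong key: err=%v\n", err)
}
```

The envelope analogy maps directly: the nonce and ciphertext are visible to anyone carrying the message, but only the holder of `key` can read the contents.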


Pillar 2: Integrity — Keeping Data Pure and Untampered

If confidentiality is about keeping secrets, integrity is about keeping trust. It's about ensuring that information hasn't been altered or corrupted — whether maliciously or accidentally — between the sender and receiver.

Imagine you’re transferring ₿0.5 Bitcoin, and somehow it turns into ₿50. That’s not a windfall; that’s a data integrity nightmare. Or think of a medical record — if one digit in a dosage is modified, the consequences could be fatal.

How Cryptography Helps: This is where hash functions and digital signatures shine. A hash is like a digital fingerprint — if even one character of a file changes, the hash output changes entirely. Digital signatures use private keys to “sign” this fingerprint, providing both integrity and authenticity.

What amazed me was how invisible these systems are in everyday use. For instance, every time I update an app on my phone and it says “Verifying update...”, that’s not a gimmick — it’s integrity verification. It’s checking to make sure the update hasn’t been tampered with and is truly from the developer.

During the bootcamp, I saw this in action when validating downloaded tools from GitHub. Some of them came with SHA256 checksums. At first, it felt tedious to verify them manually, but now I understand it’s like checking a product’s seal — if the hash doesn’t match, don’t trust it.
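Both the "digital fingerprint" description above and the GitHub checksum routine can be shown in one added Go example (not code from the post; the release bytes and the keypair are constructed for the demo). It recomputes a SHA-256 checksum the way `sha256sum` would, counts how many digest bits a single-byte edit flips, and then adds the Ed25519 signature step that turns a bare checksum into proof of who published the file:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"math/bits"
)

// Fingerprint returns the hex SHA-256 digest of data, the same string
// `sha256sum` prints for a file.
func Fingerprint(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// VerifyChecksum recomputes the digest and compares it with the published one.
// A published checksum is public, so constant-time comparison is not strictly
// needed here, but it is the right habit for any authentication-data compare.
func VerifyChecksum(data []byte, published string) bool {
	got := Fingerprint(data)
	return subtle.ConstantTimeCompare([]byte(got), []byte(published)) == 1
}

// DigestDistance counts how many of the 256 digest bits differ between the
// hashes of a and b. Changing one input byte flips roughly half of them.
func DigestDistance(a, b []byte) int {
	ha, hb := sha256.Sum256(a), sha256.Sum256(b)
	n := 0
	for i := range ha {
		n += bits.OnesCount8(ha[i] ^ hb[i])
	}
	return n
}

// SignDigest signs the fingerprint of a release with the developer's private
// key, which is what the post means by signing the fingerprint.
func SignDigest(priv ed25519.PrivateKey, data []byte) []byte {
	sum := sha256.Sum256(data)
	return ed25519.Sign(priv, sum[:])
}

// VerifySignature is the "Verifying update..." step: recompute the digest and
// check the signature against the developer's public key. A modified file or
// a signature made with someone else's key both fail.
func VerifySignature(pub ed25519.PublicKey, data, sig []byte) bool {
	sum := sha256.Sum256(data)
	return ed25519.Verify(pub, sum[:], sig)
}

func main() {
	release := []byte("tool-v1.0 binary contents")  // constructed sample download
	tampered := []byte("tool-v1.0 binary contentz") // one byte changed
	published := Fingerprint(release)               // what the project README would list

	fmt.Println("published sha256:", published)
	fmt.Println("genuine download matches:", VerifyChecksum(release, published))
	fmt.Println("tampered download matches:", VerifyChecksum(tampered, published))
	fmt.Println("digest bits flipped by a one-byte edit:", DigestDistance(release, tampered))

	// Developer keypair, generated here only for the demo.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	sig := SignDigest(priv, release)
	fmt.Println("genuine release verifies:", VerifySignature(pub, release, sig))
	fmt.Println("tampered release verifies:", VerifySignature(pub, tampered, sig))
}
```

The checksum alone only tells you the file you got is the file the checksum describes; if an attacker can edit the README that lists the checksum, they can edit both. The signature closes that gap, because it can only be produced with the developer's private key.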


Pillar 3: Availability — Ready When You Need It

Availability is perhaps the most underestimated pillar until something breaks. It means ensuring that systems and data are accessible to authorized users whenever they’re needed.

In theory, it sounds easy: just keep things online. In practice, it’s a battle. Downtime can cause chaos — from halting emergency services, to disrupting financial transactions, to crashing a student’s hopes during an exam submission.

How Cryptography Relates: Initially, it felt counterintuitive. Isn’t cryptography about locking things down? But it turns out, cryptography has a double-edged relationship with availability.

  • Negative Impact: Ransomware weaponizes encryption. Attackers encrypt your files and hold them hostage, crippling access. This is an attack on availability, using tools meant for confidentiality.

  • Positive Impact: Secure authentication systems, which rely on cryptographic tokens or certificates, enhance availability by ensuring only legitimate users can make critical changes, preventing sabotage or accidents.

What truly hit home was reading real-world incidents like the WannaCry attack, which paralyzed hospitals. Patients couldn’t be treated because data was encrypted. That wasn’t just a breach — that was real human risk from a failure in the availability pillar.


Finding the Balance

Here’s the hard truth: you can’t max out all three pillars at once. Security is a constant trade-off. Sometimes, boosting confidentiality may hurt availability. Think of military-grade encryption on a slow device — your data is safe, but you can’t access it when seconds matter.

It’s like a tightrope walk. You have to ask:

  • Who are the users?

  • What are the risks?

  • What’s the impact of failure?

And based on those answers, you make architectural choices. That’s what makes cybersecurity an engineering problem, not just a technical one. It’s about designing secure systems that are also usable and resilient.


Conclusion: A New Way to See the Battlefield

The CIA Triad isn’t just a theory to memorize; it’s a mindset. Now, when I’m solving a CTF or analyzing a system, I’m no longer just thinking in terms of “how to break it.” I’m thinking:

  • What am I protecting?

  • What happens if it’s exposed, altered, or taken offline?

  • Which pillar is most critical in this context?

Having this framework feels like finally getting the blueprint for the house I've been learning to build. It connects all the individual tools and techniques into a coherent, purposeful whole. And more importantly, it reminds me that cybersecurity isn’t just about commands or code — it’s about protecting people, trust, and access in a digital world.

On to the next challenge. This time, with a clearer map.

#IDNCyberBootcamp
