up:: Foundations MOC

Security Basics

Security basics is the small set of goals that every security control exists to protect, confidentiality, integrity, and availability, together known as the CIA triad, plus authentication and non-repudiation, the two goals that establish and bind identity. Cryptography is the mathematical toolkit that delivers these goals for digital information, and the quantum transition matters because a future quantum computer attacks two of them, the confidentiality of harvested data and the trust behind authentication and integrity, while leaving availability largely alone. This hub teaches the whole set from zero, so every other note in the Guide has somewhere to stand.

Map of content

A short overview of the security basics, and the index that routes you to every note in this section. Skim it to get oriented, then follow the links to go deep.

The short version:

  1. “Secure” means a set of goals working together, and the core three are confidentiality, integrity, and availability, the CIA triad, defined for all US federal information in FIPS 199.
  2. On top of the triad sit two more goals: authentication (are you really who you claim to be?) and non-repudiation (the signer can’t credibly deny the action).
  3. Cryptography serves these goals directly: encryption delivers confidentiality, hashes and digital signatures deliver integrity, and signatures and certificates deliver authentication and non-repudiation.
  4. The quantum threat attacks two goals in particular, the ones built on public-key math: confidentiality (through Harvest Now, Decrypt Later) and the trust behind integrity and authentication (through signature forgery).
  5. Availability is barely a quantum-cryptography story, which is why the whole transition concentrates on replacing the public-key algorithms behind confidentiality and trust.

Think about a signed, sealed letter carried by a courier. Confidentiality is the sealed envelope that keeps strangers from reading it. Integrity is the wax seal that shows nobody opened and rewrote it in transit. Availability is the courier actually arriving on time so you can read it at all. Authentication is recognizing the sender’s crest, so you know the letter really came from them. Non-repudiation is that the crest is theirs alone, so they can’t later claim they never wrote it. Each one is a different promise, and cryptography is how we make the same five promises about digital information.

What does “secure” actually mean?

“Secure” describes a set of properties that hold true about information and the systems that carry it. When a security professional calls a system secure, they mean it protects a specific list of goals against a specific list of threats. The foundational list, the one nearly every framework, standard, and regulation builds on top of, has three core goals: confidentiality, integrity, and availability. The US government codified exactly these three as the security objectives for all federal information in FIPS 199, drawing the definitions straight from federal law (44 U.S.C. 3542).

Two more goals ride on top of the core three and become essential the moment more than one party is involved: authentication (proving identity) and non-repudiation (binding an action to an identity so it can’t be denied later). Once these five are in your head, almost every control you will ever meet, a password, a firewall, a backup, a TLS certificate, an encrypted tunnel, slots neatly under one or more of them.

Source: NIST, “Standards for Security Categorization of Federal Information and Information Systems,” FIPS 199, February 2004, FIPS 199.

What is the CIA triad?

The CIA triad is the standard name for the three core security goals: Confidentiality, Integrity, and Availability. The letters are just the initials of the three properties and have nothing to do with the intelligence agency. FIPS 199 defines all three precisely, and the definitions are worth reading once in the original, because every downstream control inherits them:

  1. Confidentiality: “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.”
  2. Integrity: “Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.”
  3. Availability: “Ensuring timely and reliable access to and use of information.”

A quick way to hold them: confidentiality is about who can read, integrity is about who can change, and availability is about whether it works at all. Every security failure is a failure of at least one of the three. A data breach is a confidentiality failure. A tampered software update is an integrity failure. A ransomware lockout or a denial-of-service outage is an availability failure. The triad is the backbone of FIPS 199, NIST SP 800-53, and ISO 27001, so it’s the lens the entire field looks through.

Source: NIST, “Standards for Security Categorization of Federal Information and Information Systems,” FIPS 199, February 2004, FIPS 199.

What is confidentiality, and how is it protected?

Confidentiality is the guarantee that information is readable only by the people and systems authorized to read it. It’s the goal most people picture first when they think “security”, and it’s the one the quantum threat comes for most urgently. Confidentiality is protected in three overlapping layers:

  1. Access control. Permissions, authentication, and network segmentation decide who can reach the data in the first place.
  2. Encryption. Encryption scrambles the data so that even a party who reaches it can’t read it without the key. This is confidentiality’s cryptographic workhorse.
  3. Data minimization. The data you never collect or retain can’t leak, so scoping and deletion are confidentiality controls too.

The encryption that carries confidentiality comes in two flavors worth keeping separate. Symmetric encryption (AES-256) uses one shared key and does the bulk work fast. Public-key cryptography (RSA, Diffie-Hellman, ECDH) solves the harder problem of two strangers agreeing on that shared key over an open line. This split is the whole reason the quantum threat lands unevenly, and the threat section returns to it.

What is integrity, and how is it protected?

Integrity is the guarantee that information hasn’t been altered, whether by accident or by an attacker, without the change being detectable. Integrity is what lets you trust that a downloaded file, a bank balance, or a firmware image is exactly what it’s supposed to be. Two cryptographic tools do most of the work:

  1. Cryptographic hashes. A hash function like SHA-256 produces a fixed-size fingerprint of any input, so a single changed bit produces a completely different fingerprint. Compare the fingerprints and you detect tampering.
  2. Signatures and MACs. A digital signature or a MAC binds that fingerprint to a key, so the check proves both that the data is internally consistent and that it came from the expected source.

FIPS 199 folds authenticity and non-repudiation into its definition of integrity, which is worth noticing: the standard treats “this wasn’t changed” and “this really came from who it claims” as parts of the same guarantee. In practice, hashing gives you tamper-evidence and signatures give you tamper-evidence plus proof of origin.

What is availability, and how is it protected?

Availability is the guarantee that information and systems are accessible and usable when a legitimate user needs them. A system can keep every secret perfectly and still fail its users if it’s offline, so availability sits alongside confidentiality and integrity as a full member of the triad. It’s protected mostly through architecture and operations:

  1. Redundancy and backups so a single failure or a ransomware event doesn’t take data with it.
  2. Denial-of-service mitigation and capacity planning so a flood of traffic can’t starve legitimate users.
  3. Incident response and recovery so an outage is short and bounded.

Cryptography plays a supporting role here rather than a starring one, and that’s worth stating plainly, because it explains something about the quantum transition. Availability is the one core goal a quantum computer doesn’t meaningfully threaten through cryptography, which is part of why the whole post-quantum effort concentrates on the other two.

What is authentication?

Authentication is the process of verifying that a user, process, or device really is who or what it claims to be, usually as the gate before any access is granted. NIST defines it as verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources. Authentication classically rests on one or more of three factors:

  1. Something you know, like a password or PIN.
  2. Something you have, like a security key or a phone.
  3. Something you are, like a fingerprint or face.

Authentication underpins the rest of the goals, because you can’t enforce “authorized” access for confidentiality, or attribute a change for integrity, until you’ve first established identity. In cryptography, authentication is delivered by digital signatures and the certificate system: a TLS certificate is a signed statement that authenticates a server to your browser, and the public-key infrastructure is the machinery that makes those statements trustworthy at internet scale. One distinction to hold: authentication establishes who you are, while authorization decides what you’re allowed to do once you’re known. They’re separate steps, and authentication always comes first.

Source: NIST, “Security and Privacy Controls for Information Systems and Organizations,” SP 800-53 Rev. 5, September 2020, SP 800-53 Rev. 5.

What is non-repudiation?

Non-repudiation is the guarantee that a party can’t credibly deny having taken an action, such as sending a message or signing a document. It’s the property that turns a technical proof into something that holds up as evidence, which is what makes signed contracts, audit logs, and code-signing meaningful. NIST frames it as protection against an individual falsely denying having performed a particular action.

Non-repudiation is delivered almost entirely by digital signatures. Because only the holder of a private key can produce a valid signature, a valid signature binds the action to that specific key holder in a way a shared-secret MAC can’t, since a MAC’s secret is held by both parties and either could have produced it. FIPS 199 lists non-repudiation as part of integrity, and in cryptographic practice it’s the specific property that lets a verifier say both “this wasn’t changed” and “you, and only you, produced it.”

Source: NIST, “Security and Privacy Controls for Information Systems and Organizations,” SP 800-53 Rev. 5, September 2020, SP 800-53 Rev. 5.

How does cryptography serve each security goal?

Cryptography is the mathematical toolkit that delivers these goals for digital information, and each goal maps to specific primitives. Here’s the map:

Security goalWhat it guaranteesThe threat it stopsCryptography that delivers it
ConfidentialityOnly authorized parties can read the informationEavesdropping, data theft, disclosureEncryption: symmetric AES-256 for bulk data, public-key (RSA, ECDH) to establish the keys
IntegrityThe information wasn’t altered without detectionTampering, corruption, forged updatesHashes (SHA-256), MACs, digital signatures
AvailabilitySystems and data are usable when neededOutages, ransomware, denial-of-serviceMostly architecture (redundancy, backups); cryptography plays a supporting role
AuthenticationThe party is who it claims to beImpersonation, spoofingDigital signatures, certificates, the PKI
Non-repudiationThe signer can’t credibly deny the actionDenial of a sent message or a signed documentDigital signatures, bound to a private key one party holds

The pattern worth noticing: confidentiality leans on encryption (symmetric for bulk, public-key to set up the keys), while integrity, authentication, and non-repudiation all lean on the same trust machinery of hashes, signatures, and certificates. That division is exactly the fault line the quantum threat runs along.

Which security goals does the quantum threat attack?

A large quantum computer threatens two of these goals in particular, the ones built on public-key cryptography, and leaves the rest largely intact. Two goals are exposed:

  1. Confidentiality, through harvesting. An adversary records encrypted traffic today and decrypts it years later once a quantum computer running Shor’s algorithm breaks the public-key key exchange (RSA, DH, ECDH) that set up the session. This is Harvest Now, Decrypt Later, and the exposure is live right now, because the harvesting happens now even though the decryption waits.
  2. Integrity and authentication, through forgery. Once Shor’s algorithm can recover a private key from its public key, an attacker can forge digital signatures, mint fake certificates, and impersonate trusted parties. The worst case is PKI collapse, where breaking a single root key makes a whole tree of certificates forgeable. This is a Non-HNDL trust threat, and it bites once the machine actually exists rather than today.

Availability rests on architecture, so the cryptographic threat leaves it largely alone. And the symmetric world holds up: AES-256 and SHA-256 only lose a manageable margin to Grover’s algorithm, so the confidentiality and integrity that rest on symmetric primitives stay strong. The entire post-quantum transition is therefore a project to rescue the two goals that rest on public-key math, the confidentiality of long-lived data and the trust behind authentication and integrity.

Security goalAttacked by the quantum threat?HowThe fix
ConfidentialityYes, and live todayHNDL: harvested traffic decrypted once Shor’s breaks public-key key exchangeML-KEM, usually reached through a hybrid step
Integrity and AuthenticationYes, once a quantum computer existsSignature forgery: Shor’s recovers private keys, enabling fake certificates and PKI collapseML-DSA and SLH-DSA
Non-repudiationYes, wherever signatures carry itForged signatures break the private-key binding that non-repudiation depends onPost-quantum signatures (ML-DSA)
AvailabilityLargely noRests on redundancy and operations, outside the public-key cryptography the quantum threat targetsStandard resilience engineering

This mapping is the reason the rest of the Guide is shaped the way it is. Everything in The Threat aims at the public-key locks behind confidentiality and trust, and everything in The Transition is about replacing them before the machine arrives.

Common misconceptions

  1. “Security means encryption.” Encryption serves one goal, confidentiality. Integrity, availability, authentication, and non-repudiation need different tools, and a system can be perfectly encrypted yet fail on any of the others.
  2. “The C in CIA is the intelligence agency.” It stands for confidentiality. The triad has nothing to do with the agency; the letters are just the initials of the three goals.
  3. “Authentication and authorization are the same thing.” Authentication proves who you are; authorization decides what you may do. A system can authenticate you correctly and still deny you access.
  4. “Quantum computing breaks all security.” It attacks the confidentiality and trust that rest on public-key cryptography. Availability and symmetric-based protections stay largely intact.
  5. “A digital signature keeps a message secret.” A signature proves integrity, authentication, and non-repudiation while leaving the message fully readable. Secrecy is encryption’s separate job.
  6. “Availability is a networking problem, not a security one.” Availability is one of the three core security goals, which is exactly why ransomware and denial-of-service count as security failures.

Questions people ask

What does CIA stand for in cybersecurity? Confidentiality, Integrity, and Availability, the three core security goals defined in FIPS 199. The name predates and has nothing to do with the intelligence agency.

Is the CIA triad still relevant? Yes. It’s the backbone of FIPS 199, NIST SP 800-53, ISO 27001, and essentially every modern security framework. Authentication and non-repudiation extend the triad rather than replace it.

What’s the difference between authentication and authorization? Authentication verifies identity, who you are, while authorization grants permissions, what you’re allowed to do. Authentication always comes first, and a correct login can still be followed by a denied action.

Which CIA goal does the quantum threat attack? Primarily confidentiality, through HNDL harvesting, and the integrity and authentication trust layer, through signature forgery. Availability stays largely unaffected by the cryptographic threat.

What’s the difference between integrity and non-repudiation? Integrity proves the data wasn’t changed; non-repudiation proves who produced it and stops them denying it. FIPS 199 groups them together, and a digital signature delivers both at once.

Do I need to understand the CIA triad to plan a migration? It helps a lot, because a post-quantum migration is really a project to protect confidentiality and trust. Knowing which goal a given system serves tells you how urgent its migration is.

Is availability part of security or IT operations? Both. It’s a core security goal and an operations discipline, and ransomware made availability a front-line security concern rather than a back-office one.

How does cryptography actually deliver these goals? Encryption delivers confidentiality, hashes and MACs and signatures deliver integrity, and signatures and certificates deliver authentication and non-repudiation. Availability is mostly architecture rather than cryptography.

Go deeper

The core goals (CIA triad): Confidentiality · Integrity · Availability

The trust goals: Authentication · Non-repudiation

The cryptography that serves them: Encryption · hashing · digital signatures · PKI

A common question answered: Passwords in a Quantum World (why password hashing largely survives quantum, how Grover only halves the search, and why bcrypt, Argon2, PBKDF2, and scrypt carry forward).

Where this leads: the actual locks are in Classical Cryptography, and what a quantum computer does to these goals is The Threat. This section sits under Foundations.


Everything here is the map, given freely. When your team needs these goals turned into a defensible quantum-migration plan for your own systems, that’s the work I do, and there’s an alignment briefing for it.

Last verified 2026-07-09 · Maintained by Addie LaMarr, LaMarr Labs.