The CIA Triad

The CIA triad combines three principles of security into an overlapping model of information security.  The triad is based on three security principles: confidentiality, integrity and availability.  Applying these principles helps when developing security policies and setting priorities for information security.  When the triad is used to assess security, each principle is weighed against the other two.  If a new policy would improve the confidentiality of data on a network, what would the result be for integrity and availability?  In this case, increasing confidentiality would likely reduce availability and may or may not affect integrity.  The triad provides the basis for balancing the three principles so that organizations and individuals understand the impact a change will have, which enables them to make better policies.

Confidentiality is the process of “preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information” (Cawthra, 2020).  Confidentiality is maintained through two processes: authentication and authorization.  Authentication verifies who is requesting access to a resource.  Common implementations of authentication include logins, passwords, biometric scanners, security keys, keycards and many others.  A commonly used authentication procedure is two-factor authentication, which requires two forms of verification, such as a password together with a biometric input, before the user can gain access to resources.  Authorization is the process of allocating privileges to resources, or deciding who can access what.  Once a user has been authenticated, they are given access to an environment that only allows them to reach what they need.  Authorization-based security is usually designed with the least-privilege concept in mind, giving users the least access and the fewest privileges possible to complete their tasks.  This can be controlled and monitored by granting temporary access and requiring re-authentication, which improves both security and the ability to monitor use.

Integrity concerns “guarding against improper information modification or destruction and ensuring information non-repudiation and authenticity” (Cawthra, 2020).  Data integrity can be supported by proper logging and backup procedures: logs identify when data has changed, and a proper backup schedule and system make it possible to detect that data has been altered and to restore it.
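As an added example that is not part of the original post, the following script shows one concrete way to use a backup as an integrity baseline: it records a SHA-256 digest of each file in the backup, signs that manifest with an HMAC so the baseline itself is tamper-evident, and then compares the live copy against it to report modified, missing and unexpected files.  The file contents and the key are constructed for the demonstration.

```python
import hashlib
import hmac
import json
from typing import Dict, List

# Constructed sample data: a backup snapshot and the live copy taken later.
BACKUP = {
    "payroll.csv": b"alice,5000\nbob,4200\n",
    "config.yml": b"retention_days: 30\n",
    "notes.txt": b"quarterly review\n",
}
LIVE = {
    "payroll.csv": b"alice,5000\nbob,9900\n",  # altered in place
    "config.yml": b"retention_days: 30\n",     # unchanged
    "rogue.sh": b"#!/bin/sh\n",                # new file, not in the backup
}                                              # notes.txt is missing

def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record one SHA-256 digest per file; this is the integrity baseline."""
    return {name: hashlib.sha256(data).hexdigest()
            for name, data in sorted(files.items())}

def sign_manifest(manifest: Dict[str, str], key: bytes) -> str:
    """HMAC over the serialized manifest so the baseline is tamper-evident."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def verify_manifest(manifest: Dict[str, str], key: bytes, tag: str) -> bool:
    """Constant-time comparison of the stored tag against a fresh HMAC."""
    return hmac.compare_digest(sign_manifest(manifest, key), tag)

def check_integrity(manifest: Dict[str, str],
                    files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare live files against the baseline and classify every difference."""
    current = build_manifest(files)
    return {
        "modified": sorted(n for n in manifest
                           if n in current and current[n] != manifest[n]),
        "missing": sorted(n for n in manifest if n not in current),
        "unexpected": sorted(n for n in current if n not in manifest),
    }

if __name__ == "__main__":
    key = b"constructed-demo-key"  # in practice stored apart from the backup
    baseline = build_manifest(BACKUP)
    tag = sign_manifest(baseline, key)
    assert verify_manifest(baseline, key, tag)
    print(check_integrity(baseline, LIVE))
```

A manifest whose HMAC no longer verifies should be treated as untrusted, since an attacker who can alter files can usually alter an unsigned list of hashes too.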

Availability is about providing the access and resources users need to complete their tasks.  This can involve both hardware and software to make sure resources remain reachable.  A business may require more bandwidth to accommodate its users, which in turn requires hardware capable of providing it.  Another situation would be providing network or cloud-based software services to users, such as data hosting or email servers.

I found it very important to understand that, when using the CIA triad, each principle complements and overlaps with the others.  As a business provides availability for its services, it must consider and implement policies concerning the confidentiality of the systems and how to maintain their integrity, while also reevaluating what services it makes available.  This shows how the triad is a continuous effort to balance security and productivity by planning and thinking about the impacts changes can have on the three principles, the CIA.

References

Fruhlinger, Josh (2020). The CIA triad: Definition, components and examples. https://www.csoonline.com/article/3519908/the-cia-triad-definition-components-and-examples.html

Cawthra, Jennifer (2020). NIST Special Publication 1800-25, Data Integrity: Identifying and Protecting Assets against Ransomware and Other Destructive Events. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1800.25.pdf
