The CIA Triad is a model organizations use to classify and secure information. It focuses on three pillars: Confidentiality, Integrity, and Availability. As with the NIST Cybersecurity Framework, the CIA Triad can be used to assess how well an organization identifies and responds to threats.
The Triad Explained
Although the individual components were researched and used earlier, the CIA Triad was formally introduced as a model in 1998 (Chai, 2022). Each piece was born of necessity during a chaotic time for the United States: tension with the Soviet Union was rising, and both sides were using espionage to gain the upper hand. Information was, and still is, king. So how do we protect it and ensure its authenticity?
Confidentiality is ensuring information stays private. Access controls, encryption, and classification systems can be used to enforce confidentiality (Fortinet, 2023). Just as an organization must keep unauthorized users away from sensitive data, confidentiality practices must also work the other way: authorized users must still be able to reach the data they need to do their jobs.
Integrity is ensuring the data being protected remains intact and unaltered. Hazards to data integrity can come from human or environmental causes. An organization can implement measures such as hashing, encryption, and digital certificates to verify that its data has not been tampered with or altered (Fortinet, 2023). An example would be the practice of hashing data periodically or whenever it is used. A cryptographic hash function converts data of any length into a fixed-length digest, and any change to the data produces a different digest. If the digest the receiver computes does not match the one the sender produced, the data was altered along the way. One caveat: a plain hash detects accidental corruption, but an attacker who can alter the data can usually recompute the digest as well, so detecting deliberate tampering requires a keyed hash (an HMAC) using a secret the attacker does not hold, or a digital signature.
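The difference between a plain hash and a keyed hash, as an added example that is not part of the original essay. The key, the messages and the attacker's edit are all constructed for the demo; the sender attaches both a SHA-256 digest and an HMAC-SHA256 tag, and an attacker in the middle rewrites the amount and recomputes the digest.

```python
import hashlib
import hmac


def sha256_digest(data: bytes) -> str:
    """Fixed-length digest of the data; any change to the input changes it."""
    return hashlib.sha256(data).hexdigest()


def check_unkeyed(data: bytes, expected_digest: str) -> bool:
    """Plain hash check: catches accidental corruption only."""
    return hmac.compare_digest(sha256_digest(data), expected_digest)


def hmac_tag(key: bytes, data: bytes) -> str:
    """Keyed hash (HMAC-SHA256): only a holder of the key can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def check_keyed(key: bytes, data: bytes, expected_tag: str) -> bool:
    """Keyed check: rejects any message whose tag was not made with the key."""
    return hmac.compare_digest(hmac_tag(key, data), expected_tag)


def demo() -> dict:
    """Sender and receiver share `key`; an attacker in between rewrites the message."""
    key = b"shared-secret-from-key-exchange"   # constructed demo key, not a real secret
    original = b"transfer 100 USD to account 42"
    tampered = b"transfer 900 USD to account 42"

    sent_digest = sha256_digest(original)        # what the sender attaches (unkeyed)
    sent_tag = hmac_tag(key, original)           # what the sender attaches (keyed)

    # The attacker who alters the message can recompute the unkeyed digest...
    attacker_digest = sha256_digest(tampered)
    # ...but cannot recompute the HMAC without the key.

    return {
        "unkeyed_rejects_corrupted_message": not check_unkeyed(tampered, sent_digest),
        "unkeyed_fooled_by_recomputed_digest": check_unkeyed(tampered, attacker_digest),
        "keyed_accepts_original": check_keyed(key, original, sent_tag),
        "keyed_rejects_tampered": not check_keyed(key, tampered, sent_tag),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Every entry in the dictionary returned by `demo()` is True: the unkeyed digest catches a message that changed after hashing but is fooled as soon as the attacker ships a fresh digest, while the HMAC rejects the tampered message regardless. `hmac.compare_digest` is used for both comparisons so that a mismatch does not leak, through timing, how many leading bytes matched.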
Availability is the assurance that our data is accessible when needed. Loss of power, electrical surges, or natural disasters can all disrupt our information chain. Using RAID for disk redundancy, and keeping backup servers or backup copies at a separate location, are two ways to build in redundancy (Chai, 2022); note that RAID protects against a failed disk, not against deletion or a lost site, so it complements backups rather than replacing them. Another thing to consider when assessing availability is software updates. Keeping software patched is crucial, because patches are issued to correct known defects, including the ones attackers exploit to knock a system offline.
Authentication vs Authorization
Authentication is proving that we are the person we claim to be. An effective way to do this is to require more than one factor from the user (Siddiqui, 2018). A good example is using a debit card to withdraw money from an ATM. The user has a debit card issued to them by the bank. The card alone is not enough, because anybody could simply take the card from its owner. To fully authenticate, the user must also know their PIN. By inserting the card (something they have) and then entering the PIN (something they know), they have proved to the bank that they are in fact the person they claim to be.
Authorization determines whether a user is cleared to access certain information after they have proven who they are (authentication). Once a user authenticates, an access list is consulted to check that this particular user is allowed to reach the requested information (Siddiqui, 2018). An example would be attempting to board a ship on base where I am not a crew member. I authenticate myself at the base gate by showing my ID and matching my face to the ID photo. However, just because I am on base does not mean I can go wherever I want. If I attempt to board a vessel, the gangway watch will check my ID against their access list. I will not be on that list, and therefore I am not authorized to be on the ship.
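The two-factor login and the access-list check from the two sections above, carried into software as an added example (not code from the original essay or its sources). The "something you know" factor is a password stored as a salted PBKDF2 verifier; the "something you have" factor is a time-based one-time code (RFC 6238 TOTP), the software equivalent of the ATM card, generated by a token or phone app from a per-user seed. The user store `USERS`, the access list `ACCESS_LIST`, the user `alice`, the fixed salt and the TOTP seed are all constructed for the demo; the seed is the RFC 6238 test seed, so the codes it produces match the published test vectors.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo data, not from the original page. The salt and TOTP seed are
# fixed only so the example is reproducible; real systems generate both with a
# CSPRNG (e.g. secrets.token_bytes) and store them per user.
TOTP_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # base32 of the RFC 6238 test seed
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash; what is stored is a verifier, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Hypothetical user store: one thing the user KNOWS (password verifier) and one
# thing the user HAS (the TOTP seed provisioned to their token or phone).
USERS = {
    "alice": {
        "salt": b"alice-demo-salt-",
        "pw_hash": hash_password("correct horse battery staple", b"alice-demo-salt-"),
        "totp_secret": TOTP_SECRET_B32,
    },
}

# Hypothetical access list: for each resource, the set of users cleared to use it.
ACCESS_LIST = {
    "gate-log": {"alice"},
    "ship-crew-roster": set(),   # alice is not crew, so she is not listed here
}


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step), as an authenticator app would compute it."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def authenticate(username: str, password: str, code: str, unix_time: int) -> bool:
    """Both factors must check out. Comparisons are constant-time, and an unknown
    user costs the same as a wrong password so the two failures look alike."""
    user = USERS.get(username)
    if user is None:
        hash_password(password, b"dummy-salt-------")    # burn the same time
        return False
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    # Accept the current and the previous 30 s window to tolerate clock drift.
    code_ok = any(
        hmac.compare_digest(totp(user["totp_secret"], unix_time - drift), code)
        for drift in (0, 30)
    )
    return pw_ok and code_ok


def authorize(username: str, resource: str) -> bool:
    """A separate question, asked only about users who already authenticated."""
    return username in ACCESS_LIST.get(resource, set())


def request_access(username: str, password: str, code: str, resource: str, unix_time: int) -> str:
    """Gate first (authentication), then gangway watch (authorization)."""
    if not authenticate(username, password, code, unix_time):
        return "denied: authentication failed"
    if not authorize(username, resource):
        return "denied: not on the access list"
    return "granted"


if __name__ == "__main__":
    now = 59                                 # RFC 6238 test time; code is 287082
    code = totp(TOTP_SECRET_B32, now)
    for resource in ("gate-log", "ship-crew-roster"):
        print(resource, "->", request_access("alice", "correct horse battery staple", code, resource, now))
```

With the right password and the current code, alice gets into `gate-log` but is turned away from `ship-crew-roster` even though she authenticated successfully, which is exactly the distinction the two sections draw. The timing details matter: a missing user still pays for a PBKDF2 run, both factors are always evaluated, and the TOTP match uses `hmac.compare_digest`, so an attacker cannot learn from response time which half of the login was wrong. Seeds and verifiers here are fixed for reproducibility and would be generated randomly per user in practice.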
Conclusion
The CIA Triad is a rough template that highlights the areas an organization must cover to secure its information. By addressing each of the three pillars, an organization has a baseline from which to recognize and handle most of the threats it will face.
References
Chai, Wesley. (2022, June 28). What is the CIA Triad? Definition, Explanation, Examples. Retrieved from https://drive.google.com/file/d/1898r4pGpKHN6bmKcwlxPdVZpCC6Moy8l/view
Fortinet. (2023). What is the CIA Triad? Retrieved from https://www.fortinet.com/resources/cyberglossary/cia-triad
Siddiqui, Anum. (2018, September 30). Authentication vs Authorization. Retrieved from https://medium.datadriveninvestor.com/authentication-vs-authorization-716fea914d55