The CIA triad is a cybersecurity model used all around the world. CIA stands for confidentiality, integrity, and availability. These three concepts are integral to securing any IT infrastructure. Referring to them as a triad highlights the relationship between them and the importance each carries when implementing security policies. With all three considered, one can make informed decisions about which part of the triad matters most for a given system.
Confidentiality
Confidentiality is anything that limits a user’s ability to manipulate or acquire data. Confidentiality is made up of two key concepts: authentication and authorization. The process that allows a computer to identify the user is known as authentication. For example, students use usernames and passwords every day to identify themselves on Blackboard, Zoom, or a student portal. Authorization is the other half of confidentiality: it determines who has permission to access or change specific data. As stated in the Fruhlinger article, just because the system can identify you does not mean everything will be accessible to you.
Integrity
Maintaining the integrity of data means that it is stored properly and that no unauthorized person is able to manipulate it in any way. Integrity and confidentiality overlap in the sense that if a person is not authenticated or authorized, that person cannot gain access to the data. A good example of integrity in a modern operating system such as Windows is the ability to grant certain users administrator access or restricted access based on their identity. Of course, there are other ways data integrity can be breached, but as stated in the article, integrity breaches are less common than confidentiality or availability breaches.
Availability
Availability refers to data being easily accessible to authorized users. Availability is an important aspect of the CIA triad because the more safeguards are created to protect data, the harder it can be for the people who are authorized to access that data. From what I can gather, one must find a balance between security and availability to meet organizational needs. For example, the ODU student portal has two-factor authentication. This adds another layer of security, but it also increases the time it takes to access the portal. What if the student lost access to their phone and could not complete the authentication? This extra layer of security could decrease overall availability.
CIA Triad Example
The ODU portal is a good example of the CIA triad in effect. The portal authenticates the user by prompting for a username, a password, and a two-factor authentication code. It determines whether the user is a student, administrator, or professor and grants access to different functions based on what that user is authorized to do. Integrity is maintained in that no one except the authorized user can change the personal information on the portal. The portal remains available to everyone with an internet-connected device and a browser.
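The authentication/authorization split described under Confidentiality and the portal flow above can be shown in a small model. This is an added example, not code from the original essay or from any real portal: the accounts, one-time codes, and role permissions are constructed, and the second factor is a stand-in for what an authenticator app would produce.

```python
import hashlib
import hmac
import secrets

# Constructed sample accounts; passwords are stored only as salted PBKDF2 hashes.
def _make_account(password, role):
    salt = secrets.token_bytes(16)
    return {"role": role, "salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)}

ACCOUNTS = {
    "alice": _make_account("student-pass", "student"),
    "bob": _make_account("prof-pass", "professor"),
    "carol": _make_account("admin-pass", "administrator"),
}

# Constructed stand-in for the one-time code a user's device would currently show.
CURRENT_CODES = {"alice": "482913", "bob": "117204", "carol": "906311"}

# Constructed authorization policy: which portal functions each role may use.
PERMISSIONS = {
    "student": {"view_own_grades", "update_own_profile"},
    "professor": {"view_own_grades", "update_own_profile", "enter_grades"},
    "administrator": {"view_own_grades", "update_own_profile", "manage_accounts"},
}

def authenticate(username, password, otp_code):
    """Confidentiality, step 1: establish who the user is (password + second factor).
    Returns the username on success, None otherwise. A missing code (lost phone)
    fails here, which is the availability cost of the extra factor."""
    acct = ACCOUNTS.get(username)
    if acct is None or otp_code is None:
        return None
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), acct["salt"], 100_000)
    if not hmac.compare_digest(candidate, acct["pw_hash"]):
        return None
    if not hmac.compare_digest(otp_code, CURRENT_CODES[username]):
        return None
    return username

def authorize(username, action, target=None):
    """Confidentiality, step 2 (and integrity): being identified is not the same as
    being allowed. The role grants functions, and '*_own_*' actions also require
    that the record belongs to the caller, so nobody else can alter it."""
    role = ACCOUNTS[username]["role"]
    if action not in PERMISSIONS[role]:
        return False
    if "own" in action and target != username:
        return False
    return True
```

A successful `authenticate` only yields an identity; every portal function still has to pass `authorize`, which is where a student is kept out of grade entry and out of another student's profile.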
Conclusion
The CIA triad is a fundamental information security model designed to protect data. Cybersecurity specialists must take these three concepts into account when designing data security policies. Specialists have to decide which part of the triad matters most in their situation and implement controls that meet organizational needs. As stated in the Fruhlinger article, there is no one policy that fits all information security requirements, and the three concepts can work against one another if balance is not found in the triad.