A Comprehensive Overview: Understanding the CIA Triad and the Differences Between Authentication and Authorization

Bryce Cooper

This document describes and reviews the three components that make up the CIA Triad, and the distinction between Authentication and Authorization.

Describing the CIA Triad
The CIA Triad is a guiding model in information security used to shape cybersecurity policies and practices within an organization. The model is also referred to as the AIC Triad to avoid confusion with the Central Intelligence Agency (Chai). When applied, it helps identify vulnerabilities and design solutions for them. When all three of the standards are met, the organization's security profile is stronger and better equipped to handle threat incidents, as discussed in "What is the CIA Triad and Why is it important?" The three components of the CIA triad are as follows:
1. Confidentiality – Ensuring that information is only accessible to those who are authorized to view it. This helps prevent unauthorized access to sensitive data; examples of such controls are encryption and access control mechanisms.
2. Integrity – Ensuring that data is unaltered, accurate, and complete during processing, transmission, and storage. Integrity means the data is trustworthy and has not been modified, whether deliberately or accidentally, by unauthorized users.
3. Availability – Ensuring that resources and information are accessible and usable whenever authorized users need them. This involves mitigating risks such as denial-of-service attacks and ensuring system uptime.

Confidentiality
Confidentiality is privacy: ensuring that the data being handled is kept secret or private. To maintain confidentiality, people without proper authorization must not be able to access the company's important assets by any means. Conversely, a system can be put in place so that people who hold the necessary privileges do get access. There are several ways confidentiality can be compromised: by direct attacks aiming to gain access to systems that unauthorized users should not see, or by a direct attempt to penetrate a database or application to alter or steal data. There are also several ways to defend against breaches: you can encrypt data, use multi-factor authentication (MFA), and enable access control policies.

Integrity
Integrity means making sure the data is trustworthy, accurate, and reliable. For example, if a company provides information on a website and the information is inaccurate, those who visit the website may feel that the company is not trustworthy, leading to reputational damage. There are situations where the information is correct but someone could hack the website and alter it, which would lead to the same outcome. To protect the integrity of the data, you can use encryption, digital signatures, and hashing.
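To make the hashing point concrete, here is an added example (not from the essay or any of its cited sources) that compares a plain SHA-256 checksum with a keyed HMAC tag. Both detect that a stored record was altered, but only the keyed tag resists an attacker who can rewrite the record and recompute a checksum to match, because forging the tag requires the key. The key, the record and the altered record are constructed values for the demonstration.

```python
import hashlib
import hmac

# Constructed demonstration key; in a real system it comes from a secrets store,
# never from source code.
KEY = b"constructed-demo-key-not-for-production"


def checksum(data: bytes) -> str:
    """Plain SHA-256 digest: detects accidental corruption only."""
    return hashlib.sha256(data).hexdigest()


def tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 tag: also detects deliberate modification, because
    producing a valid tag for altered data requires knowing the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_checksum(data: bytes, expected: str) -> bool:
    # compare_digest avoids leaking how many leading characters matched.
    return hmac.compare_digest(checksum(data), expected)


def verify_tag(key: bytes, data: bytes, expected: str) -> bool:
    return hmac.compare_digest(tag(key, data), expected)


def demo() -> dict:
    """Run the integrity checks on a constructed record and its altered copy.
    Every value in the returned dict is True when the checks behave as described."""
    original = b"Account balance: 1000.00"   # constructed record
    altered = b"Account balance: 9000.00"    # same record after tampering

    stored_checksum = checksum(original)     # what a naive system would keep
    stored_tag = tag(KEY, original)          # what an HMAC-protected system keeps

    return {
        # Both mechanisms notice that the bytes no longer match what was stored.
        "checksum_detects_alteration": not verify_checksum(altered, stored_checksum),
        "tag_detects_alteration": not verify_tag(KEY, altered, stored_tag),
        # An attacker who can rewrite the record can also recompute a plain
        # checksum, so a checksum stored beside the data proves nothing on its own.
        "checksum_forgeable_without_key": verify_checksum(altered, checksum(altered)),
        # The same attacker cannot produce a tag that verifies under the real key.
        "tag_not_forgeable_without_key": not verify_tag(
            KEY, altered, tag(b"attacker-guessed-key", altered)
        ),
    }


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {'ok' if passed else 'FAILED'}")
```

The practical lesson is that a bare hash published next to the data it protects only guards against accidental corruption; protecting against deliberate alteration needs a secret (HMAC) or a private signing key (digital signature), which is why the paragraph lists both.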

Availability
Information resources must be accessible when they are needed. This means that systems, networks, and applications must be functioning as they should, when they should, as discussed in "What is the CIA Triad and Why is it important?" Retrieving the data should not take a large amount of time. For example, if there is a large power outage and there is no recovery system in place to restore operations, availability will be compromised. Getting those systems back up could take an inordinate amount of time, which the company might not have. To ensure availability, the organization can use redundant servers, networks, and applications; when the primary system is broken or disrupted, these can be used as a backup. Keeping software packages and security systems updated also helps, since it reduces malfunctions and closes known weaknesses before they can be exploited.

When should you use the CIA Triad?
The CIA Triad should be used in the majority of security situations, since each component is critical. Moreover, it is specifically helpful when developing systems around data classification and managing permissions and access privileges, as discussed in "What is the CIA Triad and Why is it important?" It can be an immensely powerful tool for disrupting the Cyber Kill Chain, the process by which attackers target and execute cyberattacks. The security triad can be used to home in on what attackers may be after; one can then implement tools and policies to sufficiently protect those assets. The CIA triad can also be used to train employees regarding cybersecurity by using real-life case studies or hypothetical scenarios.

Authentication & Authorization
As stated in "Understanding Authentication, Authorization, and Encryption," authentication is used by a server when the server needs to know exactly who is accessing its information or site. An example is multi-factor authentication, a process that requires more than one factor to access information. The user or computer must prove its identity to the server or client. As also stated in "Understanding Authentication, Authorization, and Encryption," authorization is the process by which a server determines whether the client has permission to use a resource or access a file. For example, once a bank account holder has logged in, the user is authorized to view their own account balance and recent transactions. Authorization is usually coupled with authentication so that the server has some concept of who the client requesting access is.
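The bank example above, worked through as an added example (not code from the essay or from the cited TechWeb page): the server first verifies identity by checking a salted password hash (authentication), and only then consults a separate ownership table to decide whether that identity may read the requested account (authorization). The user store, salts, account ids and the `request_balance` flow are all constructed for the demonstration; a real service would load hashes from a database and express the authorization rule as a policy rather than a dict.

```python
import hashlib
import hmac
from typing import Optional


def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 so that stored credentials are not reversible."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store. The salt and hash would normally live in a database.
_SALT_ALICE = b"constructed-salt-alice"
USERS = {
    "alice": {
        "salt": _SALT_ALICE,
        "pw_hash": _hash_password("correct horse battery", _SALT_ALICE),
    },
}

# Constructed authorization data: which principal owns which account.
ACCOUNT_OWNERS = {"acct-001": "alice", "acct-002": "bob"}


def authenticate(username: str, password: str) -> Optional[str]:
    """Authentication: prove identity. Returns the verified username, or None."""
    record = USERS.get(username)
    if record is None:
        # Still do the expensive hash so response time does not reveal
        # whether the username exists.
        _hash_password(password, b"constructed-dummy-salt")
        return None
    candidate = _hash_password(password, record["salt"])
    if hmac.compare_digest(candidate, record["pw_hash"]):
        return username
    return None


def authorize(principal: Optional[str], account_id: str) -> bool:
    """Authorization: may this already-authenticated principal view this account?
    Identity alone is not enough; the account must belong to the principal."""
    if principal is None:
        return False
    return ACCOUNT_OWNERS.get(account_id) == principal


def request_balance(username: str, password: str, account_id: str) -> str:
    """The server-side flow: authenticate first, then authorize, then serve."""
    principal = authenticate(username, password)
    if principal is None:
        return "401 not authenticated"
    if not authorize(principal, account_id):
        return "403 not authorized"
    return f"200 balance for {account_id}"


if __name__ == "__main__":
    print(request_balance("alice", "correct horse battery", "acct-001"))  # own account
    print(request_balance("alice", "wrong password", "acct-001"))         # identity not proven
    print(request_balance("alice", "correct horse battery", "acct-002"))  # proven, but not hers
```

The third call is the one that shows why the two concepts are kept apart: Alice is fully authenticated, yet the request is refused because authorization is decided per resource, not per login.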

Conclusion
The information above explains the CIA Triad and what it means to the field of cybersecurity. The triad can be used to protect important information against attackers who are trying to seize specific assets. It is an instrument that is fundamental to information security and is valuable in understanding a security plan. It will set you on the path to finding answers, though not all the answers.



References
"Understanding Authentication, Authorization, and Encryption." TechWeb, Boston University, https://www.bu.edu/tech/about/security-resources/bestpractice/auth/. Accessed 30 Jan. 2025.

"What is the CIA Triad and Why is it important?" Fortinet, https://www.fortinet.com/resources/cyberglossary/cia-triad. Accessed 30 Jan. 2025.

"Confidentiality, Integrity, and Availability: The CIA Triad." Washington University in St. Louis, https://informationsecurity.wustl.edu/items/confidentiality-integrity-and-availability-the-ciatriad/. Accessed 30 Jan. 2025.

Chai, Wesley. "What is the CIA Triad? Definition, Explanation, Examples." TechTarget, 2022, https://drive.google.com/file/d/1898r4pGpKHN6bmKcwlxPdVZpCC6Moy8l/view. Accessed 30 Jan. 2025.
