The CIA Triad
The CIA Triad is a widely used and respected model for developing security policies. It helps identify problem areas, along with the solutions they require, in the field of information security. The three letters in "CIA" stand for confidentiality, integrity, and availability, the three tenets that must be satisfied in order to secure information successfully. The model is used whenever you need to structure your security efforts.
Confidentiality is when only authorized users can view information (encryption, passwords, two-factor authentication, biometric security, etc.). An example of this is a computer file that requires you to enter the correct password and an SMS code sent to your phone before it can be unlocked and opened.
Integrity is when only authorized users can change information (encryption, hashing, user access controls, checksums, version control, backups, etc.). An example of this is a database made up of columns and rows: in order to have accurate data in the system with no mistakes, each column should be distinct from the others and none of them may be null.
Availability is when information is accessible to authorized users whenever they request it (off-site backups, disaster recovery, redundancy, failover, high-availability clusters, etc.). An example of this is YouTube maintaining backup system upgrades, regular software patching, comprehensive disaster recovery plans, backups, and so on to ensure availability in the event of a disaster or a firewall attack.
The triad is a way of thinking, planning, and setting priorities. Three words make up the CIA triad. If we look more closely at the first word, "confidentiality", its everyday meaning is the state of keeping something private. In IT terms, confidentiality describes the aim of preventing or minimizing unauthorized access to protected data. Within the confidentiality concept of the triad there are two major components: authentication and authorization. Authentication means confirming your identity, while authorization means allowing access to the system. Authentication is the operation that proves that somebody is who they claim to be, while authorization refers to a set of rules that help determine who should be allowed to do what.
Authentication is where credentials such as a username and password are checked. Authentication comes in different forms, such as passwords, biometrics, and cryptographic keys. Biometrics are the physical or behavioral characteristics that can be used to identify a person digitally in order to grant access to software; examples are Face ID and Touch ID on an iPhone. Cryptographic keys are private and public keys that are mathematically linked through a key-generation process; every key is a number. During authentication, the data passes through ID tokens to maintain security. If an attacker learns my private key, they could access all of my information and possibly forge signatures in my name. Authorization, on the other hand, is the set of rules that determines what an authenticated person is allowed to do. Authorization validates the privileges and permissions granted to the user for accessing the system, and it must follow authentication in a security system when access is being granted. An example of this is if I were the person authorized to create and delete databases, while Professor Kirk is assigned read access only. Another example would be Professor Kirk wanting to withdraw $50,000 from the bank: the bank teller would have to get approval from their higher-up, and after consent is granted, Professor Kirk would then have to sign his signature and show forms of identity.
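As an added illustration (not code from the essay itself), the following Python sketch enforces the order the text describes: a password check proves identity first, and only then is the user's requested action checked against their permitted actions. The user store, passwords and permission sets are constructed to mirror the database example above and are hypothetical.

```python
import hashlib
import hmac
import os

# Constructed user store: each user has a salted PBKDF2 password hash plus the
# set of actions they are authorized to perform (hypothetical accounts).
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def make_user(password: str, permissions: set) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "permissions": permissions}

USERS = {
    "student": make_user("correct horse battery", {"read_db", "create_db", "delete_db"}),
    "prof_kirk": make_user("tribble-lover-42", {"read_db"}),
}

def authenticate(users: dict, username: str, password: str) -> bool:
    """Step 1: prove the caller is who they claim to be (password check).
    Unknown usernames are still hashed against a dummy salt so the response
    time does not reveal whether an account exists."""
    record = users.get(username)
    salt = record["salt"] if record else b"\x00" * 16
    candidate = _hash_password(password, salt)
    if record is None:
        return False
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, record["hash"])

def authorize(users: dict, username: str, action: str) -> bool:
    """Step 2: apply the rules for what an already-authenticated user may do."""
    return action in users[username]["permissions"]

def request_action(users: dict, username: str, password: str, action: str) -> str:
    """Authorization runs only after authentication succeeds, as the essay requires."""
    if not authenticate(users, username, password):
        return "denied: authentication failed"
    if not authorize(users, username, action):
        return "denied: not authorized for " + action
    return "allowed: " + action

if __name__ == "__main__":
    print(request_action(USERS, "prof_kirk", "tribble-lover-42", "read_db"))
    print(request_action(USERS, "prof_kirk", "tribble-lover-42", "delete_db"))
    print(request_action(USERS, "student", "wrong password", "delete_db"))
```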