CIA Triad (Confidentiality, Integrity, Availability)

What is CIA?
A model used for designing and evaluating security controls. Think of it as the foundation on
which everything else is built. The Chai article describes the triad as a model that guides
organizational InfoSec policies.
Confidentiality
This prevents the unauthorized disclosure of data. Examples include role-based permissions,
file or folder permissions, encryption, and the principle of least privilege.
Integrity
This prevents unauthorized alteration: it ensures the data that was received is the data that
was sent. My favorites are cryptographic hashes, but other controls exist, like digital
signatures and input validation.
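Here is an added example (my own code, not from the Chai or NIST sources) of the hash-based integrity check described above. It records a SHA-256 digest of a constructed sample message, then shows that a tampered copy fails the check. It also shows an HMAC tag, which additionally binds the data to a shared secret (a constructed key, assumed to have been exchanged out of band), so that the tag can travel alongside the data without an attacker being able to recompute it.

```python
import hashlib
import hmac

# Constructed sample message: stands in for a file or a network payload.
ORIGINAL = b"transfer 100.00 to account 12345"
# Constructed shared secret (assumption: agreed between sender and receiver out of band).
SHARED_KEY = b"example-shared-key-not-for-production"


def digest(data: bytes) -> str:
    """Plain SHA-256 fingerprint of the data, as a hex string."""
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, expected_hex: str) -> bool:
    """Check data against a previously recorded SHA-256 digest.

    Detects corruption or tampering as long as the recorded digest itself came
    over a trusted channel (e.g. published separately by the sender).
    compare_digest avoids leaking information through comparison timing.
    """
    return hmac.compare_digest(digest(data), expected_hex)


def tag(data: bytes, key: bytes) -> str:
    """HMAC-SHA256 authentication tag: binds the data to the shared key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(data: bytes, key: bytes, expected_hex: str) -> bool:
    """Check an HMAC tag. Altering the data without the key cannot yield a valid tag."""
    return hmac.compare_digest(tag(data, key), expected_hex)


def demo() -> dict:
    """Run the checks on the original and on a tampered copy; return each result."""
    recorded_digest = digest(ORIGINAL)
    recorded_tag = tag(ORIGINAL, SHARED_KEY)
    # Constructed tampered copy: one digit of the amount changed in transit.
    tampered = ORIGINAL.replace(b"100.00", b"900.00")
    return {
        "original_digest_ok": verify_digest(ORIGINAL, recorded_digest),
        "tampered_digest_ok": verify_digest(tampered, recorded_digest),
        "original_tag_ok": verify_tag(ORIGINAL, SHARED_KEY, recorded_tag),
        "tampered_tag_ok": verify_tag(tampered, SHARED_KEY, recorded_tag),
        # Re-tagging the altered message with a guessed key does not help either.
        "tampered_retagged_ok": verify_tag(tampered, SHARED_KEY, tag(tampered, b"wrong-key")),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The plain digest is enough when the digest is stored or published somewhere the attacker cannot also change; when hash and data travel together, the keyed HMAC is the right tool.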
Availability
This ensures that authorized users have access to data or systems when needed. An example is
DDoS mitigation, so that customers don't suffer from preventable outages. NIST defines
availability as being accessible upon demand by an authorized entity.
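As an added example of a simple availability control (my own code, not from the sources above), this is a per-client token-bucket rate limiter, one of the basic building blocks behind request throttling. It is replayed over a constructed traffic sample in which one client floods the service while another sends at a normal rate; the flooding client is refused once its bucket empties, and the well-behaved client is never affected. The clock is passed in explicitly so the replay is deterministic.

```python
from collections import defaultdict


class RateLimiter:
    """Token-bucket limiter keyed by client (for example, a source IP).

    Each client starts with `capacity` tokens; a request costs one token;
    tokens refill continuously at `refill_per_sec`. A client that sends faster
    than the refill rate is refused once its bucket is empty, while other
    clients keep their own buckets and are not affected.
    """

    def __init__(self, capacity: int, refill_per_sec: float) -> None:
        self.capacity = float(capacity)
        self.refill_per_sec = refill_per_sec
        self._tokens = defaultdict(lambda: self.capacity)  # client -> tokens left
        self._last = {}                                    # client -> last seen time

    def allow(self, client: str, now: float) -> bool:
        """Return True and spend a token if the client may proceed, else False."""
        elapsed = now - self._last.get(client, now)
        tokens = min(self.capacity, self._tokens[client] + elapsed * self.refill_per_sec)
        self._last[client] = now
        if tokens >= 1.0:
            self._tokens[client] = tokens - 1.0
            return True
        self._tokens[client] = tokens
        return False


# Constructed traffic sample: (timestamp in seconds, client IP).
# 10.0.0.9 fires 20 requests within one second; 10.0.0.5 sends one per second.
TRAFFIC = [(i * 0.05, "10.0.0.9") for i in range(20)] + \
          [(float(i), "10.0.0.5") for i in range(5)]


def replay(traffic, capacity: int = 5, refill_per_sec: float = 1.0) -> dict:
    """Feed the sample through the limiter; return allowed/refused counts per client."""
    limiter = RateLimiter(capacity, refill_per_sec)
    stats = defaultdict(lambda: {"allowed": 0, "refused": 0})
    for now, client in sorted(traffic):
        outcome = "allowed" if limiter.allow(client, now) else "refused"
        stats[client][outcome] += 1
    return dict(stats)


if __name__ == "__main__":
    for client, counts in replay(TRAFFIC).items():
        print(client, counts)
```

With a capacity of 5 and a refill of one token per second, the flooding client gets its first five requests through and the remaining fifteen are refused, while the one-per-second client never runs dry.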
Authentication vs. Authorization
I'm going to break this down in a very simple way because in the beginning it took me a
while to grasp. Authentication answers "who are you?" and authorization answers "what are you
allowed to do?" Authentication can be managed with biometrics, smartcards, tokens or even
passwords, while authorization is your basic read, write, execute level of access.
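To make the distinction concrete, here is an added example (my own code, not from the sources above) that keeps the two questions in separate functions. `authenticate` answers "who are you?" by checking a password against a salted PBKDF2 hash in a constructed user store; `authorize` answers "what are you allowed to do?" by looking up read / write / execute permissions in a constructed access-control list. The usernames, passwords and paths are all made up for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; assumption for the example


def _make_record(password: str) -> dict:
    """Store a random salt and a PBKDF2-HMAC-SHA256 hash, never the password itself."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)}


# Constructed user store (credentials invented for the example).
USERS = {
    "alice": _make_record("correct horse battery staple"),
    "bob": _make_record("hunter2"),
}

# Constructed access-control list: resource -> user -> allowed actions.
ACL = {
    "/reports/q3.pdf": {"alice": {"read", "write"}, "bob": {"read"}},
    "/bin/deploy": {"alice": {"read", "execute"}},
}


def authenticate(username: str, password: str) -> bool:
    """Who are you? True only if the password matches the stored hash."""
    record = USERS.get(username)
    if record is None:
        # Do the same work for an unknown user so the response time does not
        # reveal which usernames exist.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])


def authorize(username: str, resource: str, action: str) -> bool:
    """What are you allowed to do? Look up the ACL; anything not listed is denied."""
    return action in ACL.get(resource, {}).get(username, set())


def access(username: str, password: str, resource: str, action: str) -> str:
    """A full request: identity is established first, then the permission is checked."""
    if not authenticate(username, password):
        return "denied: authentication failed"
    if not authorize(username, resource, action):
        return "denied: not authorized"
    return "granted"


if __name__ == "__main__":
    print(access("alice", "correct horse battery staple", "/reports/q3.pdf", "write"))
    print(access("bob", "hunter2", "/reports/q3.pdf", "write"))
    print(access("bob", "wrong password", "/reports/q3.pdf", "read"))
```

Bob authenticates successfully but is still refused write access, which is the whole point: proving who you are says nothing about what you may do, and the default for anything not explicitly granted is deny.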

Sources

  • Chai, Wesley. "What is the CIA triad (confidentiality, integrity and availability)?"
    (TechTarget). Defines CIA and its use in org policy; also notes the AIC alias.
  • NIST (CSRC & SP 800 series). Formal definitions of confidentiality, integrity, and
    availability; digital identity and authentication guidelines (SP 800-63).
