In cybersecurity, CIA stands for Confidentiality, Integrity and Availability. In Wesley Chai's article it is described as a model for an organization's security policies: everything the organization does should satisfy these three criteria, or at least come close to them. It is an important but minimal framework for shaping security policy. Chai's article also notes that the triad does not always meet the standards organizations need and is in need of improvement. Still, the three principles remain an important part of meeting security standards.
Confidentiality means keeping data and other information as private as possible. Access to sensitive information such as classified data has to be restricted to a specific party of authorized users, and exposure to anyone else counts as a breach whether it is intentional or accidental (Fortinet 2024). To make sure information does not slip through to an attacker, security measures should be put in place and kept up to date. A direct attack on confidentiality is the man-in-the-middle (MITM) attack, in which an attacker intercepts data while it is in transit (Fortinet 2024). A simpler example is telling someone the credentials for an account while a third person listens in; that person can then use the credentials to gain unapproved access to the account or the sensitive data behind it. Knowing how to keep information private is, however, only the first step of the triad.
Integrity means keeping data accurate and unaltered, so that it can still be trusted even if confidentiality has been breached. Threats to integrity are not limited to attackers: Washington University in St. Louis notes that system malfunctions can interfere with infrastructure and alter its components, as can simple human error. One way to maintain integrity is to keep a backup, such as cloud storage, from which an untampered copy can be restored when needed; the WUSTL Box folder does this automatically for data shared with authorized users (Washington University in St. Louis 2024). Encrypting data in transit with a private or public key turns it into ciphertext, so that even after a direct attack the attacker still needs the key to read what was intercepted, and only an authorized holder of the key can decrypt it. Strictly speaking, that protects confidentiality rather than integrity: encryption alone does not stop an attacker from altering the ciphertext, so integrity in transit is checked separately with a hash, a message authentication code or a digital signature over the data. This leads into the last third of the triad, availability.
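As an added example (not from Fortinet, WUSTL or any other source cited in this essay), the following Python script shows the difference between confidentiality and integrity discussed above. A toy stream cipher hides the message from an eavesdropper, but an attacker who knows the message layout can flip ciphertext bytes and change the amount without ever seeing the key; an HMAC tag computed over the ciphertext catches the change. The cipher construction, keys, nonce, message and the attacker's knowledge of the layout are all constructed for the illustration and are not from the original text.

```python
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || nonce || counter) blocks.

    Illustration only (assumed construction); use a vetted AEAD in real code.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stream-cipher style encryption: plaintext XOR keystream."""
    ks = keystream(key, nonce, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


# XOR is its own inverse, so decryption is the same operation.
xor_decrypt = xor_encrypt


def tamper_without_key(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker's bit-flip: make the plaintext at `offset` read `new` instead of `old`.

    Requires only knowledge of the message layout (assumed here), not the key:
    (m XOR ks) XOR (old XOR new) decrypts to m XOR old XOR new == new at those bytes.
    """
    ct = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        ct[offset + i] ^= o ^ n
    return bytes(ct)


def mac(mac_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Integrity tag over nonce and ciphertext (encrypt-then-MAC)."""
    return hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()


def verify_and_decrypt(enc_key: bytes, mac_key: bytes, nonce: bytes,
                       ciphertext: bytes, tag: bytes):
    """Return the plaintext only if the tag matches; None if the data was altered."""
    expected = mac(mac_key, nonce, ciphertext)
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    return xor_decrypt(enc_key, nonce, ciphertext)


def demo() -> dict:
    # Constructed sample keys, nonce and message for the illustration.
    enc_key = b"\x01" * 32
    mac_key = b"\x02" * 32
    nonce = b"\x00" * 8
    msg = b"TRANSFER 0100 TO ACCOUNT 42"

    ct = xor_encrypt(enc_key, nonce, msg)
    tag = mac(mac_key, nonce, ct)

    # Attacker on the wire sees ct but not the keys. Knowing the layout
    # (assumed), they change "0100" to "9100" by flipping ciphertext bytes.
    offset = msg.index(b"0100")
    forged_ct = tamper_without_key(ct, offset, b"0100", b"9100")

    return {
        # Confidentiality: the ciphertext does not reveal the message.
        "ciphertext_hides_message": b"TRANSFER" not in ct and ct != msg,
        # No integrity check: a receiver that only decrypts accepts the forged amount.
        "forged_plaintext": xor_decrypt(enc_key, nonce, forged_ct),
        # With the MAC: the forged ciphertext is rejected.
        "forged_accepted": verify_and_decrypt(enc_key, mac_key, nonce, forged_ct, tag),
        # The untouched message still verifies and decrypts.
        "genuine_plaintext": verify_and_decrypt(enc_key, mac_key, nonce, ct, tag),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The point of the example is the order of the checks: the receiver verifies the tag before decrypting, and the attacker never needed to break the encryption to change the meaning of the message. Only the separate integrity check stops the forged transfer.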
Wesley Chai's article describes availability as making sure the necessary information is available whenever authorized parties need it. This ties in with the cloud storage and WUSTL Box example above: all infrastructure needs to be secured against unauthorized parties, but events can also prevent authorized users from reaching their resources. A report by Luke Irwin on IT Governance gives examples of events that hinder availability. A power outage shuts down the systems holding the information, and operations stop until power is restored. If an attacker encrypts data with ransomware, the information is once again unavailable to those who need it.
Because the CIA triad depends heavily on authorization and authentication, it is important to know the difference between the two so the steps are not mixed up when sharing sensitive information. Before anyone is allowed to act on a system, the system needs to know who that person is; this is authentication, and it is why it happens first, before any further action is taken. SailPoint Technologies gives the example of boarding a plane: a passenger must first be identified as who they say they are. Once the passenger has been identified, the next step is to check what they are entitled to, such as their destination or a first-class seat. From this example, authentication is about the person's identity, whereas authorization is about what the person is allowed to access.
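The boarding analogy above, written out as an added Python example (not from SailPoint or any of the cited sources): authenticate() first checks who the caller is against a constructed store of salted password hashes, and authorize() only then checks what that identity's role may do. Usernames, passwords, roles and the permission table are made up for the illustration, and the PBKDF2 password hashing is an assumed implementation choice, not something the essay's sources specify.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Principal:
    """An authenticated identity and the role it carries."""
    username: str
    role: str


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256 (assumed choice); never store plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user_record(password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "role": role}


# Constructed user store for the illustration.
USERS = {
    "alice": make_user_record("correct horse battery", "crew"),
    "bob": make_user_record("hunter2", "passenger"),
}

# Constructed permission table: what each role is allowed to do.
PERMISSIONS = {
    "passenger": {"board", "view_own_booking"},
    "crew": {"board", "view_own_booking", "open_cockpit_door"},
}

_DUMMY_SALT = b"\x00" * 16


def authenticate(username: str, password: str) -> Optional[Principal]:
    """Authentication: is the caller who they claim to be? Returns None on failure."""
    record = USERS.get(username)
    if record is None:
        # Do the same amount of work for unknown users so response time
        # does not reveal which usernames exist.
        _hash_password(password, _DUMMY_SALT)
        return None
    candidate = _hash_password(password, record["salt"])
    if not hmac.compare_digest(candidate, record["hash"]):  # constant-time compare
        return None
    return Principal(username, record["role"])


def authorize(principal: Optional[Principal], action: str) -> bool:
    """Authorization: is this (already authenticated) identity allowed to do `action`?"""
    if principal is None:
        return False  # an unauthenticated caller is never authorized
    return action in PERMISSIONS.get(principal.role, set())


def request(username: str, password: str, action: str) -> str:
    """Gate an action: authenticate first, authorize second, never the other way round."""
    who = authenticate(username, password)
    if who is None:
        return "denied: authentication failed"
    if not authorize(who, action):
        return f"denied: {who.username} ({who.role}) not authorized for {action}"
    return f"allowed: {who.username} may {action}"


if __name__ == "__main__":
    print(request("alice", "correct horse battery", "open_cockpit_door"))
    print(request("bob", "hunter2", "board"))
    print(request("bob", "hunter2", "open_cockpit_door"))
    print(request("bob", "wrong password", "board"))
    print(request("nobody", "anything", "board"))
```

The two failure messages are deliberately different: a wrong password fails at authentication, so the system never consults the permission table, while a valid passenger asking to open the cockpit door is correctly identified but refused at authorization. Mixing the two steps up, for example granting permissions based on a claimed but unverified username, is exactly the confusion the paragraph warns about.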