According to Chai (2022), “Confidentiality, integrity and availability, also known as the CIA triad, is a model designed to guide policies for information security within an organization. In this context, confidentiality is a set of rules that limits access to information, integrity is the assurance that the information is trustworthy and accurate, and availability is a guarantee of reliable access to the information by authorized people” (p. 1). The CIA triad is the foundation for what constitutes good cybersecurity. Preserving confidentiality, integrity and availability is what it means for data and information to be secure; a system that fails on any one of the three is not secure, however well it does on the other two. “If our security system loses either confidentiality, integrity or availability, that becomes a vulnerability and an attacker can exploit it” (Dion, n.d.).
Further elaborating on Chai’s definition, confidentiality means making sure that information is not disclosed to unauthorized people. Say, for example, that I had a daily diary. Some of my best-kept secrets that I don’t want people to see are in that book. The way I would protect that book would be to buy a journal with a lock on it. Then, if I left the journal under my bed, I would know that even if my wife came into the room and found the book, she would not be able to open it without the key. In cybersecurity the same idea applies at two levels. Physically, server rooms can be locked so that people cannot poke around the hardware. Logically, the data itself can be locked with encryption, where the encryption key plays the role of the key to the journal: anyone who obtains the ciphertext without the key learns nothing useful from it, and anyone who obtains the key can read everything, so protecting the key is what actually protects the data. According to Chai (2022), “Data encryption is another common method of ensuring confidentiality. User IDs and passwords constitute a standard procedure; two-factor authentication (2FA) is becoming the norm” (p. 3).
Dion offers another explanation of integrity: “Information has not been modified or altered without proper authorization” (Dion, n.d.). What this means to me is that only people who are allowed to edit data should be able to. For example, as an Old Dominion University student I am allowed to log onto Canvas, participate in the class and submit assignments. I can see the grades I have received, but I should not be able to go in and alter or change those grades. If I could, that would be a breach of integrity. Note that integrity is about unauthorized change rather than unauthorized access: a user who is permitted to read a record (so there is no confidentiality problem) still violates integrity if they can rewrite it.
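The grade example above can be made concrete. The following Python sketch is an added example, not code from the essay or from the sources it cites: a hypothetical grade-book service seals each record with an HMAC-SHA256 tag computed under a key that only the service holds, so a student who can read the record, and even rewrite the stored copy, cannot produce a valid tag for the changed grade. The key, the student name and the course name are constructed for illustration.

```python
import hashlib
import hmac
import json

# Added example, not part of the original essay. The grade book and the key are
# constructed for illustration; a real service would load a random key from a
# secrets store, never a literal in the source.
GRADEBOOK_KEY = b"hypothetical-gradebook-signing-key"


def _canonical(record: dict) -> bytes:
    """Serialize the record the same way every time, so the tag is reproducible."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes = GRADEBOOK_KEY) -> dict:
    """Attach an HMAC-SHA256 tag, computed by the grade-book service with its key."""
    tag = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(sealed: dict, key: bytes = GRADEBOOK_KEY) -> bool:
    """True only if the record still matches its tag; compared in constant time."""
    expected = hmac.new(key, _canonical(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


def change_grade(sealed: dict, course: str, new_grade: str) -> dict:
    """Simulate a student editing a grade they are only allowed to read.
    The tag is copied unchanged because the student does not hold the key."""
    forged = json.loads(json.dumps(sealed))  # deep copy of the stored record
    forged["record"]["grades"][course] = new_grade
    return forged


# Constructed sample record sealed by the service.
SAMPLE = seal({"student": "jdoe", "grades": {"intro-cybersecurity": "B"}})

if __name__ == "__main__":
    forged = change_grade(SAMPLE, "intro-cybersecurity", "A")
    print("original verifies:", verify(SAMPLE))  # True
    print("forged verifies:  ", verify(forged))  # False
```

The tag detects an unauthorized change; it does not prevent the write, and it does not hide the record, so it complements rather than replaces the access control that should have stopped the student from writing in the first place.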
The third and final pillar is availability. According to Chai (2022), “Availability means information should be consistently and readily accessible for authorized parties” (p. 2). Going back to my ODU Canvas example: what if I go to canvas.odu.edu and the page says it is not available or cannot be found? Then we have lost availability. I cannot access the data, and what good is it for the information to be confidential and unaltered if I cannot even reach it? This is why an outage or a denial-of-service condition counts as a security failure even when no data is stolen or changed.
According to Wickramasinghe (2023), “Authentication and authorization are two key processes that ensure only trustworthy and verified users can gain access to authorized system resources and data”. “Authentication is when a person’s identity is established with proof and confirmed by a system. Authorization occurs when a user is given access to a certain piece of data or certain areas of a building” (Dion, n.d.). The two terms sound similar but mean very different things. Granting authorization usually happens ahead of time: someone with the right to do so gives you access to the material or data. Then, each time you try to use that access, the system first authenticates you, confirming that you are who you say you are, and only then checks whether that authenticated identity is authorized for the specific action you are requesting. Authentication can rest on something you know (a password), something you have (a token or card), something you are (a fingerprint), somewhere you are (a location) or something you do (a characteristic action). For example, when I was previously in the military, to get onto a base past the military police I had to have been granted access to enter, which is authorization. Then, when I drove up to the gate guards, I would have to authenticate who I was, which would be with the CAC card that had been issued to me or a set of orders, depending on the base.
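To show that the two checks are separate and can fail independently, here is an added Python example (not code from the essay or its sources) of a hypothetical grade-book service. Authorization is provisioned in advance in a permissions table; at access time the service authenticates the caller against a salted password hash and only then consults that table. The usernames, passwords and permissions are constructed for illustration.

```python
import hashlib
import hmac
import os

# Added example, not part of the original essay. Users, passwords and
# permissions are constructed for illustration.


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the clear-text password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _new_account(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}


USERS = {
    "jdoe": _new_account("correct horse battery staple"),
    "prof": _new_account("grading-season-2023"),
}
# A dummy account so that unknown usernames cost the same time as wrong
# passwords, which avoids leaking which usernames exist.
_DUMMY = _new_account(os.urandom(8).hex())

# Authorization is granted ahead of time by an administrator: which identity
# may perform which action on which resource.
PERMISSIONS = {
    ("jdoe", "grades"): {"read"},
    ("prof", "grades"): {"read", "write"},
}


def authenticate(username: str, password: str) -> bool:
    """Authentication: prove the caller holds this account's secret."""
    account = USERS.get(username, _DUMMY)
    candidate = _hash_password(password, account["salt"])
    matches = hmac.compare_digest(candidate, account["hash"])
    return matches and username in USERS


def authorize(username: str, resource: str, action: str) -> bool:
    """Authorization: was this identity granted this action on this resource?"""
    return action in PERMISSIONS.get((username, resource), set())


def access(username: str, password: str, resource: str, action: str) -> str:
    """Access-time order: authenticate first, then check authorization."""
    if not authenticate(username, password):
        return "denied: authentication failed"
    if not authorize(username, resource, action):
        return "denied: not authorized"
    return "granted"


if __name__ == "__main__":
    attempts = [
        ("jdoe", "correct horse battery staple", "read"),   # granted
        ("jdoe", "correct horse battery staple", "write"),  # denied: not authorized
        ("prof", "grading-season-2023", "write"),           # granted
        ("jdoe", "guess", "read"),                          # denied: authentication failed
    ]
    for who, pw, act in attempts:
        print(f"{who} {act} grades -> {access(who, pw, 'grades', act)}")
```

The student's permission to read grades exists in the table before any login, which is the sense in which authorization "comes first"; but the service never consults that permission until the password check has succeeded, and a correct password still earns a denial for an action that was never granted.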
I personally think that every cybersecurity analyst should be very aware of the CIA triad. Our main goal is to protect and maintain data and information, and the CIA triad specifically lists out what is most important to prioritize. It is like sitting on a three-legged chair: if one leg breaks, we fall with it.
References
Dion, J. (n.d.). Overview of security. Udemy. Retrieved September 13, 2023, from https://www.udemy.com/course/securityplus/learn/lecture/12823205?start=270#overview
Chai, W. (2023, February 10). What is the CIA triad? Definition, explanation, examples. TechTarget WhatIs.com. https://www.techtarget.com/whatis/definition/Confidentiality-integrity-and-availability-CIA
Wickramasinghe, S. (2023, June 9). Authentication vs. authorization. Splunk. https://www.splunk.com/en_us/blog/learn/authentication-vs-authorization.html