CIA & AAA

All parts of the IT field are full of acronyms, and cybersecurity is no exception. Two of the most important are CIA and AAA, standing for “confidentiality, integrity, and availability” and “authentication, authorization, and accounting”. They address different parts of the IT process: CIA is concerned with the entire lifecycle, from software and hardware procurement to disposal, while AAA concentrates on controlling and recording the use of a single information system.
CIA
CIA addresses all parts of the IT process from the beginning to the end. To begin with, confidentiality is “a set of rules that limits access to information” (Chai 1). It’s what we most commonly think of as security: keeping secrets from an adversary. Confidentiality has implications for the procurement of hardware and software, because a supplier is in a position to compromise it before the product ever reaches you. Considering that many electronics are currently made in China, there is a greater possibility of backdoors being inserted into firmware, and a buyer cannot rule that out by inspection alone. Huge numbers of security cameras are made in China, introducing the possibility of backdoors and spying. Similarly, the Kaspersky antivirus software is made by a company in Russia, and antivirus runs with full privileges and sends samples back to its vendor, so the vendor’s trustworthiness is part of the product. With the United States’ current tensions with Russia, using software made there is an unacceptable risk; the U.S. government reached the same conclusion when it ordered Kaspersky products removed from federal systems in 2017 (DHS Binding Operational Directive 17-01).
Integrity means “maintaining the consistency, accuracy and trustworthiness of data over its entire lifecycle” (Chai 1). Unintentional changes can come from hardware errors or human errors; intentional changes are caused by attacks. An example of an intentional unauthorized change is the alteration or deletion of log entries to cover up malicious activity. Controls that maintain integrity include access controls to prevent unauthorized changes, cryptographic hashes or signatures to detect changes that do happen, and backups to restore correct data afterwards.
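The log-tampering case above is a good one to work through, because it shows why detection matters as much as prevention: an attacker who has already obtained write access can edit the log, so the log itself must make that visible. The following is an added example, not code from the page or from any real logging product. It keys every entry’s HMAC to the previous entry’s tag, so altering or removing an earlier entry invalidates everything after it; the sample events, the key, and the record layout are all constructed for the demo.

```python
"""Tamper-evident audit log: an HMAC chain over constructed sample entries.

Each entry's tag is an HMAC over the entry plus the previous tag, so altering or
removing an earlier entry breaks every tag after it. Demo code, not from the page.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # tag "before" the first entry

# Constructed sample events; not taken from any real system.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:00:00Z", "user": "alice", "action": "login", "result": "ok"},
    {"ts": "2024-03-01T09:05:12Z", "user": "alice", "action": "read", "object": "payroll.xlsx"},
    {"ts": "2024-03-01T09:06:40Z", "user": "alice", "action": "export", "object": "payroll.xlsx"},
]


def _tag(key: bytes, prev_tag: str, event: dict) -> str:
    # Canonical JSON so the same event always serialises identically.
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag.encode() + b"\n" + body, hashlib.sha256).hexdigest()


def build_chain(key: bytes, events: list) -> list:
    """Return [(event, tag), ...] with each tag chained to the previous one."""
    chain, prev = [], GENESIS
    for event in events:
        prev = _tag(key, prev, event)
        chain.append((event, prev))
    return chain


def verify_chain(key: bytes, chain: list, known_head: str = None) -> str:
    """Return "ok", or a message naming the first entry that fails.

    known_head is the last tag as recorded somewhere the attacker cannot reach
    (for example, forwarded to a log collector). Without it, deleting entries
    from the end of the log is undetectable.
    """
    prev = GENESIS
    for i, (event, tag) in enumerate(chain):
        if not hmac.compare_digest(_tag(key, prev, event), tag):
            return f"entry {i} altered or an earlier entry removed"
        prev = tag
    if known_head is not None and not hmac.compare_digest(prev, known_head):
        return "log truncated: head tag does not match the recorded head"
    return "ok"


if __name__ == "__main__":
    key = b"demo-key-kept-off-the-logging-host"
    chain = build_chain(key, SAMPLE_EVENTS)
    head = chain[-1][1]
    print(verify_chain(key, chain, head))        # ok
    # Attacker rewrites the export as a harmless read to cover their tracks.
    cover_up = [(dict(ev), tag) for ev, tag in chain]
    cover_up[2][0]["action"] = "read"
    print(verify_chain(key, cover_up, head))     # entry 2 altered or an earlier entry removed
    print(verify_chain(key, chain[:-1]))         # ok: truncation is invisible without the head
    print(verify_chain(key, chain[:-1], head))   # log truncated: head tag does not match ...
```

Two design points matter here. The key must not live on the host being audited, otherwise the attacker simply recomputes the tags; and the chain alone cannot detect truncation from the end, which is why the latest tag has to be shipped to a collector the attacker cannot reach.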
Availability means “information should be consistently and readily available for authorized parties” (Chai 2). It, too, can be affected by intentional and unintentional actions. An example of something that unintentionally makes data unavailable is a hardware failure. Redundant RAID levels (RAID 1, 5, 6 and 10, but not RAID 0, which only stripes), backups, and server clusters all help to guard against unavailability due to hardware failures. Intentional unavailability is caused by things like Denial of Service (DoS) attacks. Modern DoS attacks are mostly distributed (DDoS): many thousands of compromised devices organized into botnets all try to reach one system at the same time. They are frequently guarded against by routing traffic through services that have enough bandwidth and capacity to absorb the traffic coming from all those machines, and by limiting how much any one source can consume.
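Over-provisioned bandwidth handles the volume, but a practitioner also needs a per-source control so that a flood from one address cannot starve everyone else. The block below is an added example, not something from the page: a token-bucket rate limiter replayed over a constructed request trace in which one client behaves politely and one bot sends bursts of 100 requests per second. The addresses are from the RFC 5737 documentation ranges and the rate and burst parameters are arbitrary choices for the demo.

```python
"""Per-source token-bucket rate limiting replayed over a constructed request trace.

Added example; the trace and addresses are made up (RFC 5737 documentation ranges).
"""
from collections import defaultdict


class TokenBucket:
    """Allow bursts of up to `burst` requests, then sustain `rate` requests per second."""

    def __init__(self, rate: float, burst: int, now: float):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = now

    def allow(self, now: float) -> bool:
        # Refill for the time elapsed since the last request, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def replay(requests, rate: float = 5.0, burst: int = 10) -> dict:
    """requests: iterable of (timestamp, source_ip). Returns {ip: (allowed, dropped)}."""
    buckets = {}
    stats = defaultdict(lambda: [0, 0])
    for ts, ip in sorted(requests):
        bucket = buckets.get(ip)
        if bucket is None:
            bucket = buckets[ip] = TokenBucket(rate, burst, ts)
        stats[ip][0 if bucket.allow(ts) else 1] += 1
    return {ip: tuple(counts) for ip, counts in stats.items()}


def sample_trace() -> list:
    """Constructed trace: one polite client (1 req/s for a minute) and one bot
    sending 100 requests at once, every second, for ten seconds."""
    legit = [(second + 0.5, "203.0.113.5") for second in range(60)]
    bot = [(float(second), "198.51.100.77") for second in range(10) for _ in range(100)]
    return legit + bot


if __name__ == "__main__":
    for ip, (allowed, dropped) in replay(sample_trace()).items():
        print(f"{ip:15} allowed={allowed:4} dropped={dropped:4}")
```

With a sustained rate of 5 per second and a burst of 10, the polite client is never throttled while the bot gets its first 10 requests through and then only 5 per second after that. The limit of this approach is exactly the botnet problem in the text: a thousand bots each sending one request per second stay under any per-source threshold, which is why edge scrubbing services and raw capacity are still needed.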
AAA
AAA has a more limited scope, addressing the issue of restricting access to those who should have it and recording what they do with it. The first “A” stands for authentication, meaning “a user providing information about who they are” (What). The current standard is multi-factor authentication (MFA), which requires at least two of the three standard factors: something you know, something you have, and something you are. An example of something you know is a password; an example of something you have is a phone that can receive texts sent to your number or run an authenticator app; an example of something you are is a fingerprint. Texted codes are the weakest form of the second factor, since an attacker who takes over your phone number (SIM swapping) receives them too; an authenticator app or a hardware security key is stronger. Adding factors makes it more difficult, though not impossible, for an attacker to impersonate you: a phishing page can relay a one-time code just as easily as a password, which is why phishing-resistant factors such as FIDO2 security keys exist.
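To make the two factors concrete, here is an added example (not code from the page or from any authenticator product) of a server-side login check that combines a salted password hash with a time-based one-time code of the kind an authenticator app produces. The HOTP/TOTP arithmetic follows RFC 4226 and RFC 6238 and can be checked against those RFCs’ published test vectors; the user-record layout, the PBKDF2 parameters and the sample password are assumptions for the demo.

```python
"""Two-factor login check: a password (something you know) plus a TOTP code from an
authenticator app (something you have). Added example; the HOTP/TOTP arithmetic
follows RFC 4226 / RFC 6238, and the user record layout is an assumption."""
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ROUNDS = 600_000  # OWASP's 2023 guidance for PBKDF2-HMAC-SHA256
TOTP_STEP = 30           # seconds per code


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, now: float, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step). The phone app runs this."""
    return hotp(key, int(now // TOTP_STEP), digits)


def enroll(password: str, totp_key: bytes = None) -> dict:
    """Create the stored record: salted password hash plus the shared TOTP secret."""
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "totp_key": totp_key or secrets.token_bytes(20), "last_counter": -1}


def verify_login(user: dict, password: str, code: str,
                 now: float = None, window: int = 1) -> bool:
    """True only if both factors check out. Both are always evaluated, and only one
    bit is returned, so a failed login does not reveal which factor was wrong."""
    now = time.time() if now is None else now
    password_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])

    base = int(now // TOTP_STEP)
    matched = None
    for counter in range(base - window, base + window + 1):  # tolerate small clock drift
        if hmac.compare_digest(hotp(user["totp_key"], counter), code):
            matched = counter
    if not (password_ok and matched is not None):
        return False
    if matched <= user["last_counter"]:
        return False  # a code already accepted (or an older one) must not be replayed
    user["last_counter"] = matched
    return True


if __name__ == "__main__":
    user = enroll("correct horse battery staple")
    code = totp(user["totp_key"], time.time())   # what the phone would display now
    print(verify_login(user, "correct horse battery staple", code))   # True
    print(verify_login(user, "correct horse battery staple", code))   # False: replayed
```

The replay check is the detail most home-grown implementations miss: a stolen code is valid for the whole 30-second step (plus the drift window), so the server has to remember the last counter it accepted. Rate-limiting attempts is the other necessary control, since a six-digit code has only a million possibilities.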
The second “A” stands for authorization. Authorization is when “a user can be granted privileges to access certain areas of a network or system” (What). There are several authorization models, but some of the most common are role-based access control (RBAC), discretionary access control (DAC), and mandatory access control (MAC). Role-based access control is common in situations like assigning permissions for a web site: accounts are organized into a few possible roles like “administrator” or “user”, each with a predefined set of permissions, so permissions are managed per role rather than per person. Discretionary access control is when the user who owns an object sets the permissions on it. An example is sharing a document in Google Docs: by sharing, you’re setting permissions to allow others access. Mandatory access control is the system we associate with government agencies. A central authority labels documents with a few categories like “public”, “secret”, and “top secret”, assigns clearance levels to individual personnel, and neither the owner of a document nor its reader can change those labels; SELinux applies the same idea to processes and files on a Linux system.
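The three models are easiest to tell apart when you see who is allowed to change the policy. The block below is an added example, not code from the page: a toy of each model on constructed users and objects, where RBAC answers from a role table, DAC lets only the owner edit an object’s access list, and MAC compares fixed labels using the Bell-LaPadula “no read up, no write down” rules. All names, roles, labels and documents are made up for the demo.

```python
"""RBAC, DAC and MAC side by side on constructed sample users and objects (added example)."""
from enum import IntEnum

# --- RBAC: permissions belong to roles; accounts are assigned roles.
ROLE_PERMS = {
    "user": {"post:read", "post:create"},
    "moderator": {"post:read", "post:create", "post:delete"},
    "administrator": {"post:read", "post:create", "post:delete", "user:manage"},
}
USER_ROLES = {"alice": {"user"}, "bob": {"moderator"}, "carol": {"administrator"}}


def rbac_allows(user: str, permission: str) -> bool:
    return any(permission in ROLE_PERMS.get(role, set())
               for role in USER_ROLES.get(user, set()))


# --- DAC: every object has an owner, and only the owner edits its access list.
def sample_docs() -> dict:
    return {"budget.doc": {"owner": "alice", "acl": {"bob": {"read"}}}}


def dac_share(actor: str, docs: dict, doc: str, grantee: str, rights: set) -> bool:
    """The Google-Docs-style share button: succeeds only for the owner."""
    if docs[doc]["owner"] != actor:
        return False
    docs[doc]["acl"].setdefault(grantee, set()).update(rights)
    return True


def dac_allows(user: str, docs: dict, doc: str, right: str) -> bool:
    entry = docs[doc]
    return user == entry["owner"] or right in entry["acl"].get(user, set())


# --- MAC: labels come from a central authority; neither users nor owners change them.
class Level(IntEnum):
    PUBLIC = 0
    SECRET = 1
    TOP_SECRET = 2


CLEARANCE = {"alice": Level.PUBLIC, "bob": Level.SECRET, "carol": Level.TOP_SECRET}
CLASSIFICATION = {"press-release.txt": Level.PUBLIC, "ops-plan.txt": Level.TOP_SECRET}


def mac_allows_read(user: str, doc: str) -> bool:
    # Bell-LaPadula "no read up": the clearance must be at least the document's label.
    return CLEARANCE[user] >= CLASSIFICATION[doc]


def mac_allows_write(user: str, doc: str) -> bool:
    # "No write down": a highly cleared user may not write into a lower-labelled
    # document, which would let secret content leak to people without clearance.
    return CLEARANCE[user] <= CLASSIFICATION[doc]


if __name__ == "__main__":
    docs = sample_docs()
    print(rbac_allows("bob", "post:delete"), rbac_allows("alice", "post:delete"))   # True False
    print(dac_share("bob", docs, "budget.doc", "dave", {"read"}))                   # False: not owner
    print(dac_share("alice", docs, "budget.doc", "dave", {"read"}))                 # True
    print(mac_allows_read("carol", "press-release.txt"), mac_allows_write("carol", "press-release.txt"))  # True False
```

The MAC write rule looks odd at first but is the point of the model: under DAC a cleared user could paste a top-secret paragraph into a public document and share it, whereas under MAC that write is refused because the user cannot lower the label.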
The last “A” is for accounting. Accounting “keeps track of user activity” (What). For example, log collection services collect log data from workstations, servers, networking equipment, etc., and can then search through the records and flag when an authorized account is doing something out of character, such as logging in at 3 a.m. from an address it has never used. Attackers have been caught this way when using valid credentials in unusual ways, which is also why accounting depends on the integrity of the logs themselves.
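The “out of character” check is a baseline comparison, and it is small enough to show in full. The following added example (not code from the page or from any SIEM product) builds, for each account, the source addresses, target hosts and hours of day seen in a week of constructed history, then flags the new day’s events that deviate. The log format and every line in it are invented for the demo; a real collector parses whatever its sources emit.

```python
"""Flag out-of-character activity by comparing events with a per-account baseline.

Added example. The log format and every line below are constructed for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) action=(?P<action>\S+)"
)

# Baseline: a week of normal behaviour for two accounts (constructed).
HISTORY = [
    "2024-02-26T09:02:11Z host=ws-alice user=alice src=10.0.0.12 action=login",
    "2024-02-26T14:30:40Z host=ws-alice user=alice src=10.0.0.12 action=login",
    "2024-02-27T09:15:03Z host=ws-alice user=alice src=10.0.0.12 action=login",
    "2024-02-28T16:48:59Z host=ws-alice user=alice src=10.0.0.12 action=login",
    "2024-02-26T08:55:20Z host=fileserver user=bob src=10.0.0.31 action=login",
    "2024-02-27T10:05:44Z host=fileserver user=bob src=10.0.0.31 action=login",
]

# New day: one normal login and one that uses alice's valid credentials oddly.
TODAY = [
    "2024-03-04T09:04:37Z host=ws-alice user=alice src=10.0.0.12 action=login",
    "2024-03-04T03:12:09Z host=fileserver user=alice src=203.0.113.7 action=login",
    "this line is not in the expected format",
]


def parse(line: str):
    """Return the event fields plus hour of day, or None for lines we don't understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["hour"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00")).hour
    return event


def build_baseline(lines) -> dict:
    """Per account: the sources, target hosts and hours of day seen in history."""
    baseline = defaultdict(lambda: {"src": set(), "host": set(), "hours": set()})
    for line in lines:
        event = parse(line)
        if event:
            baseline[event["user"]]["src"].add(event["src"])
            baseline[event["user"]]["host"].add(event["host"])
            baseline[event["user"]]["hours"].add(event["hour"])
    return baseline


def flag_anomalies(baseline: dict, lines) -> list:
    """Return [(line, [reason, ...])] for events that deviate from the account's baseline."""
    findings = []
    for line in lines:
        event = parse(line)
        if event is None:
            continue
        known = baseline.get(event["user"])  # .get() does not create a baseline entry
        reasons = []
        if known is None:
            reasons.append("account never seen before")
        else:
            if event["src"] not in known["src"]:
                reasons.append(f"new source address {event['src']}")
            if event["host"] not in known["host"]:
                reasons.append(f"new target host {event['host']}")
            if event["hour"] not in known["hours"]:
                reasons.append(f"unusual hour {event['hour']:02d}:00 UTC")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in flag_anomalies(build_baseline(HISTORY), TODAY):
        print(line)
        for reason in reasons:
            print("   ", reason)
```

A single new source address is usually noise (people travel); the login above is worth an analyst’s time because three independent signals fire at once. Real deployments weight the reasons, keep a rolling baseline, and, as the integrity section notes, protect the logs so the attacker cannot simply delete the entry that would have been flagged.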
Conclusion
There are many acronyms important to the study of cybersecurity but learning about CIA and AAA is a good starting point. Fully understanding both can form the foundation for effective security practices and can help to protect systems from both attacks and accidents.

References

Chai, Wesley. “What is the CIA Triad? Definition, Explanation, Examples.” TechTarget, 28 June 2022, https://www.techtarget.com/whatis/definition/Confidentiality-integrity-and-availability-CIA.

“What is Authentication, Authorization, and Accounting (AAA) Security?” Fortinet.com, Fortinet, Inc., 2024, https://www.fortinet.com/resources/cyberglossary/aaa-security.
