The CIA Triad is the basic model for organizing information security. It gives an organization a way to decide how to safely “handle data when it is stored, transmitted, or processed” (EI-ISAC), and it also gives a name to the kind of harm an attack does to the information a system holds. The model has three components: confidentiality, integrity, and availability. Each component acts as a checklist item for judging how well the information is protected.
The first pillar, confidentiality, asks whether the information can be accessed only by approved parties. In practice, access to information is controlled by two separate checks: authentication and authorization. Authentication establishes that the person attempting to access the information is the user they claim to be; it is usually done with passwords or other credentials. Authorization determines whether that person is permitted to access the particular information requested. For instance, a user who has authenticated is still not authorized to look at another user’s records. An attack on confidentiality is usually described as a data breach: a user who is not authorized (even one who is properly authenticated) gains access to information they would not normally have.
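The distinction between authentication and authorization, as an added example (constructed here; it is not code from the original page or from EI-ISAC). The users, passwords and records are made up, and `read_record_insecure` is a deliberately flawed version that performs only the authentication check, so any logged-in user can read any other user's record, the kind of confidentiality failure the paragraph describes.

```python
"""Added example: authentication and authorization are two separate checks.

All users, passwords and records below are constructed for the demo.
"""
import hashlib
import hmac
import os


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256; the iteration count is an assumption for the demo.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_user(password: str) -> tuple:
    salt = os.urandom(16)
    return (salt, _hash_password(password, salt))


# Constructed user store: username -> (salt, password hash).
USERS = {
    "alice": _make_user("correct horse"),
    "bob": _make_user("battery staple"),
}

# Constructed records: record id -> (owner, content).
RECORDS = {
    "r1": ("alice", "alice's medical history"),
    "r2": ("bob", "bob's tax return"),
}


def authenticate(username: str, password: str) -> bool:
    """Authentication: is the caller who they claim to be?"""
    entry = USERS.get(username)
    if entry is None:
        return False
    salt, stored = entry
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(stored, _hash_password(password, salt))


def authorize(username: str, record_id: str) -> bool:
    """Authorization: may this (already authenticated) user read this record?"""
    rec = RECORDS.get(record_id)
    return rec is not None and rec[0] == username


def read_record_insecure(username: str, password: str, record_id: str):
    """Flawed: checks only authentication, so any valid user reads any record."""
    if not authenticate(username, password):
        return None
    rec = RECORDS.get(record_id)
    return None if rec is None else rec[1]


def read_record(username: str, password: str, record_id: str):
    """Correct: authentication first, then authorization against the record owner."""
    if not authenticate(username, password):
        return None
    if not authorize(username, record_id):
        return None
    return RECORDS[record_id][1]


if __name__ == "__main__":
    print(read_record("alice", "correct horse", "r1"))           # alice's own record
    print(read_record("alice", "correct horse", "r2"))           # None: not authorized
    print(read_record_insecure("alice", "correct horse", "r2"))  # bob's data leaks
```

Both functions reject a wrong password or an unknown user; only `read_record` also rejects an authenticated user asking for someone else's record.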
The next pillar of the CIA triad, integrity, deals with whether the information is unchanged. When information is stored or transmitted, it should not be altered except by someone permitted to change it, and any unauthorized change should be detectable. An example of an attack on the integrity of data is someone without the proper permissions altering the contents of a website.
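How a receiver can detect that transmitted information was altered, as an added example (constructed here; not code from the original page). It contrasts a keyed HMAC tag, which an attacker cannot recompute without the shared key, with a bare SHA-256 checksum, which the attacker simply recomputes after changing the message. The key and messages are made-up demo values.

```python
"""Added example: detecting unauthorized modification of transmitted data.

The shared key and messages are constructed for the demo.
"""
import hashlib
import hmac

# Assumption: sender and receiver share this key out of band.
SHARED_KEY = b"constructed-demo-key-not-for-production"


def seal(message: bytes, key: bytes = SHARED_KEY) -> dict:
    """Sender: attach an HMAC-SHA256 tag computed over the message with the shared key."""
    tag = hmac.new(key, message, hashlib.sha256).hexdigest()
    return {"message": message.decode(), "tag": tag}


def verify(envelope: dict, key: bytes = SHARED_KEY) -> bool:
    """Receiver: recompute the tag and compare in constant time."""
    expected = hmac.new(key, envelope["message"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["tag"])


def tamper(envelope: dict, new_message: str) -> dict:
    """Attacker on the wire changes the message but cannot produce a matching tag."""
    forged = dict(envelope)
    forged["message"] = new_message
    return forged


# The weak alternative: an unkeyed checksum gives no integrity against an active attacker.
def seal_with_checksum(message: bytes) -> dict:
    return {"message": message.decode(), "tag": hashlib.sha256(message).hexdigest()}


def verify_checksum(envelope: dict) -> bool:
    return hashlib.sha256(envelope["message"].encode()).hexdigest() == envelope["tag"]


def tamper_recomputing_checksum(envelope: dict, new_message: str) -> dict:
    """Attacker needs no secret: just rebuild the checksum over the altered message."""
    return seal_with_checksum(new_message.encode())


if __name__ == "__main__":
    env = seal(b"transfer=100")
    print(verify(env))                                  # True
    print(verify(tamper(env, "transfer=1000000")))      # False: modification detected
    weak = seal_with_checksum(b"transfer=100")
    print(verify_checksum(tamper_recomputing_checksum(weak, "transfer=1000000")))  # True: undetected
```

The checksum catches accidental corruption but not a deliberate change, because the attacker can recompute it; the keyed tag ties the message to a secret the attacker does not hold.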
The third pillar, availability, requires that the information be there for the user when it is needed. Drawing on the previous example, when someone visits a website and is properly authenticated and authorized, they should be able to reach the information intended for them to see and/or use without difficulty. A common attack on availability is the denial of service (DoS) attack. Such attacks aim to limit, or fully deny, the user’s ability to access the information.