The CIA Triad


The CIA triad (sometimes also referred to as the AIC triad to avoid confusion with the Central Intelligence Agency) is a model designed to guide information security policies within an organization (Chai). The three letters stand for the three key concepts that make up the triad: Confidentiality, Integrity, and Availability.

Confidentiality is a set of rules that limit access to private or sensitive information. Its purpose is to prevent unauthorized access by allowing access only through a defined process that must be followed correctly by a person specifically authorized to gain it. The same rule applies to protecting sensitive information while it is being transferred from one party to another intended party. Although the standard method of user IDs and passwords has been used for quite some time, additional methods have been introduced to further protect data from being breached, such as two-factor authentication (2FA), which is now widely accepted across many different platforms. Other forms include biometric verification (e.g., Face ID, fingerprint scanning) and security tokens (security badges), as well as key fobs or soft tokens. Users can take extra precautions by storing highly classified data and documents on systems in a closed-off area that can only be accessed by employees who have been granted access through one or more of the methods mentioned above.

Integrity is the assurance that information or data is trustworthy and accurate throughout its entire lifecycle. It must not be compromised or changed when sent to other destinations, so steps must be taken to secure the data and prevent unauthorized parties from accessing and potentially altering confidential information. Measures such as file permissions and user access controls, backups that can restore data lost in a human- or non-human-caused event, and digital signatures all ensure that the original message or data is not modified, and that only an authorized user has permission to alter the information.
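As an added example (not part of the original post), the following Python shows the difference between an unkeyed checksum and a keyed integrity tag when a message is modified in transit. It uses HMAC-SHA256 from the standard library as a stand-in for a digital signature: both bind the message to a secret the modifier does not hold, which is what lets the receiver detect the change. The shared key and sample messages are constructed for the example.

```python
import hashlib
import hmac

# Constructed shared secret for this example only; a real deployment provisions it
# securely to sender and receiver and never hard-codes it.
SHARED_KEY = b"example-shared-key-for-demo-only"


def tag_message(message: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Compute an HMAC-SHA256 tag that binds the message to the shared key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_message(message: bytes, tag: bytes, key: bytes = SHARED_KEY) -> bool:
    """Recompute the tag and compare in constant time (also safe for mismatched lengths)."""
    return hmac.compare_digest(tag_message(message, key), tag)


def plain_hash(message: bytes) -> str:
    """Unkeyed SHA-256 digest: detects accidental corruption, nothing more."""
    return hashlib.sha256(message).hexdigest()


def receiver_accepts_by_hash(message: bytes, digest: str) -> bool:
    """A receiver that trusts whatever digest arrives alongside the message."""
    return plain_hash(message) == digest


def integrity_demo() -> dict:
    """Run the unmodified and the modified message through both kinds of check."""
    original = b"transfer 100 to account 42"  # constructed sample message
    sent_hash = plain_hash(original)
    sent_tag = tag_message(original)

    # Simulated modification in transit. Whoever changed the content can also
    # recompute the unkeyed hash, because no secret is needed to do so.
    altered = b"transfer 900 to account 42"
    altered_hash = plain_hash(altered)

    return {
        # The unmodified message passes both checks.
        "original_hash_ok": receiver_accepts_by_hash(original, sent_hash),
        "original_tag_ok": verify_message(original, sent_tag),
        # The altered message with a recomputed hash is accepted: no protection.
        "altered_hash_ok": receiver_accepts_by_hash(altered, altered_hash),
        # The altered message fails the keyed check: the tag cannot be recomputed
        # without the key, so the modification is detected.
        "altered_tag_ok": verify_message(altered, sent_tag),
    }


if __name__ == "__main__":
    for check, result in integrity_demo().items():
        print(f"{check}: {result}")
```

The point of the comparison is the last two results: the unkeyed hash still matches the altered message, while the keyed tag does not. A digital signature gives the same guarantee without a shared secret, since only the holder of the private key can produce a valid signature.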

Availability is the guarantee of reliable access to information by authorized people. It is best ensured by constantly maintaining all hardware and software, performing repairs when necessary, and making sure that the operating system (OS) is always properly functional and free of software issues. Keeping systems current with the latest updates, using network or server monitoring systems, taking preventative measures by implementing disaster recovery strategies and backup options for worst-case scenarios, and installing additional security equipment such as firewalls and proxy servers can all protect against intrusions and malware.

Although the three elements of the triad are viewed as among the most foundational and crucial cybersecurity needs, experts believe the CIA triad needs to be upgraded to stay effective.

Authentication vs. Authorization

Although the two terms are often used interchangeably, authentication and authorization are separate processes that together protect an organization from cyber-attacks. Authentication is the process of confirming the identity of the person trying to access the data, whereas authorization is the process of establishing which specific data, files, and applications that user has access to. Together they form the first line of defense against confidential information falling into the wrong hands. They can be seen in the form of role-based access control, which gives users access to data related to their role within the organization, or attribute-based access control, which grants permissions at a finer level of detail than role-based access control, using multiple specific attributes such as the user's name, role, or even level of security clearance.
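As an added example (not from the original post or its sources), this Python script separates the two steps: authentication verifies a password against a salted PBKDF2 hash, and only an authenticated identity is then passed to authorization, first by role (RBAC) and then by attributes such as clearance and department (ABAC). The user directory, the permissions table and the resource are all constructed for the example.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the store never holds plain-text passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def _make_user(password: str, role: str, clearance: int, department: str) -> dict:
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "pw_hash": _hash_password(password, salt),
        "role": role,
        "clearance": clearance,
        "department": department,
    }


# Constructed user directory: names, passwords and attributes are invented.
USERS = {
    "alice": _make_user("alice-demo-password", "analyst", 3, "finance"),
    "bob": _make_user("bob-demo-password", "auditor", 3, "audit"),
    "carol": _make_user("carol-demo-password", "analyst", 1, "finance"),
}

# RBAC: each role maps to a fixed set of permissions.
ROLE_PERMISSIONS = {
    "analyst": {"report:read"},
    "auditor": {"report:read", "report:export"},
}

# Constructed resource carrying the attributes that ABAC consults.
LEDGER = {"id": "q3-ledger", "classification": 3, "department": "finance"}


def authenticate(username: str, password: str):
    """Authentication: confirm who the caller is. Returns the user record or None."""
    user = USERS.get(username)
    if user is None:
        # Do the same amount of work for unknown names so response time does not
        # reveal which usernames exist.
        _hash_password(password, b"\x00" * 16)
        return None
    candidate = _hash_password(password, user["salt"])
    return user if hmac.compare_digest(candidate, user["pw_hash"]) else None


def authorize_rbac(user: dict, permission: str) -> bool:
    """Authorization by role alone."""
    return permission in ROLE_PERMISSIONS.get(user["role"], set())


def authorize_abac(user: dict, action: str, resource: dict) -> bool:
    """Authorization by several attributes of both the user and the resource."""
    if user["clearance"] < resource["classification"]:
        return False
    if action == "read":
        return user["department"] == resource["department"] or user["role"] == "auditor"
    if action == "export":
        return user["role"] == "auditor"
    return False


def access(username: str, password: str, action: str, resource: dict) -> str:
    """Authenticate first; only a confirmed identity is checked for authorization."""
    user = authenticate(username, password)
    if user is None:
        return "denied: authentication failed"
    if not authorize_rbac(user, f"report:{action}"):
        return "denied: role does not permit this action"
    if not authorize_abac(user, action, resource):
        return "denied: attributes do not permit this action"
    return "allowed"


if __name__ == "__main__":
    print(access("alice", "alice-demo-password", "read", LEDGER))
    print(access("alice", "alice-demo-password", "export", LEDGER))
    print(access("carol", "carol-demo-password", "read", LEDGER))
    print(access("bob", "bob-demo-password", "export", LEDGER))
    print(access("alice", "wrong-password", "read", LEDGER))
```

Carol is the case that shows why ABAC is finer-grained: her role permits reading reports, so RBAC alone would allow the request, but her clearance is below the ledger's classification, so the attribute check denies it. The same wrong-password result is returned for a wrong password and for an unknown username, so the response does not leak which accounts exist.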

Sources:

https://drive.google.com/file/d/1898r4pGpKHN6bmKcwlxPdVZpCC6Moy8l/view

https://www.forcepoint.com/cyber-edu/cia-triad

https://www.sailpoint.com/identity-library/difference-between-authentication-and-authorization
