CIA Triad

CIA in security

The three main security objectives are confidentiality, integrity, and availability, which form the CIA triad.
Many organizations focus on one area more than the others.
For example, intelligence agencies are most concerned with confidentiality, financial institutions with integrity (the accuracy of records and transactions), and e-commerce sites with availability.
All three elements of the CIA triad still have to be addressed; the trick is getting a proper balance of the three, because controls that serve one objective can work against another. Maximizing availability can compromise confidentiality, for example when access checks are relaxed to keep a service reachable. Strong integrity measures, such as error checking or signature verification on every transaction, may reduce availability if they cut throughput. Requirements for all three categories should be carefully weighed before technologies are implemented.

Concepts

The threats that confidentiality, integrity, and availability defend against are summarized by the opposite triad: Disclosure, Alteration, and Destruction (DAD). Each DAD term is the failure of the corresponding CIA objective.

Confidentiality aims to prevent the unauthorized disclosure of information, ensuring that secrets remain secret. Data breaches are the prime example of a breach of confidentiality.
Integrity focuses on preventing unauthorized modification of assets, whether data or systems. Unauthorized alteration of a system's configuration, for example by malware installation, is a system integrity violation; silently changing a record in a database is a data integrity violation.
Availability tries to ensure that required access to resources remains possible. Denial of service attacks represent the most obvious breach of availability.

Other definitions

Identification is a weak, unproven claim of identity. Providing a username is identification, but it requires proof before access to controlled data is granted.
Authentication is the proof that a user's identity claim is legitimate. Stronger authentication uses a factor that is harder to forge (a hardware token rather than a password, for example) or combines multiple factors.
Authorization follows successful authentication and determines what the authenticated user is allowed to do.
Accountability records the interactions performed by individuals. For example, audit logs can be generated and later used to hold users accountable for their actions.
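The four steps above form one chain: identify, authenticate, authorize, then audit. The following is an added example in Python, written for this page and not taken from any product or standard, showing the chain as a small access-control function. The users (alice, bob), their roles, the permission table, and the actions (read_report, delete_report) are all constructed for illustration. It uses the standard library only: PBKDF2-HMAC-SHA256 for password storage, hmac.compare_digest for a constant-time comparison, and an in-memory list as the audit log.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone
from typing import Optional

# Iteration count lowered so the example runs quickly; raise it in production
# (OWASP currently suggests 600,000 for PBKDF2-HMAC-SHA256).
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, derived_key). Only the derived key is stored, never the password."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, key


def make_user(password: str, roles: set) -> dict:
    salt, key = hash_password(password)
    return {"salt": salt, "key": key, "roles": roles}


# Constructed user store (hypothetical accounts and roles, not real data).
USERS = {
    "alice": make_user("correct horse battery staple", {"analyst"}),
    "bob": make_user("hunter2", {"admin"}),
}

# Authorization policy: which roles may perform which actions (constructed).
PERMISSIONS = {
    "read_report": {"analyst", "admin"},
    "delete_report": {"admin"},
}

# Accountability: append-only record of every access decision.
AUDIT_LOG: list = []


def audit(user: str, action: str, outcome: str) -> None:
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "action": action,
        "outcome": outcome,
    })


def identify(username: str) -> bool:
    """Identification: an unproven claim. Only checks that the name is known."""
    return username in USERS


def authenticate(username: str, password: str) -> bool:
    """Authentication: prove the claim by checking the password against the stored hash."""
    record = USERS.get(username)
    if record is None:
        # Still run the key derivation so an unknown user costs the same time
        # as a known one; otherwise response time leaks which names exist.
        hash_password(password, b"\x00" * 16)
        return False
    _, candidate = hash_password(password, record["salt"])
    # Constant-time comparison: a plain == would leak how many bytes matched.
    return hmac.compare_digest(candidate, record["key"])


def authorize(username: str, action: str) -> bool:
    """Authorization: what an authenticated user may do, decided by role."""
    allowed_roles = PERMISSIONS.get(action, set())
    return bool(USERS[username]["roles"] & allowed_roles)


def request(username: str, password: str, action: str) -> str:
    """Run identify -> authenticate -> authorize and audit the outcome."""
    known = identify(username)                 # step 1: the claim
    proven = authenticate(username, password)  # step 2: the proof (always runs)
    if not (known and proven):
        # One generic message: do not reveal whether the name or the password was wrong.
        audit(username, action, "auth_failed")
        return "denied: authentication failed"
    if not authorize(username, action):        # step 3: the permission
        audit(username, action, "not_authorized")
        return "denied: not authorized"
    audit(username, action, "allowed")         # step 4: the record
    return f"ok: {action}"


if __name__ == "__main__":
    print(request("alice", "correct horse battery staple", "read_report"))
    print(request("alice", "correct horse battery staple", "delete_report"))
    print(request("mallory", "guess", "read_report"))
    for entry in AUDIT_LOG:
        print(entry)
```

Two details carry the security point. The identification step on its own never grants anything; the username only selects which stored hash to check. And the audit entry is written for every outcome, including failures, because accountability for denied attempts (a brute-force run, a privilege probe) is usually more valuable than the record of successes.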