The CIA (Confidentiality, Integrity, and Availability) triad is the basic model for defining the security policies of an organisation.
The elements of the CIA triad are considered the building blocks of security. It is also denoted as the AIC (Availability, Integrity, and Confidentiality) triad to avoid confusion with the CIA (Central Intelligence Agency).
Meaning and Purpose of CIA Triad
Confidentiality
As the name suggests, confidentiality is related to the privacy of information or data. Achieving confidentiality means preventing unauthorised access to data. It also needs to be achieved within the organisation, by defining security levels and granting access to information on the basis of those defined levels.
There are several ways to achieve confidentiality, such as passwords, logins, encryption of messages, two-factor authentication, biometric authentication, key fobs and security tokens. The Bell–LaPadula model (BLP) is the security model that focuses on achieving confidentiality by deploying access control mechanisms.
Integrity
Integrity is the assurance of data accuracy, trustworthiness and consistency throughout its life cycle. It is essentially the prevention of unauthorised alteration of data. The difference between confidentiality and integrity is that under confidentiality a person cannot access or read data at higher levels, whereas under integrity they can read data at a higher level but have no ability to alter it and so compromise its integrity.
In addition, there is also a need for means of detecting alterations of data that are caused not by human interaction but by non-human events, such as an EMP or a server crash. To achieve full integrity there must also be backups from which lost data can be retrieved in the event of a cyber-attack or server crash. The security model that focuses on integrity is the Biba model, or Biba Integrity Model.
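The contrast drawn above between the confidentiality model (Bell–LaPadula: a subject may not read data classified above its own level) and the integrity model (Biba: a subject may read data at a higher integrity level but may not alter it) can be made concrete as two small access-control checks. The following is an added example written for this page, not code from the original article or from any particular product; the level names and their ordering are constructed for illustration, and the `decide` helper that formats an audit line is a hypothetical convenience, not part of either model.

```python
"""Reference-monitor style checks for the Bell-LaPadula and Biba models.

Added example, not from the original article. The Level ordering below is
constructed for illustration; real deployments define their own label lattice.
"""
from enum import IntEnum


class Level(IntEnum):
    """Constructed ordering: a higher value is more sensitive (BLP)
    or more trusted (Biba)."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3


def blp_allows(subject: Level, obj: Level, op: str) -> bool:
    """Bell-LaPadula (confidentiality).

    Simple security property: no read up   -> read only if subject >= object
    *-property:               no write down -> write only if subject <= object
    """
    if op == "read":
        return subject >= obj
    if op == "write":
        return subject <= obj
    raise ValueError(f"unknown operation: {op}")


def biba_allows(subject: Level, obj: Level, op: str) -> bool:
    """Biba (integrity), the dual of BLP.

    Simple integrity property: no read down -> read only if subject <= object
    *-integrity property:      no write up  -> write only if subject >= object
    """
    if op == "read":
        return subject <= obj
    if op == "write":
        return subject >= obj
    raise ValueError(f"unknown operation: {op}")


def decide(model, subject: Level, obj: Level, op: str) -> str:
    """Hypothetical helper: return an audit-style decision line for one request."""
    verdict = "ALLOW" if model(subject, obj, op) else "DENY"
    return f"{model.__name__}: {subject.name} {op} {obj.name} -> {verdict}"


if __name__ == "__main__":
    # Constructed requests showing the contrast described in the text:
    # an INTERNAL-level subject acting on a SECRET-level object.
    for model in (blp_allows, biba_allows):
        for op in ("read", "write"):
            print(decide(model, Level.INTERNAL, Level.SECRET, op))
```

Running the block shows BLP denying the read and Biba denying the write for the same subject and object, which is exactly the distinction the text draws. Note that plain BLP permits the INTERNAL subject to write into the SECRET object (a "blind write"), so real systems layer discretionary checks on top of the mandatory rule; and a check like this only protects data if it is enforced on every access path, which is the reference-monitor requirement.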
Availability
Availability is the continued supply of services or data without interruption. To achieve availability, the most important factor is maintenance of the hardware used in the system, together with its immediate repair in case of any failure. Along with hardware maintenance, keeping a correctly working operating system is also important.
The worst-case scenario for the availability of services is the need for immediate recovery from a natural disaster or cyber-attack. To prepare for such a situation, a backup of the data must be stored at a different location so that it can be used in case of a disaster. The ideal target for the availability of services is calculated to be 99.99%, or "four nines", which corresponds to server downtime of about 52 minutes, 36 seconds per year. For those who need to achieve more, there are also the concepts of five and six nines.