
BIO-key Blog

Cyber Security Fundamentals: CIA Triad and AAA

by BIO-key Team


One of the first concepts you will learn when studying Cyber Security is the CIA Triad, which stands for Confidentiality, Integrity, and Availability. These are the three main pillars around which information and data security revolve.



Unlike most major pillars of cybersecurity, the concept of the CIA triad cannot be tied back to a single person or place of origin. The triad’s notion of Confidentiality may have first been proposed way back in 1976 in a US Air Force study, while the concept of Availability did not become widespread until 1988. It was not until 1998 that the cybersecurity community saw all three concepts come together as the cohesive triad we know today.



Confidentiality means that only the intended audience can view, modify, and delete the given data. Encryption at rest, encryption in transit, access management, permissions, etc. are all ways to increase the confidentiality of data.

Encrypting sensitive or valuable data is one of the strongest and most common measures taken to protect data confidentiality. Only individuals who have the decryption key can read or gain access to the contents of an encrypted document.



Integrity is the notion that data exists in its original state and has not been tampered with by anyone who is not authorized to do so. Hashing is a way to verify that data has not changed: running data through a hashing algorithm returns a fixed-length string, and only that exact data will produce the same string. If the data is modified in any way, the hash returns a different result.
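As an added illustration (not code from the original post), the hashing check described above in Python: a SHA-256 digest of a constructed sample record, the same digest failing after a one-character change, and, as the caveat a practitioner would want, a keyed digest (HMAC) for the case where whoever can rewrite the data could also rewrite a plain digest stored beside it. The record, the tampered copy and the key are all constructed for the example.

```python
import hashlib
import hmac
import secrets

def sha256_hex(data: bytes) -> str:
    """Fixed-length digest of the input; any change to the input changes the digest."""
    return hashlib.sha256(data).hexdigest()

def integrity_ok(data: bytes, expected_digest: str) -> bool:
    """Recompute the digest and compare it in constant time."""
    return hmac.compare_digest(sha256_hex(data), expected_digest)

def tag(data: bytes, key: bytes) -> str:
    """Keyed digest (HMAC-SHA256): only a holder of the key can produce or verify it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def tag_ok(data: bytes, key: bytes, expected_tag: str) -> bool:
    return hmac.compare_digest(tag(data, key), expected_tag)

# Constructed sample record and a tampered copy (one extra digit in the balance)
record = b"account=1042;balance=500.00"
tampered = b"account=1042;balance=5000.00"

digest = sha256_hex(record)
assert integrity_ok(record, digest)          # the original data reproduces the digest
assert not integrity_ok(tampered, digest)    # any modification is detected

# Caveat: a plain digest stored next to the data can be recomputed by anyone who
# can rewrite the data. A keyed digest ties verification to a secret that the
# data's storage location does not hold, so a rewrite without the key is still caught.
key = secrets.token_bytes(32)
t = tag(record, key)
assert tag_ok(record, key, t)
assert not tag_ok(tampered, key, t)
assert not tag_ok(record, secrets.token_bytes(32), t)  # a different key fails too
```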

BIO-key’s biometric authentication solution – Identity-Bound Biometrics – for example, hinges on the Integrity pillar. Biometric data privacy is ensured by non-reversible cryptographic hashing and salting to render the protected information unusable to potential threat actors.



Availability means that information is always accessible to the intended audience. If a web server goes down and users are unable to log in, or an employee is unable to read from a database, then availability is compromised. Backups are crucial to ensuring availability, as they are a way to return to a known good state of the data from before an issue occurred.

These three simple ideas are crucial for guiding an organization in securing its information. There are countless tools, applications, and services that aim to strengthen one or more of these three properties.


How Can Each of the Three Components of the CIA Triad be Compromised?

All three elements can be compromised either intentionally or by accident. Regarding Confidentiality, a bad actor could breach a network and gain access to sensitive information, or an under-trained employee could mishandle it. Data integrity can be compromised by ransomware or destructive malware, while threats to data availability include cyberattacks such as DDoS attacks and incidents like power outages, infrastructure overload, and unplanned downtime.


What Measures Can Help Preserve the CIA Triad?

When it comes to Confidentiality, one of the strongest measures to take for protecting data is encrypting all sensitive information. Only someone with the decryption key can read or gain access to the content of an encrypted document. To preserve data Integrity, there are three main things you need to do:

  • Do not allow unauthorized users to make changes to data.
  • Prevent unintentional data changes by authorized users.
  • Employ processes like data validation to ensure consistent and accurate data.

Lastly, regarding data Availability, it’s crucial to implement safeguard procedures against interruptions to systems that require constant uptime. This could include hardware redundancy or routine backups stored in a separate location.



When talking specifically about access control, the acronym AAA comes up. It stands for Authentication, Authorization, and Accounting, the three areas that need to be covered when granting an individual access to a resource.



A user must be authenticated by proving their identity: the identity a user presents has to be verified so that the system knows they are who they say they are. This can be done in multiple ways. The most rudimentary form, which everyone is familiar with, is a simple password. The idea is that you would only know the password to a specific account if you were, in fact, that person. In practice, of course, that is hardly the case, which is why modern systems use various forms of MFA to verify identities much more thoroughly. Sending an OTP to a user’s phone or using a security key, for example, are both much more secure ways of authenticating.

One of the most secure forms of authentication is Identity-Bound Biometrics (IBB) – biometric verification such as fingerprint, face, palm, and iris scanning. This form of identification is directly tied to the intended individual, not just something that the individual has or knows.



Once an individual’s identity has been verified by authentication, that person’s access then needs to go through authorization. This involves defining an access policy that determines what rights the user has. The system then checks that access policy to determine what is permitted between this user and the resource they are accessing. Access can be granted, denied, or limited to a particular level, such as read or write.

There are different types of access control that determine how access policies are created. Two common types used today are Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC). Role-based means that a user is assigned a role, such as Human Resources, and is then authorized to access resources that users in other roles cannot. Attribute-Based Access Control evaluates attributes attached to the subject, the object, the requested operation, and sometimes the environment of the request to determine what access is allowed.



Lastly, once access to a resource has been granted or denied, accounting needs to occur. Accounting means keeping an audit trail that records the request and its outcome; in applications this is commonly known simply as logging. Although it is easy to overlook, logging serves a very important function: it can be consulted later to prove that an action happened, which can be invaluable when investigating security events.
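As an added example (not BIO-key's code or product), the three AAA steps above as one request flow in Python: a salted password-hash check for authentication, an RBAC role check combined with ABAC attribute checks (the user's department, the resource's classification and the network the request comes from) for authorization, and an audit entry for accounting that is written whatever the outcome. The users, roles, resource, network attribute and the PBKDF2 work factor are all constructed for the example.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

ITERATIONS = 100_000  # PBKDF2 work factor; assumed value for this illustration

def _pw_record(password: str):
    """Store a random salt and the salted password hash, never the password itself."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed sample directory: two users with their roles and departments
USERS = {"alice": {"roles": {"hr"}, "dept": "hr", "pw": _pw_record("correct horse")},
         "bob": {"roles": {"eng"}, "dept": "eng", "pw": _pw_record("hunter2")}}
ROLE_PERMS = {"hr": {"read", "write"}, "eng": {"read"}}  # RBAC: role -> operations
RESOURCE = {"name": "salary-sheet", "owner_dept": "hr", "classification": "restricted"}
AUDIT_LOG = []  # accounting: one entry per request, whatever the outcome

def authenticate(user: str, password: str) -> bool:
    rec = USERS.get(user)
    if rec is None:
        return False
    salt, stored = rec["pw"]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)

def authorize(user: str, resource: dict, op: str, env: dict) -> bool:
    rec = USERS[user]
    # RBAC: does any of the user's roles permit this operation?
    rbac_ok = any(op in ROLE_PERMS.get(r, set()) for r in rec["roles"])
    # ABAC: a restricted resource also requires the owning department and the corporate network
    abac_ok = (resource["classification"] != "restricted"
               or (rec["dept"] == resource["owner_dept"] and env.get("network") == "corp"))
    return rbac_ok and abac_ok

def account(user: str, resource: dict, op: str, outcome: str) -> dict:
    entry = {"ts": datetime.now(timezone.utc).isoformat(), "user": user,
             "resource": resource["name"], "op": op, "outcome": outcome}
    AUDIT_LOG.append(entry)
    return entry

def request_access(user: str, password: str, op: str, env: dict) -> str:
    """Full AAA flow: authenticate, then authorize, and always record the outcome."""
    if not authenticate(user, password):
        return account(user, RESOURCE, op, "auth-failed")["outcome"]
    outcome = "granted" if authorize(user, RESOURCE, op, env) else "denied"
    return account(user, RESOURCE, op, outcome)["outcome"]
```

Note that the failed authentication for an unknown user is logged too; an audit trail with gaps is of little use during an investigation.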

When the CIA Triad and AAA are followed as closely as possible, information security and access control can be properly secured within an organization. Information is the most valuable resource an organization has, and keeping all of it safe is mission critical.


Want to Find Out More?

If you liked this blog, BIO-key has some more great reads you may be interested in, including topics like Biometric MFA Solutions in Authentication, How Hackers Circumvent Cybersecurity, and Biometric Authentication on Smartphones.

Be sure to follow our blog, as I’ll be making more contributions throughout the year. Stay tuned!
