Models – CIA and AAA

The field of information security is based on a number of basic principles that are important for us.

Each principle is part of two main Models, called the CIA and AAA models.


The CIA and AAA models are the basics of security, and for good reason. The first one, the CIA model, is probably the most important: every employee working in the field of information security should memorize these principles and the rules based on them, since the CIA model is what generally defines the security requirements of an organization.

The CIA Model

  1. C – Confidentiality: To protect the confidentiality of information, you must prevent unauthorized personnel from accessing it.
    Confidentiality can be achieved through encryption or authorization.

It is not possible to protect the confidentiality of all information at the same level, so the sensitivity level of the information should be defined first, and more resources should be invested in protecting more sensitive information than less sensitive information.

The AAA model helps us to uphold this principle through three things:

  • Authentication – identity checks.
  • Authorization – granting or denying access rights to certain resources.
  • Accounting – monitoring the use of resources and user activity.
    Monitoring is important, among other things, to provide undeniable proof if an offense has been committed (non-repudiation).

  2. I – Integrity: Purpose of the protection: to prevent unauthorized persons from changing or deleting the information (keeping the information whole).
For example: we do not want a foreign entity to lower the prices of products on the company’s website.
We secure the integrity of the information through hashing.
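The three AAA checks listed above and the integrity-through-hashing idea from the Integrity section, as one added Python example (not code from the original article or from Kayran). Users, roles, keys and the product record are constructed for the demo; the "price change" is the website-price scenario from the text.

```python
import hashlib
import hmac
from typing import Optional

# Constructed demo data: not real credentials, keys or prices.
_SALT = b"constructed-salt"            # one fixed salt keeps the demo short
INTEGRITY_KEY = b"constructed-integrity-key"
ROLE_RIGHTS = {"pricing-admin": {"read", "write"}, "viewer": {"read"}}

def _pw_hash(password: str) -> bytes:
    """Slow salted hash so stored credentials are not plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

def integrity_tag(product: str, price: str) -> str:
    """Keyed hash over the record: any change to product or price breaks it."""
    msg = f"{product}|{price}".encode()
    return hmac.new(INTEGRITY_KEY, msg, hashlib.sha256).hexdigest()

USERS = {"alice": (_pw_hash("alice-pass"), "pricing-admin"),
         "bob": (_pw_hash("bob-pass"), "viewer")}
PRICES = {"widget": "19.99"}                       # the "website prices"
TAGS = {"widget": integrity_tag("widget", "19.99")}
AUDIT_LOG = []                                     # Accounting: every attempt

def authenticate(user: str, password: str) -> Optional[str]:
    """Authentication: identity check; returns the user's role or None."""
    rec = USERS.get(user)
    if rec and hmac.compare_digest(rec[0], _pw_hash(password)):
        return rec[1]
    return None

def authorize(role: Optional[str], right: str) -> bool:
    """Authorization: does this role hold the requested right?"""
    return right in ROLE_RIGHTS.get(role or "", set())

def set_price(user: str, password: str, product: str, price: str) -> bool:
    """Change a price only after AuthN + AuthZ; log the attempt either way."""
    allowed = authorize(authenticate(user, password), "write")
    AUDIT_LOG.append((user, "write", product, "ALLOWED" if allowed else "DENIED"))
    if allowed:
        PRICES[product] = price
        TAGS[product] = integrity_tag(product, price)
    return allowed

def price_is_intact(product: str) -> bool:
    """Integrity check: recompute the tag and compare in constant time."""
    return hmac.compare_digest(integrity_tag(product, PRICES[product]),
                               TAGS.get(product, ""))
```

A write to PRICES that bypasses set_price (the "foreign entity" case) leaves TAGS unchanged, so price_is_intact reports the tampering, while AUDIT_LOG keeps the record needed for non-repudiation.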

  3. A – Availability: Every business or industry has a limited tolerance for downtime online. This tolerance is usually based on a comparison of the cost of downtime versus the cost of protecting against downtime.

For example: in a small business with only one location, it may be tolerable to have one router as a single point of failure.
However, if a large portion of the business’s sales are online, then the owner may decide to provide a level of redundancy to ensure that the connection will always be available.

Purpose of the protection: to maintain the availability of computer and communication services, and to make the information available to the users who are authorized to access it.

To provide Availability, the following technologies can be used:
▪ Fault Tolerance – implementing fault-tolerant systems.
▪ Redundancy – the use of redundancy, so that necessary components are available at any given time.
▪ Virtualization – a virtual environment facilitates the implementation of Availability.
▪ Cloud Computing – transferring some of the computing services to the cloud.
▪ Performing updates and upgrades to software and operating systems.
▪ Preventing bottlenecks by providing sufficient bandwidth.
▪ Backing up the information so that it remains available even in exceptional cases of information loss.

Stay safe, Choose Kayran.
