Skarp

Chapter 2 of 27

Security Foundations: CIA Triad, AAA, and Core Security Controls

Before diving into attacks and tools, anchor your thinking in the fundamental models and control types that shape every security decision you’ll see on the exam and in real environments.

27 min read

Why CIA, AAA, and Controls Matter (SY0-701 Context)

Foundations First

In SY0-701, CIA, AAA, and security controls appear in almost every domain. They are the mental models behind most exam questions and real-world security decisions.

Where This Fits

CIA triad = what you protect. AAA = who can do what and how you track it. Controls = how you enforce protections and support CIA and AAA in practice.

Modern Environments

Many organizations now run a hybrid environment, mixing cloud, mobile, IoT, OT, and on-premises systems. CIA, AAA, and controls help you secure all of these consistently.

Your Goal

You should learn to read a scenario and instantly ask: which CIA goal is at stake, which AAA element applies, and which control type and function best reduces the risk?

The CIA Triad: Core Security Goals

CIA at a Glance

CIA triad = confidentiality, integrity, availability. These are the three core security goals that every control and design decision ultimately supports.

Confidentiality

Confidentiality means keeping data secret from unauthorized parties. Think encryption, access controls, and safe disposal like shredding paper records.

Integrity

Integrity means data stays accurate and unaltered except by authorized actions. Think hashes, digital signatures, and strict control over who can modify data.

Availability

Availability means systems and data are accessible to authorized users when needed. Think redundancy, backups, load balancing, and DDoS protection.

Exam Angle

Many controls affect multiple CIA goals. On the exam, identify the main goal in the scenario, not every possible side benefit of the control.

CIA Triad in Real Scenarios

Scenario 1: Ransomware

Ransomware encrypts a hospital's file servers so staff cannot access patient records. The primary CIA impact is availability: the data still exists but is not usable. (Many real ransomware crews also exfiltrate data before encrypting it, which adds a confidentiality impact; on the exam, answer for the harm the scenario actually describes.)

Scenario 2: Wrong Recipient

A payroll spreadsheet with salaries and bank info is emailed to the wrong external address. The main impact is confidentiality: unauthorized exposure of sensitive data.

Scenario 3: Tampered Records

An insider alters financial records to hide fraud. The main impact is integrity: data no longer accurately reflects reality or authorized changes.

Exam Shortcut

Map plain-language harms to CIA: leaked/exposed → confidentiality; changed/tampered → integrity; down/unavailable → availability.

AAA: Authentication, Authorization, Accounting

AAA Overview

AAA = authentication, authorization, accounting. It answers: who are you, what are you allowed to do, and what did you actually do?

Authentication

Authentication proves identity. Examples: passwords, biometrics, smart cards, OTP apps, and MFA that combines multiple factors.

Authorization

Authorization decides what an authenticated user can do. Examples: RBAC roles, ABAC policies, and least-privilege permissions.

Accounting

Accounting (auditing) records actions. Examples: logs, audit trails, and SIEM tools that track and analyze user and system activity.

AAA and Zero Trust

Zero trust relies on strong AAA: continuous authentication and authorization, plus detailed accounting of actions to detect misuse.

Quick AAA & CIA Classification Exercise

Classify each statement. For each item, decide:

  1. Is it Authentication (AuthN), Authorization (AuthZ), or Accounting?
  2. Which CIA goal is primarily supported?

Write your answers in a notebook or mentally, then reveal the suggested answer.

Item A: "The system requires users to scan their fingerprint and enter a PIN before accessing the HR portal."

  • AAA element: ?
  • CIA goal: ?

Suggested answer:

  • AAA element: Authentication (verifying identity with biometric + PIN).
  • CIA goal: Mainly confidentiality (ensuring only authorized HR staff see sensitive data). Also supports integrity/availability indirectly.

Item B: "Nurses can view patient records, but only doctors can prescribe medications in the electronic health record system."

  • AAA element: ?
  • CIA goal: ?

Suggested answer:

  • AAA element: Authorization (different permissions for different roles).
  • CIA goal: Integrity (ensuring only the right people can change certain data), and confidentiality (restricting access to medical data).

Item C: "All administrator commands on network devices are logged and sent to a central SIEM for analysis."

  • AAA element: ?
  • CIA goal: ?

Suggested answer:

  • AAA element: Accounting (recording actions).
  • CIA goal: Integrity (detecting unauthorized or incorrect changes) and accountability.

As you continue in the course, keep practicing this 2-step classification: AAA element + CIA goal. It will make many SY0-701 questions much easier to decode.
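The three exercise items above map directly onto code. The following is an added example for this chapter, not code from the course: it authenticates with a salted PBKDF2 hash (Item A), authorizes with a nurse/doctor role table (Item B), and writes one JSON line per decision so a SIEM can consume it (Item C). The user store, roles, permissions and passwords are constructed for illustration.

```python
"""AAA in code: authenticate, authorize, then account for every decision.

Added example for this chapter, not code from the course. The user store,
roles, permissions and passwords below are constructed for illustration.
"""
import hashlib
import hmac
import json
import os
import time

# Reduced for a fast example; OWASP currently recommends 600,000 for PBKDF2-HMAC-SHA256.
PBKDF2_ROUNDS = 100_000

# Authorization policy (RBAC): mirrors Item B, nurses view, doctors also prescribe.
ROLE_PERMISSIONS = {
    "nurse": {"record:view"},
    "doctor": {"record:view", "prescription:create"},
}


def make_credential(password, salt=None):
    """Store a random salt plus the PBKDF2 hash, never the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def authenticate(users, username, password):
    """Authentication: does the presented secret match the stored credential?"""
    user = users.get(username)
    if user is None:
        # Do the same work for unknown users so timing does not reveal valid names.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ROUNDS)
        return False
    cred = user["credential"]
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(cred["salt"]), PBKDF2_ROUNDS)
    # Constant-time comparison so the hash cannot be recovered byte by byte via timing.
    return hmac.compare_digest(digest.hex(), cred["hash"])


def authorize(users, username, permission):
    """Authorization: is an already-authenticated identity allowed this action?"""
    user = users.get(username)
    if user is None:
        return False
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in user["roles"])


class AuditLog:
    """Accounting: one JSON line per decision, the shape a SIEM ingests."""

    def __init__(self):
        self.entries = []

    def record(self, actor, event, outcome, **fields):
        entry = {"ts": time.time(), "actor": actor, "event": event, "outcome": outcome, **fields}
        self.entries.append(entry)
        return json.dumps(entry, sort_keys=True)

    def denied(self):
        """Detective use of the accounting data: failed logins and refused actions."""
        return [e for e in self.entries if e["outcome"] in ("fail", "deny")]


def perform(users, log, username, password, permission):
    """Full AAA flow; every branch is logged, including the denials."""
    if not authenticate(users, username, password):
        log.record(username, "authn", "fail")
        return "authn_failed"
    log.record(username, "authn", "success")
    if not authorize(users, username, permission):
        log.record(username, "authz", "deny", permission=permission)
        return "authz_denied"
    log.record(username, "authz", "allow", permission=permission)
    return "allowed"


# Constructed user store; in practice this lives in a directory service or IdP.
USERS = {
    "nurse_ann": {"roles": ["nurse"], "credential": make_credential("correct-horse")},
    "dr_bob": {"roles": ["doctor"], "credential": make_credential("battery-staple")},
}

if __name__ == "__main__":
    log = AuditLog()
    print(perform(USERS, log, "nurse_ann", "correct-horse", "record:view"))          # allowed
    print(perform(USERS, log, "nurse_ann", "correct-horse", "prescription:create"))  # authz_denied
    print(perform(USERS, log, "dr_bob", "wrong-password", "prescription:create"))    # authn_failed
    for entry in log.denied():
        print(json.dumps(entry, sort_keys=True))
```

Note the ordering: authorization is only evaluated after authentication succeeds, and both the success and the denial paths are logged. Accounting data that records only successes gives the SIEM nothing to alert on.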

Security Controls by Type: Technical, Administrative, Physical

Control Types Overview

Security controls are grouped by type: technical, administrative, and physical. These categories describe how the control is implemented.

Technical Controls

Technical controls use technology: firewalls, IDS/IPS, encryption (in transit and at rest, including full-disk encryption), antivirus/EDR, ACLs, DLP, and authentication protocols.

Administrative Controls

Administrative controls are policies and procedures: security policies, AUPs, incident response plans, change management, and training.

Physical Controls

Physical controls protect facilities and hardware: locks, fences, guards, CCTV, badge readers, access control vestibules (mantraps), and environmental controls such as fire suppression and HVAC.

Exam Clues

Policy/procedure/training → administrative. Software/hardware/firmware feature → technical. Barriers/guards/building features → physical. Note that the SY0-701 objectives split "administrative" into managerial (policies, risk decisions) and operational (day-to-day procedures such as training and change management); expect either wording.

Security Controls by Function: Preventive, Detective, Corrective, Deterrent, Compensating

Functional Categories

Controls are also grouped by function: preventive, detective, corrective, deterrent, and compensating. This describes what the control does in practice. SY0-701 adds a sixth function, directive, for controls that tell people what to do (an acceptable use policy or a "wear your badge" rule).

Preventive & Detective

Preventive controls stop incidents (MFA, firewalls, ACLs). Detective controls identify incidents (IDS, log monitoring, CCTV, FIM).

Corrective

Corrective controls fix issues after incidents: restore backups, patch vulnerabilities, reimage infected systems, and apply hotfixes.

Deterrent

Deterrent controls discourage bad behavior: warning banners, visible cameras, "authorized personnel only" signs, and clear sanctions.

Compensating

Compensating controls are alternatives used when the ideal control is not possible. They aim to provide similar protection in another way, for example isolating an unpatchable legacy system on its own network segment with tight firewall rules and extra monitoring when the preferred control (patching) is not available.

Mapping Controls: Type + Function + CIA

Example: DB Encryption

Encrypting a cloud database at rest is a technical, preventive control that mainly supports confidentiality: it protects the data if the underlying storage volumes, snapshots, or backups are accessed without going through the database's own access controls. It does nothing against a user who is authorized to query the database, which is why it pairs with AAA rather than replacing it.

Example: Phishing Training

Phishing awareness training is an administrative, preventive (and deterrent) control that protects confidentiality and integrity by reducing credential theft.

Example: CCTV

CCTV in a data center is a physical, detective and deterrent control that indirectly supports all CIA goals by protecting hardware.

Example: Backups

Daily offsite backups are largely technical and corrective, primarily supporting availability and also helping restore data integrity after corruption. They only count as a control if restores are tested and the copies are kept offline or immutable, so that the same ransomware that hits production cannot encrypt or delete them.

Exam Skill

Practice labeling each control: type (technical/administrative/physical), function (preventive/detective/etc.), and main CIA goal it supports.

Defense-in-Depth and Security Baselines

What is Defense-in-Depth?

Defense-in-depth uses multiple layers of controls so that if one fails, others still protect the asset. No single control is relied on alone.

Layered Example

A web app can be protected at network, host, application, data, and human layers. Each layer adds different controls toward CIA goals.

Security Baselines

Security baselines are standard, approved configurations and minimum controls for systems, like hardened OS images or required cloud settings.

Baselines and GRC

Baselines support governance, risk, and compliance by making security consistent and auditable across many systems and environments.

Exam Keywords

Terms like "golden image", "hardened image", and "baseline configuration" usually point to baseline security and defense-in-depth concepts.
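A baseline is only useful if something checks systems against it. The block below is an added example for this chapter, not course code: it parses a small sshd_config-style file and reports every directive that drifts from a required baseline. The directive names are real OpenSSH ones, but the baseline values and both config texts are constructed for illustration, and the parser deliberately ignores Match blocks.

```python
"""Checking a host configuration against a security baseline.

Added example, not course code. The baseline values and the two config
texts are constructed; directive names match OpenSSH's sshd_config.
Simplification: Match blocks are not handled.
"""
import re

# Required settings: directive -> allowed values (compared case-insensitively).
# Every directive must be set explicitly; a missing one is a finding, because
# "the default is probably fine" is exactly what a baseline exists to remove.
BASELINE = {
    "PermitRootLogin": {"no"},
    "PasswordAuthentication": {"no"},
    "PubkeyAuthentication": {"yes"},
    "X11Forwarding": {"no"},
    "MaxAuthTries": {"3", "4"},
}


def parse_sshd_config(text):
    """Return {directive_lowercase: value}. First occurrence wins, as in sshd.

    Blank lines and full-line comments are skipped; 'Key value' and 'Key=value'
    are both accepted.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts
        settings.setdefault(key.lower(), value.strip())
    return settings


def check_baseline(settings, baseline=BASELINE):
    """Return a list of (directive, actual_value, reason) findings; empty = compliant."""
    findings = []
    for directive, allowed in baseline.items():
        actual = settings.get(directive.lower())
        if actual is None:
            findings.append((directive, None, "not set explicitly"))
        elif actual.lower() not in allowed:
            findings.append((directive, actual, "expected one of %s" % sorted(allowed)))
    return findings


# Constructed config that has drifted from the baseline.
DRIFTED = """\
# constructed sample sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
X11Forwarding no
# second occurrence below is ignored by sshd, so it must not "fix" the finding
PermitRootLogin no
"""

# Constructed config that matches the baseline.
HARDENED = """\
PermitRootLogin no
PasswordAuthentication=no
PubkeyAuthentication yes
X11Forwarding no
MaxAuthTries 3
"""

if __name__ == "__main__":
    for directive, actual, reason in check_baseline(parse_sshd_config(DRIFTED)):
        print("FAIL %-24s actual=%-5s %s" % (directive, actual, reason))
    print("hardened findings:", check_baseline(parse_sshd_config(HARDENED)))
```

The first-occurrence rule matters: appending a compliant line to the end of a file looks like a fix in a diff but changes nothing at runtime, and a checker that took the last value would report the host as compliant when sshd still permits root login.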

Quiz 1: CIA, AAA, and Control Types

Test your understanding of CIA, AAA, and control classifications.

A company configures a firewall to only allow HTTPS (TCP 443) from the internet to its web servers. Which classification is MOST accurate?

  1. Technical, preventive control supporting confidentiality and integrity
  2. Administrative, deterrent control supporting availability
  3. Physical, corrective control supporting availability
  4. Technical, detective control supporting integrity
Show Answer

Answer: A) Technical, preventive control supporting confidentiality and integrity

A firewall rule is a technical control. It is mainly preventive because it blocks unwanted traffic. Allowing only HTTPS is intended to protect the confidentiality and integrity of data in transit by pushing clients to encrypted connections. It is not administrative (no policy), not physical, and its primary function is not detective or corrective. One practitioner caveat the exam does not test: a port filter only decides which traffic reaches the server; it does not inspect the traffic, so plaintext or a weak TLS configuration on port 443 would still pass. The encryption itself comes from the web server's TLS configuration.

Quiz 2: AAA and Control Functions

Apply AAA and control function concepts to a scenario.

An organization implements a policy that all administrator actions on cloud resources must be logged and retained for at least one year, and sends these logs to a SIEM. Which AAA element and control function are BEST represented?

  1. Authentication and preventive control
  2. Authorization and deterrent control
  3. Accounting and detective control
  4. Accounting and corrective control
Show Answer

Answer: C) Accounting and detective control

Recording and retaining logs of admin actions is the accounting part of AAA. Sending logs to a SIEM so they can be monitored and analyzed is a detective function, helping identify suspicious or malicious activity. It does not directly authenticate or authorize, and it is not mainly corrective.

Key Term Flashcards: CIA, AAA, and Controls

Use these flashcards to reinforce key terms. Try to answer from memory before revealing the back.

CIA triad
A core security model consisting of confidentiality, integrity, and availability. It defines the main goals security controls aim to achieve.
Confidentiality
Ensuring that information is not disclosed to unauthorized individuals, entities, or processes. Often implemented with encryption and access controls.
Integrity
Ensuring that data is accurate, complete, and has not been altered in an unauthorized way. Supported by hashes, digital signatures, and strict change controls.
Availability
Ensuring that systems and data are accessible to authorized users when needed. Supported by redundancy, backups, and resilient architectures.
Authentication
The process of verifying the identity of a user, device, or system, such as via passwords, biometrics, or multifactor authentication.
Authorization
The process of determining what an authenticated identity is allowed to do, such as which resources they can access and what actions they can perform.
Accounting (Auditing)
The process of recording and tracking actions performed by users or systems, typically via logs and audit trails, to support monitoring and investigations.
Technical control
A control implemented using technology, such as firewalls, encryption, access control lists, and antivirus or EDR solutions.
Administrative control
A policy, procedure, or process created by management to guide behavior, such as security policies, training, and incident response plans.
Physical control
A control that protects the physical environment, such as locks, guards, CCTV, and secure server rooms.
Preventive control
A control designed to stop an incident from occurring, such as MFA, firewalls, and secure configurations.
Detective control
A control designed to identify that an incident is occurring or has occurred, such as IDS, log monitoring, and CCTV recording.
Corrective control
A control designed to fix issues and restore systems after an incident, such as restoring from backups or applying patches.
Deterrent control
A control designed to discourage attacks or policy violations, such as warning banners, visible cameras, and clear sanctions.
Compensating control
An alternative control used when the primary or preferred control is not feasible, intended to provide comparable protection.
Defense-in-depth
A strategy that uses multiple layers of security controls across different areas (network, host, application, data, human) to reduce overall risk.
Security baseline
A standard, approved configuration and minimum set of controls for a system or environment, used to ensure consistent and repeatable security.

Key Terms

AAA
A framework consisting of authentication, authorization, and accounting that governs identity verification, access decisions, and activity tracking.
CIA triad
A core security model consisting of confidentiality, integrity, and availability. It defines the main goals security controls aim to achieve.
Integrity
Ensuring that data is accurate, complete, and has not been altered in an unauthorized way.
Accounting
The process of recording and tracking actions performed by users or systems, typically via logs and audit trails.
Zero trust
Zero trust is a security model that assumes no implicit trust and requires continuous verification of users and devices, limiting access to only what is needed.
Availability
Ensuring that systems and data are accessible to authorized users when needed.
Authorization
The process of determining what an authenticated identity is allowed to do.
Authentication
The process of verifying the identity of a user, device, or system.
Confidentiality
Ensuring that information is not disclosed to unauthorized individuals, entities, or processes.
Defense-in-depth
A strategy that uses multiple layers of security controls across different areas to reduce overall risk.
Physical control
A control that protects the physical environment and hardware, such as locks, guards, and CCTV.
Detective control
A control designed to identify that an incident is occurring or has occurred.
Deterrent control
A control designed to discourage attacks or policy violations by increasing perceived risk.
Security baseline
A standard, approved configuration and minimum set of controls for a system or environment, used to ensure consistent and repeatable security.
Technical control
A security control implemented using technology, such as firewalls, encryption, and access control lists.
Corrective control
A control designed to fix issues and restore systems after an incident.
Hybrid environment
A hybrid environment is an enterprise environment that includes a mix of cloud, mobile, Internet of Things (IoT), operational technology (OT), and on-premises resources that must be monitored and secured.
Preventive control
A control designed to stop an incident from occurring.
Compensating control
An alternative control used when the primary or preferred control is not feasible, intended to provide comparable protection.
Administrative control
A policy, procedure, or management action that influences security, such as security policies, training, and incident response plans.
Governance, risk, and compliance
Governance, risk, and compliance refers to operating with an awareness of applicable regulations and policies, including principles of governance, risk, and compliance when securing enterprise environments.
