CompTIA Security+security-concepts-cia-aaa-zero-trust

Core Security Concepts: CIA Triad, AAA, and Zero Trust

The foundational goals and models of information security, from the CIA triad to Zero Trust.

Nearly every Security+ (SY0-701) question rests on a small set of foundational models: the goals you are protecting (CIA), the accountability you enforce (AAA), the controls you deploy to get there, and the modern trust model (Zero Trust) that assumes the network is already hostile. Learn these frameworks cold and the rest of the exam becomes an exercise in matching a scenario to the right concept.

Core Idea

  • The CIA triad — Confidentiality, Integrity, and Availability — is the goal. Everything else (controls, AAA, Zero Trust) exists to preserve one or more of these three properties.
  • The opposite of CIA is DAD: Disclosure, Alteration, and Denial — the three ways security fails.
  • Non-repudiation guarantees an actor cannot deny an action, and is provided chiefly by digital signatures and audit logging.

The CIA Triad and DAD

  • Confidentiality keeps data secret from unauthorized parties. It is achieved with encryption, access controls, and steganography. A breach of confidentiality is disclosure.
  • Integrity ensures data is not altered without authorization. It is verified with hashing, digital signatures, and checksums. A breach of integrity is alteration.
  • Availability ensures authorized users can reach systems and data when needed. It is supported by redundancy, backups, fault tolerance, and load balancing. A breach of availability is denial (for example, a DoS attack).
  • Non-repudiation is a related property — proof of origin and integrity so a sender cannot deny having sent a message. It relies on digital signatures (private-key signing) and logging.

AAA: Authentication, Authorization, and Accounting

  • Authentication proves you are who you claim to be (something you know, have, are, or your location).
  • Authorization determines what an authenticated identity is permitted to do — enforcing least privilege.
  • Accounting (auditing) records what an identity actually did — the logs that make accountability and non-repudiation possible.
  • AAA applies to people and systems/devices. Common AAA protocols include RADIUS and TACACS+; devices often authenticate with certificates.

Security Control Categories and Types

Categories describe who or what implements a control:

  • Technical (logical) — enforced by systems: firewalls, encryption, antivirus, IDS.
  • Managerial — administrative direction: policies, risk assessments, security planning.
  • Operational — carried out by people day-to-day: security awareness training, guard patrols, incident response.
  • Physical — tangible barriers: fences, locks, badge readers, bollards, lighting.

Types describe what the control does:

  • Preventive — stops an incident (firewall rule, badge lock).
  • Deterrent — discourages an attacker (warning signs, visible cameras).
  • Detective — identifies an incident in progress or after (IDS, log review, motion sensors).
  • Corrective — fixes or restores after an incident (backup restore, patching).
  • Compensating — an alternative when the primary control isn't feasible.
  • Directive — instructs or mandates behavior (acceptable use policy, signage that tells you what to do).

Defense in Depth and Least Privilege

  • Defense in depth (layered security) stacks multiple, overlapping controls so no single failure is catastrophic — physical, technical, and administrative layers together.
  • Least privilege grants each user, process, or system only the minimum access needed to do its job, limiting the blast radius of a compromised account.

Zero Trust

Zero Trust replaces the old "trusted internal network" with "never trust, always verify" — every request is authenticated and authorized regardless of origin. Key components:

  • Control plane — makes the trust decisions: the Policy Engine (evaluates and decides grant/deny), the Policy Administrator (executes the decision and issues/revokes access tokens), and the policy definitions, adaptive identity, and threat scope reduction that inform them.
  • Data plane — where the decision is enforced: the Policy Enforcement Point (PEP) sits between the subject and the resource and allows or blocks the actual traffic.
  • The control plane decides; the data plane acts on that decision.

High-Yield Exam Patterns

  • Map any scenario to the CIA element at stake: encryption → confidentiality, hashing/signatures → integrity, redundancy/backups → availability.
  • Non-repudiation = digital signatures. If an option says a user "cannot deny" an action, look for signing or logging.
  • Distinguish control category (technical/managerial/operational/physical = who implements) from type (preventive/deterrent/etc. = what it does). Questions love to test this split.
  • A camera is detective if reviewing footage, but deterrent if its visible presence is meant to scare attackers — context decides the type.
  • In Zero Trust, remember Policy Engine decides, Policy Administrator issues the token, and the Policy Enforcement Point enforces on the data plane.
  • AAA order matters: authenticate, then authorize, then account (audit).

Common Traps to Avoid

  • Confusing authentication (who you are) with authorization (what you may do) — they are separate A's.
  • Calling a policy or training a "technical" control — policies are managerial, training is operational.
  • Assuming Zero Trust means "trust the internal network" — it assumes the network is already breached and verifies every request.
  • Treating deterrent and preventive as the same; a deterrent discourages but does not physically stop an attacker.
  • Forgetting that least privilege applies to services and devices, not just human users.

Flashcards

Card 1 of 14

1/14

Keyboard: Space/Enter to flip • Arrow keys to navigate

Ready to Test Your Knowledge?

This quiz has 8 questions and each one has 4 options.

Quiz Details

8 Questions

Multiple choice with instant self-check

Final Review

See correct answers and explanations at the end

Build your own lesson in minutes.

Upload a source document and turn it into flashcards, quizzes, and a study-ready lesson bank.