I am working on a security measurement framework for open source ERP software. I would like to get expert opinion on the factors that affect security attributes as defined in ISO/IEC 25010
The CIA Triad of confidentiality, integrity and availability is considered the core underpinning of information security. Every security control and every security vulnerability can be viewed in light of one or more of these key concepts. For a security program to be considered comprehensive and complete, it must adequately address the entire CIA Triad.
# Confidentiality
Threat vectors include direct attacks such as stealing passwords and capturing network traffic, and more layered attacks such as social engineering and phishing. Not all confidentiality breaches are intentional. A few types of common accidental breaches include emailing sensitive information to the wrong recipient, publishing private data to public web servers, and leaving confidential information displayed on an unattended computer monitor.
There are many countermeasures that organizations put in place to ensure confidentiality. Passwords, access control lists and authentication procedures use software to control access to resources. These access control methods are complemented by the use of encryption to protect information that can be accessed despite the controls, such as emails that are in transit. Additional confidentiality countermeasures include administrative solutions such as policies and training, as well as physical controls that prevent people from accessing facilities and equipment.
# Integrity
In maintaining integrity, it is not only necessary to control access at the system level, but to further ensure that system users are only able to alter information that they are legitimately authorized to alter.
# Availability
Some of the most fundamental threats to availability are non-malicious in nature and include hardware failures, unscheduled software downtime and network bandwidth issues. Malicious attacks include various forms of sabotage intended to cause harm to an organization by denying users access to the information system.
Your question focused on the CIA and AAA, as they are commonly called in the cybersecurity world. In your question, you are more concerned with security attributes that are related to ISO/IEC 25010. That implies that you are concerned with:
(1) quality in use model and
(2) product quality model.
In addition to the contributions by Ziaur Rahman, William M. Hayden Jr. and Krunalkumar Shah, I suggest you review the briefs below.
- identify software and system requirements;
- validate the comprehensiveness of a requirements definition;
- identify software and system design objectives;
- identify software and system testing objectives;
- identify quality control criteria as part of quality assurance;
- identify acceptance criteria for a software product and/or software-intensive computer system;
- establish measures of quality characteristics in support of these activities.
(taken from https://www.iso.org/standard/35733.html)
If you are considering high availability, one of the best means of attaining close to 99.9% availability is IaaS with the infrastructure provided by a CSP with a SOC 2 Type 2 audit report. By my definition and suggestion, I am vendor neutral. Ask for the SOC 2 Type 2 report from any cloud service provider before using such infrastructure to guarantee high uptime. Since you have identified the open source ERP, proceed to a development environment or sandbox to first deploy and test, and then move to production. However, ensure that the open source ERP has wide community support.
You can support the integrity of both the system and data with the implementation of TLS for data in transit and AES for data at rest in the cloud. If you have the funds and you plan to work remotely in your organization, you may also invest in thin clients. This will ensure both integrity and confidentiality of your data and systems.
For AAA, you must have the I - Identification system for all users. Try to use the same user identification nomenclature to simplify identity management. Perhaps, if you have a system that uses Kerberos, you may plan to have federated identification in the future or even use SAML to provide a seamless integration of the cloud and on-premise infrastructure through a TLS connection. Make your A - Authentication follow your organization's password policy. These days, NIST recommends the use of long passphrases instead of complex passwords, while you may not need to set the password to expire at any date. For A - Authorization, you should adopt the least privilege and need-to-know principle for all users. Try to ensure proper documentation of all authorization of access using the two-man authorization principle (at least two persons must authorize the assignment of access to any user). Finally, you must enable logging of user activities, especially privileged users, to guarantee A - Accountability.
For non-repudiation, the use of both symmetric and asymmetric encryption must be enforced for all users and the entire system. That means use TLS (https) for your data in motion through the browser and AES for data at rest (in the database). You can always use a hash for each backup to ensure the integrity of your backups.
All the above needs management's full support. Try to implement a good Change Management system so that someone will not mess up your work. Users must be trained and evaluated to ensure the success of your project.
I hope the explanation above will be helpful. You may reach me for further clarification on my email (in my profile). Thanks.
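The answer above recommends a hash for each backup to verify its integrity. The following is an added example, not code from the original answer or from any ERP project, showing how that looks in practice: a SHA-256 manifest is built over a backup set at backup time and later compared against the restored set, so that modified, missing or unexpected files are reported individually. The backup set here is a constructed in-memory dictionary standing in for files on disk; the file names and contents are invented for the example.

```python
import hashlib
import hmac
import json
from typing import Dict

# Constructed sample backup set: file name -> contents.
# In real use these would be read from the backup directory.
SAMPLE_BACKUP: Dict[str, bytes] = {
    "erp_db_2024-01-01.sql.gz": b"-- constructed database dump --\nINSERT INTO ...\n",
    "erp_files_2024-01-01.tar": b"constructed tar payload",
    "erp_config.json": b'{"db": "erp", "mode": "prod"}',
}


def sha256_hex(data: bytes) -> str:
    """Return the SHA-256 digest of `data` as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Compute one digest per file in the backup set, keyed by file name.

    The manifest is what gets stored (separately from the backup) and is
    the trusted reference at restore time.
    """
    return {name: sha256_hex(content) for name, content in sorted(files.items())}


def verify_manifest(manifest: Dict[str, str], files: Dict[str, bytes]) -> Dict[str, str]:
    """Compare a backup set against a trusted manifest.

    Returns a status per file name:
      'ok'         digest matches the manifest
      'modified'   file present but digest differs
      'missing'    listed in the manifest but absent from the set
      'unexpected' present in the set but not listed in the manifest
    """
    result: Dict[str, str] = {}
    for name, expected in manifest.items():
        if name not in files:
            result[name] = "missing"
        elif not hmac.compare_digest(sha256_hex(files[name]), expected):
            # constant-time comparison of the hex digests
            result[name] = "modified"
        else:
            result[name] = "ok"
    for name in files:
        if name not in manifest:
            result[name] = "unexpected"
    return result


def backup_is_intact(manifest: Dict[str, str], files: Dict[str, bytes]) -> bool:
    """True only if every manifest entry verifies and no extra files are present."""
    return all(status == "ok" for status in verify_manifest(manifest, files).values())


def manifest_to_json(manifest: Dict[str, str]) -> str:
    """Serialize the manifest for storage alongside (but not inside) the backup."""
    return json.dumps(manifest, indent=2, sort_keys=True)


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_BACKUP)
    print(manifest_to_json(manifest))

    # Simulate a restore where one file was altered, one is gone and one was added.
    restored = dict(SAMPLE_BACKUP)
    restored["erp_config.json"] = b'{"db": "erp", "mode": "debug"}'
    del restored["erp_files_2024-01-01.tar"]
    restored["stray.bin"] = b"not part of the backup"

    for name, status in verify_manifest(manifest, restored).items():
        print(f"{status:10s} {name}")
    print("intact:", backup_is_intact(manifest, restored))
```

The manifest only protects against accidental corruption and unnoticed changes if it is kept somewhere the backup writer cannot silently overwrite it (a separate store, a write-once location, or a copy recorded in the change management system); a manifest stored inside the same backup directory can be regenerated along with any altered file, and so proves nothing on its own.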