The CIA Triad is an information security benchmark model used to evaluate the information security of an organization (Techopedia). The CIA Triad has no affiliation with the U.S. Central Intelligence Agency; the CIA stands for the model's three principles: Confidentiality, Integrity, and Availability. Confidentiality means that only authorized users and processes should be able to access or modify data. Integrity means that data should be maintained in a correct state and nobody should be able to improperly modify it, either accidentally or maliciously. Availability means that authorized users should be able to access data whenever they need to do so.
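To make the first two principles concrete, here is an added example (my own code, not from any of the cited sources) that models a student record with a per-field sensitivity label for confidentiality and an HMAC tag for integrity. The key, the record, the labels and the clearance levels are all constructed for the example; a real system would keep the key in a secrets store and would take labels from a data-classification policy.

```python
import hashlib
import hmac
import secrets

# Constructed example key; in production this lives in a secrets store, never in source.
INTEGRITY_KEY = secrets.token_bytes(32)

# Confidentiality: each field carries a sensitivity label, and a reader holds a
# clearance. Higher rank may read lower-labelled fields; never the other way round.
FIELD_LABELS = {"name": "public", "email": "internal", "balance": "restricted"}
CLEARANCE_RANK = {"public": 0, "internal": 1, "restricted": 2}


def tag_record(record: dict, key: bytes = INTEGRITY_KEY) -> str:
    """Integrity: HMAC over a canonical (sorted, newline-joined) serialization.

    Sorting the keys means two records with the same content always produce
    the same tag regardless of insertion order.
    """
    canonical = "\n".join(f"{k}={record[k]}" for k in sorted(record))
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


def verify_record(record: dict, tag: str, key: bytes = INTEGRITY_KEY) -> bool:
    """Return True only if the record is byte-for-byte what was tagged.

    compare_digest runs in constant time, so a forged tag cannot be refined
    one matching byte at a time by measuring response times.
    """
    return hmac.compare_digest(tag_record(record, key), tag)


def read_fields(record: dict, clearance: str) -> dict:
    """Confidentiality: return only the fields the reader's clearance covers."""
    allowed = CLEARANCE_RANK[clearance]
    return {k: v for k, v in record.items()
            if CLEARANCE_RANK[FIELD_LABELS[k]] <= allowed}


def demo() -> dict:
    """Walk through a legitimate read, a restricted read, and a tampered record."""
    # Constructed sample record.
    record = {"name": "A. Student", "email": "astudent@example.edu", "balance": 1250}
    tag = tag_record(record)

    # A reader with only 'internal' clearance must not see the balance.
    partial = read_fields(record, "internal")

    # Someone alters the balance without the key; the stored tag no longer matches.
    tampered = dict(record, balance=0)

    return {
        "intact_ok": verify_record(record, tag),
        "tampered_ok": verify_record(tampered, tag),
        "internal_sees_balance": "balance" in partial,
        "restricted_sees_balance": "balance" in read_fields(record, "restricted"),
    }


if __name__ == "__main__":
    print(demo())
```

The integrity tag detects both accidental and malicious changes, but only if the verifier holds a key the modifier does not; a plain unkeyed hash would be trivially recomputed alongside the altered data, which is why the example uses an HMAC rather than `hashlib.sha256` on its own.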
The CIA Triad is different from most concepts simply because it has no single founder. Each one of the principles came from a different person or source. Confidentiality came from Ben Miller, Integrity was said to have come from an Air Force study, and Availability was the toughest to pin down, but the closest thing to the origin of the word was the Morris worm. Although each word came from a different place than the others, they were all put together by a man named Donn Parker. He put them together when he published his book, which talked about adding on to the original three words.
The three principles are important and are the basics of cybersecurity. The words are a part of the questions that you ask yourself and your team to determine the safety of the data, or whatever it may be. Although these principles work together, they sometimes pull against each other. For example, as stated by Fruhlinger, “Requiring elaborate authentication for data access may help ensure its confidentiality, but it can also mean that some people who have the right to see that data may find it difficult to do so, thus reducing availability.”
When we talk about Confidentiality, the two big A’s come up: Authorization and Authentication. Authorization is used to make sure the wrong person isn’t given any sensitive information; in simpler words, it’s basically there to control who sees what. In the event that an account is hacked, there may be some general information there, but there is usually some more sensitive information somewhere deeper in the account that will need some type of authorization in order for it to be viewed. The other big A is Authentication, which simply means making sure you are who you say you are. Systems determine this by using things such as fingerprints, face ID/recognition, and crypto keys. A perfect example of Authentication would be how we have to use Duo to confirm it is really us logging into our ODU accounts. Duo helps ODU authenticate by having the person signing in send a push notification to the owner’s phone. When the push notification is received, the owner simply confirms whether or not that is them signing into the account. After it is confirmed they are granted access to the ODU account; if you deny that it is you signing in, access will not be granted and they will probably suggest that you change your password.
The two words Authentication and Authorization are often confused, but the major difference is that one (Authentication) is to confirm your access to the system and the other (Authorization) is to determine whether you are authorized to access certain information and resources. In other words, authentication is who you are, while authorization is what you have access to and can modify.
For my example of Authorization and Authentication, I will use the example I used earlier in the write-up. As ODU students, we all have a MIDAS account, which you have to log into every time you would like to access your ODU account. In order to log in you must type in your username and password, and after that you must use the Duo app on your phone to authenticate that it is you; they do this by sending a push notification to confirm whether it is you trying to log in or not. ODU requiring you to type in a username and password alongside the Duo push notification is the Authentication process. Once you have been authenticated and given access to the account, you now have a lot of information that can be accessed, but some of it requires the necessary authorization depending on the sensitivity of the information or resources. When students need their tuition paid, they are often required to mark their parents as authorized users so that the parents can access the payment portal and pay the tuition. The parents are marked as authorized users when the student enters the parent’s email address; an email is then sent to that address and the parent must make an account. Once that is done, the parents are authorized to view their student’s balance, make payments, and things of the sort.
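The login-then-delegate flow described above, as an added example in Python that is not code from ODU, Duo or any of the cited sources. It separates the two A’s the way the write-up does: `authenticate` checks a salted password hash and then asks a second-factor callback (standing in for the Duo push, which the real system handles out of band), while `authorize` and `grant_authorized_user` decide what an already-authenticated principal may reach. Usernames, passwords and the `billing:<student>` resource naming are all constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Callable, Optional


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Store a salted PBKDF2 hash, never the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    # Authorization data: the resources this principal is allowed to reach.
    permissions: set = field(default_factory=set)


class Directory:
    """Toy account store; holds credentials and permissions for each user."""

    def __init__(self) -> None:
        self.accounts = {}

    def register(self, username: str, password: str, permissions=()) -> None:
        salt, digest = hash_password(password)
        self.accounts[username] = Account(username, salt, digest, set(permissions))

    def authenticate(self, username: str, password: str,
                     second_factor: Callable[[str], bool]) -> Optional[Account]:
        """Authentication: who are you? Both factors must pass to get an Account back.

        `second_factor(username)` models the push prompt: True if the account
        owner approved it on their phone, False if they denied it.
        """
        acct = self.accounts.get(username)
        if acct is None:
            return None
        _, candidate = hash_password(password, acct.salt)
        # Constant-time compare so a wrong password is not distinguishable by timing.
        if not hmac.compare_digest(candidate, acct.pw_hash):
            return None
        if not second_factor(username):
            return None
        return acct


def authorize(acct: Account, resource: str) -> bool:
    """Authorization: what may an authenticated principal touch?"""
    return resource in acct.permissions


def grant_authorized_user(directory: Directory, student: str, delegate: str) -> bool:
    """A student marks someone else as an authorized user for their billing.

    Delegation only succeeds if the student actually holds that permission, so
    nobody can hand out access they do not have themselves.
    """
    resource = f"billing:{student}"
    owner = directory.accounts.get(student)
    target = directory.accounts.get(delegate)
    if owner is None or target is None or not authorize(owner, resource):
        return False
    target.permissions.add(resource)
    return True


def demo() -> dict:
    """Constructed walk-through: one student, one parent, a few login attempts."""
    d = Directory()
    d.register("astudent", "correct horse battery", permissions={"billing:astudent"})
    d.register("aparent", "staple")

    approve = lambda user: True    # owner taps "Approve" on the push
    deny = lambda user: False      # owner taps "Deny"

    wrong_pw = d.authenticate("astudent", "guess", approve)
    denied_push = d.authenticate("astudent", "correct horse battery", deny)
    student = d.authenticate("astudent", "correct horse battery", approve)
    parent = d.authenticate("aparent", "staple", approve)

    before = authorize(parent, "billing:astudent")
    delegated = grant_authorized_user(d, "astudent", "aparent")
    after = authorize(parent, "billing:astudent")
    # The parent cannot pass that access on to a third party: they are not the owner
    # of billing:astudent in the sense that matters here (a "billing:aparent" resource).
    d.register("third", "pw")
    escalate = grant_authorized_user(d, "aparent", "third")

    return {
        "wrong_pw": wrong_pw is None,
        "denied_push": denied_push is None,
        "student_logged_in": student is not None,
        "parent_before": before,
        "delegated": delegated,
        "parent_after": after,
        "parent_can_escalate": escalate,
    }


if __name__ == "__main__":
    print(demo())
```

The point the example makes is that passing `authenticate` says nothing about `authorize`: the parent logs in successfully and still cannot see the balance until the student explicitly delegates `billing:astudent`, and a denied push blocks login even when the password is right.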
References
Fruhlinger, J. (2020, February 10). The CIA triad: Definition, components and examples. Retrieved from https://www.csoonline.com/article/3519908/the-cia-triad-definition-components-and-examples.html
Khillar, S. (2019, October 18). Difference between Authentication and Authorization. Retrieved from http://www.differencebetween.net/technology/difference-between-authentication-and-authorization/
What is CIA Triad of Information Security? – Definition from Techopedia. (n.d.). Retrieved from https://www.techopedia.com/definition/25830/cia-triad-of-information-security