The CIA Triad

By Angelica Grace Castro

The CIA triad is a model made up of three concepts that guides organizations in pursuing information security. CIA is an acronym for confidentiality, integrity, and availability. Security controls and strategies have been developed using the CIA triad as a guideline. Two of those security controls are authentication and authorization. Both are used to protect the CIA triad, but they do so in different ways: authentication ensures that a person’s identity is correct, while authorization deals with what that person has access to.

Confidentiality

In Wesley Chai’s article “What is the CIA Triad? Definition, Explanation, Examples”, he describes confidentiality as roughly equivalent to privacy. Confidentiality ensures that only those who need to see the information are able to. Using Alice, Bob and Trudy as a model, if Alice and Bob are sending emails to each other, confidentiality ensures that a third person such as Trudy cannot learn the contents of those emails. Confidentiality can be ensured in many ways, including authentication, access controls and encryption.

Integrity

Integrity is ensuring that information is trustworthy and true to the owner’s original message. If Alice sent an email to Bob but Trudy intercepted it and changed its contents before Bob read it, that is a violation of integrity: the data is no longer what was intended. Authorization granted to users according to their role is one way to protect integrity.

Availability

Availability is ensuring that information is always accessible to those who are allowed to access it. An example of a violation of availability is if the email Alice sent was intercepted and deleted before Bob received it. Similarly, hardware failures or hackers conducting denial-of-service attacks violate availability. Maintaining up-to-date equipment, backing up data, and using security software are some of the ways to ensure availability.

Authentication

According to the National Institute of Standards and Technology, authentication is a process that provides assurance of the source and integrity of information that is communicated or stored, or of the identity of an entity interacting with a system. Authentication verifies that a user is who they claim to be, so that only those who are authorized can gain access to the data, system or resource. For example, an employee at a company would have to use their username and password to log in to the system and access their data. Usernames and passwords are just one form of authentication.

Authorization

Authorization is the permission given to an entity to access certain data, a system or a resource. The permission given depends on the person’s role within the organization. For example, an employee in one department may have access to a folder containing that department’s data but not to the other departments’ folders.

Authentication vs. Authorization

Authentication and authorization are always present and are the first steps in achieving adequate information and cyber security. Authorization can only be granted once access has been requested and the requester’s identity has been established, so authentication must be completed first. Thus, authorization always comes after authentication. An example of the two working together is a student logging in to Canvas with a username and password linked to their university account. The student is able to view modules, submit assignments and view grades. A teacher, on the other hand, is able to upload modules and assignment information and edit grades. Both student and teacher authenticate themselves but have different levels of authorization because they have different roles.
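As an added illustration (not part of the original post, and not how Canvas itself is built), the following Python sketch models the student/teacher example: a request must first pass authentication with a username and password, and only then is the role attached to the resulting session consulted to authorize the requested action. The accounts, passwords and permission sets are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed user store for a hypothetical course site. Passwords are never
# stored in the clear: each record keeps a random salt and a PBKDF2 hash.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "role": role}

USERS = {
    "alice": make_user("student-pass", "student"),  # constructed sample accounts
    "bob":   make_user("teacher-pass", "teacher"),
}

# Authorization policy (assumed): the actions each role is permitted to perform.
ROLE_PERMISSIONS = {
    "student": {"view_modules", "submit_assignment", "view_grades"},
    "teacher": {"view_modules", "upload_module", "post_assignment",
                "view_grades", "edit_grades"},
}

def authenticate(username: str, password: str):
    """Step 1: verify the claimed identity. Returns a session or None."""
    user = USERS.get(username)
    if user is None:
        # Hash anyway so an unknown username takes as long as a wrong password.
        _hash_password(password, b"\x00" * 16)
        return None
    candidate = _hash_password(password, user["salt"])
    if not hmac.compare_digest(candidate, user["hash"]):  # constant-time compare
        return None
    return {"user": username, "role": user["role"]}

def authorize(session, action: str) -> bool:
    """Step 2: decide whether an already-authenticated session may do the action.
    With no session (authentication failed or never ran) nothing is allowed."""
    if session is None:
        return False
    return action in ROLE_PERMISSIONS.get(session["role"], set())

def request(username: str, password: str, action: str) -> str:
    """Authentication always runs before authorization, as the text describes."""
    session = authenticate(username, password)
    if session is None:
        return "denied: authentication failed"
    if not authorize(session, action):
        return f"denied: {session['role']} is not authorized to {action}"
    return f"ok: {username} performed {action}"
```

Note that a student who authenticates successfully is still refused edit_grades, while a wrong password is refused before any role is even looked at.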

Conclusion

The CIA triad is an incredibly helpful model for ensuring information security. There are a variety of ways to protect the CIA triad. Authentication and authorization are two methods that are always used. They work together to provide access and to ensure that user access is correct.

References

Chai, W. (2022, June 28). What is the CIA Triad? Definition, Explanation, Examples. https://www.techtarget.com/whatis/definition/Confidentiality-integrity-and-availability-CIA?jr=on

One Identity. (n.d.). Authentication vs. Authorization. Onelogin. https://www.onelogin.com/learn/authentication-vs-authorization

National Institute of Standards and Technology. (n.d.). Authentication. Computer Security Resource Center. https://csrc.nist.gov/glossary/term/authentication

National Institute of Standards and Technology. (n.d.). Authorization. Computer Security Resource Center. https://csrc.nist.gov/glossary/term/authorization

Fruhlinger, J. (2020, Feb 10). The CIA triad: Definition, components and examples. CSO. https://www.csoonline.com/article/568917/the-cia-triad-definition-components-and-examples.html
