Write-Up: The CIA Triad

28 May 2025

The CIA Triad

The CIA Triad stands for confidentiality, integrity, and availability. These three elements are the core cybersecurity requirements that are meant to “guide policies for information security within an organization” (Chai, 2023, p. 1). This is not to be confused with the AIC Triad, which orders the same elements as availability, integrity, and confidentiality.

To break down the CIA Triad, it is important to know what the three elements mean and why each matters to the triad. Confidentiality is the privacy property that prevents unauthorized personnel from accessing sensitive information. Information is sorted into categories because of the amount of sensitive data that could be dangerous if accessed by unauthorized persons. Integrity ensures that data remains consistent, accurate, and trustworthy; it protects data from being changed or altered by unauthorized persons. Availability keeps information accessible to those who are authorized to use it. To keep data available in a strong security system, authorized personnel must routinely maintain the hardware and systems. These elements are not meant to stand alone. Instead, they work together to provide a strong and safe system that continually improves an organization’s security posture. However, the CIA Triad faces challenges. Chai discusses the concept of “big data,” the large volume of information that organizations must protect. This volume comes from the many sources and formats the data arrives in, as well as from duplication of data. Unfortunately, this leads to oversights in responsible data collection. It is important for organizations to routinely monitor and develop the security of their data by applying the CIA Triad.

Authentication

Authentication is the security process of validating the identity of a person attempting to access information. It ensures that the person who sends a message, transmits data, or performs an action on the information is the individual they claim to be (Bhattacharya, 2024). This includes confirming that the person logging into a computer, website, app, or even an email account is the authorized person who may access it. They will have to present authenticators such as a username, user ID, passcode, password, or personal identification number.

Password-based authentication is the most common method: the person uses their username and password to gain access. It is crucial that the individual keeps this information private. The problem is that an attacker may gain access through the password hash. A password hash is the protected form of a password that a system generates and stores instead of the password itself. However, an attacker who obtains these hashes may be able to use password attacks to recover the real passwords. This is why passwords must not be guessable, so that the stored hash cannot easily be broken. Two-factor authentication has become another common method, requiring two different forms of identification (Bhattacharya, 2024). It usually requires a password and then verification through your cell phone or another personal device. According to Bhattacharya, this method makes an account 99% less likely to suffer a cyberattack.
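To illustrate the password-hash point above, here is an added example (not from the write-up or any cited source) of how a system stores a password hash so that a stolen record does not reveal the password, and how it rejects guessable passwords before hashing. The deny-list, the PBKDF2 parameters, and the record format are assumptions chosen for this example.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a real list of the most common passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

# Assumed parameters: a slow, salted key-derivation function makes each
# guess against a stolen hash expensive for the attacker.
HASH_NAME = "sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def is_guessable(password: str) -> bool:
    """Policy check: reject short passwords and ones on the common list."""
    return len(password) < 12 or password.lower() in COMMON_PASSWORDS


def hash_password(password: str) -> str:
    """Return a storable record 'pbkdf2_<hash>$<iterations>$<salt>$<digest>'.

    A fresh random salt per user means two users with the same password
    get different hashes, so one cracked hash does not expose the other.
    """
    if is_guessable(password):
        raise ValueError("password is too short or too common")
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode(), salt, ITERATIONS)
    return f"pbkdf2_{HASH_NAME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    hash_name = algo.split("_", 1)[1]
    digest = hashlib.pbkdf2_hmac(
        hash_name, password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    # compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)                                              # never contains the password
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong guess", record))              # False
```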

Biometric authentication uses the biological characteristics of an individual, such as scanning their facial features or their fingerprint. As strong as this method seems against attacks, it has concerns and issues. An unauthorized individual can copy a person’s fingerprint to access data, and since a person cannot change their fingerprint, the privacy and security consequences are severe. There is also an attack called “spoofing,” in which an unauthorized individual uses a collection of biometric samples to match the authentication.

Multifactor authentication requires multiple forms of authentication, for example the combination of a keycard, a password, and biometric authentication. The multiple layers of authentication provide a stronger wall of protection against cyberattacks.

An example of authentication used by an individual is an ATM. The user must insert the physical bank card and enter the personal identification number associated with the account. For access to a building, the user presents an identification card and sometimes, in addition, a fingerprint scan.

Authorization

Authorization is the access granted to an individual who has successfully passed the authentication process. When the user is authorized, the system allows that user to access only certain resources, such as information, files, and databases (Anna et al., 2021).

User-managed access (UMA) is a standardized authorization approach released by the Kantara Initiative (Mahalle, Bhong, & Shinde, 2022). It controls an individual’s access to application programs, including desktop, web, browser-based, and mobile applications (Mahalle, Bhong, & Shinde, 2022). Authorization is controlled by the resource owner, who has primary access to the data and the system. Without the resource owner’s authorization, a third party cannot access the data.

An example of this would be the holder of a bank account granting limited access to a trusted individual, such as a next of kin. The resource owner gives the bank the third party’s details together with the specific actions that party is allowed to perform.
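The owner-managed, default-deny model described in the two paragraphs above, as an added example (not code from the write-up or from the UMA specification): the account holder is the only party who can grant access, each grant is scoped to specific actions, and anything not granted is refused. The account data, user names, and action names are constructed for this example.

```python
from dataclasses import dataclass, field

# Constructed data: one bank account owned by "alice".
ACCOUNTS = {"acct-001": {"owner": "alice", "balance": 2500}}


@dataclass
class Grant:
    grantee: str
    resource: str
    actions: set = field(default_factory=set)


class AuthorizationServer:
    """Default deny: only the resource owner can grant, and grants are scoped."""

    def __init__(self) -> None:
        self._grants: list[Grant] = []

    def grant(self, requester: str, grantee: str, resource: str, actions: set) -> None:
        # Only the resource owner may delegate access to a third party.
        owner = ACCOUNTS.get(resource, {}).get("owner")
        if requester != owner:
            raise PermissionError(f"{requester} is not the owner of {resource}")
        self._grants.append(Grant(grantee, resource, set(actions)))

    def revoke(self, requester: str, grantee: str, resource: str) -> None:
        # Revocation is likewise reserved for the owner.
        owner = ACCOUNTS.get(resource, {}).get("owner")
        if requester != owner:
            raise PermissionError(f"{requester} is not the owner of {resource}")
        self._grants = [g for g in self._grants
                        if not (g.grantee == grantee and g.resource == resource)]

    def is_authorized(self, user: str, resource: str, action: str) -> bool:
        if resource not in ACCOUNTS:
            return False  # unknown resource: deny
        if ACCOUNTS[resource]["owner"] == user:
            return True   # owner keeps full access
        # A third party is allowed only the actions the owner granted.
        return any(g.grantee == user and g.resource == resource and action in g.actions
                   for g in self._grants)


if __name__ == "__main__":
    server = AuthorizationServer()
    server.grant("alice", "bob", "acct-001", {"view_balance"})
    print(server.is_authorized("bob", "acct-001", "view_balance"))  # True
    print(server.is_authorized("bob", "acct-001", "withdraw"))      # False
```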

Conclusion

Authentication and authorization play different roles in cybersecurity. Authentication identifies an individual, and authorization limits which data that individual can access once authentication has succeeded. The CIA Triad, authentication, and authorization provide a strong security system when they work together. Preventing cyberattacks keeps sensitive information and a system’s programming private. Allowing only authorized personnel, identified through their specific authenticators, to access information further protects the confidentiality, integrity, and availability of an organization’s data.

References

Anna, K., Olena, K., Mykhailo, K., Svitlana, K., Consulting, S., & Rostyslav, Z. (2021). Methods of Security Authentication and Authorization into Informationals Systems. 2020 IEEE 2nd International Conference on Advanced Trends in Information Theory (ATIT), 270-274. https://doi.org/10.1109/ATIT50783.2020.9349333

Bhattacharya, S. (2024). Authentication in Cybersecurity. In A. Khanna (Ed.), Securing an Enterprise (pp. 75-94). Plano, TX, USA: Apress. https://doi.org/10.1007/979-8-8688-1029-9_4

Chai, W. (2023, December 21). What is the CIA Triad? Definition, Explanation, Examples. Retrieved from TechTarget: https://www.techtarget.com/whatis/definition/Confidentiality-integrity-and-availability-CIA?jr=on

Mahalle, P. N., Bhong, S. S., & Shinde, G. R. (2022). User-Managed Access. In Authorization and access control: foundations, frameworks, and applications (pp. 53-69). CRC Press. https://doi.org/10.1201/9781003268482