The three letters in the CIA Triad stand for Confidentiality, Integrity, and Availability. The Triad forms the foundation of cybersecurity, secure development, and security research. It also underpins authentication and authorization, both of which depend on the Triad's controls being in place.
Confidentiality
Confidentiality is the privacy and secrecy of an organization's or an individual's information and data (Chai, 2022). It is crucial to safeguard this data, because inadequate controls allow threat actors to steal it. To counter this, companies commonly apply role-based access control and encryption to sensitive data, such as personally identifiable information. Role-based access control means that a user must hold a particular role, such as administrator, to view confidential information (Gibson, 2020). Encryption allows data to be stored securely: a key is required to decrypt it, and only people in the authorized roles hold that key, so the data remains confidential even if the stored ciphertext is exposed.
Integrity
Integrity is maintaining the trust and accuracy of files, applications, and data (Chai, 2022). For example, the Secure Hash Algorithm family, SHA, is used to verify that files, applications, or information have not been tampered with. A SHA function produces a fixed-length digest of hexadecimal characters regardless of the input size. If any change is made to a file, application, or data, the digest will differ. By comparing the computed digest against a known-good digest, one can see whether any changes were made. If the digests match, one can assume that the file, application, or data is intact and trustworthy, provided that the reference digest itself came from a trusted source; an attacker who can modify the data and also replace the published digest will pass a plain hash check.
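A worked example of the digest comparison described above, added here as an illustration in Python; it is not code from the original essay or from the cited sources. The two configuration files are constructed for the demo, and the HMAC key is a constructed placeholder for a secret that would normally come from a secret store. Beyond the plain SHA check the paragraph describes, the example also shows the case where an attacker republishes the digest, and how a keyed hash (HMAC) closes that gap.

```python
import hashlib
import hmac

# Constructed sample file contents (not from the original page): a config
# file before and after an attacker flips one setting.
ORIGINAL = b"PATH=/usr/local/bin:/usr/bin\nALLOW_REMOTE_ADMIN=no\n"
TAMPERED = b"PATH=/usr/local/bin:/usr/bin\nALLOW_REMOTE_ADMIN=yes\n"


def sha256_hex(data: bytes) -> str:
    """Fixed-length SHA-256 digest (64 hex characters) regardless of input size."""
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, expected_hex: str) -> bool:
    """Integrity check against a known-good digest, compared in constant time."""
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def hmac_sha256_hex(key: bytes, data: bytes) -> str:
    """Keyed digest: only holders of `key` can produce a matching tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hmac(key: bytes, data: bytes, expected_hex: str) -> bool:
    """Authenticated integrity check using the keyed digest."""
    return hmac.compare_digest(hmac_sha256_hex(key, data), expected_hex)


def demo() -> dict:
    """Run the checks and return the outcome of each scenario."""
    known_good = sha256_hex(ORIGINAL)  # digest published alongside the file
    results = {
        "original_matches": verify_digest(ORIGINAL, known_good),  # unchanged file passes
        "tampered_matches": verify_digest(TAMPERED, known_good),  # one changed byte fails
    }
    # Limitation of a bare hash: an attacker who can edit the file and the
    # published digest simply recomputes the digest, and the check passes.
    forged_digest = sha256_hex(TAMPERED)
    results["forged_digest_passes"] = verify_digest(TAMPERED, forged_digest)
    # Keying the hash (HMAC) with a secret the attacker lacks closes that gap.
    key = b"constructed-secret-key"  # constructed for the demo; load from a secret store in practice
    tag = hmac_sha256_hex(key, ORIGINAL)
    results["hmac_original"] = verify_hmac(key, ORIGINAL, tag)
    results["hmac_tampered"] = verify_hmac(key, TAMPERED, tag)
    return results


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario}: {ok}")
```

Note that `hmac.compare_digest` is used even for the plain hash comparison so that a mismatch is not revealed byte by byte through timing; the HMAC variant is what a practitioner would use whenever the reference digest travels the same untrusted path as the data.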
Availability
Companies often store and encrypt information that is too sensitive for the public eye, yet people in certain roles, such as administrators and developers, still need to access it. This leads to the concept of availability. Availability is the ability of information and data to be readily accessible to authorized users (Chai, 2022). Availability also refers to the uptime of critical infrastructure systems, such as databases, web servers, and file transfer servers. Keeping these systems online matters because downtime causes monetary loss for the company.
Authentication vs Authorization
Authentication is the process of proving one's identity (Wike et al., 2022). This could be as simple as entering a username and password to log in to an account; knowing the correct password is evidence that one owns the account and is associated with that identity. This is not foolproof, because a password can be guessed, phished, or leaked, so administrators and websites often encourage two-factor or multi-factor authentication. A second factor provides an extra layer of security because additional evidence, such as a one-time code, is needed to prove the identity behind an account. Authorization is granting an authenticated user permission to perform an action (Wike et al., 2022). For example, a person logged in to an admin account may be able to block certain IP addresses from reaching a website. A regular user account does not have access to this functionality, meaning that the regular user is not authorized to perform this action.
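A worked example of the two-factor login and the authorization decision described above, which also implements the role-based access control described under Confidentiality. It is added here as an illustration in Python and is not code from the original essay or from the cited sources. The usernames, passwords, roles, permission table, and in-memory user store are constructed for the demo; the TOTP secret is the RFC 4226 test value; the password hashing uses PBKDF2-HMAC-SHA256 from the standard library.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

PBKDF2_ITERATIONS = 100_000  # constructed value; tune upward for production hardware

# Constructed in-memory user store (not from the page): username -> record.
USERS: dict = {}

# Constructed authorization policy: which role may perform which action.
PERMISSIONS = {
    "admin": {"block_ip", "view_pii"},
    "user": {"view_own_profile"},
}


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; the plaintext password is never stored."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: Optional[float] = None, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from a 30 s time step."""
    t = time.time() if now is None else now
    return hotp(secret, int(t // step))


def register(username: str, password: str, role: str, totp_secret: bytes) -> None:
    """Create a user record holding only the salt, the password hash, the role and the TOTP secret."""
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "hash": digest, "role": role, "totp_secret": totp_secret}


def authenticate(username: str, password: str, code: str, now: Optional[float] = None) -> Optional[dict]:
    """First factor (password) plus second factor (TOTP code). Returns a session or None."""
    user = USERS.get(username)
    # Hash even for unknown users so response time does not reveal which usernames exist.
    salt = user["salt"] if user else bytes(16)
    _, digest = hash_password(password, salt)
    if user is None or not hmac.compare_digest(digest, user["hash"]):
        return None
    if not hmac.compare_digest(totp(user["totp_secret"], now), code):
        return None
    return {"user": username, "role": user["role"]}


def authorize(session: Optional[dict], action: str) -> bool:
    """Authorization: an authenticated session may act only within its role's permissions."""
    if session is None:
        return False
    return action in PERMISSIONS.get(session["role"], set())


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226 test secret, used as a constructed demo value
    register("alice", "correct horse battery staple", "admin", secret)
    register("bob", "hunter2", "user", secret)
    now = time.time()
    admin = authenticate("alice", "correct horse battery staple", totp(secret, now), now)
    user = authenticate("bob", "hunter2", totp(secret, now), now)
    print("admin may block_ip:", authorize(admin, "block_ip"))
    print("user may block_ip:", authorize(user, "block_ip"))
    print("wrong password yields session:", authenticate("alice", "wrong", totp(secret, now), now))
```

The split between `authenticate` and `authorize` is the point of the section: the first establishes who the caller is, the second decides what that identity may do, and a session that fails either factor never reaches the permission check. A real deployment would also accept codes from the adjacent time steps to tolerate clock drift and would rate-limit failed attempts.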
Conclusion
The CIA Triad provides three important cybersecurity components that all organizations should implement. It helps protect vulnerable and critical systems and mitigate attacks and downtime against them. It also provides a basis for judging the trustworthiness of files, applications, and data. The Triad is best implemented on a case-by-case basis to suit the needs of an organization. Authentication and authorization could not exist without the CIA Triad; both rely on the Triad's controls being correctly implemented to be effective.
References
Chai, W. (2022, June 28). What is the CIA triad? Definition, explanation, examples. TechTarget WhatIs.com. Retrieved September 13, 2022, from https://www.techtarget.com/whatis/definition/Confidentiality-integrity-and-availability-CIA
Gibson, D. (2020). Understanding identity and access management. In CompTIA Security+: Get Certified Get Ahead SY0-601 study guide (pp. 35–66). YCDA, LLC.
Wike, R., Richards, O., Macy, M., Waweru, E., Coulter, D., & Adman, N. (2022, September 6). Authentication vs. authorization. Microsoft Entra documentation, Microsoft Docs. Retrieved September 13, 2022, from https://docs.microsoft.com/en-us/azure/active-directory/develop/authentication-vs-authorization