
CIA Triad – What is Authentication vs. Authorization?

The CIA triad is a set of principles used to shape an organization's information security policies. Its three goals, confidentiality, integrity, and availability, are delivered in practice through security controls, two of the most fundamental being authentication and authorization. This write-up explains each of the three goals, explains the two controls, and shows how they relate.

CIA Triad Debrief

Chai (2023) defines the CIA triad as "a model designed to guide policies for information security (infosec) within an organization." As such, it is a foundational piece of cybersecurity. The triad consists of confidentiality, integrity, and availability, which guide organizations in protecting their information. It is therefore worth understanding each component and seeing examples of it in use, both for professional work and for protecting one's own data.

Confidentiality

The first of the three components, confidentiality, pertains to keeping sensitive information from being read by anyone not entitled to it. This information can include military operations, customer data, or finances. Confidentiality matters regardless of a person's or organization's security maturity, because there is always some sensitive information to protect. Thus, as Chai (2023) puts it, data can be "classified according to the amount and type of damage that could be done if it fell into the wrong hands." This is especially relevant in the working world, where companies hold large stores of customer information that criminals or foreign governments may try to obtain. As a result, many companies place layered barriers in front of that information. Security measures such as two-factor authentication, fingerprint or facial recognition, and PINs are all examples; so is encrypting data at rest and in transit, which keeps it unreadable even if the storage or the network is reached by someone who bypasses those barriers.

Integrity

The second piece of the triad, integrity, is harder to explain. Where confidentiality is about who can read data, integrity is about whether the data can be trusted: that it has not been altered or destroyed, whether by accident or by an unauthorized party, since it was written. Chai (2023) cuts the jargon out of the definition: "the consistency, accuracy, and trustworthiness of data must be maintained over its entire lifecycle." In practice, integrity shows up as controlling who may write to or delete files (so that not everyone can change them), as checksums, message authentication codes, and digital signatures that reveal when content has been changed, and as audit trails. Applications such as Google Docs illustrate the last of these: document owners get a detailed, timestamped revision history, so an unwanted change can be spotted and rolled back.
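As an added example that is not part of the original post, the script below shows the difference between merely detecting accidental corruption and detecting deliberate tampering. It goes beyond the page's own examples (access control and revision history) by protecting a record with a keyed tag. The record contents, the key, and all function names are constructed for this illustration; a real deployment would keep the key in a secrets manager.

```python
import hashlib
import hmac
import json

# Constructed sample record (not real data). The key would normally come from a
# secrets manager; this fixed placeholder exists only so the example runs offline.
RECORD = {"account": "A-1042", "owner": "Dana Park", "balance_cents": 250_000}
INTEGRITY_KEY = b"example-key-do-not-use-in-production"


def canonical_bytes(record: dict) -> bytes:
    """Serialise a record deterministically (sorted keys, fixed separators) so
    identical content always yields identical bytes to hash."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def unkeyed_digest(record: dict) -> str:
    """Plain SHA-256 of the record: detects accidental corruption only."""
    return hashlib.sha256(canonical_bytes(record)).hexdigest()


def check_plain(record: dict, stored_digest: str) -> bool:
    """Integrity check that relies on an unkeyed hash stored beside the data."""
    return hmac.compare_digest(unkeyed_digest(record), stored_digest)


def seal(record: dict, key: bytes) -> str:
    """Keyed integrity tag (HMAC-SHA256). Without the key, a correct tag for
    modified content cannot be produced."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def verify(record: dict, tag: str, key: bytes) -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(seal(record, key), tag)


def demo() -> dict:
    """Model an attacker who can write to the data store but does not hold
    INTEGRITY_KEY, and report what each check detects."""
    stored_digest = unkeyed_digest(RECORD)
    stored_tag = seal(RECORD, INTEGRITY_KEY)

    # Attacker changes the balance and, having write access, overwrites the
    # stored plain hash with a freshly computed one.
    tampered = dict(RECORD, balance_cents=9_999_999)
    forged_digest = unkeyed_digest(tampered)

    # Without the key, the best the attacker can do for the tag is reuse the old one.
    return {
        "original_tag_verifies": verify(RECORD, stored_tag, INTEGRITY_KEY),
        "plain_hash_catches_tamper": not check_plain(tampered, stored_digest),
        "plain_hash_fooled_by_rewrite": check_plain(tampered, forged_digest),
        "hmac_catches_tamper": not verify(tampered, stored_tag, INTEGRITY_KEY),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the two checks side by side is that a plain hash stored next to the data only protects against bit rot: whoever can rewrite the record can rewrite the hash. A keyed tag (or a signature) ties the check to something the writer of the data does not have, which is what "trustworthiness over the entire lifecycle" requires against an active adversary.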

Availability

The third and final piece of the CIA triad is availability, which is clearly distinct from the other two. Confidentiality and integrity are about keeping unauthorized parties from reading or altering sensitive information; availability, on the other hand, is about allowing authorized individuals, as Chai (2023) puts it, "to consistently and readily access information." A system that is perfectly locked down but cannot be reached when its users need it has still failed. Availability is most visible during system hardware maintenance: these windows are usually accompanied by information being temporarily unavailable, so maintenance must be scheduled and completed swiftly. Equally important are safeguards for unexpected downtime (such as outages): redundant systems, tested backups, and the capacity to absorb traffic spikes or denial-of-service attempts all serve availability.

Authentication

Authentication, often shortened to AuthN, is a security process which, according to OneLogin (2023), "verifies that someone or something is who they say they are." Authentication comes in many forms, including ones outside the cybersecurity and technology field, but in every case it is responsible for confirming that a person or system is what it claims to be. There are hundreds of examples of authentication; the simplest is seen when unlocking a phone or computer, where a password is requested. It is a simple, effective way to verify an individual's identity, and stronger factors such as hardware keys and biometrics have become easier to use as technology advances. The major difference between authentication and authorization is that authentication establishes who the user is so that they can enter a system, whereas authorization limits what that user can do within the system.

Authorization

Closely related to authentication, authorization is commonly written with the shorthand AuthZ; despite the similar names, it provides a very different function. As OneLogin (2023) explains, "[authorization] determines a user or service's level of access." Authorization is less visible to end users than authentication, since on a personal device the person who logs in usually owns everything on it. It is nonetheless essential to understand, especially in military or government environments. Even within a standard business, there is typically a separation between "users" and "administrators." A student employee, for example, is permitted to log into employee desktops and email, but that access is still limited to the functions the job requires. This is primarily an integrity function (the employee cannot change what they are not entitled to change), although confidentiality certainly plays a part: the information exchanged between employees, if leaked, has the potential to put the organization at risk. Thus it is tightly controlled through limited authorization.
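The two preceding sections describe authentication and authorization in prose; the following script, added here as an illustration and not taken from the original post or from OneLogin, puts both steps side by side. Authentication turns a username and password into a verified identity; authorization then decides, per action and resource, what that identity may do, modelling the "user" versus "administrator" split above. The account names, passphrases, roles, and policy table are all constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# ----- Authentication (AuthN): is this who they claim to be? -----------------

@dataclass(frozen=True)
class Principal:
    """An authenticated identity. Created only by authenticate()."""
    username: str
    role: str


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted, iterated password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_user_store() -> dict:
    """Constructed accounts for the example. Only the salt and hash are stored,
    never the plaintext password."""
    store = {}
    for username, password, role in [
        ("jordan", "student-employee-passphrase", "user"),
        ("mara", "help-desk-admin-passphrase", "admin"),
    ]:
        salt = os.urandom(16)
        store[username] = {"salt": salt, "hash": hash_password(password, salt), "role": role}
    return store


_DUMMY_SALT = bytes(16)

def authenticate(store: dict, username: str, password: str):
    """Return a Principal on success, None on failure. Unknown users still
    pay for one hash so response time does not reveal which names exist."""
    entry = store.get(username)
    if entry is None:
        hash_password(password, _DUMMY_SALT)
        return None
    if not hmac.compare_digest(hash_password(password, entry["salt"]), entry["hash"]):
        return None
    return Principal(username, entry["role"])


# ----- Authorization (AuthZ): what may this principal do? --------------------

# Role -> allowed (action, resource pattern). "own" means the caller's own
# resource, "any" means anyone's. Anything not listed is denied.
POLICY = {
    "user":  {("read", "mailbox:own"), ("read", "desktop:own"), ("send", "mail")},
    "admin": {("read", "mailbox:any"), ("read", "desktop:any"), ("send", "mail"),
              ("reset_password", "account:any")},
}


def authorize(principal, action: str, resource: str) -> bool:
    """Deny by default. resource looks like 'mailbox:jordan' or plain 'mail'."""
    if principal is None:            # unauthenticated callers get nothing
        return False
    kind, _, target = resource.partition(":")
    grants = POLICY.get(principal.role, set())
    if (action, f"{kind}:any") in grants:
        return True
    if (action, f"{kind}:own") in grants and target == principal.username:
        return True
    return not target and (action, kind) in grants


def demo() -> dict:
    store = make_user_store()
    jordan = authenticate(store, "jordan", "student-employee-passphrase")
    mara = authenticate(store, "mara", "help-desk-admin-passphrase")
    return {
        "wrong_password_rejected": authenticate(store, "jordan", "guess") is None,
        "unknown_user_rejected": authenticate(store, "nobody", "guess") is None,
        "jordan_reads_own_mailbox": authorize(jordan, "read", "mailbox:jordan"),
        "jordan_reads_maras_mailbox": authorize(jordan, "read", "mailbox:mara"),
        "jordan_resets_password": authorize(jordan, "reset_password", "account:mara"),
        "mara_reads_jordans_mailbox": authorize(mara, "read", "mailbox:jordan"),
        "mara_resets_password": authorize(mara, "reset_password", "account:jordan"),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

Two design choices are worth noting. First, authorization takes the Principal produced by authentication rather than a raw username, so the "who" is settled before the "what" is decided, and a caller that skipped authentication (None) is denied. Second, the policy is deny-by-default: the student employee gets their own mailbox and desktop and nothing else, while the administrator role gains broader read access and a password-reset action, which is exactly the separation the text describes.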

Conclusion

Although authentication and authorization are very different, they are equally important to the CIA triad. Authentication comes first: by verifying a user's identity, it keeps unknown parties out of the system altogether, which supports confidentiality and integrity alike, since no access decision can be made about a user who has not been identified. Authorization then decides what an authenticated user may do: limits on what they can read serve confidentiality, and limits on what they can change or delete serve integrity. Availability depends on both being reliable, because a locked-out legitimate user is an availability failure. Overall, the CIA triad is a crucial pillar of information security, and authentication and authorization are two of the controls that make it real.

References

Chai, W. (2023, December). CIA Triad (Confidentiality, Integrity and Availability). TechTarget WhatIs. https://www.techtarget.com/whatis/definition/Confidentiality-integrity-and-availability-CIA?jr=on

OneLogin. (2023). Authentication vs. authorization: What's the difference? OneLogin. https://www.onelogin.com/learn/authentication-vs-authorization