BLUF: This paper discusses the CIA triad, one of the most important models in cybersecurity. The framework is designed to guide information security policies within an organization (Chai, 2022, p.1). CIA stands for Confidentiality, Integrity and Availability, and each principle is explored in turn. Additionally, the difference between Authentication and Authorization is considered.
Confidentiality:
Confidentiality is described as a set of rules that limits access to information (Chai, 2022, p.1). This principle protects sensitive information from unauthorized access attempts, thus ensuring privacy within an organization. Proprietary business information is likewise preserved from unauthorized access (Nieles et al., 2017, p.2). Training is also adopted to teach individuals within the company how to enforce confidentiality (Chai, 2022, p.3). Examples of confidentiality controls include two-factor authentication, a security process in which users provide two different authentication factors to verify themselves (Kirvan, 2024), as well as key fobs and storing information on air-gapped computers. An organization can properly implement confidentiality by enforcing best practices such as keeping access control lists and other file permissions up to date (Chai, 2022, p.6).
Integrity:
Integrity requires maintaining the consistency, accuracy and trustworthiness of data over its entire lifecycle (Chai, 2022, p.1). This means that information must not be changed or altered by unauthorized parties; information integrity therefore means that information is represented in a true and intended manner (Bourgeois, 2019, p.65). However, integrity may also be lost unintentionally, through human error or natural disasters (Bourgeois, 2019, p.65). Moreover, two types of integrity relate to information security: data integrity, which covers data in storage, in processing and in transit, and system integrity, where a system of high quality performs its intended function (Nieles et al., 2017, p.2). Mechanisms that support integrity include file permissions and user access control, which ensure that data is not accidentally deleted by authorized or unauthorized parties. Organizations also put measures in place to detect alterations to data caused by non-human events, such as a server crash (Chai, 2022, p.4). If data has been altered, backups should be available to restore the affected data.
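As an added illustration of the detect-and-restore step described above (this code is not from any of the cited sources): a SHA-256 digest per record is recorded as a known-good baseline, which is an assumed detection mechanism rather than one the sources name; a later check flags records that were modified or lost, and restores them from an isolated backup only when the backup copy itself still matches the baseline. All record names and contents are constructed sample data.

```python
import hashlib
from typing import Dict, List

# Constructed sample data: an isolated backup copy taken at the moment the
# integrity baseline was recorded. The live store starts out identical to it.
BACKUP: Dict[str, bytes] = {
    "payroll.csv": b"alice,5000\nbob,4800\n",
    "policy.txt": b"All access requires two-factor authentication.\n",
}


def digest(data: bytes) -> str:
    """SHA-256 digest used as the known-good fingerprint of one record."""
    return hashlib.sha256(data).hexdigest()


def record_baseline(store: Dict[str, bytes]) -> Dict[str, str]:
    """Record a digest for every record while the data is known to be good."""
    return {name: digest(data) for name, data in store.items()}


def find_altered(store: Dict[str, bytes], baseline: Dict[str, str]) -> Dict[str, str]:
    """Return {record: reason} for every record that no longer matches the baseline.
    The check does not say why (human error, crash, unauthorized change); it only
    establishes that the data is no longer what was recorded."""
    altered: Dict[str, str] = {}
    for name, expected in baseline.items():
        if name not in store:
            altered[name] = "missing"
        elif digest(store[name]) != expected:
            altered[name] = "modified"
    return altered


def restore(store: Dict[str, bytes], backup: Dict[str, bytes],
            baseline: Dict[str, str], names: List[str]) -> List[str]:
    """Restore the named records from backup, but only if the backup copy still
    matches the baseline: a corrupted backup must never overwrite live data."""
    restored: List[str] = []
    for name in names:
        if name in backup and digest(backup[name]) == baseline.get(name):
            store[name] = backup[name]
            restored.append(name)
    return restored


def demo() -> tuple:
    """Constructed scenario: one record is altered and one is lost after the baseline."""
    store = dict(BACKUP)
    baseline = record_baseline(store)
    store["payroll.csv"] = b"alice,9000\nbob,4800\n"  # constructed alteration
    del store["policy.txt"]                            # constructed data loss
    altered = find_altered(store, baseline)
    restored = restore(store, BACKUP, baseline, sorted(altered))
    return altered, restored, find_altered(store, baseline)
```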
Availability:
The principle of availability conveys that information should be consistently and readily accessible to authorized users (Chai, 2022, p.2). There is also an emphasis on accessing information in a timely manner, so that authorized users are not hindered at any time (Nieles et al., 2017, p.2). This is established through maintenance of all hardware and keeping up with necessary system upgrades. Safeguards should be in place in case of data loss or interruptions caused by unpredictable events; an example is a foolproof backup copy stored in an isolated location. An organization can properly implement availability by enforcing best practices such as preventive measures like RAID, a way of storing the same data in different places so that users have multiple platforms from which to access information (Gillis, 2021).
Authentication and Authorization:
Information security is important within an organization, and both authentication and authorization are tools used to keep information safe and secure. Authentication is the process of verifying who a user is. It can be established by the user providing something they know, something they have and/or something they are, thus personalising the access (Bourgeois, 2019, p.65). An example would be providing a user ID and password and possessing a key card. By combining all of these factors, it is more difficult for someone else to access the information and compromise it. Some of the latest forms of authentication work by scanning physical characteristics, known as biometrics (Bourgeois, 2019, p.65).
Authorization is verifying what the user has access to. This is done through access control, which determines which users are authorized to read, modify, add and/or delete information (Bourgeois, 2019, p.66). RBAC (role-based access control) allows an organization to manage which users have the ability to perform specific actions through a list: those who are authorized to perform an action are on the list. This has been further developed so that users are assigned to a role and the roles, rather than the individual users, are assigned access, which prevents confusion (Bourgeois, 2019, p.65).
Conclusion:
This paper has discussed the three key principles of the CIA triad: Confidentiality, Integrity and Availability. It is evident that each component plays an important role in ensuring information security within an organization. Both authentication and authorization have also been considered; although the two functions play different roles, both are useful in providing information security. To conclude, the CIA triad aims to identify vulnerabilities within an organization and provides solutions to them.
References
Bourgeois, D. (2019). Information Systems for Business and Beyond, pp. 65-66.
Chai, W. (2022). What is the CIA Triad? Definitions, Explanations, Examples, pp. 1-6.
Gillis, A. (2021). What is RAID (redundant array of independent disks)?
Kirvan, P. (2024). What is two-factor authentication (2FA)? TechTarget.
Nieles, M., Dempsey, K., & Pillitteri, V. (2017). NIST Special Publication 800-12 Revision 1, An Introduction to Information Security, p. 2.