The CIA Triad is a foundational concept in cybersecurity that shapes security policy. Authentication and authorization are the mechanisms most often used to uphold it. This write-up discusses their definitions and how they are put into practice.
What is the CIA Triad?
The CIA Triad is the foundation on which security controls are built. According to an article by Wesley Chai (2022), CIA stands for confidentiality, integrity, and availability. Confidentiality means data is readable only by authorized entities. Integrity means data is changed only by authorized parties, and that any unauthorized change can be detected. Availability means resources are reachable when they are needed; some service providers commit to a “five nines” standard, 99.999% uptime, which allows a little over five minutes of downtime per year. A system needs all three to be both useful and secure, and the three pull against each other: locking data down so tightly that nobody can reach it preserves confidentiality at the cost of availability.
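Integrity is the property that is easiest to show in code: a keyed tag over the data lets the reader detect any edit made without the key. The following is an added example, not code from the original write-up; it uses Python's standard library only, and the key and the record are constructed sample values.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample key. In practice the key comes from a key-management
# system or a secrets store, never from a literal in source code.
KEY = b"demo-shared-secret-do-not-use-in-production"

TAG_LEN = 32  # HMAC-SHA256 produces a 32-byte tag


def seal(key: bytes, data: bytes) -> bytes:
    """Return the data followed by an HMAC-SHA256 tag computed over it."""
    tag = hmac.new(key, data, hashlib.sha256).digest()
    return data + tag


def unseal(key: bytes, sealed: bytes) -> Optional[bytes]:
    """Return the data if its tag verifies, otherwise None.

    The tag comparison uses hmac.compare_digest, which runs in constant
    time so an attacker cannot learn the correct tag byte by byte from
    response timing.
    """
    if len(sealed) < TAG_LEN:
        return None
    data, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(key, data, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return data


def tamper_detected(key: bytes, data: bytes) -> bool:
    """Seal data, flip one bit of the payload, and report whether unseal rejects it."""
    sealed = bytearray(seal(key, data))
    sealed[0] ^= 0x01  # an unauthorized edit to the first byte of the record
    return unseal(key, bytes(sealed)) is None


if __name__ == "__main__":
    record = b"account=alice;balance=100"
    print(unseal(KEY, seal(KEY, record)))   # the untouched record is accepted
    print(tamper_detected(KEY, record))     # a one-bit edit is rejected
```

Note what this does and does not give you: the tag protects integrity (and authenticity, since only a key holder can produce a valid tag), but the record itself is still in the clear, so confidentiality needs encryption on top. Storing a plain SHA-256 hash beside the data would not be enough either, because an attacker who can edit the data can recompute an unkeyed hash.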
Authentication vs Authorization
While authentication and authorization are both part of access control, they answer different questions. Authentication establishes that an entity is who it claims to be; it answers “who are you?”. Authentication factors are commonly grouped into “something you know” (a password), “something you have” (a token or phone), and “something you are” (a fingerprint); “something you do” (behavioral patterns) and “somewhere you are” (location) are sometimes listed as additional factors. Combining factors from different categories is what makes multi-factor authentication stronger than, say, two passwords. Authorization is the process of deciding what an already-authenticated entity may access, based on its permissions; it answers “what are you allowed to do?” and always comes after authentication.
As an analogy, presenting your birth certificate to obtain a state-issued ID card is authentication: the certificate is “something you have”, since only you should hold an authentic copy. Using that ID to enter a club or sit at a bar is authorization: the ID establishes who you are, and the date of birth on it is checked against a rule (in the United States, 21 or older) before you are allowed into areas where alcohol is served. The same ID authenticates you in both places, but the decision about what you may do is made separately at each.
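The same two-step decision in software, as an added example that is not part of the original write-up: a small service first authenticates a credential with a salted, iterated password hash and then authorizes the action against a role-to-permission table. The user records, passwords, roles and the server-room resource are all constructed for the example; a real system would keep them in a database or an identity provider.

```python
import hashlib
import hmac
import os
from typing import Optional, Set

# Work factor for PBKDF2-HMAC-SHA256. Higher is slower for attackers and users alike.
ITERATIONS = 100_000
HASH_LEN = 32  # bytes produced by PBKDF2 with SHA-256


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user(password: str, roles: Set[str]) -> dict:
    """Build a user record. The password itself is never stored, only salt + hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "roles": roles}


# Constructed user store (example data, not real accounts).
USERS = {
    "alice": make_user("correct horse battery staple", {"admin"}),
    "bob": make_user("hunter2", {"janitor"}),
}

# Constructed policy: which roles may perform which action on which resource.
# Note that entering the room and changing the data in it are separate permissions.
PERMISSIONS = {
    ("server_room", "enter"): {"admin", "janitor"},
    ("server_room", "modify_data"): {"admin"},
}


def authenticate(username: str, password: str) -> Optional[str]:
    """Who are you? Return the verified username, or None if the credential is bad."""
    user = USERS.get(username)
    # Always do the hashing work, even for unknown usernames, so response time
    # does not reveal which accounts exist.
    salt = user["salt"] if user else b"\x00" * 16
    stored = user["hash"] if user else b"\x00" * HASH_LEN
    candidate = hash_password(password, salt)
    if user is None or not hmac.compare_digest(candidate, stored):
        return None
    return username


def authorize(username: str, resource: str, action: str) -> bool:
    """What may you do? Only called with a username that authenticate() returned."""
    allowed_roles = PERMISSIONS.get((resource, action), set())
    return bool(USERS[username]["roles"] & allowed_roles)


def access(username: str, password: str, resource: str, action: str) -> str:
    """Run both checks in order and return an HTTP-style outcome."""
    principal = authenticate(username, password)
    if principal is None:
        return "401 unauthenticated"   # we do not know who this is
    if not authorize(principal, resource, action):
        return "403 forbidden"         # we know who it is; they may not do this
    return "200 ok"


if __name__ == "__main__":
    print(access("bob", "hunter2", "server_room", "enter"))        # 200 ok
    print(access("bob", "hunter2", "server_room", "modify_data"))  # 403 forbidden
    print(access("bob", "wrong", "server_room", "enter"))          # 401 unauthenticated
```

The distinction shows up in the two failure codes: a bad password means the service never learns who is asking (401), while a valid janitor credential used to edit data is a known identity being refused a specific action (403). Collapsing the two checks into one, or skipping the second because the first passed, is how an authenticated janitor ends up with administrator access.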
These principles are used to assess an organization’s risks, threats, and controls. A risk is the potential for loss or damage when a threat exploits a vulnerability, weighted by how likely that is to happen (Alexander, 2021). A threat is an entity or event that could exploit a vulnerability to compromise a system. Controls are put in place to manage and mitigate risks and threats.
Confidentiality and integrity frame the risk an impersonator poses to an organization. If an impersonator gains access to a server room by pretending to be a janitor, both the secrecy and the correctness of the data stored there are at stake. The imposter should have been made to authenticate, proving they really were a janitor, and their authorization to be in the server room specifically should have been checked separately, since not every employee who works in the building needs access to it. Controls such as visitor badges and door checks mitigate this threat.
Availability is what denial-of-service (DoS) attacks target. They consume the resources (bandwidth, connections, CPU, memory) that would normally serve legitimate requests, causing connectivity problems and preventing the service from being used. To limit this and other lapses in uptime, organizations should build in redundancy and backup servers, and measure actual uptime against the availability target they commit to.
The CIA Triad underpins how the security industry, and the businesses that depend on it, reason about protection. Used together with authentication and authorization, it helps organizations improve their security posture and risk management strategies.
Alexander, J. (2021, January 28). Risk, threat, or vulnerability? What’s the difference. Kenna Security. Retrieved September 15, 2022, from https://www.kennasecurity.com/blog/risk-vs-threat-vs-vulnerability/
Chai, W. (2022, June 28). What is the CIA triad? Definition, explanation, examples. TechTarget WhatIs.com. Retrieved September 15, 2022, from https://www.techtarget.com/whatis/definition/Confidentiality-integrity-and-availability-CIA