CIA Triad: An Analysis

The CIA triad is the de facto standard when it comes to setting up information security policies within a company or corporation. The model is based on using the three principles of the triad: Confidentiality, Integrity, and Availability. Within the explanation of the CIA triad the differences between authentication and authorization will be defined.

Confidentiality
Confidentiality is defined by the National Institute of Standards and Technology (NIST) as “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.” Confidentiality also involves classifying data by how much damage its release or alteration could do to the company. For a person to access or modify data within a company, that person must be authorized to do so, and to be granted that authorization the person must first be vetted for access to the data.

Integrity
Integrity is defined by the NIST as “Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.” Broken down, this is how companies protect their information from being modified or destroyed by anyone without the proper authorization to do so. The definition also goes on to include non-repudiation and authenticity of the data. What this implies is that the data can be verified as original even by a third party that possesses a private key, so that no one can say “We never had access to this.” Essentially this boils down to the old military phrase “trust but verify”. I trust that company A sent this data to company B, but I still need to verify that the data went to each party.

Availability
Availability is defined by the NIST as “Ensuring timely and reliable access to and use of information.” If a multi-national company has sensitive data at office A on the West Coast and offices B through D need access to it, it is important that all involved are authorized to view the data. The concept of availability says that all offices will have reliable access to the data. Integrity is tied to this as well: if the data transferred is accounting data and a few numbers here and there are not exact, the corporation could end up losing money. This is also where authorization and authentication are vital. To access the data a person must have the authorization provided by the company. Once this is done, the data is sent along with a checksum so that the receiving end can verify that the data sent is authentic.
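The integrity and availability sections above both describe data sent from one office to another with a checksum attached so the receiver can verify it. The following is an added example, not code from the original post, showing in Python what that verification looks like and where a plain checksum stops: a SHA-256 checksum detects accidental corruption in transit, but anyone who can alter the data can also recompute it, so it says nothing about who sent the data. An HMAC over the same payload, keyed with a secret shared by the two offices, also detects deliberate modification. The office names, shared key and accounting record are constructed sample values.

```python
"""Integrity and authenticity checks for data sent between offices.

Added example, not from the original post. Standard library only:
- a SHA-256 checksum, as in the text, which detects accidental corruption;
- an HMAC-SHA256 tag over the same data, which also detects deliberate
  modification by anyone who does not hold the shared key.
"""
import hashlib
import hmac
import json

# Constructed sample: a secret provisioned out of band to offices A and B.
# In a real deployment it would come from a secrets manager, never source code.
SHARED_KEY = b"constructed-demo-key-not-for-production"

# Constructed sample accounting record from office A.
ACCOUNTING_RECORD = {"office": "A", "quarter": "Q3", "revenue_usd": 1250000}


def checksum(data: bytes) -> str:
    """SHA-256 digest of the payload; detects transmission errors only."""
    return hashlib.sha256(data).hexdigest()


def mac_tag(data: bytes, key: bytes) -> str:
    """HMAC-SHA256 over the payload; only a holder of `key` can produce it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def send(record: dict, key: bytes) -> dict:
    """What office A transmits: canonical JSON plus checksum and MAC tag."""
    payload = json.dumps(record, sort_keys=True).encode()
    return {
        "payload": payload,
        "checksum": checksum(payload),
        "tag": mac_tag(payload, key),
    }


def verify(message: dict, key: bytes) -> dict:
    """What office B checks on receipt; returns which checks passed.

    A message that passes the checksum but fails the MAC was altered by
    someone who could recompute the checksum but does not hold the key.
    """
    payload = message["payload"]
    # compare_digest is constant-time, so the comparison leaks nothing
    # about the expected value through timing differences.
    checksum_ok = hmac.compare_digest(checksum(payload), message["checksum"])
    tag_ok = hmac.compare_digest(mac_tag(payload, key), message["tag"])
    return {"checksum_ok": checksum_ok, "tag_ok": tag_ok}


def modified_in_transit(message: dict, new_payload: bytes) -> dict:
    """Model a change on the path: the payload is replaced and the checksum
    recomputed (no secret needed), but the old MAC tag is carried over."""
    return {
        "payload": new_payload,
        "checksum": checksum(new_payload),
        "tag": message["tag"],
    }


def demo() -> tuple[dict, dict]:
    """Run the honest transfer and the modified transfer; return both verdicts."""
    msg = send(ACCOUNTING_RECORD, SHARED_KEY)
    honest = verify(msg, SHARED_KEY)

    altered = dict(ACCOUNTING_RECORD, revenue_usd=1520000)
    forged = modified_in_transit(msg, json.dumps(altered, sort_keys=True).encode())
    modified = verify(forged, SHARED_KEY)
    return honest, modified


if __name__ == "__main__":
    honest, modified = demo()
    print("honest transfer:  ", honest)
    print("modified transfer:", modified)
```

The honest transfer passes both checks; the modified record still carries a valid checksum but fails the MAC, which is the difference between detecting a transmission error and detecting unauthorized modification. Note that an HMAC proves authenticity only to the parties that share the key, since either of them could have produced the tag. The non-repudiation the integrity section mentions, where a third party can independently confirm who produced the data, requires a digital signature, in which the sender signs with a private key and anyone holding the matching public key verifies; that needs an asymmetric-crypto library and is outside this standard-library example.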

Conclusion
The CIA triad is a baseline for setting up information security policies. Confidentiality requires that sensitive data be protected by the company. Integrity requires that any information sent and received is handled by authorized personnel on both ends, verified by means of authentication checksums. Availability is making sure that reliable data is available to all parties. In the end it’s a technical way of saying trust but verify.
