SUMMARY
The CIA Triad consists of three cybersecurity components considered the most important concepts within information security: confidentiality, integrity, and availability. Understanding the difference between authentication and authorization is necessary to further understand the CIA Triad concepts.
IMPORTANCE OF THE CIA TRIAD
NIST SP 800-12r1, An Introduction to Information Security, defines “information security” as “the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to ensure confidentiality, integrity, and availability” (Nieles et al., 2017). The CIA Triad names the three integral components the information security domain relies on: confidentiality, integrity, and availability. Confidentiality is a set of rules that limits access to information, integrity is the assurance that the information is trustworthy and accurate, and availability is a guarantee of reliable access to the information by authorized people (TechTarget, n.d.).
AUTHENTICATION VS. AUTHORIZATION
In the NIST Glossary, authentication is defined as “verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system,” while authorization is defined as “the right or a permission that is granted to a system entity to access a system resource” (Glossary | CSRC, n.d.).
Authentication establishes confidence in a claimed identity: it confirms who the individual or entity is, using one or more credentials bound to that identity as determined by the organization, before a connection is established to a network, server, device, resource, or other component. Authentication does not determine the claimant’s authorizations or access privileges; that is a separate decision (Grassi et al., 2017).
Authorization grants individuals and entities access to information and resources as determined by the organization and the system owner, incorporating best practices aligned with the Access Control (AC) family of NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations, such as account management, the principle of least privilege (PoLP), and separation of duties (SoD) (Security and Privacy Controls for Information Systems and Organizations, 2020).
Authentication might take the form of multi-factor authentication, such as a Personal Identity Verification (PIV) credential or Common Access Card (CAC) that also requires a Personal Identification Number (PIN), whereas authorization might be implemented as role-based access control managed through Active Directory groups.
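The following is an added example, not code from the cited NIST documents or from this essay, showing the two decisions as separate steps: a card-plus-PIN authentication that only returns a verified principal, and a group-based authorization check that denies by default and refuses accounts whose combined group memberships break separation of duties. The directory entries, group names, actions and the fixed salt are constructed sample data.

```python
import hashlib
import hmac
# Constructed sample data standing in for a directory such as Active Directory.
# The salt is fixed only for this demo; real systems use a random per-account salt.
SALT = b"constructed-demo-salt"

def pin_hash(pin: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), SALT, 100_000)

DIRECTORY = {
    "alice": {"card": "PIV-0001", "pin": pin_hash("1234"), "groups": {"Finance-Requesters"}},
    "bob":   {"card": "CAC-0002", "pin": pin_hash("9876"), "groups": {"Finance-Approvers"}},
    "carol": {"card": "PIV-0003", "pin": pin_hash("5555"), "groups": set()},  # no roles yet
}
# Role-based access: group -> actions it permits; anything unlisted is denied
GROUP_PERMISSIONS = {"Finance-Requesters": {"payment:request"},
                     "Finance-Approvers": {"payment:approve"}}
# Separation of duties: no single principal may hold both actions of a pair
SOD_CONFLICTS = [frozenset({"payment:request", "payment:approve"})]

def authenticate(user: str, card: str, pin: str):
    """'Who are you?' Card (have) + PIN (know); returns the principal or None, never rights."""
    acct = DIRECTORY.get(user)
    if acct is None:
        return None
    have = hmac.compare_digest(acct["card"], card)
    know = hmac.compare_digest(acct["pin"], pin_hash(pin))
    return user if (have and know) else None

def permissions_for(principal: str) -> set:
    perms = set()
    for group in DIRECTORY[principal]["groups"]:
        perms |= GROUP_PERMISSIONS.get(group, set())
    return perms

def violates_sod(principal: str) -> bool:
    return any(pair <= permissions_for(principal) for pair in SOD_CONFLICTS)

def authorize(principal, action: str) -> bool:
    """'What are you allowed to do?' Deny by default; refuse accounts that break SoD."""
    if principal is None or violates_sod(principal):
        return False
    return action in permissions_for(principal)

def access_request(user: str, card: str, pin: str, action: str) -> str:
    """The two decisions in order: identity first, then access rights."""
    principal = authenticate(user, card, pin)
    if principal is None:
        return "denied: authentication failed"
    return "granted" if authorize(principal, action) else "denied: not authorized"
```

Note that a successful authentication for carol still yields a denial, because an account with no group memberships has no rights under least privilege.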
CONCLUSION
Understanding the key concepts of the CIA Triad is a fundamental part of information security. Authentication and authorization are key components of confidentiality. They answer crucial questions before information and resources are accessed: authenticating individuals and entities answers “Who are you?”, while authorization provides the rules for what the individual or entity can access, answering “What are you allowed to do?”
REFERENCES
Nieles, M., Dempsey, K., Pillitteri, V. Y., Computer Security Division, & National Institute of Standards and Technology. (2017). NIST Special Publication 800-12 Revision 1 An Introduction to Information Security. In NIST Special Publication 800-12 Revision 1. U.S. Department of Commerce. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-12r1.pdf
TechTarget. (n.d.). What is the CIA Triad? Definition, explanation, examples [PDF]. Google Docs. https://drive.google.com/file/d/1898r4pGpKHN6bmKcwlxPdVZpCC6Moy8l/view
Glossary | CSRC. (n.d.). https://csrc.nist.gov/glossary
Grassi, P. A., Garcia, M. E., Fenton, J. L., Applied Cybersecurity Division, Information Technology Laboratory, Altmode Networks, U.S. Department of Commerce, National Institute of Standards and Technology, Ross, W. L., Jr., & Rochford, K. (2017). NIST Special Publication 800-63-3 Digital Identity Guidelines. In NIST Special Publication 800-63-3 [Report]. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-3.pdf
Security and Privacy Controls for Information Systems and Organizations. (2020). NIST Special Publication 800-53 Revision 5. https://doi.org/10.6028/nist.sp.800-53r5