THE CIA TRIAD
The CIA Triad is an information security model that outlines the three fundamental
concepts that businesses should use to protect their data systems: availability,
confidentiality, and integrity.
AUTHENTICATION VS AUTHORIZATION
These two ideas have separate functions in system security. Both are necessary and
frequently used together.
AUTHENTICATION: Confirming that someone is who they claim to be. Occurs first. To
verify their identity, the user provides credentials. Ex: using a smartphone fingerprint scan
or logging into an email account with a username and password.
AUTHORIZATION: Determining the resources and operations that an authenticated
identity is permitted to access and complete. Occurs after authentication. The system
determines access by examining policies or permissions after identity has been verified.
Ex: You might not be able to edit specific files or access specific data (authorization) even if
you are able to log in (authentication). A regular employee, for instance, authenticates but
is only permitted to access specific documents, not to change or remove them.
KEY DIFFERENCES:
Authentication is about identification, whereas authorization is about access rights.
Authorization requires authentication; you can't decide what someone can do unless you
know who they are.
EXAMPLES OF INTEGRATING CIA TRIAD +
AUTHENTICATION VS AUTHORIZATION
Imagine a hospital’s electronic health record system.
CONFIDENTIALITY: Medical records of patients must be kept confidential. These records
should only be viewed by the medical professionals who are currently treating a particular
patient.
INTEGRITY: Timestamps must be kept, records must be correct, and audit logs must be
kept so that changes can be tracked.
AVAILABILITY: To ensure that patient care is not interrupted during system maintenance or
disaster recovery, doctors and nurses must have round-the-clock access to patient
records.
AUTHENTICATION: To establish her identity, a nurse checks in with her username,
password, and possibly a smart card.
AUTHORIZATION: The system verifies her authorization to read or modify specific patient
records after she has been authenticated. She might, for instance, be permitted to access
patient records in the ward to which she has been assigned, but not to change or view
psychiatric or intensive care records that are under the supervision of another team.
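The two-step flow described under AUTHENTICATION VS AUTHORIZATION and in the hospital scenario above, as an added example (not code from the original text or from any real health record system). It assumes a hypothetical in-memory user store with salted PBKDF2 password hashes, hypothetical patient records each owned by one ward, a per-role action set, and an append-only audit log; every account, password, record and ward name is constructed for the example. Authentication proves identity first; authorization then checks the ward assignment and the role before any record is touched, and every decision is timestamped in the audit log, which is the integrity requirement from the scenario.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

# --- Constructed sample data (hypothetical; not from a real system) ----------

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the clear-text password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password: str, role: str, wards: set) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt),
            "role": role, "wards": frozenset(wards)}

# Hypothetical staff accounts: a ward nurse, an ICU doctor and a records clerk.
USERS = {
    "nurse_ana": make_user("ward3-nurse-pw", "nurse", {"ward-3"}),
    "dr_lee":    make_user("icu-doctor-pw", "doctor", {"ward-3", "icu"}),
    "clerk_sam": make_user("clerk-pw", "clerk", {"ward-3"}),
}

# Hypothetical patient records, each owned by one ward / care team.
RECORDS = {
    "pt-001": {"ward": "ward-3", "notes": "post-op observation"},
    "pt-002": {"ward": "icu",    "notes": "ventilated, sedated"},
    "pt-003": {"ward": "psych",  "notes": "inpatient assessment"},
}

# What each role may do with a record it can reach. No role may delete:
# records are retained and corrected, never removed (integrity).
ROLE_ACTIONS = {
    "nurse":  {"read", "update"},
    "doctor": {"read", "update"},
    "clerk":  {"read"},
}

AUDIT_LOG = []  # append-only trail of every access decision (integrity)

# --- Step 1: authentication --------------------------------------------------

def authenticate(username: str, password: str):
    """Prove identity. Returns a session dict on success, None on failure."""
    user = USERS.get(username)
    if user is None:
        # Do the same amount of hashing work for unknown users so response
        # time does not reveal which usernames exist.
        hash_password(password, b"\x00" * 16)
        return None
    candidate = hash_password(password, user["salt"])
    if not hmac.compare_digest(candidate, user["hash"]):
        return None
    return {"user": username, "role": user["role"], "wards": user["wards"]}

# --- Step 2: authorization ---------------------------------------------------

def authorize(session: dict, record_id: str, action: str) -> bool:
    """Decide whether an already-authenticated identity may perform action."""
    record = RECORDS.get(record_id)
    if record is None:
        return False
    if record["ward"] not in session["wards"]:
        return False  # record belongs to another team's ward
    return action in ROLE_ACTIONS.get(session["role"], set())

def access_record(session: dict, record_id: str, action: str):
    """Enforce the decision and log it with a timestamp, allowed or not."""
    allowed = authorize(session, record_id, action)
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": session["user"], "record": record_id,
        "action": action, "allowed": allowed,
    })
    if not allowed:
        return None
    return RECORDS[record_id]

if __name__ == "__main__":
    nurse = authenticate("nurse_ana", "ward3-nurse-pw")
    print(access_record(nurse, "pt-001", "read"))    # her own ward: allowed
    print(access_record(nurse, "pt-002", "read"))    # ICU record: None
    print(access_record(nurse, "pt-001", "delete"))  # no role may delete: None
    for entry in AUDIT_LOG:
        print(entry)
```

Note that `authorize` never looks at the password: by the time it runs, identity is settled and only the policy (ward assignment plus role) is consulted, which is exactly why authorization cannot happen before authentication. Denied attempts are logged as well as successful ones, because an audit trail that records only successes cannot show who tried to reach another team's records.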
WRAP UP
The CIA Triad offers a straightforward yet effective structure to guarantee that information
security is addressed in the three crucial areas of availability, confidentiality, and integrity.
In addition, the control techniques of authentication and authorization serve to restrict
who has access to systems (authentication) and what they are allowed to do within them
(authorization). These ideas work together to provide the foundation of many technical
controls and cybersecurity policies. Gaining experience with them is crucial for effective
data protection and system trust.