The CIA Triad: Not THAT CIA

For a security program to be considered complete and concise, it must encompass the entire CIA triad: Confidentiality, Integrity, and Availability. Authentication and authorization are important and distinct concepts that are used to support and protect the CIA triad.

What is The CIA Triad?

The CIA Triad is a model designed to guide policies for information security within an organization. Each letter of the acronym represents a different pillar: Confidentiality, Integrity, and Availability. These three elements are crucial components of security. Keep in mind that these three pillars depend on each other and must work together as an interconnected system to ensure information security. Information security is defined by the National Institute of Standards and Technology (NIST) as the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality.

Confidentiality

Confidentiality refers to a set of rules that limit access to information, similar to privacy. It protects sensitive information from unauthorized access attempts.

This can be achieved using a variety of methods, ranging from data encryption and two-factor authentication to biometric verification such as fingerprint, voice or facial recognition, and iris detection.

An example of confidentiality can be found when using an ATM. An ATM uses two-factor authentication: the debit card (something you have) followed by a PIN (something you know). Both are required before the sensitive data within a bank account can be accessed, providing confidentiality.

Integrity

Integrity is the assurance that information is trustworthy and accurate over its entire lifecycle and that data cannot be altered by unauthorized people.

Integrity can be enforced through file permissions, user access controls, read-only files, and the use of checksums. A checksum verifies the validity of data, usually by comparing two values to ensure nothing has been altered or compromised. It can be summed up simply as: the data sent is the data received.

Taking a look back at our ATM, it ensures data integrity by maintaining accurate records of all transactions.
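The "data sent is the data received" check above, worked through in Python as an added example (not code from the original post). The transaction record and the shared key are constructed for the demo; the third scenario shows the practitioner's caveat that an unkeyed checksum only catches accidental corruption, while a keyed tag (HMAC) also holds up when the record and its checksum are rewritten together.

```python
import hashlib
import hmac

# Constructed sample: a transaction record as the ATM in the text might log it.
RECORD = b"2024-01-01T12:00:00Z card=****1234 withdraw=40.00 USD"
# Constructed demo key shared by sender and receiver. In practice it is
# provisioned out of band and never stored beside the data it protects.
SHARED_KEY = b"demo-shared-key-not-for-production"


def checksum(data: bytes) -> str:
    """Unkeyed checksum: SHA-256 of the data."""
    return hashlib.sha256(data).hexdigest()


def keyed_tag(data: bytes, key: bytes) -> str:
    """Keyed integrity tag: HMAC-SHA256 over the data."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_checksum(data: bytes, expected: str) -> bool:
    """Receiver side: the data received must reproduce the checksum sent."""
    return hmac.compare_digest(checksum(data), expected)


def verify_keyed(data: bytes, tag: str, key: bytes) -> bool:
    """Receiver side, keyed: only a holder of the key can produce a valid tag."""
    return hmac.compare_digest(keyed_tag(data, key), tag)


def integrity_demo() -> dict:
    """Return (unkeyed_ok, keyed_ok) for three delivery scenarios."""
    sent_sum = checksum(RECORD)
    sent_tag = keyed_tag(RECORD, SHARED_KEY)
    # Scenario 1: the record arrives exactly as sent.
    intact = (verify_checksum(RECORD, sent_sum),
              verify_keyed(RECORD, sent_tag, SHARED_KEY))
    # Scenario 2: the amount is corrupted in transit; checksum and tag arrive as sent.
    corrupted = RECORD.replace(b"40.00", b"49.00")
    noise = (verify_checksum(corrupted, sent_sum),
             verify_keyed(corrupted, sent_tag, SHARED_KEY))
    # Scenario 3: the altered record arrives with a freshly recomputed unkeyed
    # checksum. Without the key the tag cannot be recomputed, so the keyed
    # check still fails while the unkeyed check is fooled.
    rewritten = (verify_checksum(corrupted, checksum(corrupted)),
                 verify_keyed(corrupted, sent_tag, SHARED_KEY))
    return {"intact": intact, "corrupted": noise, "rewritten": rewritten}
```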

Availability

We don’t want the information available to just anyone; availability refers to the guarantee that information is consistently and readily accessible to authorized users when needed. In our ATM example, being physically located in a public place with 24/7 access demonstrates availability.

Establishing and ensuring availability starts with the basics: maintaining hardware and staying up to date with all system updates.

Authentication and Authorization

Authentication and authorization are used to secure each pillar of the CIA triad. Authentication is the process of verifying that someone or something is who they say they are. It is often a prerequisite for access to resources in an information system, typically in the form of a username and password. Authorization is the process of granting or denying specific requests, whether for obtaining and using information and related information processing services or for entering specific physical facilities.

When I worked in a restaurant as a food server, I had access to the point of sale system through employee login (authentication), but had limited access and could not do certain things, such as voiding food from a customer’s bill (authorization).

The two play different roles, but they work hand in hand when practicing information security and are vital in protecting the three pillars of the CIA triad. So, what comes first? Authentication, then authorization. You cannot authorize someone or something without first authenticating said person or thing.

Conclusion

The CIA triad security model is one of the most important concepts in information security and should be used, along with other security models and frameworks, when creating and practicing security measures. It is used by organizations around the world to set the foundation for security. It provides a guide to protecting your most critical data and information systems. Using the triad prompts clients to ask the right questions. It is a way of thinking, planning, and setting priorities.
