BLUF: The CIA triad is a foundational security model that balances Confidentiality (privacy), Integrity (data accuracy), and Availability (reliable access) to protect organizational data. Effective implementation of this model relies on the distinction between Authentication, which verifies a user’s identity, and Authorization, which defines their specific permissions.
Confidentiality: Protecting Sensitive Information from Unauthorized Access
The CIA triad is a framework for creating organizational information security policies. It has three principles: Confidentiality (privacy), Integrity (data accuracy), and Availability (reliable access). Confidentiality restricts access to information to authorized users only, acting as a safeguard of privacy. In most cases, organizations protect confidentiality by classifying data according to the impact a leak would have, and by implementing controls such as encryption, two-factor authentication (2FA) or biometric authentication.
Integrity: Ensuring Data Accuracy and Trustworthiness
Integrity guarantees that data remains trustworthy (and hence reliable) over its entire life cycle. Under this principle, information held in a system is not altered in transit and is protected from modification through improper access. File permissions, user access controls, and digital signatures are common integrity tools. Checksums and backups are also used to detect data corruption and restore error-free information after a data loss.
Availability: Ensuring Reliable and Timely Access to Information
Availability ensures that authorized people can obtain information consistently and on time. This is achieved by maintaining hardware health, applying fixes as problems arise, and removing software conflicts from the operating environment. Organizations maintain redundancy, failover systems, and a strong disaster recovery plan to avoid downtime caused by hardware failure or a malicious attack, for example a Denial-of-Service (DoS) attack.
Authentication: Verifying User Identity
The CIA triad lays the foundation, but implementing these aims depends on the difference between authentication and authorization. Authentication is the first step: checking someone’s identity, which amounts to the question “Who are you?”. It can be done with passwords, security tokens or fingerprints.
Authorization: Defining User Permissions and Access Levels
Once identity has been verified, Authorization defines the specific permissions and access a user has – the question “What are you able to do?”. Users who are not authenticated cannot access any data, and authenticated users cannot interact with anything that is not part of their role.
Real-World Example: Authentication and Authorization in Online Banking
Online banking illustrates the relationship between authentication and authorization. When a user enters an account number and password, they are undergoing authentication as the account owner. Once the system has verified their identity, it allows them to see their balance and transfer funds from their own accounts. The same customer is not authorized to view the bank’s internal server logs or to get inside the private accounts of other customers.
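The banking scenario above, as an added example that is not part of the original article: a small Python model in which authenticate() answers "Who are you?" by checking a salted password hash, and authorize() answers "What are you able to do?" by checking both the role permission table and ownership of the account being acted on. The user records, passwords, account numbers and action names are all constructed for the demo.

```python
import hashlib
import hmac
from typing import Optional

def _hash_pw(salt: bytes, password: str) -> bytes:
    # Salted, iterated hash so the store never holds plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

# Constructed credential store: username -> salt, password hash, role, owned accounts.
_SALT_ALICE = b"constructed-salt-a"
_SALT_OPS = b"constructed-salt-b"
USERS = {
    "alice": {"salt": _SALT_ALICE, "hash": _hash_pw(_SALT_ALICE, "correct horse"),
              "role": "customer", "accounts": {"ACC-1001"}},
    "ops":   {"salt": _SALT_OPS, "hash": _hash_pw(_SALT_OPS, "ops-secret"),
              "role": "auditor", "accounts": set()},
}

def authenticate(username: str, password: str) -> Optional[str]:
    """Authentication: returns the verified username, or None on failure."""
    user = USERS.get(username)
    # Hash even for unknown names so response time does not reveal which users exist.
    salt = user["salt"] if user else b"constructed-dummy-salt"
    candidate = _hash_pw(salt, password)
    if user and hmac.compare_digest(candidate, user["hash"]):
        return username
    return None

# Permission table: which roles may perform which action.
PERMISSIONS = {
    "view_balance": {"customer"},
    "transfer": {"customer"},
    "read_server_logs": {"auditor"},
}

def authorize(username: str, action: str, account: Optional[str] = None) -> bool:
    """Authorization for an already-authenticated user.

    A role grant alone is not enough for account-scoped actions: the user must
    also own the account, which is what stops a customer reading other customers'
    accounts even though 'view_balance' is permitted for the customer role.
    """
    user = USERS[username]
    if user["role"] not in PERMISSIONS.get(action, set()):
        return False
    if account is not None and account not in user["accounts"]:
        return False
    return True
```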