On this page, I am going to describe the CIA Triad and the differences between
Authentication & Authorization.
CIA Triad
There are many ways to explain the CIA Triad, but the way I would put it is this: the three fundamental concepts that together are commonly referred to as the CIA triad, and that shape information security policy for any organization, are confidentiality, integrity, and availability. The CIA triad serves as a cornerstone of information security, ensuring that attention is focused on three important principles.

Confidentiality: Confidentiality ensures that sensitive information is only accessed by the properly authenticated user or application. This is achieved through encryption and access controls.

Integrity: Data integrity makes sure that data is held in its most accurate and complete form without being tampered with, whether maliciously or through unauthorized changes. Techniques such as hashing and data validation are used to ensure data integrity.

Availability: Availability involves ensuring that access to information and resources is provided to authorized users when needed, so that disruption and downtime are prevented. Typically, redundancy, failover systems, and regular maintenance support availability.

Together these three allow a robust security posture by protecting data against unauthorized access, ascertaining its accuracy, and keeping it accessible.
The differences between Authentication & Authorization
Many people confuse these two terms, but put briefly, authentication is the process of verifying who a user is, whereas authorization is the process of verifying what they have access to. Diving deeper into the two terms:

Authentication: Authentication is the process of verifying that an end user or system is who they say they are. This is usually performed via passwords, biometric scans, or security tokens. It answers the question “Who are you?” to assure that the person or entity is truly who they purport to be. The easiest example I can give is placing your finger on your phone’s scanner: the device compares that fingerprint with the fingerprint data stored on it. If it matches, the phone authenticates your identity and allows access to the device.

Authorization: On the other hand, authorization is the process of establishing what an authenticated user or system is allowed to do: which resources it can access and which actions it can perform. It answers the question “What are you allowed to do?” through permissions and levels of access. Authentication comes first and makes sure that an entity is recognized; authorization follows, either allowing or restricting access based on policies set in advance. Both are very important in securing systems, but they handle different aspects of security: authentication identifies a person, while authorization handles access rights and permissions.

The best example I could come up with for authorization is permission to files on a company’s network drive. First, you must authenticate yourself by logging in with your username and password; then the system checks your access rights. If your access is appropriately set, you will have permission to read, modify, and delete files according to your role: regular employees perhaps only having read access, while a manager has access to do anything. What authorization decides is which actions you are allowed to perform on the files or resources within that network.
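The network-drive scenario above, written out as an added Python example (my illustration, not code from the original page): a salted password check answers “Who are you?”, and a role table answers “What are you allowed to do?”, with authorization only ever running for an identity that has already been verified. The usernames, passwords, roles and helper names are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow hash: the stored value proves knowledge of the password without storing it
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def _make_user(password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "role": role}

# Constructed user store (names, passwords and roles are made up for this example)
USERS = {
    "alice": _make_user("correct horse battery staple", "manager"),
    "bob": _make_user("hunter2", "employee"),
}

# Authorization policy: what each role may do on the shared drive
PERMISSIONS = {
    "employee": {"read"},
    "manager": {"read", "modify", "delete"},
}

def authenticate(username: str, password: str) -> Optional[str]:
    """Answer 'Who are you?': return the username if the password proves identity."""
    user = USERS.get(username)
    if user is None:
        _hash_password(password, b"\x00" * 16)  # same work for unknown users (timing)
        return None
    candidate = _hash_password(password, user["salt"])
    return username if hmac.compare_digest(candidate, user["hash"]) else None

def authorize(username: str, action: str) -> bool:
    """Answer 'What are you allowed to do?' for an already-authenticated user."""
    role = USERS[username]["role"]
    return action in PERMISSIONS.get(role, set())

def access_file(username: str, password: str, action: str) -> str:
    """Authentication first; authorization only runs for a verified identity."""
    who = authenticate(username, password)
    if who is None:
        return "authentication failed"
    if not authorize(who, action):
        return f"{who} ({USERS[who]['role']}) is not permitted to {action}"
    return f"{who} may {action}"
```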