The CIA Triad, which forms the foundation of information security, is often confused with the Central Intelligence Agency. The CIA triad consists of Confidentiality, Integrity, and Availability. It is also important to know the difference between Authentication and Authorization when working with access management security: Authentication checks your identity, while Authorization grants you access. These terms are relevant whenever you are concerned with securing the data and systems internal to your organization.
The CIA Triad
The widely known Cybersecurity CIA triad (confidentiality, integrity, and availability) is a foundational model for securing systems and information. Each component addresses one of three key security objectives. Together, the CIA triad is used to keep data from being accessed by unauthorized parties, from being altered, and from being made unavailable.
As our example, we will use an employee accessing a cloud-based payroll system within their own organization, and we will return to it as we define each concept.
Confidentiality
Confidentiality means protecting valuable information so that only authorized users can view or disclose the data. In our example, the payroll data will contain sensitive employee information (e.g., salaries, tax information, personal details). This data should only be accessible to HR personnel and management; other employees should not be able to see it. Systems enforce confidentiality with access control and with encryption (e.g., TLS while the data is in transit, and encryption at rest when it is stored). Unauthorized users (such as regular staff members or third-party contractors) should be denied access to this data through role-based access control (RBAC).
Integrity
Integrity is the property that ensures the data is correct and consistent and has not been changed or modified by an unauthorized person. For example, in the payroll system, only people with the proper HR permissions should be able to adjust a person’s salary. Hashes and an audit trail would also be beneficial in the payroll system, so that any change to the data, authorized or not, is detected and raises an alert.
If someone were to change the payroll data outside the application that is authorized to make changes (e.g., through direct database access), that change would be identifiable and potentially reversible thanks to these integrity controls.
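The detect-and-reverse behaviour described above, as an added Python example that is not part of the original article: each payroll row carries a keyed hash (HMAC-SHA256) computed by the application, and every authorized change is written to an append-only audit trail. An edit made directly to the rows, bypassing the application, leaves the tag stale, so `verify()` flags the row and `restore()` reverts it to the last audited value. The key, the `PayrollStore` class and the sample records are constructed for this illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed example key for the integrity service. It is deliberately kept
# apart from the payroll table, so someone who can edit rows directly cannot
# also recompute valid tags. (Illustrative value only.)
INTEGRITY_KEY = b"example-integrity-key-do-not-use"


def record_tag(employee_id: str, record: dict) -> str:
    """Keyed hash (HMAC-SHA256) over a canonical JSON form of one payroll record."""
    canonical = json.dumps({"id": employee_id, **record}, sort_keys=True,
                           separators=(",", ":"))
    return hmac.new(INTEGRITY_KEY, canonical.encode(), hashlib.sha256).hexdigest()


class PayrollStore:
    """Payroll rows plus a per-row integrity tag and an append-only audit trail."""

    def __init__(self, records: dict):
        # self.rows stands in for the raw table that direct database access can edit.
        self.rows = {eid: dict(rec) for eid, rec in records.items()}
        self.tags = {eid: record_tag(eid, rec) for eid, rec in self.rows.items()}
        # Each entry: (timestamp, actor, employee_id, field, old_value, new_value)
        self.audit = [(self._now(), "system:load", eid, "salary", None, rec["salary"])
                      for eid, rec in self.rows.items()]

    @staticmethod
    def _now() -> str:
        return datetime.now(timezone.utc).isoformat()

    def update_salary(self, actor: str, employee_id: str, new_salary: int) -> None:
        """The authorized path: change the value, log who did it, refresh the tag."""
        old = self.rows[employee_id]["salary"]
        self.rows[employee_id]["salary"] = new_salary
        self.tags[employee_id] = record_tag(employee_id, self.rows[employee_id])
        self.audit.append((self._now(), actor, employee_id, "salary", old, new_salary))

    def verify(self) -> list:
        """Ids of rows whose current contents no longer match their integrity tag."""
        return [eid for eid, rec in self.rows.items()
                if not hmac.compare_digest(self.tags[eid], record_tag(eid, rec))]

    def last_authorized_salary(self, employee_id: str):
        """Most recent salary written through the application, per the audit trail."""
        for _, _, eid, field, _, new in reversed(self.audit):
            if eid == employee_id and field == "salary":
                return new
        return None

    def restore(self, employee_id: str) -> None:
        """Revert a tampered row to its last audited value and re-tag it."""
        self.rows[employee_id]["salary"] = self.last_authorized_salary(employee_id)
        self.tags[employee_id] = record_tag(employee_id, self.rows[employee_id])


if __name__ == "__main__":
    store = PayrollStore({"e1": {"name": "Alice", "salary": 5000}})
    store.update_salary("hr.bob", "e1", 5200)   # authorized change, audited
    store.rows["e1"]["salary"] = 99000           # out-of-band edit, no audit entry
    tampered = store.verify()
    print("tampered rows:", tampered)
    for eid in tampered:
        store.restore(eid)
    print("after restore:", store.rows, store.verify())
```

The important design point is that the tag is keyed and the key lives outside the table: a plain unkeyed hash stored next to the row could simply be recomputed by whoever edits the row, whereas here a valid tag can only be produced by the application path that also writes the audit entry.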
Availability
Availability ensures that the systems and the data are available when needed. Availability is exceptionally important for the payroll system at payroll time. Organizations might implement data redundancy (for example, redundant servers), load-balanced servers, and backup systems to guarantee users access to the platform regardless of traffic or a server going down. Firewalls, DDoS mitigation tools, and similar defenses also protect availability against attacks that could prevent users from accessing the system.
Authentication and Authorization
While these terms are often used interchangeably, they are two distinct concepts.
Authentication is the process of verifying or confirming a user’s identity. In the example above, the HR employee authenticates into payroll using multi-factor authentication (MFA) on the system: first providing their password, then confirming a code sent to their mobile device. So the HR employee’s identity is verified before they are allowed into the system.
Authorization determines what the authenticated user can and cannot do in the system. After the HR employee authenticates, the system checks the HR employee’s role and what that role may do with the payroll data. The HR employee is authorized to access and edit the payroll data, whereas a finance team member may log into the system and only be authorized to view payroll information. A regular user would log into the system and be denied any access to payroll information. These permissions are derived from pre-determined access control policies established by the organization itself.
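The two steps described above, and the RBAC denial mentioned under Confidentiality, as an added Python example that is not part of the original article: `authenticate()` establishes who the caller is from a salted password hash plus a one-time code (RFC 4226 HOTP, standing in for the code sent to the phone), and only then does `authorize()` consult the role-to-permission policy to decide what that person may do. The accounts, passwords, OTP seeds and the `ROLE_PERMISSIONS` table are constructed for this illustration.

```python
import hashlib
import hmac
import secrets
import struct

# Role -> permissions table: the organization's pre-determined access control policy.
ROLE_PERMISSIONS = {
    "hr": {"payroll:read", "payroll:write"},
    "finance": {"payroll:read"},
    "staff": set(),
}

# Constructed demo credentials (username, password, role, OTP seed); illustrative only.
DEMO_ACCOUNTS = [
    ("hr.alice", "correct horse battery staple", "hr", b"alice-otp-seed"),
    ("fin.carol", "finance-pass-123", "finance", b"carol-otp-seed"),
    ("dave", "staff-pass-456", "staff", b"dave-otp-seed"),
]


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the store never holds the plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the one-time code the user's device would display or receive."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def build_users() -> dict:
    """Create the user store from the demo accounts, with a fresh random salt each."""
    users = {}
    for username, password, role, otp_secret in DEMO_ACCOUNTS:
        salt = secrets.token_bytes(16)
        users[username] = {"salt": salt, "pw_hash": hash_password(password, salt),
                           "role": role, "otp_secret": otp_secret, "otp_counter": 0}
    return users


def authenticate(users: dict, username: str, password: str, otp_code: str):
    """Step 1, identity: password (something you know) plus one-time code
    (something you have). Returns a session dict, or None on any failure."""
    user = users.get(username)
    if user is None:
        return None
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
        return None
    expected = hotp(user["otp_secret"], user["otp_counter"])
    if not hmac.compare_digest(expected, otp_code):
        return None
    user["otp_counter"] += 1          # a code is accepted once; a replay is rejected
    return {"username": username, "role": user["role"]}


def authorize(session: dict, permission: str) -> bool:
    """Step 2, permission: what this already-identified user may do, from role policy."""
    return permission in ROLE_PERMISSIONS.get(session["role"], set())


def payroll_request(session: dict, action: str) -> str:
    """Map a payroll action to the permission it needs and enforce it."""
    needed = {"view": "payroll:read", "edit": "payroll:write"}[action]
    return "ok" if authorize(session, needed) else "denied"


if __name__ == "__main__":
    users = build_users()
    alice = users["hr.alice"]
    code = hotp(alice["otp_secret"], alice["otp_counter"])
    session = authenticate(users, "hr.alice", "correct horse battery staple", code)
    print(session, "edit:", payroll_request(session, "edit"))
```

Note that `authorize()` never looks at credentials and `authenticate()` never looks at permissions: a successful login for the staff user `dave` still yields `denied` for every payroll action, which is exactly the separation the article draws between proving who you are and being granted what you may do.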
Conclusion
To sum up, the CIA Triad offers a basic framework to help drive information protection, and with the same level of clarity about Authentication and Authorization, proper access control can take place within systems. These three will support a more trustworthy, strong, and secure level of business operations in today’s digital world.