What is the CIA triad?
The confidentiality, integrity, and availability (CIA) model, at times also referred to as availability, integrity, and confidentiality (AIC), was formulated to guide information security within organizations. Three core principles define the CIA model.
Confidentiality would be the privacy aspect, in which sensitive data must stay secure. The United States Department of Defense (DoD) uses three main classifications: Secret, Top Secret, and Confidential. The determination of classification comes from an Original Classification Authority (OCA). The OCA must first determine that the information is official and that it has full rights to control the information. The next step would be to see if the official information is eligible for classification; for instance, if a generic blanket classification already exists, there would be no need to duplicate it. Impact would be the evaluation of potential damage to national security, which determines the effort required to secure the information. Once the evaluation of the information is complete comes the classification; Confidential would be the highest level of security towards information.
Think of integrity as tamper-proofing a document. The original, official document must stay accurate and trusted over the document's entire lifecycle. Limiting access to confidential information should be a top priority so as to narrow the potential for a data breach. If a data breach occurs and you must investigate five hundred individuals, that could take time, whereas if fewer than two individuals have access it would be much easier to narrow down who, when, and where the breach occurred.
Availability is the ready accessibility of the information in question. For confidential information you would never want to carry around the original document; this could result in tampering and loss of information. Secure the original in a safe environment and disseminate an electronic copy on a need-to-know basis. This ensures you can readily pull the original document and validate the integrity of the duplicate, and it mitigates downtime in the event of hardware failure.
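The "secure the original, disseminate a copy on a need-to-know basis, validate the duplicate" procedure above, as an added example that is not part of the original text. The document contents, the need-to-know list, and the recipient names are constructed; the original's SHA-256 digest is kept with the secured original and used to check any copy that comes back.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample data: an "original" kept in a controlled store, and a
# need-to-know list naming who may receive an electronic copy of it.
ORIGINAL_TEXT = b"Hypothetical classified memo: contents are illustrative only."
NEED_TO_KNOW = {"memo-001": {"alice", "bob"}}

def digest(data: bytes) -> str:
    """SHA-256 fingerprint of a document; recorded alongside the secured original."""
    return hashlib.sha256(data).hexdigest()

# The vault holds the original and its digest; the original itself is never handed out.
VAULT = {"memo-001": {"data": ORIGINAL_TEXT, "sha256": digest(ORIGINAL_TEXT)}}

def issue_copy(doc_id: str, recipient: str) -> Optional[dict]:
    """Disseminate an electronic copy only to someone on the need-to-know list.
    Returns the copy (bytes plus the digest it must match) or None if refused."""
    if recipient not in NEED_TO_KNOW.get(doc_id, set()):
        return None  # confidentiality: access is limited to the listed recipients
    entry = VAULT[doc_id]
    return {"doc_id": doc_id, "data": entry["data"], "sha256": entry["sha256"]}

def verify_copy(copy: dict) -> bool:
    """Integrity check: recompute the copy's digest and compare it with the digest
    recorded for the secured original. Any change to the copy fails the check."""
    expected = VAULT[copy["doc_id"]]["sha256"]
    actual = digest(copy["data"])
    return hmac.compare_digest(expected, actual)  # constant-time comparison

def tamper(copy: dict) -> dict:
    """Simulate a duplicate that was altered after issue (one word changed)."""
    return {**copy, "data": copy["data"].replace(b"illustrative", b"authoritative")}

if __name__ == "__main__":
    good = issue_copy("memo-001", "alice")
    print("copy issued to alice:", good is not None)                      # True
    print("copy refused for mallory:", issue_copy("memo-001", "mallory") is None)  # True
    print("intact copy verifies:", verify_copy(good))                      # True
    print("tampered copy verifies:", verify_copy(tamper(good)))            # False
```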
What is the difference between Authentication & Authorization?
Authentication is the process of determining identity: are you who you say you are? To log into your academic grades, you would need to use a login name; this is the authentication process.
Authorization is the process of determining whether you have a need to access what you are requesting. This is usually your password, or it could come in the form of biometrics. There may not even be any need to authorize your access to such information, depending on the resources you are requesting.
Coupling your login name with your password to access your bank account is the act of authenticating your authorization to access confidential information that only you would need to access. If you are just searching for the local weather, there would be zero need to authorize your access to such data.
