(Originally written on September 15th, 2024)
General Overview:
The CIA Triad is defined as “a model designed to guide policies for information security within an organization” (Chai 2022). The model is composed of three parts: confidentiality, integrity, and availability. Together, these parts provide a solid foundation for an organization’s security policies and are used to reduce potential vulnerabilities in its systems.
The first letter in the triad stands for confidentiality. This element ensures that sensitive information is kept private and is available only to authorized users. Data can be categorized by the level of damage that could be done should it be accessed by an unauthorized party. Encryption and a requirement for two-factor authentication are ways this element can be built into an organization’s security policies.
The second element is integrity. This element is centered on ensuring that the data present in a system is reliable and trustworthy. By including this element in security policies, unauthorized alteration of the data can be prevented. Both human and non-human causes of alteration must be taken into account, “such as an electromagnetic pulse (EMP) or server crash” (Chai 2022). Data backups are particularly important to this element: “Regularly backing up data so that it can be restored to its original state” is a core integrity practice (University of Tulsa 2024).
The last part of the triad is availability. This element is focused on ensuring that a system or set of data is available to those with authorized access whenever they need it. Both the hardware and the software in a system must be maintained in order to fulfill this element of the triad. Preventative measures that keep availability intact are key.
Authentication vs. Authorization:
In a theoretical situation, say you are logging into a secure system that requires a password. First, you must prove who you are: the system must authenticate the user. This is most commonly done by providing the correct credentials for your account. Second, the system must determine which permissions your account holds and grant only those. In other words, the system must authorize the associated permissions.
These two processes are closely related to each other but serve two different purposes. Because of this, the two are often confused with one another. “Authentication and authorization are related but distinct processes in an organization’s identity and access management (IAM) system.” (Kosinski 2024).
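The two-step flow described above, as an added example that is not part of the original essay or its cited sources. It assumes a constructed in-memory user store with salted password hashes and a role-to-permission table, and shows that a user can pass authentication yet still fail authorization.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample data (not a real system): each user record holds a
# per-user random salt, a PBKDF2 hash of the password, and a role.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _make_user(password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "role": role}

USERS = {
    "alice": _make_user("correct horse", "analyst"),
    "bob": _make_user("hunter2", "admin"),
}

# Hypothetical permission names used only for this illustration.
ROLE_PERMISSIONS = {
    "analyst": {"read:reports"},
    "admin": {"read:reports", "delete:reports"},
}

def authenticate(username: str, password: str) -> Optional[str]:
    """Step 1: prove who you are. Returns the username on success, else None."""
    record = USERS.get(username)
    if record is None:
        return None
    candidate = _hash_password(password, record["salt"])
    # Constant-time comparison so the check does not leak via timing.
    if not hmac.compare_digest(candidate, record["hash"]):
        return None
    return username

def authorize(username: str, permission: str) -> bool:
    """Step 2: decide what an already-authenticated user is allowed to do."""
    role = USERS[username]["role"]
    return permission in ROLE_PERMISSIONS.get(role, set())

def access(username: str, password: str, permission: str) -> str:
    """Runs both steps in order and reports which one failed, if any."""
    user = authenticate(username, password)
    if user is None:
        return "denied: not authenticated"
    if not authorize(user, permission):
        return "denied: authenticated but not authorized"
    return "granted"
```

Note that authorization is never consulted until authentication succeeds, and that a valid password for alice does not by itself grant the admin-only permission.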
Conclusion:
The CIA triad stands for Confidentiality, Integrity, and Availability. These three parts come together to guide the development of an organization’s security policies. Each element serves its own purpose and is integral to the creation of these policies.
Authentication and authorization are two processes that ensure the protection of secured, sensitive information. Authentication verifies the identity of the user, while authorization is the process of granting the user access to the correct systems and data.
Both the CIA Triad and the principles of authentication and authorization provide guidance for the creation of security policies for an organization. Organizations can then use these policies to ensure that their data remains secure and protected from threats.
References
Chai, W. (2022, June). What is the CIA triad? Definition, explanation, examples. TechTarget. https://www.techtarget.com/whatis/definition/Confidentiality-integrity-and-availability-CIA?jr=on
Kosinski, M. (2024, June). Authentication vs. authorization: What’s the difference? IBM. https://www.ibm.com/blog/authentication-vs-authorization/
University of Tulsa. (2024, January). What is the CIA triad? https://online.utulsa.edu/blog/what-is-the-cia-triad/