Information security concepts
CIA Triad
The CIA triad of confidentiality, integrity, and availability is at the heart of information security.
Confidentiality
Confidentiality is the property that information is not made available or disclosed to unauthorized individuals, entities, or processes. Examples of the confidentiality of electronic data being compromised include laptop theft, password theft, or sensitive emails being sent to the wrong recipients.
While similar to "privacy," the two words are not interchangeable:

Basis for comparison | Privacy | Confidentiality
Meaning | Privacy is the state of being secluded. | Confidentiality is the expectation that someone will not divulge information to any other person.
What is it? | The right to be let alone. | An agreement between persons in a fiduciary relationship to keep sensitive information and documents secret.
Concept | Limits access by the public. | Prevents unauthorized access to information and documents.
Applies to | Individuals. | Information.
Obligatory | No; it is the personal choice of an individual. | Yes, where a professional or legal duty applies.
Integrity
Integrity means maintaining and assuring the accuracy and completeness of data over its entire lifecycle. This means that data cannot be modified in an unauthorized or undetected manner.
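The "unauthorized or undetected" wording matters in practice: an unkeyed hash stored next to the data only catches accidental corruption, because anyone who can alter the data can also recompute the hash. The following added example (not from the original page; the record, key and tampering step are constructed for the demo) shows that a keyed HMAC detects the same modification while a bare SHA-256 does not.

```python
# Added example (not from the original page): detecting unauthorized modification
# of data with an HMAC. A bare hash only catches accidental corruption, because
# anyone who can alter the data can also recompute the hash; an HMAC keyed with a
# secret the attacker does not hold makes the change detectable.
import hashlib
import hmac
import os

# Constructed sample: a record whose integrity we want to protect, and a secret
# key known only to the legitimate writer/reader (hypothetical values).
RECORD = b'{"account": "alice", "balance": 100}'
SECRET_KEY = os.urandom(32)  # fresh random key for this demo run


def digest_tag(data: bytes) -> str:
    """Unkeyed SHA-256: detects accidental corruption only."""
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, tag: str) -> bool:
    return hmac.compare_digest(digest_tag(data), tag)


def hmac_tag(data: bytes, key: bytes) -> str:
    """Keyed HMAC-SHA256: detects modification by anyone without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hmac(data: bytes, tag: str, key: bytes) -> bool:
    # compare_digest avoids leaking the tag through timing differences
    return hmac.compare_digest(hmac_tag(data, key), tag)


def attacker_tampers(data: bytes) -> bytes:
    """An attacker who can write to storage changes the balance."""
    return data.replace(b'"balance": 100', b'"balance": 9999')


def scenario() -> dict:
    """Run the tamper scenario against both schemes; report which one detects it."""
    tampered = attacker_tampers(RECORD)

    # Scheme A: unkeyed hash stored next to the data. The attacker simply
    # recomputes it for the modified record, so verification still passes.
    forged_hash = digest_tag(tampered)
    hash_detects = not verify_digest(tampered, forged_hash)

    # Scheme B: HMAC. Without SECRET_KEY the attacker cannot produce a valid
    # tag for the modified record; the best they can do is keep the old one.
    stored_tag = hmac_tag(RECORD, SECRET_KEY)
    hmac_detects = not verify_hmac(tampered, stored_tag, SECRET_KEY)

    return {
        "untampered_hmac_ok": verify_hmac(RECORD, stored_tag, SECRET_KEY),
        "hash_detects_tampering": hash_detects,
        "hmac_detects_tampering": hmac_detects,
    }


if __name__ == "__main__":
    print(scenario())
```

The key is the whole point: an HMAC only protects integrity against parties who cannot obtain it, so the key must be stored separately from the data it protects (a signature with a private key gives the same guarantee when the verifier should not hold a secret at all).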
Availability
Availability means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must all be functioning correctly when they are needed. High-availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades. Ensuring availability also involves resisting denial-of-service attacks, such as a flood of incoming requests that exhausts the target's resources so that legitimate users can no longer be served.
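One common availability control against request floods is per-client rate limiting. The added example below (not from the original page; client names, limits and the request trace are constructed) is a token-bucket limiter: each client may burst up to `capacity` requests and then sustain `rate` requests per second, so one flooding client is cut off while a well-behaved client keeps being served.

```python
# Added example (not from the original page): a token-bucket rate limiter as one
# availability control against request floods. Each client gets a bucket of
# `capacity` tokens refilled at `rate` tokens per second; a request that finds
# the bucket empty is rejected so a single flooding client cannot consume the
# service for everyone else. Client identifiers, rates and the request trace
# are constructed for the demo.
from dataclasses import dataclass, field


@dataclass
class Bucket:
    tokens: float  # tokens currently available
    last: float    # timestamp of the last refill calculation


@dataclass
class RateLimiter:
    capacity: float            # burst size allowed per client
    rate: float                # sustained requests per second per client
    buckets: dict = field(default_factory=dict)

    def allow(self, client: str, now: float) -> bool:
        """Return True if `client` may be served at time `now` (seconds)."""
        b = self.buckets.get(client)
        if b is None:
            b = Bucket(tokens=self.capacity, last=now)
            self.buckets[client] = b
        # refill proportionally to elapsed time, capped at capacity
        b.tokens = min(self.capacity, b.tokens + (now - b.last) * self.rate)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False


def simulate(requests, capacity=5, rate=1.0) -> dict:
    """Feed (timestamp, client) pairs through the limiter; count per-client results."""
    limiter = RateLimiter(capacity=capacity, rate=rate)
    served = {}
    rejected = {}
    for ts, client in requests:
        if limiter.allow(client, ts):
            served[client] = served.get(client, 0) + 1
        else:
            rejected[client] = rejected.get(client, 0) + 1
    return {"served": served, "rejected": rejected}


# Constructed trace: "flood" sends 100 requests within one second, while
# "normal" sends one request per second over a ten-second window.
FLOOD = [(i / 100.0, "flood") for i in range(100)]
NORMAL = [(float(i), "normal") for i in range(10)]
TRACE = sorted(FLOOD + NORMAL)


if __name__ == "__main__":
    # flood: 5 served, 95 rejected; normal: all 10 served
    print(simulate(TRACE))
```

The limiter takes the clock as a parameter so the behaviour is deterministic and testable. Its weak point is the client key: if clients are identified by source IP, a distributed flood or a spoofed address defeats per-client limits, so in practice this is layered with global limits and upstream filtering.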
Authentication/Authorization concepts
Authentication | Authorization
Determines whether users are who they claim to be | Determines what users can and cannot access
Challenges the user to validate credentials (for example, a password, answers to security questions, or facial recognition) | Verifies whether access is allowed through policies and rules
Usually done before authorization | Usually done after successful authentication
Generally transmits information through an ID token | Generally transmits information through an access token
Generally governed by the OpenID Connect (OIDC) protocol | Generally governed by the OAuth 2.0 framework
Example: employees in a company are required to authenticate to the network before accessing their company email | Example: after an employee successfully authenticates, the system determines what information the employee is allowed to access
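The two steps are easiest to keep straight when they are two separate functions. The added example below (not from the original page; the users, passwords, resources and policy table are constructed) authenticates a user against a salted PBKDF2 password hash and returns identity claims, the job an ID token does, and then authorizes an action against a policy table, the job an access token's scopes do. Both failures deny by default, and an unauthenticated caller never reaches the policy check.

```python
# Added example (not from the original page): authentication and authorization
# as two separate steps. authenticate() checks a password against a stored
# PBKDF2 hash and returns a small set of identity claims (the role an ID token
# plays); authorize() then decides, from a policy table, whether that identity
# may perform an action on a resource (the role an access token's scopes play).
# Users, passwords, resources and the policy are constructed for the demo.
import hashlib
import hmac
import os
from typing import Optional

# Reduced for a fast demo; production should use a much higher iteration count.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None):
    """Return (salt, pbkdf2 hash); a fresh random salt per user when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


# Constructed user database: username -> (salt, hash, groups)
USERS = {
    "alice": (*hash_password("correct horse battery staple"), {"finance"}),
    "bob": (*hash_password("hunter2"), {"engineering"}),
}

# Constructed policy: (group, resource) -> set of permitted actions
POLICY = {
    ("finance", "payroll"): {"read", "write"},
    ("engineering", "payroll"): set(),
    ("engineering", "source"): {"read", "write"},
    ("finance", "source"): {"read"},
}


def authenticate(username: str, password: str) -> Optional[dict]:
    """Step 1: is the caller who they claim to be? Returns identity claims or None."""
    record = USERS.get(username)
    if record is None:
        # Still do a hash computation so unknown users are not distinguishable
        # by response time (constructed dummy salt).
        hash_password(password, b"\x00" * 16)
        return None
    salt, stored, groups = record
    _, candidate = hash_password(password, salt)
    if not hmac.compare_digest(candidate, stored):
        return None
    return {"sub": username, "groups": sorted(groups)}


def authorize(identity: Optional[dict], action: str, resource: str) -> bool:
    """Step 2: may this identity do `action` on `resource`? Unauthenticated -> deny."""
    if identity is None:
        return False
    return any(action in POLICY.get((g, resource), set()) for g in identity["groups"])


def access(username: str, password: str, action: str, resource: str) -> str:
    """Full flow: authenticate first, then authorize; deny by default on either failure."""
    identity = authenticate(username, password)
    if identity is None:
        return "401 unauthenticated"
    if not authorize(identity, action, resource):
        return "403 forbidden"
    return "200 ok"


if __name__ == "__main__":
    print(access("alice", "correct horse battery staple", "write", "payroll"))  # 200 ok
    print(access("bob", "hunter2", "write", "payroll"))                         # 403 forbidden
    print(access("bob", "wrong", "read", "source"))                             # 401 unauthenticated
```

Note the distinction in the responses: a bad password is an authentication failure (401), while a valid user asking for something the policy does not grant is an authorization failure (403). Conflating the two, for example by checking the policy before the credentials, leaks which resources exist to callers who have not proven who they are.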