InfoSec Fundamentals

When dealing with Information Security there are a few fundamental concepts which one needs to be aware of:

  • Authentication
  • Authorization
  • Confidentiality
  • Integrity
  • Availability
  • Attribution

Almost all protections in Information Security boil down to these primary fundamentals, hence the importance of having a good understanding of what they are and what they represent.

You may also hear the term "CIA"; this refers to the triad of Confidentiality, Integrity and Availability.


Authentication is the process of identifying a principal. The principal can be a human, or something such as a service or a device. The process involves validating that the principal is who it claims to be.

For example, to use an online bank account I would perhaps enter an account number along with a password, and hopefully some form of multi-factor authentication (MFA). Doing this is authentication.


Authorization is the process of determining whether a (usually authenticated) principal has the permissions (privileges) or roles required to access the system or data it is requesting.

For example, I have authenticated to an online forum. Determining whether I have the privileges (or roles) required to access the forum's admin console is authorization.


Confidentiality is the process, method or function which keeps data private from principals who are not authorized to view or access it.

For example, in my online bank account only I should have access to my transactions. This should not be made available to anyone else (including those who also have an account at the same bank).


Integrity is the process, method or function which prevents data from being tampered with or manipulated by those who are not authorized to modify it.

For example, in my online bank account no one else should be able to change the details pertaining to my account. Likewise, if I submit a transaction, the details of that transaction should not be modifiable afterwards.


Availability is the process, method or function which ensures that data or a service is available to authorized principals when they need it.

For example, in the online banking example, I as the account holder should be able to access my online bank account if and when I need to.


Attribution is the process, method or function which associates actions with the principal that performed them. This is sometimes referred to as auditing, and it helps identify who did what.

Switching back to the online forum example, if I added a new user, an audit trail (log) should record that it was I who added the new user.
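The following Python sketch is an added example, not part of the original article, that ties the forum and banking examples above together in code: authentication with a salted PBKDF2 verifier, authorization by role, confidentiality by restricting a record to its owner, integrity by sealing records with an HMAC, and attribution by writing every decision to an audit log. All users, passwords, roles and records are constructed sample data, and the `Forum` class and its method names are assumptions made for this example.

```python
"""Toy model of authentication, authorization, confidentiality, integrity
and attribution (constructed example; not from the original article)."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 200_000  # assumed work factor for this example


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a password verifier with PBKDF2-HMAC-SHA256 (authentication)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class User:
    name: str
    salt: bytes
    verifier: bytes
    roles: set[str] = field(default_factory=set)


class Forum:
    """Hypothetical forum that wires the fundamentals together."""

    def __init__(self, integrity_key: bytes) -> None:
        self._users: dict[str, User] = {}
        self._key = integrity_key  # secret used to seal records (integrity)
        # Attribution: every decision is recorded as (actor, action, target).
        self.audit_log: list[tuple[str, str, str]] = []
        # record_id -> (owner, record, seal); records are private to their owner.
        self._records: dict[str, tuple[str, dict, bytes]] = {}

    def _audit(self, actor: str, action: str, target: str) -> None:
        self.audit_log.append((actor, action, target))

    # Authentication: prove the principal is who it claims to be.
    def register(self, name: str, password: str, roles: set[str]) -> None:
        salt = os.urandom(16)
        self._users[name] = User(name, salt, hash_password(password, salt), set(roles))

    def authenticate(self, name: str, password: str) -> User | None:
        user = self._users.get(name)
        if user is None:
            return None
        candidate = hash_password(password, user.salt)
        if not hmac.compare_digest(candidate, user.verifier):  # constant-time compare
            self._audit(name, "login_failed", name)
            return None
        self._audit(name, "login_ok", name)
        return user

    # Authorization: does this authenticated principal hold the required role?
    def _require_role(self, user: User, role: str) -> None:
        if role not in user.roles:
            self._audit(user.name, "denied:" + role, "-")
            raise PermissionError(f"{user.name} lacks role {role!r}")

    def add_user(self, actor: User, name: str, password: str, roles: set[str]) -> None:
        """Only admins may add users; the audit log records who did it."""
        self._require_role(actor, "admin")
        self.register(name, password, roles)
        self._audit(actor.name, "add_user", name)

    # Integrity: an HMAC over a canonical encoding makes later tampering detectable.
    def seal(self, record: dict) -> bytes:
        canonical = "|".join(f"{k}={record[k]}" for k in sorted(record))
        return hmac.new(self._key, canonical.encode(), "sha256").digest()

    def store_record(self, owner: User, record_id: str, record: dict) -> None:
        self._records[record_id] = (owner.name, dict(record), self.seal(record))
        self._audit(owner.name, "store", record_id)

    # Confidentiality: only the owner may read; integrity: the seal must still match.
    def read_record(self, reader: User, record_id: str) -> dict:
        owner, record, seal = self._records[record_id]
        if reader.name != owner:
            self._audit(reader.name, "denied:read", record_id)
            raise PermissionError("not authorized to read this record")
        if not hmac.compare_digest(self.seal(record), seal):
            self._audit(reader.name, "integrity_failure", record_id)
            raise ValueError("integrity check failed: record was modified")
        self._audit(reader.name, "read", record_id)
        return dict(record)


def demo() -> list[tuple[str, str, str]]:
    """Run the forum scenario from the text and return the audit trail."""
    forum = Forum(integrity_key=os.urandom(32))
    forum.register("alice", "correct horse", {"admin", "member"})
    forum.register("bob", "battery staple", {"member"})
    alice = forum.authenticate("alice", "correct horse")
    bob = forum.authenticate("bob", "battery staple")
    try:
        forum.add_user(bob, "mallory", "pw", {"member"})  # bob is not an admin
    except PermissionError:
        pass
    forum.add_user(alice, "carol", "pw", {"member"})      # recorded as alice's action
    forum.store_record(bob, "tx1", {"amount": 50, "to": "carol"})
    return forum.audit_log


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The audit log is the attribution piece: it records not only successful actions but denied ones, which is what an investigator later needs to answer "who did what". Note that the seal only detects modification of a record's fields; it does not stop a principal with write access from replacing the record and re-sealing it, which is why the signing key is kept out of the principals' hands.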

Hat tip to Mike Thompson for suggesting this entry.