Supporting the Security Parthenon: How the Five Pillars of Information Security Work Together and Why Authorization Deserves Its Place
Like the pillars of the great Parthenon, the five pillars of information security hold up and support a comprehensive security program. In this essay I will discuss the five pillars and how they are connected, giving specific examples of how they support and rely on each other within a comprehensive security program. I will also argue that there is one crucial pillar missing: authorization. I will explain why it is crucial to the information security pillars and how it fits in, how it differs from authentication, and how it supports and relies on it.
The five pillars of information security are confidentiality, integrity, availability, authentication, and non-repudiation. The first three make up the CIA triad, one of the original concepts in information security. However, as with all things, this evolved and changed. Authentication and non-repudiation were added to the CIA triad to make the five pillars. Each of these pillars is essential to a well-structured security program. Throughout this essay I will use your bank account, yes yours, as an example. I will show how each of the five pillars is used to secure your account and how authorization is already being used in this example.
I imagine no one wants their banking information public. We want to keep this information confidential. We also want to know without a doubt that the information in it is correct, that the data has kept its integrity. We want our money available to us whenever we need it. We access our account and our funds when we authenticate with the bank, proving we are who we say we are. To protect itself, the bank implements non-repudiation. This means that when you withdraw money you cannot deny that you were the one who withdrew the funds, and when you transfer money to someone else they cannot deny they received it. This is where my proposed pillar of authorization comes in. Other users or services may be able to access your account information. They may be authorized to read the data. Or they may be authorized to add funds but not withdraw them. Or when you use your debit card you have authorized the other bank to withdraw a specific amount. This is an example of each pillar standing alone, each providing its own strength; yet it is when we use them together that we really have something that will withstand the test of time. Next, I will provide examples of how they support and rely on each other.
The Parthenon is still standing, not because of one pillar but because together the pillars are greater than their sum. What I mean is that each one shares the load, distributing the weight and strengthening those around it, just like the five pillars of information security. Sticking with our banking example, how do we make our data confidential? We do this by only making it available to those who are authorized to have access. This is why I believe authorization should be one of the key pillars. And how do we know if someone has authorization? By authenticating the user or service and proving they are who they say they are. Here we see that confidentiality alone is good, but with authorization and authentication it is great! We can continue this with integrity. How do we know the data is correct? By only allowing authorized people who have authenticated to change the data. Doing this gives us non-repudiation, meaning one cannot deny having changed the data, since to do so one has to be authorized and authenticated. Non-repudiation gives us the confidence that if something was incorrectly changed we know when it was changed and by whom. This can help a bank fight fraudulent transactions and identify where the compromise happened. Hopefully, you can now see how each pillar is supported by another and each relies on another, how they share the load and uphold a security program.
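To make the banking example above concrete, here is a small added illustration (my own example, not from any bank's or any project's code) of the chain the two previous paragraphs describe: a caller first authenticates, then a separate authorization check decides what that identity may do (read only, deposit only, or a withdrawal capped at a specific amount, as with a debit card), and every accepted action is recorded against the authenticated identity to support non-repudiation. The principal names, passwords, and permissions are constructed for the example.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass, field

SALT = b"constructed-demo-salt"  # fixed for the example; real systems use a random salt per credential

def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

# Constructed sample principals for the banking example. "perms" maps an action to
# its limit (None = unlimited); an action that is absent is not authorized at all.
PRINCIPALS = {
    "owner": {"hash": _hash("owner-pw"), "perms": {"read": None, "deposit": None, "withdraw": None}},
    "auditor": {"hash": _hash("auditor-pw"), "perms": {"read": None}},          # may only read
    "payroll": {"hash": _hash("payroll-pw"), "perms": {"deposit": None}},       # may add funds, never withdraw
    "merchant": {"hash": _hash("merchant-pw"), "perms": {"withdraw": 40.00}},   # debit card: one capped amount
}

@dataclass
class Account:
    balance: float
    audit_log: list = field(default_factory=list)  # (when, who, what, how much) for non-repudiation

def authenticate(user: str, password: str) -> bool:
    """Authentication: prove the caller is who they claim to be."""
    rec = PRINCIPALS.get(user)
    return rec is not None and hmac.compare_digest(rec["hash"], _hash(password))

def authorize(user: str, action: str, amount: float = 0.0) -> bool:
    """Authorization: decide what an already authenticated principal may do."""
    perms = PRINCIPALS[user]["perms"]
    if action not in perms:
        return False
    return perms[action] is None or amount <= perms[action]

def perform(acct: Account, user: str, password: str, action: str, amount: float = 0.0) -> str:
    # Authentication comes first: an unproven identity never reaches the authorization check.
    if not authenticate(user, password):
        return "denied: authentication failed"
    if not authorize(user, action, amount):
        return "denied: not authorized"
    if action == "deposit":
        acct.balance += amount
    elif action == "withdraw":
        if amount > acct.balance:
            return "denied: insufficient funds"
        acct.balance -= amount
    acct.audit_log.append((time.time(), user, action, amount))  # accepted action, bound to the identity
    return "ok"
```

In a production system the audit record would also carry a signature over the entry so that the log itself has integrity and the actor cannot later disown it; the tuple here only shows what must be captured.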
Hopefully you can now see how a comprehensive security program is built on information security's five pillars, how each pillar supports and relies on the others, and how they are connected. I have made a case for including authorization among the information security pillars. I have given an example of how it differs from authentication, and how it relies on and supports it. I have shown how it supports the other pillars yet stands alone. For a security program that will withstand the test of time, consider building it on top of the five pillars, and consider adding authorization for extra strength.