1.3. Trust and Identity in Digital Systems

💡 First Principle: Every time a system grants access to a resource, it's making a trust decision. The fundamental question is always the same: "How confident am I that this entity is who they claim to be, and should they have access to what they're requesting?" The history of cybersecurity is largely a story of evolving answers to this question.

Imagine airport security. Before you board a plane, someone verifies your identity (passport check = authentication), confirms you have a valid ticket for this flight (boarding pass = authorization), and logs that you passed through security (surveillance records = accounting). Without any one of these steps, the system fails — imposters board flights, ticketless passengers take seats, and nobody knows who was where if something goes wrong.

What breaks without proper trust and identity controls? Everything from data breaches (wrong person gets access) to insider threats (right person exceeds their access) to audit failures (no record of who did what). The exam devotes significant coverage to identity and access management because it's the foundation that every other security control relies on.