Difference between authentication and access control

You are probably familiar with the concept of authentication, the way that security systems challenge you to prove you are the customer, user, or employee whom you claim to be, using a password, token, or other form of credential. You may be less familiar with the concept of authorization, and the related term, access control.

Authorization

Authentication verifies your identity and authentication enables authorization. An authorization policy dictates what your identity is allowed to do. For example, any customer of a bank can create and use an identity (e.g., a user name) to log into that bank's online service but the bank's authorization policy must ensure that only you are authorized to access your individual account online once your identity is verified.

Authorization can be applied to more granular levels than simply a web site or company intranet. Your individual identity can be included in a group of identities that share a common authorization policy. For example, imagine a database that contains both customer purchases and a customer's personal and credit card information. A merchant could create an authorization policy for this database to allow a marketing group access to all customer purchases but prevent access to all customer personal and credit card information, so that the marketing group could identify popular products to promote or put on sale.
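The merchant database policy described above, worked through as an added example (it is not code from the original post). The table layout, the group names, the sample rows and the "a customer may read only their own record" rule are all constructed assumptions; the point is that the policy is stated once, as data, and every query is filtered through it.

```python
"""Group-based authorization policy over a customer table.

Added example, not from the original post. Table layout, group names and
sample rows are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample table: each row mixes purchase data with personal and
# card data, which is exactly the situation the post describes.
CUSTOMER_RECORDS = [
    {"customer_id": 1, "name": "A. Example", "card_number": "4111111111111111",
     "email": "a@example.invalid", "product": "kettle", "amount": 29.99},
    {"customer_id": 2, "name": "B. Example", "card_number": "5500000000000004",
     "email": "b@example.invalid", "product": "kettle", "amount": 29.99},
    {"customer_id": 3, "name": "C. Example", "card_number": "340000000000009",
     "email": "c@example.invalid", "product": "toaster", "amount": 49.50},
]

PURCHASE_FIELDS = {"customer_id", "product", "amount"}
PERSONAL_FIELDS = {"name", "email", "card_number"}

# The authorization policy: which group may read which columns.
# "marketing" sees purchases only; "billing" (constructed) also sees personal data.
GROUP_POLICY = {
    "marketing": PURCHASE_FIELDS,
    "billing": PURCHASE_FIELDS | PERSONAL_FIELDS,
}


@dataclass
class Identity:
    username: str
    groups: frozenset = field(default_factory=frozenset)
    customer_id: Optional[int] = None  # set when the identity is a customer


class NotAuthorized(Exception):
    pass


def allowed_fields(identity: Identity) -> set:
    """Union of the columns every group the identity belongs to may read."""
    permitted = set()
    for group in identity.groups:
        permitted |= GROUP_POLICY.get(group, set())
    return permitted


def can_read(identity: Identity, fields: set) -> bool:
    """Policy decision only: customers may read their own row in full,
    staff may read the columns their groups permit."""
    return identity.customer_id is not None or fields <= allowed_fields(identity)


def query(identity: Identity, fields: set) -> list:
    """Enforce the policy on every read: a customer gets only their own row,
    staff get only the permitted columns, anything else is refused."""
    if identity.customer_id is not None:
        return [dict(r) for r in CUSTOMER_RECORDS if r["customer_id"] == identity.customer_id]
    denied = fields - allowed_fields(identity)
    if denied:
        raise NotAuthorized(f"{identity.username} may not read {sorted(denied)}")
    return [{k: r[k] for k in fields} for r in CUSTOMER_RECORDS]


def popular_products(identity: Identity) -> dict:
    """The marketing use case from the text: count purchases per product
    without the query ever touching personal or card data."""
    counts = {}
    for row in query(identity, {"product"}):
        counts[row["product"]] = counts.get(row["product"], 0) + 1
    return counts
```

Because the policy lives in one place, adding a group or narrowing a group's columns is a data change rather than a code change, and the enforcement in `query` does not need to know why a column is sensitive.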

We implicitly create authorization policies when we use social media: Facebook, LinkedIn, or Twitter may authenticate hundreds of millions of users, but to some extent we can authorize whether or how these users engage with us. The same is true when you share files, videos, or photos from sites like Google Docs, Dropbox, Instagram, Pinterest, or Flickr, or even when you create a "shared" folder on your laptop.

Access Controls

Whereas authorization policies define what an individual identity or group may access, access controls – also called permissions or privileges – are the methods we use to enforce such policies. Let's look at examples:

  • Through Facebook settings – Who can see my stuff? Who can contact me? Who can look me up? – we allow or deny access to what we post on Facebook to specific users or to the public.
  • Google Docs settings let us set edit or sharing privileges for documents we use collaboratively.
  • Flickr settings allow us to create or share albums or images with family, friends, or publicly, under different (e.g., Creative Commons) publishing rights licenses.
  • Shares and permissions on macOS, or the Security tab in a Windows file properties dialog box, allow you to set access privileges for individual files or folders.

Correct configuration of access privileges is a critical component of protecting information against unauthorized access and protecting computer systems from abuse, but access control configuration is tricky business. In our next post, we'll look at how organizations implement authorization policies using access controls or user permissions. We'll follow that with a post that examines attacks that malicious actors or criminals can conduct when access controls are not adequate to prevent unauthorized use, unintended disclosure, or privilege escalation.

Authors

Dave Piscitello


This is a short article on the differences between three important and fundamental security concepts that are often confused.  The difference between authentication, authorisation and access control is often not understood properly, and sometimes they are thought to be the same thing or the terms are used interchangeably.

Perhaps this is because the processes of authentication, authorisation and access control often appear to happen at the same time from an end user’s perspective, and as one single process. But it can be critically important to understand the distinction when designing the security framework for a software application, so here we provide a clarification of these distinct concepts and provide an explanation of how they would be applied to a typical software application or website.

Authentication

Authentication is a process by which you verify that someone is who they claim they are.

This usually involves asking the user for a username and a password, but it can include any other method of demonstrating identity, for example a smart card, a PIN, a secret code sent in a letter in the post, a fingerprint scan, and so on.

In order to perform authentication, a user must already have an account created in a system which can be interrogated by the authentication mechanism, or an account must be created as part of the process of the very first authentication.

The output of the authentication process is usually a binary “yes or no” result – either the user is who they say they are, or they are not (a “maybe” would be treated as a “no”).

Note that the “someone” may not be a real person. For example, an application that is trying to use a web services API may need to use authentication to prove that it is the application in question, and could do this in exactly the same way as a real human user would prove their identity (excluding of course biometrics like fingerprints).

Authorisation

Authorisation is the process of establishing whether the user (who is already authenticated) is permitted to have access to a resource. Authorisation determines what a user is and is not allowed to do.

The level of authorisation to give a user is determined by examining the additional properties (metadata) associated with the user’s account. For example, data associated with a user may indicate if they are a member of a given group such as “Administrators” or “Customers”, or it may indicate if they have paid a subscription for some paid-for content, or it may indicate that they are still within the 90 day period of a free trial.

Authorisation also includes an Authorisation Management component, which is a system that provides the functionality to create the authorisation rules. For example, it may allow an administrator to create a rule to allow another user to edit or publish content to a website. Authorisation Management often uses Groups, Roles, Privileges and Permissions (the difference between each of these four concepts is for another blog article!) to define these rules.

Access Control

Access Control is the process of enforcing the required security for a particular resource.

Once we know who a user is, and we know what authorisation level they have and what we should and should not give them access to, we need to physically prevent that user from accessing anything that they should not be able to. Access Control can be seen as the combination of Authentication and Authorisation plus additional measures, such as clock- or IP-based restrictions.

In the context of a web or software application, access control may be implemented using bespoke logic, security features of the development framework being used, file permissions, URL access lists, or many other mechanisms.

Note that lack of adequate access control is more often the cause of security vulnerabilities in applications than faulty authentication or authorisation mechanisms, simply because access control is more complex to implement and becomes more complex as the application being secured becomes more complex itself.
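The three steps described in the Authentication, Authorisation and Access Control sections, kept as three separate functions, as an added example (not code from the original article). The user store, the 90-day trial rule, the office-hours window and the permitted network range are constructed assumptions chosen to mirror the text; the salted password hashing and constant-time comparison are standard-library calls.

```python
"""Authentication, authorisation and access control as three separate steps.

Added example, not from the original article. Users, passwords, the trial
rule, the office-hours window and the permitted network are constructed.
"""
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass
from datetime import date, datetime, timedelta


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the stored value cannot be compared across accounts.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password, groups, subscription_paid=False, trial_started=None):
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "groups": set(groups), "subscription_paid": subscription_paid,
            "trial_started": trial_started}


TODAY = date(2024, 6, 1)  # fixed "now" so the example is deterministic
USERS = {  # constructed accounts with the metadata the text mentions
    "alice": make_user("correct horse", {"Administrators"}),
    "bob": make_user("battery staple", {"Customers"}, subscription_paid=True),
    "carol": make_user("hunter22", {"Customers"}, trial_started=TODAY - timedelta(days=30)),
    "dave": make_user("letmein!!", {"Customers"}, trial_started=TODAY - timedelta(days=120)),
}


# Step 1: authentication. A yes/no answer about identity and nothing more;
# unknown user and wrong password yield the same answer.
def authenticate(username: str, password: str) -> bool:
    user = USERS.get(username)
    if user is None:
        return False
    candidate = hash_password(password, user["salt"])
    return hmac.compare_digest(candidate, user["pw_hash"])


# Step 2: authorisation. Decided from the account's metadata: group
# membership, a paid subscription, or a trial still inside its 90 days.
def authorised(username: str, action: str, today: date = TODAY) -> bool:
    user = USERS[username]
    if action == "publish_content":
        return "Administrators" in user["groups"]
    if action == "read_premium":
        if user["subscription_paid"]:
            return True
        started = user["trial_started"]
        return started is not None and (today - started) <= timedelta(days=90)
    return False  # anything not explicitly permitted is denied


# Step 3: access control. Authentication plus authorisation plus the extra
# clock- and IP-based restrictions the text mentions (values constructed).
OFFICE_HOURS = range(8, 18)                         # 08:00 to 17:59
PERMITTED_NET = ipaddress.ip_network("10.0.0.0/8")  # internal network only

# Constructed request times used in the demonstration.
DAYTIME = datetime(2024, 6, 1, 10, 0)
NIGHTTIME = datetime(2024, 6, 1, 23, 0)


@dataclass
class Decision:
    allowed: bool
    reason: str


def access_control(username, password, action, client_ip, when: datetime) -> Decision:
    if not authenticate(username, password):
        return Decision(False, "authentication failed")
    if not authorised(username, action, when.date()):
        return Decision(False, "not authorised for " + action)
    if action == "publish_content" and when.hour not in OFFICE_HOURS:
        return Decision(False, "publishing only permitted during office hours")
    if action == "publish_content" and ipaddress.ip_address(client_ip) not in PERMITTED_NET:
        return Decision(False, "publishing only permitted from the internal network")
    return Decision(True, "granted")
```

Keeping the three decisions apart makes the failure modes the article distinguishes visible: a wrong password is refused at step one, an expired trial at step two, and an administrator publishing from outside the office network or outside office hours at step three, even though their identity and role are both valid.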

Further Reading

The following articles are worth reading for further details on the subject. In particular, Authentication and Authorisation are often combined with Accounting (that is, the logging of information relating to Authentication and Authorisation) to form “AAA” – Authentication, Authorisation and Accounting.

  • AAA Protocol (Wikipedia)
  • Authentication, Authorization, and Identities in WCF (Microsoft MSDN)
  • Authentication, Authorization, and Access Control (Apache HTTP Server)
  • Authentication and Authorization for Google APIs (Google)

What is the difference between authentication and permission?

Authentication means determining the identity of a user, server, or client. Authorization means determining whether that user, server, or client has permission to do something. Permissions are settings on a file or other object that define who or what is allowed to use it and what they are allowed to do with it.

Does access control include authentication?

Access control identifies users by verifying various login credentials, which can include usernames and passwords, PINs, biometric scans, and security tokens. Many access control systems also include multifactor authentication (MFA), a method that requires multiple authentication methods to verify a user's identity.

What is the difference between authentication and authenticity?

Authenticity is a special case of integrity, where the "reference version" is defined as "whatever it was when it was under control of a specific entity". Authentication is about making sure that a given entity (with whom you are interacting) is who you believe it to be.

What are the 3 types of access control?

There are three core types of IP access control: discretionary, managed, and role-based. Discretionary access control is extremely flexible and nonrestrictive compared to its alternatives. This is because access rights are specified by users.
