20 December 2021
Authentication and authorization sound similar, but the difference between them is crucial: each plays a distinct and necessary role in a robust identity and access management (IAM) program.
Authentication means verifying that someone is who they claim to be, usually by checking that they hold valid credentials, before they are allowed onto a computer, network, or application. Traditionally this is a username and password. Sometimes a security question, such as the name of the user's first pet, is asked as well; note that this is still something the user knows, so it adds a second check but not a second factor. A biometric factor, such as a fingerprint, can also be used. In all cases the input is checked against information held in the organization's identity store, and the user is either admitted or turned away.
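The "checked against stored information" step is where most home-grown authentication goes wrong, so here is an added example (not code from the original article) of how a practitioner does it: the store holds a random salt and a slow, iterated hash of the password, never the password itself, and the comparison is constant-time. The in-memory dictionary, the user names and the passwords are constructed for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Added example, not code from the original article. It shows the
# "check the input against stored information" step for a password:
# store a random salt and a slow, iterated hash (PBKDF2-HMAC-SHA256),
# never the password itself, and compare in constant time. The user
# store is a constructed in-memory dict standing in for a directory.

# 600,000 is the OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


@dataclass(frozen=True)
class StoredCredential:
    salt: bytes
    digest: bytes
    iterations: int


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def register(store: dict, username: str, password: str) -> None:
    """Create the stored record: fresh random salt plus derived hash."""
    salt = os.urandom(SALT_BYTES)
    store[username] = StoredCredential(
        salt, _derive(password, salt, PBKDF2_ITERATIONS), PBKDF2_ITERATIONS
    )


def authenticate(store: dict, username: str, password: str) -> bool:
    """Return True only if the presented password matches the stored record.

    Success establishes who the caller is and nothing more; what they may
    then do is a separate, authorization question.
    """
    record = store.get(username)
    if record is None:
        # Do the same work for unknown usernames so response time does
        # not reveal which accounts exist.
        _derive(password, b"\x00" * SALT_BYTES, PBKDF2_ITERATIONS)
        return False
    candidate = _derive(password, record.salt, record.iterations)
    # compare_digest does not short-circuit on the first differing byte.
    return hmac.compare_digest(candidate, record.digest)
```

Note that a True result carries no permissions with it; it only tells the rest of the system which identity is asking.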
In some companies, authentication is considered a strong enough security measure. It keeps out people who have no legitimate need to access your systems. But is this enough? How do you ensure that users don't wreak havoc on your network, intentionally or accidentally?
The simplest level of protection is designating one or more users as administrators and allowing only them to perform sensitive actions, such as managing users and changing network security settings. This is a good start, but without finer-grained restrictions every authenticated user can reach every resource that is not reserved for administrators. This can lead to all kinds of problems, from accidental deletion of critical files to sensitive information getting into the wrong hands.
In smaller companies, this problem is solved with an access control list (ACL) that limits who can access a file and what they can do with it. Such a list must cover every object the company wants to protect and must specify the permissions of each user by name. Whenever anyone changes positions, the list should be reviewed and modified. All too often, however, users simply accumulate access as they change positions, or are legitimately granted "one-time" access to a file and the permission is never removed afterwards. This slow accumulation is known as privilege creep.
Authorization means specifying which actions valid users can take on which resources, and in doing so it goes beyond the authentication-only approach. Say Steve is a company's programmer and Susan is its CFO. With per-user permissions, IT has to decide individually which resources Steve and Susan can access and what each can do on them. With an authorization model that considers what programmers and CFOs do, IT can draw up two sets of permissions, one for each type of user, and then assign every employee to the correct set. If Susan retires and Steve takes her place, giving Steve the correct permissions is a matter of changing his assignment, and removing Susan's is equally simple.
Granting permissions based on what employees do is called Role-Based Access Control (RBAC). Introduced in the 1990s, RBAC quickly became the dominant access management model. Later, a somewhat different approach, Attribute-Based Access Control (ABAC), emerged. ABAC adds further parameters to the access decision, attributes of the user, the resource, the action and the environment, such as an employee's location or the time of day. For example, although programmers normally work with source code, you might want to deny access when one logs in at 2 AM from a country in which you have no offices; ABAC supports this kind of fine-grained authorization.
More recently a third approach, Policy-Based Access Control (PBAC), has emerged, combining the strengths of RBAC and ABAC. KuppingerCole describes PBAC as a model that helps “enterprises address the need to implement actionable access control schemes based on corporate policy and governance requirements”. PBAC enables management (not just IT!) to write access policies that consider a user's role together with other parameters (task, time, place, etc.) and the conditions holding at the moment of the request. For example, if a critical security breach occurs, a single policy condition can deny every access request until the incident is resolved, without touching individual accounts, roles or permission assignments.
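To make the three models concrete, here is an added example (not code from the original article or from any product) that runs the same access requests through an RBAC check, an ABAC check and a small PBAC engine, using the Steve (programmer) and Susan (CFO) scenario above. It also shows the hand-over case from the earlier paragraph: Susan leaves and Steve takes her role. The role names, resources, actions, office countries, business hours and the "lockdown" condition are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Added example, not code from the original article or from any product.
# It runs the same access requests through RBAC, ABAC and a small PBAC
# engine using the article's Steve (programmer) / Susan (CFO) scenario.
# Role names, resources, actions, office countries, business hours and
# the "lockdown" condition are all constructed for illustration.


@dataclass(frozen=True)
class Request:
    user: str
    action: str
    resource: str
    hour_utc: int   # hour of day the attempt was made (0-23)
    country: str    # ISO country code the attempt came from


# RBAC: permissions hang off roles; users are assigned roles.
ROLE_PERMISSIONS = {
    "programmer": {("read", "source_code"), ("write", "source_code")},
    "cfo": {("read", "financials"), ("approve", "payments")},
}
USER_ROLES = {"steve": {"programmer"}, "susan": {"cfo"}}

# Environment attributes that ABAC and PBAC conditions consult.
OFFICE_COUNTRIES = {"US", "IL"}
BUSINESS_HOURS = range(6, 22)


def rbac_allows(req: Request, user_roles: dict) -> bool:
    """RBAC: permit iff one of the user's roles carries (action, resource)."""
    return any(
        (req.action, req.resource) in ROLE_PERMISSIONS.get(role, set())
        for role in user_roles.get(req.user, set())
    )


def abac_allows(req: Request, user_roles: dict) -> bool:
    """ABAC: the role check plus attribute conditions on time and origin."""
    if not rbac_allows(req, user_roles):
        return False
    # The article's case: a programmer logging in at 2 AM from a country
    # with no office is denied even though the role permits the action.
    return req.hour_utc in BUSINESS_HOURS and req.country in OFFICE_COUNTRIES


# PBAC: named policies that each return "deny", "permit" or None (no opinion).
# Deny overrides permit; if nothing permits, the default is deny.
Policy = Callable[[Request, dict, dict], Optional[str]]


def breach_lockdown(req: Request, roles: dict, conditions: dict) -> Optional[str]:
    """Management-set kill switch: during an incident, deny everyone."""
    return "deny" if conditions.get("lockdown") else None


def off_hours_foreign(req: Request, roles: dict, conditions: dict) -> Optional[str]:
    if req.hour_utc not in BUSINESS_HOURS and req.country not in OFFICE_COUNTRIES:
        return "deny"
    return None


def role_permission(req: Request, roles: dict, conditions: dict) -> Optional[str]:
    return "permit" if rbac_allows(req, roles) else None


@dataclass
class PolicyEngine:
    policies: list
    conditions: dict = field(default_factory=lambda: {"lockdown": False})

    def decide(self, req: Request, user_roles: dict) -> tuple:
        """Return (allowed, reason); the reason names the deciding policy."""
        permitted_by = None
        for policy in self.policies:
            verdict = policy(req, user_roles, self.conditions)
            if verdict == "deny":
                return False, policy.__name__
            if verdict == "permit" and permitted_by is None:
                permitted_by = policy.__name__
        if permitted_by:
            return True, permitted_by
        return False, "default_deny"


def hand_over_role(user_roles: dict, leaver: str, successor: str) -> dict:
    """Susan retires, Steve takes her place: move the roles, drop the leaver."""
    updated = {u: set(r) for u, r in user_roles.items() if u != leaver}
    updated.setdefault(successor, set()).update(user_roles.get(leaver, set()))
    return updated


ENGINE = PolicyEngine([breach_lockdown, off_hours_foreign, role_permission])
```

The engine returns the name of the policy that decided each request, which is what you want in an audit log: "denied by off_hours_foreign" is actionable, a bare False is not. Flipping the constructed `lockdown` condition to True denies every request without editing a single role or ACL entry, which is the PBAC breach-response case described above.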
Authorization and authentication are both vital but different elements of access management. Validating credentials is necessary but not sufficient in today's complex business environment. Fortunately, there are a number of excellent authorization solutions.