
Cyber Security:

Authentication and Authorisation

Authentication and authorisation are two vital information security processes that administrators use to protect systems and information. Both support the confidentiality element of the CIA triad (confidentiality, integrity, availability).

Authentication verifies the identity of a user or service, and authorization determines their access rights.

Authentication

Authentication is the process of determining that someone is who they claim to be by verifying their identity.

For example, when you want access to your online bank account you are required to enter your details, which are then checked against a specific database.

After this step, if the submitted data matches, you are granted system access.

Another example of authentication is when two devices in different locations need to trust each other, such as when you work from home and your laptop logs in to the work server. Through authentication the two can establish a level of trust, and you can then connect to the server.

Authorisation

Authorisation is the process of granting someone permission to do something or to access a certain resource. For this to happen, the authentication step must already have been completed. The level of access is then looked up in the system's access-control data, and the user can access files at that level of trust.

This access permission can be granted by a person or an automated system.

Authorization is usually done with the goal of preventing unauthorized access to resources.

For example, you may be authorised to use standard apps at your job, but not applications reserved only for admins. To get access to restricted areas you have to be authorised through, for example, a privileged access management system that assigns you limited privileged permissions.
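As an added example that is not part of the original page, the following Python sketch shows the two steps in the order the text describes: a password check against a constructed user store (standing in for the bank's database) that yields an identity, followed by a permission check against role settings the organisation manages. The names USERS, ROLES, PERMISSIONS, the sample users and the app names are assumptions made for this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# --- Authentication side -------------------------------------------------

def _hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)

def make_user_record(password: str) -> dict:
    """Build the stored record: a random salt and the hash, never the password."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}

# Constructed user store; in a real system this is the "specific database"
# the page refers to.
USERS = {
    "alice": make_user_record("correct horse battery staple"),  # constructed
    "bob": make_user_record("hunter2"),                          # constructed
}

@dataclass(frozen=True)
class Session:
    """Proof that authentication succeeded for this username."""
    username: str

def authenticate(username: str, password: str) -> Optional[Session]:
    """Return a Session if the submitted details match the stored record, else None."""
    record = USERS.get(username)
    if record is None:
        # Do the same amount of work for unknown users so response time
        # does not reveal which usernames exist.
        _hash_password(password, b"\x00" * 16)
        return None
    candidate = _hash_password(password, record["salt"])
    # Constant-time comparison of the two hashes.
    if hmac.compare_digest(candidate, record["hash"]):
        return Session(username)
    return None

# --- Authorisation side --------------------------------------------------

# Settings established and managed by the organisation, not by the user.
ROLES = {"alice": "admin", "bob": "staff"}          # constructed
PERMISSIONS = {                                       # constructed
    "staff": {"email", "timesheet"},
    "admin": {"email", "timesheet", "user-management"},
}

def authorize(session: Optional[Session], app: str) -> bool:
    """Authorisation requires a completed authentication step (a Session)."""
    if session is None:
        return False
    role = ROLES.get(session.username)
    return app in PERMISSIONS.get(role, set())

if __name__ == "__main__":
    bob = authenticate("bob", "hunter2")
    print("bob may use timesheet:", authorize(bob, "timesheet"))            # True
    print("bob may use user-management:", authorize(bob, "user-management"))  # False
    print("wrong password:", authenticate("bob", "wrong"))                  # None
```

The split matters for the page's point: `authorize` never looks at a password, and `authenticate` never looks at permissions. A caller that skipped `authenticate` has no `Session` to present, so every permission check fails closed.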

Authentication vs. authorization

Authentication                                                        | Authorization
----------------------------------------------------------------------|----------------------------------------------------------------------
Verifies the user's identity                                          | Validates the user's access
Checks the identity of a user                                         | Determines the level of access to apps, files or data permitted
Uses passwords or biometric data to validate the identity of the user | Follows settings established and managed by the company
A process that is visible and accessible to the user                  | The user has no power to modify or alter the settings already established within the company
Data is transmitted via ID tokens                                     | Data is transmitted via access tokens


See here for two-factor authentication