Authentication, authorization and access control are three fundamental cyber security concepts that are often confused and used interchangeably. This may be because the end user usually perceives the three as one single process, yet it is critically important to understand the distinction when designing a security framework.
In the authentication process, the identities of users are verified. Most of the time this verification involves a username and a password, but other methods such as a PIN, a fingerprint scan or a smart card are used as well.
To carry out authentication, the user must already have an account in the system that the authentication mechanism can check against, or an account has to be created during the process.
A user is either who they claim to be or someone else, so the output of the authentication process is either a yes or a no. ‘Maybe’ is treated as a no for security reasons.
In addition, the ‘user’ may not be an actual person but an application trying to use a web services API.
Authentication technologies are mainly used with two types of authorization processes:
Two-factor authentication
In the past, multi-factor authentication was very popular, but because it was hard to use, password authentication prevailed. Two-factor authentication, on the other hand, is still a widely used security process that involves two methods of verification, one of which is usually a password.
Frequently used authentication technologies are username/password, one-time passwords and biometric authentication.
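The following is an added example, not code from the original article, showing the two points above in working form: a two-factor check (password plus a time-based one-time password) whose verdict is a strict yes or no, with every other outcome (unknown user, wrong password, malformed code) treated as a no. The account store, the username ‘alice’, the password and the salts are constructed for the example; the TOTP secret is the RFC 6238 test key so the codes are reproducible, and a real enrolment would generate it with os.urandom().

```python
import hashlib
import hmac
import os
import struct
import time

PBKDF2_ITERATIONS = 200_000


def hash_password(password, salt):
    """Slow, salted password hash (PBKDF2-HMAC-SHA256); only the hash is stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238 time-based one-time password (HMAC-SHA1) for the window containing at_time."""
    counter = struct.pack(">Q", int(at_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


# Constructed account store with a single enrolled user. The TOTP secret is the
# RFC 6238 test key so the example is reproducible; real enrolment uses os.urandom().
_ALICE_SALT = os.urandom(16)
ACCOUNTS = {
    "alice": {
        "salt": _ALICE_SALT,
        "pw_hash": hash_password("correct horse battery staple", _ALICE_SALT),
        "totp_secret": b"12345678901234567890",
    },
}
# Dummy credential so that checking an unknown username costs the same time as a real one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("placeholder", _DUMMY_SALT)


def authenticate(username, password, otp, now=None):
    """Two-factor authentication. Returns True only when both factors verify;
    every other outcome (unknown user, wrong password, wrong or malformed code)
    is False. There is no 'maybe'."""
    now = time.time() if now is None else now
    account = ACCOUNTS.get(username)
    if account is None:
        # Do the same work as for a real account so timing does not reveal which usernames exist.
        hmac.compare_digest(hash_password(password, _DUMMY_SALT), _DUMMY_HASH)
        return False
    password_ok = hmac.compare_digest(hash_password(password, account["salt"]), account["pw_hash"])
    expected_otp = totp(account["totp_secret"], now)
    # compare_digest on str requires ASCII input; a malformed code is simply a failed factor.
    otp_ok = isinstance(otp, str) and otp.isascii() and hmac.compare_digest(otp, expected_otp)
    # Both factors are always evaluated; the verdict is a plain yes or no.
    return password_ok and otp_ok


if __name__ == "__main__":
    t = time.time()
    code = totp(ACCOUNTS["alice"]["totp_secret"], t)
    print("correct password + current code:", authenticate("alice", "correct horse battery staple", code, t))
    print("wrong password + current code:  ", authenticate("alice", "wrong", code, t))
```

The password is compared through a constant-time digest comparison and the same hashing work is done for unknown usernames, so the yes/no verdict does not leak extra information about why it was a no.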
In the authorization process, it is established whether the (already authenticated) user is allowed to access a resource. In other words, authorization determines what a user is and is not permitted to do.
The level of authorization granted to a user is determined by the metadata attached to the user’s account. Such data can indicate whether the user is a member of the ‘Administrators’ or ‘Customers’ group, or whether the user has a paid subscription for some content.
Authorization also encompasses authorization management, which means creating authorization rules. For instance, an administrator can be allowed to create a rule that lets another user publish content to a web page.
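As an added example (not from the original article), the following code makes authorization decisions purely from account metadata of the kind just described (group membership such as ‘Administrators’ or ‘Customers’, and a paid-subscription flag), and shows authorization management as itself a guarded operation: only an actor who holds the constructed ‘manage_rules’ permission can create a rule that lets another user publish. The rule table, permission names and user names are all constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    """An already-authenticated identity plus the metadata that drives authorization."""
    username: str
    groups: set = field(default_factory=set)
    paid_subscription: bool = False

    def principals(self):
        # A user matches a rule either directly or through one of their groups.
        return {f"user:{self.username}"} | {f"group:{g}" for g in self.groups}


# Constructed rule table: permission -> principals that hold it. Anything not listed is denied.
RULES = {
    "manage_rules": {"group:Administrators"},
    "view_orders": {"group:Administrators", "group:Customers"},
}


def is_authorized(account, permission):
    """Decide from account metadata alone; the caller has already authenticated the account."""
    if permission == "read_premium_content":
        # Attribute-driven rule: a paid subscription grants premium content regardless of group.
        return account.paid_subscription
    return not RULES.get(permission, set()).isdisjoint(account.principals())


class NotAuthorized(PermissionError):
    pass


def grant(actor, principal, permission):
    """Authorization management: creating a rule is itself a privileged action."""
    if not is_authorized(actor, "manage_rules"):
        raise NotAuthorized(f"{actor.username} may not manage authorization rules")
    RULES.setdefault(permission, set()).add(principal)


if __name__ == "__main__":
    admin = Account("root", groups={"Administrators"})
    alice = Account("alice", groups={"Customers"}, paid_subscription=True)
    print(is_authorized(alice, "publish_content"))   # False: no rule exists yet
    grant(admin, "user:alice", "publish_content")    # the administrator lets alice publish
    print(is_authorized(alice, "publish_content"))   # True
```

The lookup is deny-by-default: a permission with no rule, or a user matching none of its principals, is simply refused rather than treated as a special case.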
We create authorization policies when using social media: Facebook, LinkedIn, Twitter and Instagram have millions of users, but we can authorize (to an extent) which of those users can interact with us.
Authorization technologies empower businesses by letting them control what employees can access, and where and on which device they can access data.
Even a small amount of such regulation lets businesses make sure that their staff access sensitive data on a secure device operating within the company’s firewall.
In the access control process, the required security for a particular resource is enforced.
Once we have established who the user is and what they can access, we need to actively prevent that user from accessing anything they should not. Thus access control can be seen as the combination of authentication and authorization plus additional measures such as IP-based restrictions.
Most of the time, security vulnerabilities in applications stem from inadequate access control mechanisms rather than faulty authentication or authorization mechanisms, because access control is more complex and intricate than the other two.
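The enforcement layer described above, as an added example that is not part of the original article: a single decision function that combines the authentication result (is there a verified identity?), the authorization result (may that identity do this?) and an IP-based restriction, where any failing check denies and nothing is granted by default. The users, resources, permissions and network ranges are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    session_user: Optional[str]   # None when no authenticated session exists
    client_ip: str
    action: str
    resource: str


# Constructed authorization data: the (action, resource) pairs each authenticated user holds.
PERMISSIONS = {
    "alice": {("read", "/reports"), ("write", "/reports")},
    "bob": {("read", "/reports")},
}
# Constructed IP-based restriction: writes to /reports are only accepted from internal networks.
WRITE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.1.0/24")]


def access_decision(req):
    """Access control layer: returns (allowed, reason). Each check can only deny;
    the request is allowed only when every check passes."""
    # 1. Authentication result: is there a verified identity at all?
    if req.session_user is None:
        return False, "not authenticated"
    # 2. Authorization result: may this identity perform this action on this resource?
    if (req.action, req.resource) not in PERMISSIONS.get(req.session_user, set()):
        return False, "not authorized"
    # 3. Additional measure: where is the request coming from?
    if req.action == "write":
        try:
            ip = ipaddress.ip_address(req.client_ip)
        except ValueError:
            # An address we cannot parse is treated as outside every allowed network.
            return False, "unparseable client address"
        if not any(ip in net for net in WRITE_NETWORKS):
            return False, "write not permitted from this network"
    return True, "allowed"


def enforce(req):
    """Wrapper for request handlers: raise on denial so no handler runs by accident."""
    allowed, reason = access_decision(req)
    if not allowed:
        raise PermissionError(reason)
    return reason


if __name__ == "__main__":
    print(access_decision(Request("alice", "10.1.2.3", "write", "/reports")))
    print(access_decision(Request("alice", "203.0.113.5", "write", "/reports")))
    print(access_decision(Request(None, "10.1.2.3", "read", "/reports")))
```

Keeping the checks in one function, in a fixed order, is what makes the layer reviewable: a handler that forgets to call enforce() is the kind of gap the next paragraph warns about, so in practice the wrapper is applied by the framework to every route rather than by each handler individually.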
The main types of access control are DAC (discretionary access control), RBAC (role-based access control), ABAC (attribute-based access control) and MAC (mandatory access control).
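To make the difference between the four models concrete, here is an added example (not from the original article) that evaluates the same kind of request under each: DAC, where the resource owner edits an access list; RBAC, where permissions attach to roles; ABAC, where a policy predicate inspects attributes of subject, resource and environment; and MAC, where the system assigns sensitivity labels that the owner cannot change and applies the classic ‘no read up, no write down’ rules. The file name, users, roles, departments and labels are all constructed.

```python
from enum import IntEnum

# ---- DAC: the owner of a resource decides, via an access list stored with the resource ----
FILES = {"/design.doc": {"owner": "alice", "acl": {"alice": {"read", "write"}, "bob": {"read"}}}}


def dac_allows(user, path, action):
    return action in FILES[path]["acl"].get(user, set())


def dac_share(actor, path, user, action):
    """Only the owner may extend the access list; returns whether the change was applied."""
    if FILES[path]["owner"] != actor:
        return False
    FILES[path]["acl"].setdefault(user, set()).add(action)
    return True


# ---- RBAC: permissions attach to roles, and users are assigned roles ----
ROLE_PERMISSIONS = {
    "editor": {("read", "/design.doc"), ("write", "/design.doc")},
    "viewer": {("read", "/design.doc")},
}
USER_ROLES = {"alice": {"editor"}, "bob": {"viewer"}}


def rbac_allows(user, path, action):
    return any((action, path) in ROLE_PERMISSIONS[role] for role in USER_ROLES.get(user, set()))


# ---- ABAC: a policy predicate over subject, resource and environment attributes ----
def abac_allows(subject, resource, environment):
    """Constructed policy: same department as the resource, and only during office hours."""
    return subject["department"] == resource["department"] and 8 <= environment["hour"] < 18


# ---- MAC: system-assigned labels the owner cannot change, with Bell-LaPadula style rules ----
class Level(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3


CLEARANCE = {"alice": Level.SECRET, "bob": Level.INTERNAL}   # assigned by the system, not the owner
LABEL = {"/design.doc": Level.CONFIDENTIAL}


def mac_allows(user, path, action):
    clearance, label = CLEARANCE[user], LABEL[path]
    if action == "read":
        return clearance >= label      # no read up: a subject may not read above its clearance
    if action == "write":
        return clearance <= label      # no write down: a subject may not leak data to a lower label
    return False


if __name__ == "__main__":
    for model, fn in (("DAC", dac_allows), ("RBAC", rbac_allows), ("MAC", mac_allows)):
        print(model, "bob write /design.doc:", fn("bob", "/design.doc", "write"))
```

Note the contrast the example is built around: under DAC, alice can grant bob write access whenever she likes; under MAC, no owner action changes the outcome, because the labels and clearances are set by the system and the rules are applied uniformly.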