The foundation of access control is based on the three major tenants of identification, authentication, and authorization. In this video, you’ll learn how each of these is used to maintain the security of our networks.
<< Previous Video: SAMLNext: Authorization and Access Control >>
Identification is the process of associating a user with something that has occurred on a server, on a network, or with some other resource. You need to know who accessed a particular file. You need to understand who just logged into a server. That is the process we call identification.
This information is almost always logged. And there’s usually a username or some type of very unique identifier assigned to that particular function. This identifier could be something like a name of a person– maybe their first name or their last name.
In Windows, there’s something called a Security Identifier, or a SID. And that is something that is assigned to every user on a device. And it’s something unique for every user on that device.
We could use something like a smart card, or a certificate that we might carry with us, and that would certainly identify us uniquely. There could be also biometrics in use. Maybe we use something like a fingerprint, or a retina scan, to be able to identify us uniquely. Or certainly something like a verification card that has our picture and our personal information on it. That may be something that we provide to an end user, or to a third party, that does indeed say that we are identified as this particular person.
It’s not enough to say that you’re a particular user or have a label associated with yourself. You also have to prove that you are that person. And that is the process of authentication. The authentication process means that you’re going through some extra steps to prove you are who you say you are. We can’t just take at face value that you happen to be that user. We need some other type of proof to be made available.
This proof would commonly be something like the combination of a username and a secret password or passphrase. That combination of things together would help prove that you are who you say you are because no one else has that combination of information. But you might also want to add additional authentication types to that. Maybe we do provide biometric information, or provide a pseudo random key generation that is something that you have to have with you when you’re authenticating to these resources.
Once you have authenticated to these resources, and we believe we have identified you successfully, now we have to provide you with authorization. This is the step that defines what rights and permissions you have to these particular resources. We need to define this as, perhaps, your name of the user. Perhaps you belong to a certain group of users and therefore you have certain rights and permissions available.
Ultimately, it’s access to the resources that is the important part. And these resources may be files, or directories on a file server, or it may be what you can access on the intranet of your network. This is all defined by these rights and permissions that we’re assigning based on your authorization to the network.
There also needs to be a way to ensure that these policies are enforced. Now that we know who you are, and you’ve authenticated to the network, we need to make sure the authorization will provide the limits and the access that you need, based on who you are. This is usually something that might be defined in policies in a firewall, or an access control list on a file server.