What is authorization in cyber security

While authentication and authorization are often used interchangeably, they are separate processes used to protect an organization from cyber-attacks. As data breaches continue to escalate in both frequency and scope, authentication and authorization are the first line of defense to prevent confidential data from falling into the wrong hands. As a result, strong authentication and authorization methods should be a critical part of every organization’s overall security strategy.

So, what is the difference between authentication and authorization? Simply put, authentication is the process of verifying who someone is, whereas authorization is the process of verifying what specific applications, files, and data a user has access to. The situation is like that of an airline that needs to determine which people can come on board. The first step is to confirm the identity of a passenger to make sure they are who they say they are. Once a passenger’s identity has been determined, the second step is verifying any special services the passenger has access to, whether it’s flying first-class or visiting the VIP lounge.

In the digital world, authentication and authorization accomplish these same goals. Authentication is used to verify that users really are who they represent themselves to be. Once this has been confirmed, authorization is then used to grant the user permission to access different levels of information and perform specific functions, depending on the rules established for different types of users.

| Authentication | Authorization |
|---|---|
| Authentication verifies who the user is. | Authorization determines what resources a user can access. |
| Authentication works through passwords, one-time pins, biometric information, and other information provided or entered by the user. | Authorization works through settings that are implemented and maintained by the organization. |
| Authentication is the first step of a good identity and access management process. | Authorization always takes place after authentication. |
| Authentication is visible to and partially changeable by the user. | Authorization isn’t visible to or changeable by the user. |
| Example: By verifying their identity, employees can gain access to an HR application that includes their personal pay information, vacation time, and 401K data. | Example: Once their level of access is authorized, employees and HR managers can access different levels of data based on the permissions set by the organization. |

Common Authentication Methods

While user identity has historically been validated using the combination of a username and password, today’s authentication methods commonly rely upon three classes of information:

  • What you know: Most commonly, this is a password. But it can also be an answer to a security question or a one-time pin that grants user access to just one session or transaction.
  • What you possess: This could be a mobile device or app, a security token, or digital ID card.
  • What you are: This is biometric data such as a fingerprint, retinal scan, or facial recognition.

Oftentimes, these types of information are combined using multiple layers of authentication. For example, a user may be asked to provide a username and password to complete an online purchase. Once that’s confirmed, a one-time pin may be sent to the user’s mobile phone as a second layer of security. By combining multiple authentication methods with consistent authentication protocols, organizations can strengthen security while keeping their systems compatible with one another.

Once a user is authenticated, authorization controls are then applied to ensure users can access the data they need and perform specific functions such as adding or deleting information—based on the permissions granted by the organization. These permissions can be assigned at the application, operating system, or infrastructure levels. Two common authorization techniques include:

  • Role-based access controls (RBAC): This authorization method gives users access to information based on their role within the organization. For example, all employees within a company may be able to view, but not modify, their personal information such as pay, vacation time, and 401K data. Yet HR managers may be given access to all employees’ HR information with the ability to add, delete, and change this data. By assigning permissions according to each person’s role, organizations can ensure every user is productive, while limiting access to sensitive information.
  • Attribute-based access control (ABAC): ABAC grants users permissions on a more granular level than RBAC using a series of specific attributes. This may include user attributes such as the user’s name, role, organization, ID, and security clearance. It may include environmental attributes such as the time of access, location of the data, and current organizational threat levels. And it may include resource attributes such as the resource owner, file name, and level of data sensitivity. ABAC is a more complex authorization process than RBAC, designed to limit access more tightly. For example, rather than allowing all HR managers in an organization to change employees’ HR data, access can be limited to certain geographical locations or hours of the day to maintain tight security limits.
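The following is an added example, not code from the original article, showing the difference between the two decisions described above: an RBAC check that derives permissions only from the user's roles, and an ABAC policy that treats the role as one user attribute among others and adds environmental (hour, request location, threat level) and resource (owner, sensitivity) attributes. The role names, permission strings, country codes and the `env` keys are constructed for illustration; a real deployment would take them from its own policy store.

```python
from dataclasses import dataclass

# RBAC: a static role -> permission mapping (constructed example roles).
ROLE_PERMISSIONS = {
    "employee":   {"hr_record:view_own"},
    "hr_manager": {"hr_record:view_own", "hr_record:view_any", "hr_record:edit_any"},
}


@dataclass(frozen=True)
class User:
    user_id: str
    roles: frozenset       # user attribute: roles assigned by the organization
    clearance: int         # user attribute: security clearance level (constructed scale)


@dataclass(frozen=True)
class HRRecord:
    owner_id: str          # resource attribute: the employee the record belongs to
    sensitivity: int       # resource attribute: data sensitivity level (constructed scale)


def rbac_permissions(user: User) -> set:
    """Union of the permissions granted by each of the user's roles."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def rbac_allows(user: User, action: str, record: HRRecord) -> bool:
    """Role-based decision: only the role mapping matters, plus 'own' vs 'any' scoping.
    Anything not explicitly granted is denied (default deny)."""
    perms = rbac_permissions(user)
    if action == "view":
        return "hr_record:view_any" in perms or (
            "hr_record:view_own" in perms and record.owner_id == user.user_id
        )
    if action == "edit":
        return "hr_record:edit_any" in perms
    return False


def abac_allows(user: User, action: str, record: HRRecord, env: dict) -> bool:
    """Attribute-based decision. The role check is reused as the user attribute,
    then narrowed by environment and resource attributes for edits.
    env keys (constructed): 'hour' (0-23 local), 'country' (request origin), 'threat_level'."""
    if not rbac_allows(user, action, record):
        return False
    if action == "view":
        return True  # this policy adds no extra constraints on viewing
    # Editing other employees' HR data: business hours only, from approved countries,
    # with clearance at least the record's sensitivity and no elevated threat level.
    return (
        8 <= env["hour"] < 18
        and env["country"] in {"US", "DE"}
        and user.clearance >= record.sensitivity
        and env["threat_level"] != "high"
    )


if __name__ == "__main__":
    alice = User("alice", frozenset({"employee"}), clearance=1)
    carol = User("carol", frozenset({"hr_manager"}), clearance=3)
    bob_record = HRRecord(owner_id="bob", sensitivity=2)
    office_hours = {"hour": 10, "country": "US", "threat_level": "low"}
    late_night = {"hour": 22, "country": "US", "threat_level": "low"}
    print("RBAC lets the HR manager edit:", rbac_allows(carol, "edit", bob_record))
    print("ABAC during office hours:", abac_allows(carol, "edit", bob_record, office_hours))
    print("ABAC at 22:00 (same role):", abac_allows(carol, "edit", bob_record, late_night))
    print("Employee viewing someone else's record:", abac_allows(alice, "view", bob_record, office_hours))
```

The point to notice is the last two cases: RBAC answers "can an HR manager edit records?" with a fixed yes, while ABAC answers the same request differently at 22:00, because the decision consults the environment at request time rather than only the role table.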

A sound security strategy requires protecting one’s resources with both authentication and authorization. With a strong authentication and authorization strategy in place, organizations can consistently verify who every user is and what they have access to do—preventing unauthorized activity that poses a serious threat. By ensuring all users properly identify themselves and access only the resources they need, organizations can maximize productivity, while bolstering their security at a time when data breaches are robbing businesses of their revenue and their reputation.


Businesses use authentication and authorization solutions to positively identify users and control access to applications and IT systems. Authentication refers to the process of validating a user’s identity. Usernames and passwords are the most basic and familiar forms of authentication.

Authorization refers to the process of granting a user permission to access specific resources or capabilities once their identity is verified. For example, a system administrator might be granted root-level or superuser privileges to a resource, while an ordinary business user might be granted restricted access or no access at all to the same resource.

Most identity and access management (IAM) solutions provide both authentication and authorization functionality and can be used to tightly control access to on-premises and cloud-based applications, services and IT infrastructure. Access management solutions help ensure the right users have access to the right resources at the right times for the right reasons.

Multi-Factor Authentication

Basic authentication methods that require only username and password combinations are inherently vulnerable. Threat actors can carry out phishing attacks or other schemes to harvest credentials and pose as legitimate users to steal data or perpetrate attacks.

Most IAM solutions support Multi-Factor Authentication (MFA) functionality to protect against credential theft and user impersonation. With MFA, a user must present multiple forms of evidence to gain access to an application or system—for example, a password and a one-time, short-lived SMS code.

Authentication factors include:

  • Knowledge factors – something the user knows, such as a password or an answer to a security question
  • Possession factors – something the user has, such as a mobile device or proximity badge
  • Inherence factors – something biologically unique to the user, such as a fingerprint or facial characteristics
  • Location factors – the user’s geographic position

Adaptive Authentication

Many modern IAM solutions support adaptive authentication methods, using contextual information (location, time-of-day, IP address, device type, etc.) and business rules to determine which authentication factors to apply to a particular user in a particular situation. Adaptive authentication balances security with user experience.
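As an added example (not code from the original article or from any IAM product), the block below puts the two preceding sections together: a knowledge factor (salted PBKDF2 password hash), a possession factor (a time-based one-time code of the kind an authenticator app generates, computed per RFC 6238 on top of RFC 4226 HOTP), and an adaptive policy that looks at contextual signals to decide which factors a given login must present. The `required_factors` rules, the `context` keys (`known_device`, `country`, `hour`) and the approved-country set are constructed assumptions; the TOTP arithmetic follows the RFCs.

```python
import hashlib
import hmac
import os
import struct

# ---- Knowledge factor: password stored as a salted, iterated hash ----

def hash_password(password: str, salt: bytes = None, iterations: int = 200_000):
    """Return (salt, iterations, digest); the plaintext is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_password(password: str, salt: bytes, iterations: int, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


# ---- Possession factor: HOTP (RFC 4226) and TOTP (RFC 6238) ----

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(secret: bytes, at: int, step: int = 30) -> str:
    """TOTP is HOTP with the counter = Unix time // step."""
    return hotp(secret, at // step)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current time step and +/- `window` steps to tolerate clock drift."""
    return any(
        hmac.compare_digest(totp(secret, at + k * step, step), code)
        for k in range(-window, window + 1)
    )


# ---- Adaptive policy: context decides which factors this login must present ----

APPROVED_COUNTRIES = {"US", "DE"}  # constructed


def required_factors(context: dict) -> set:
    """Knowledge is always required; possession is added when the context looks risky
    (unknown device, request from outside approved countries, or outside 07:00-20:00)."""
    required = {"knowledge"}
    if not context.get("known_device", False):
        required.add("possession")
    if context.get("country") not in APPROVED_COUNTRIES:
        required.add("possession")
    hour = context.get("hour")
    if hour is not None and not 7 <= hour <= 20:
        required.add("possession")
    return required


def authenticate(account: dict, presented: dict, context: dict, now: int) -> bool:
    """account: {'password': (salt, iterations, digest), 'totp_secret': bytes}
    presented: what the user supplied, e.g. {'password': ..., 'otp': ...}."""
    needed = required_factors(context)
    if "knowledge" in needed and not verify_password(presented.get("password", ""), *account["password"]):
        return False
    if "possession" in needed and not verify_totp(account["totp_secret"], presented.get("otp", ""), now):
        return False
    return True


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test secret, constructed enrollment
    account = {"password": hash_password("correct horse battery staple"), "totp_secret": secret}
    trusted = {"known_device": True, "country": "US", "hour": 10}
    risky = {"known_device": False, "country": "US", "hour": 10}
    now = 59
    print("trusted context needs:", required_factors(trusted))
    print("risky context needs:", required_factors(risky))
    print("password only, risky context:",
          authenticate(account, {"password": "correct horse battery staple"}, risky, now))
    print("password + current code, risky context:",
          authenticate(account, {"password": "correct horse battery staple", "otp": totp(secret, now)}, risky, now))
```

A detail worth keeping from this sketch: the server stores only the password hash and the shared TOTP secret, every comparison goes through `hmac.compare_digest`, and the step-up decision is made before any factor is checked, so a risky login is never told that the password alone was correct.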

Single Sign-On

Many IAM solutions support Single Sign-On (SSO) capabilities that allow users to access all their applications and services with a single set of credentials. SSO improves user experiences by eliminating password fatigue and strengthens security by eliminating risky user behaviors like writing passwords on paper or using the same password for all applications. Many IAM solutions support standards-based identity management protocols such as SAML, OAuth and OpenID Connect to enable SSO federation and peering.

Authorization

Most IAM solutions provide administrative tools for onboarding employees and managing access privileges throughout the employee lifecycle, including separation and the offboarding process. Many of these solutions support role-based access controls (RBACs) to align a user’s privileges with their job duties. RBACs help prevent privilege creep and simplify administration when employees change jobs or leave an organization. Many IAM solutions also support self-service portals and automated approval workflows that let employees request access rights and update account information without help desk intervention.
