Authentication vs Authorization vs Accounting


Authentication and authorization procedures are the basic components of online security aimed at keeping your data secure. They are common security processes that are usually used in tandem. In basic terms, authentication checks the identity of a user, while authorization controls what that user is allowed to access. When using a shared document, for example a Google Doc, you need to log in to authenticate your identity. Whether you have permission to open and view the document, or to edit it, is determined by the authorization controls.

Being able to log in and gain access to resources is one of the most important parts of anyone’s network. If you're logging into a network or connecting to a VPN, you're probably using an “AAA” security framework, which stands for authentication, authorization, and accounting. The first step of an AAA framework is identification, for which we typically use a username. Since anyone could claim a username, we then need to provide another piece of evidence that is unique to you and proves that you are who you say you are: a password or one of the other types of authentication factors. Once you have been successfully authenticated, you gain access to the resources that are associated with your particular username. If you are logging in as an administrator, you will have different authorization than someone using a user or a guest account. With accounting, we keep track of information such as when a user logged in, what resources or data were sent back and forth, and when the user logged out.

Basic authentication processes should be familiar to most people: inputting a password, answering security questions, and scanning a fingerprint to access your smartphone are all authentication methods for proving that you are who you claim to be. Local authentication applications traditionally store credentials that must be entered and validated for a user to be granted access. Password-less authentication techniques, such as multi-factor authentication with one-time passcodes sent via SMS, and single sign-on are increasingly being used and are generally more secure than passwords alone. Having all your accounts in a centralized database and being able to use single sign-on may be very convenient, but there may be times when you would not want to authenticate against a centralized database, and for such cases you could use local authentication. So if you were to log into a server, you might want to use a set of credentials that are stored on that local device. Keep in mind that local accounts are difficult to scale, but they can be a great backup resource.
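To make the local-authentication and multi-factor ideas above concrete, here is an added example (not code from the original article) of a small local credential store that keeps only a salted, slow PBKDF2 hash of each password and requires a second factor, an RFC 6238 time-based one-time code, before a login succeeds. The store layout, the `register`/`authenticate` helper names and the iteration count are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Dict, Optional, Tuple

# Constructed in-memory credential store: username -> (salt, pbkdf2 hash).
# The clear-text password is never stored, only a salted, deliberately slow hash.
CredentialStore = Dict[str, Tuple[bytes, bytes]]
ITERATIONS = 200_000  # assumption: tune to your hardware; higher is slower for attackers too


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def register(store: CredentialStore, username: str, password: str) -> None:
    salt = os.urandom(16)  # per-user random salt defeats precomputed hash tables
    store[username] = (salt, hash_password(password, salt))


def verify_password(store: CredentialStore, username: str, password: str) -> bool:
    record = store.get(username)
    if record is None:
        # Hash anyway so an unknown username takes as long as a wrong password
        hash_password(password, b"\x00" * 16)
        return False
    salt, expected = record
    # Constant-time comparison avoids leaking how many bytes matched
    return hmac.compare_digest(hash_password(password, salt), expected)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time code (HMAC-SHA1 over the 30-second counter)."""
    counter = struct.pack(">Q", for_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: Optional[bytes], code: str, now: Optional[int] = None, window: int = 1) -> bool:
    """Accept the code for the current step and one step either side (clock drift)."""
    if not secret:
        return False  # a user without an enrolled second factor cannot pass it
    now = int(time.time()) if now is None else now
    return any(
        hmac.compare_digest(totp(secret, now + d * 30), code)
        for d in range(-window, window + 1)
    )


def authenticate(store: CredentialStore, otp_secrets: Dict[str, bytes],
                 username: str, password: str, code: str,
                 now: Optional[int] = None) -> bool:
    """Both factors must pass: something you know and something you have."""
    return verify_password(store, username, password) and verify_totp(
        otp_secrets.get(username), code, now)


if __name__ == "__main__":
    store: CredentialStore = {}
    register(store, "alice", "correct horse battery staple")
    secrets_by_user = {"alice": b"12345678901234567890"}  # constructed enrolment secret
    t = int(time.time())
    print(authenticate(store, secrets_by_user, "alice",
                       "correct horse battery staple", totp(secrets_by_user["alice"], t), t))
```

The TOTP routine reproduces the published RFC 6238 test vectors (secret `12345678901234567890`, time 59 gives `94287082` at eight digits), so it can be checked against any standard authenticator app.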

Biometric authentication is becoming a popular method of authentication. This security process relies on a user’s unique physical or biological markers, like a fingerprint, which are compared with data stored in a database. If a user presents a facial scan or fingerprint that matches the stored biometric data for that approved user, authentication is confirmed. Since these biological markers are hard to fake and can’t be forgotten or lost like a password, biometric authentication has become a powerful and convenient tool in secure authorization for consumer smartphones, computers, and applications. Hardware authentication relies on a physical device to grant users access to a computer and network resources. Typically, a hardware authenticator such as a USB security key or security token is inserted into a computer’s USB port or paired wirelessly with the device the user is trying to access, in order to verify the user’s identity. Together with the user’s login credentials, the device provides protection even if you lose access to a phone or are subject to a SIM swap attack.

Authorization is the next step after successful authentication. Authorization verifies whether you have the authority to access the content or resources you have requested. Some of these procedures occur via access tokens. These tokens carry security information about a user’s level of privilege and the extent of their access rights. For example, when a user provides credentials to log into a system and that login information is authenticated, an access token indicating what access is permitted is generated. When the user then tries to access a specific resource, the contents of that token are checked to determine whether the action is authorized. Role-Based Access Control (RBAC) assigns users a specific role and grants the access privileges associated with that role. Access Control Lists (ACLs) specify which users or processes are authorized to access specific objects or data, and which operations they may perform.
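The following added example (my own illustration, not code from the original article) walks through the token-based authorization flow just described: after authentication, the server issues an HMAC-signed access token carrying the user's role and an expiry; each resource request is then checked first against the role's permitted operations (RBAC) and then against a per-object ACL. The signing key, the role table, the ACL entries and the object names are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

SERVER_SECRET = b"constructed-server-side-signing-key"  # assumption: never sent to clients

# RBAC: each role maps to the operations it is allowed to perform.
ROLES = {
    "admin": {"read", "write", "delete"},
    "user": {"read", "write"},
    "guest": {"read"},
}

# ACL: object -> {principal: operations}. "*" means any authenticated principal.
ACL = {
    "budget.xlsx": {"alice": {"read", "write"}, "bob": {"read"}},
    "public.txt": {"*": {"read"}},
}


def issue_token(username: str, role: str, now: int, ttl: int = 3600) -> str:
    """Called only after authentication succeeded; encodes who the user is and what role they hold."""
    claims = {"sub": username, "role": role, "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def parse_token(token: str, now: int) -> Optional[dict]:
    """Return the claims if the signature is valid and the token has not expired, else None."""
    try:
        body, sig = token.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # tampered or forged token
    try:
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, json.JSONDecodeError):
        return None
    if claims.get("exp", 0) <= now:
        return None  # expired: the user must authenticate again
    return claims


def authorize(token: str, obj: str, op: str, now: int) -> bool:
    """Authorization check: valid token, then role permits op, then ACL permits op on obj."""
    claims = parse_token(token, now)
    if claims is None:
        return False
    if op not in ROLES.get(claims["role"], set()):
        return False  # RBAC: the role itself never allows this operation
    entries = ACL.get(obj, {})
    allowed = entries.get(claims["sub"], set()) | entries.get("*", set())
    return op in allowed  # ACL: this specific principal on this specific object


if __name__ == "__main__":
    now = 1_700_000_000
    alice = issue_token("alice", "user", now)
    print(authorize(alice, "budget.xlsx", "write", now))   # True
    print(authorize(alice, "budget.xlsx", "delete", now))  # False: role lacks delete
```

Note that both layers must agree: a `user`-role token lets alice write `budget.xlsx` because the ACL names her, while bob, even with the same role, gets only the read the ACL grants him, and an `admin` token still cannot delete an object whose ACL gives that principal nothing.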

Using an “AAA” framework, you can log access details and gather a lot of information about which user is using the network and when. With all this information logged, you can then go back and audit it. We can make sure the right people are logging in from the right location and that every user has access to the correct resources assigned to them. You can see how these resources are being used after users log in and make sure that all of the systems and applications remain secure. An efficient tool for collecting the records of all these events is a SIEM (security information and event management) system. This gives you the information needed to detect and prevent unauthorized access to your systems and network.
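As an added example of the accounting and audit step (not code from the original article), the block below runs a few of the checks the paragraph mentions over a small constructed accounting log: logins from outside a user's expected network, bursts of failed logins, sessions that were never logged out, and which resources each user touched. The log format, the trusted address ranges and the thresholds are assumptions; a real SIEM would ingest far richer records, but the queries are the same in spirit.

```python
import csv
import io
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

# Constructed accounting records: one row per event, as a SIEM might normalise them.
SAMPLE_LOG = """\
ts,user,event,src_ip,resource
1700000000,alice,login_ok,10.0.1.5,
1700000010,alice,access,10.0.1.5,budget.xlsx
1700000020,bob,login_fail,203.0.113.9,
1700000025,bob,login_fail,203.0.113.9,
1700000030,bob,login_fail,203.0.113.9,
1700000035,bob,login_ok,203.0.113.9,
1700000040,bob,access,203.0.113.9,hr/salaries.csv
1700000100,alice,logout,10.0.1.5,
"""

# Assumption: the network each account is expected to log in from.
TRUSTED_NETWORKS = {
    "alice": ip_network("10.0.1.0/24"),
    "bob": ip_network("10.0.2.0/24"),
}


def parse_log(text: str) -> List[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def logins_from_unexpected_source(records: List[dict]) -> List[Tuple[str, str]]:
    """Successful logins whose source address lies outside the user's trusted network."""
    hits = []
    for r in records:
        if r["event"] != "login_ok":
            continue
        net = TRUSTED_NETWORKS.get(r["user"])
        if net is None or ip_address(r["src_ip"]) not in net:
            hits.append((r["user"], r["src_ip"]))
    return hits


def failed_login_bursts(records: List[dict], threshold: int = 3, window: int = 60) -> Dict[str, int]:
    """Users with at least `threshold` failed logins inside any `window`-second span."""
    fails: Dict[str, List[int]] = defaultdict(list)
    for r in records:
        if r["event"] == "login_fail":
            fails[r["user"]].append(int(r["ts"]))
    flagged = {}
    for user, times in fails.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                flagged[user] = j - i
                break
    return flagged


def sessions_without_logout(records: List[dict]) -> Set[str]:
    """Users whose last successful login was never followed by a logout."""
    open_users: Set[str] = set()
    for r in records:  # records are assumed to be in time order
        if r["event"] == "login_ok":
            open_users.add(r["user"])
        elif r["event"] == "logout":
            open_users.discard(r["user"])
    return open_users


def resource_usage(records: List[dict]) -> Dict[str, Dict[str, int]]:
    """How often each user touched each resource, for access reviews."""
    usage: Dict[str, Counter] = defaultdict(Counter)
    for r in records:
        if r["event"] == "access":
            usage[r["user"]][r["resource"]] += 1
    return {user: dict(counts) for user, counts in usage.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("unexpected sources:", logins_from_unexpected_source(recs))
    print("failed-login bursts:", failed_login_bursts(recs))
    print("open sessions:", sessions_without_logout(recs))
    print("resource usage:", resource_usage(recs))
```

On the sample log the checks surface a single account, bob, on every query: he logged in from an address outside his trusted range, did so right after three rapid failures, then read an HR file and never logged out. Each signal alone is weak; together they are exactly the kind of correlation an audit of accounting records is meant to produce.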
