What’s the difference between authentication and authorization?

The easiest way to understand the difference between authentication and authorization is to remember the last time you checked into a hotel.

First, the person behind the desk verified your identity based on your passport or driver's license. They confirmed you had a reservation (your entitlement). You can think of that process as authentication.

Next, they gave you a keycard—that’s your token. What does that token allow you to do? This is where everyone’s story is different.

You’re allowed to enter your room, but not anyone else’s room. You may be able to enjoy the gym and the pool. Maybe breakfast is included. If you’re lucky, you can head to the swanky Ultra lounge.

Determining your access is what’s known as authorization. And that’s where the magic is.

That’s because to reduce risk, it's not enough to just manage and secure identities, you must also manage and secure all their interactions.

Figure: Authentication vs. authorization example

Authentication vs. authorization in the enterprise

Now, let’s apply these concepts of authentication and authorization to risk management in a work environment.

What is authentication?

In an enterprise setting, authentication is simply confirming that users are who they say they are. This is most frequently done using unique username and password combinations.

Multi-factor authentication (MFA) is another layer of identity assurance. With MFA, you’re asked to provide evidence including something you HAVE (like a code on a mobile phone), something that you ARE (a biometric, like your fingerprint), or something you KNOW (like the answers to challenge questions).

Enterprise authentication isn’t just applicable to human identities. Non-human or machine identities can also be authenticated using keys, certificates, or even Kerberos, a type of certificate in a token.

What is authorization?

Once an identity is enrolled into the organization, they’re given a set of entitlements. For standard employees, this typically includes accessing the network, email, and shared drives. Privileged users, however, will have higher levels of access to IT systems or business applications.

These privileged users can be domain administrators, system administrators, or users who have access to critical business applications like your finance and accounting systems. They may be allowed to access certain sections of a database, or execute some transactions but not others.

Authorization is managed via access controls. Access controls determine who can access which resources in the enterprise. You may implement one or more of a wide range of access controls, most commonly:

  • Role-Based Access Control: Determines the authorization for an identity based on pre-defined roles, typically related to job title, organizational structure, or seniority level.

  • Policy-Based Access Control: Access is based on defined policies that can incorporate roles, attributes, and other conditions.

  • Rule-Based Access Control: Rules can be based on conditions such as time, IP address, or other specific criteria.

  • Context-Based Access Control: CBAC considers the context of the access request, such as the user's location, time of access, and the device being used.

Authorization and least privilege access

Let’s go back to the hotel example for a moment. Let’s say I drop my keycard, and someone picks it up. Yes, they can get into my room, but they still can’t get into the room across the hall. Because my privileges—my entitlements—are limited, so is the blast radius of the damage they can do.

Limiting authorization to just-in-time, just enough access allows each identity to access only what they need, when they need it. Should a threat agent circumvent controls, impersonate this user, or steal their password, the damage will be contained.

How are authentication vs. authorization converging?

Traditionally, authentication and authorization processes and controls are managed in organizational silos, with disconnected tools and processes.

Teams responsible for identity provisioning typically manage authentication using a variety of tools for Identity and Access Management (IAM), MFA, federated identities and Single Sign-On (SSO). They may connect to Active Directory, Okta, or any number of identity directories. Some security controls, such as MFA or peer reviews, are shared between authentication and authorization.

Meanwhile, Privileged Access Management (PAM) solutions manage privileged access, including access policies, session recording, auditing, and reporting. They may use shared privileged accounts that can be checked out of a vault by different people.

Additionally, other teams in the enterprise are managing similar processes directly within cloud platforms or business applications.

This fragmentation has led to inefficiency, duplication of spend, and wasted time.

In forward-thinking organizations, convergence is starting to happen. The people who manage authentication and authorization processes are starting to work together more closely, and so are the solutions that support them.

When you bring authorization and authentication together you can realize the benefits of defense-in-depth to provide stronger identity security for your organization. The key is ensuring your authorization and authentication solutions are fully integrated and interoperable, so they share information back and forth and are always up to date.

Context-aware, dynamic authentication and authorization

Integration between authentication and authorization makes it possible to achieve adaptive access controls that are based on risk criteria. You gain a better understanding of the risk posed by a specific identity requesting access to a particular resource. Taking all the information into account, you can automatically apply an integrated risk score that helps to manage both processes.

For example, before granting access you can check reputation, history, and behavior of an identity. You may want to know what identity provider or directory the identity is coming from. You can also check things like an unusual time of day, device, or physical location, or any other criteria that differ from the norm.

Based on the risk score, you may determine that the identity shouldn’t have access under specific circumstances. Then, you can apply additional security controls, such as MFA in-depth, meaning at different interaction points when risk increases. This flexible approach allows you to keep pace as risk changes based on new technologies, partnerships, and ways that data is being used. You avoid the risk of standing, static privileges with excess permissions.
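The access-control models listed above and the risk-based flow described in this section can be combined in one decision routine. The following is an added example, not code from the original article or any vendor product: a role-to-entitlement table (RBAC) is checked first, then constructed context signals (identity provider, device, location, time of day) are summed into a risk score that decides between allow, step-up MFA, or deny. The role names, identity provider names, resource names and weights are all hypothetical sample values.

```python
from dataclasses import dataclass, field
# Role -> entitlements (RBAC). Constructed sample data, not a real policy.
ROLE_ENTITLEMENTS = {
    "employee": {"network", "email", "shared_drive"},
    "finance_admin": {"network", "email", "shared_drive", "finance_db:read", "finance_db:post_journal"},
}
TRUSTED_IDPS = {"corp-ad", "corp-okta"}   # hypothetical federated directories
SENSITIVE_PREFIX = "finance_db"           # resources that always need MFA in-depth

@dataclass
class Identity:
    user: str
    role: str
    idp: str                              # identity provider the session came from
    usual_devices: set = field(default_factory=set)
    usual_country: str = "US"

@dataclass
class AccessRequest:
    resource: str
    device_id: str
    country: str
    hour: int                             # local hour of day, 0-23
    mfa_completed: bool = False

def risk_score(ident: Identity, req: AccessRequest) -> int:
    """Add a constructed weight for each context signal that differs from the norm."""
    score = 0
    if ident.idp not in TRUSTED_IDPS:               # unknown directory / IdP
        score += 40
    if req.device_id not in ident.usual_devices:    # unusual device
        score += 25
    if req.country != ident.usual_country:          # unusual physical location
        score += 25
    if req.hour < 6 or req.hour > 22:               # unusual time of day
        score += 15
    return score

def authorize(ident: Identity, req: AccessRequest) -> str:
    """Return 'allow', 'step_up_mfa' or 'deny': entitlement first, then risk."""
    if req.resource not in ROLE_ENTITLEMENTS.get(ident.role, set()):
        return "deny"   # no entitlement -> deny regardless of risk (least privilege)
    score = risk_score(ident, req)
    if score >= 70:     # too far from the norm: block even an entitled identity
        return "deny"
    needs_mfa = score >= 25 or req.resource.startswith(SENSITIVE_PREFIX)
    if needs_mfa and not req.mfa_completed:
        return "step_up_mfa"   # MFA in-depth at the point where risk increases
    return "allow"
```

Because the entitlement check runs before the risk score, a stolen password for a standard employee still cannot reach the finance database, which is the blast-radius limit the hotel keycard analogy describes.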

Embedding governance in authentication and authorization

Governance plays a crucial role in both authentication and authorization, ensuring that the processes for verifying identity and granting access are consistent, secure, and compliant with policies and regulations. Having ongoing oversight gives you the confidence that authentication and authorization controls are configured correctly and working as expected.

Examples of authentication and authorization governance include session recording, privileged behavior analytics, auditing, and reporting.

Governance isn’t something you bolt on at the end of authorization or authentication processes. Rather, it should be embedded in the workflow to enable better decision-making based on real-time information.

Ultimately, all three elements of identity security—authentication, authorization, and governance—work together to help secure modern enterprises.

To learn more about applying these concepts and security controls in your enterprise, check out the podcast:
3 Keys to Protecting Identities: Authentication, Authorization, and Governance with Frank Vukovits