A Beginner's Guide to Verification, Authentication, and Authorization
Jeff Carpenter explains identity verification, authentication (AuthN), and authorization (AuthZ), their differences, and their importance in securing access and managing entitlements within an organization.
Hello, I'm Jeff Carpenter with Delinea, and I'm going to talk about a couple of identity concepts you may or may not be familiar with. They're known as AuthN, also known as authentication, and AuthZ, also known as authorization, and I'm going to go through the differences between them. Now, if you're joining our discussion here, you might have been tasked with an identity project, and maybe you're not in this space, so you're not super familiar with these concepts.
Well, you've come to the right place, and in fact, I'm going to introduce another concept here. So let's just get into the basics of it. You start off, and somebody comes into your organization, right? You need to onboard this person onto the network or onto an application. Alright, so for the first thing, you may say, well, that's authentication, right?
Actually, we're going to introduce a new concept called verification. It's a small but important concept: when a person actually joins an organization, you don't simply trust that it's them walking in on day one. You usually need them to bring a couple of pieces of ID, and that's what we mean by identity verification.
Now, increasingly, verification is taking place without the intervention of any human beings. In other words, a person wanting to enroll in an online bank needs to do verification online. They'll provide a scan of their driver's license, and then in the back end the bank will compare that to a known record of that person to at least get that first verification that it is them.
And that's not a throwaway concept, because a lot of times you'll hear people refer to verification when they actually mean authentication. So it's just important to know that. And in the machine world, when you enroll a machine or a device onto a network, say you're setting up a printer or whatever, even there this is important.
A lot of times, devices and machines will verify using keys, certificates, or even Kerberos, which is a type of certificate and token. So even in the machine world, this becomes important. This is actually step one. Now let's talk about what happens once that human or that machine has been verified.
Okay, we know that this is Jeff Carpenter. He has been verified. Now what? Now he is enrolled into the organization, and he's given a set of entitlements allowing him to get out to the network, to the email, to the shared drives, etc. But before he does that, he needs to authenticate, and that's what we mean by AuthN or authentication.
Authentication is simply the claim of Jeff, in this case, to make sure he is the person that we initially verified he is. This is most frequently done using a username and password. The username is not the confidential part; the password is. Because with authentication, it's something that you know.
So that's typically the password. Or it's something that you are: it can be your biometric, like your eyes, your fingerprint, etc. Or it's something that you have with you, like a token, something that only you have been assigned, something that's tagged to you. Increasingly, this is your mobile device, of course.
And then, once you are authenticated, you are allowed access to your target system, your network, or to complete a transaction, like a bank money transfer, etc. So authentication is very important, but a big, big part of this story that you need to understand is really this third part here, and that is authorization.
Because we are not all given the same rights to access everything. This piece here, the authorization or AuthZ part, is a very important part of the security equation, whether you're in security, identity, or whatever part of the organization you're in. Understanding this authorization part is critical, because you can go as deep and as wide with AuthZ as you can possibly imagine.
So, I mentioned I've been verified, I'm now authenticated, I'm in the system here. Now what can I do? Obviously I'm assigned something; if you follow the various philosophies, say role based, I'm assigned a role, right? And the role will get me a certain amount of rights. So I'm, for example, a salesperson.
Now I can go into Salesforce and I can look at certain views and certain tables, and that is all controlled by the authorization scheme. So understanding authorization and what you can do is critical from a security standpoint. Limiting authorization to just in time access (the concept of JIT) to what a user actually needs, and to just enough access, will allow this user to get only what they need, when they need it. That limits the damage on the off chance that somebody compromises the authentication and gets into the network or into the application: right here, they are indeed limited in what they can see, what they can do, and what they can access.
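To make the separation concrete, here is an added example (not Delinea's code or anything from the video) that models the three stages in Python: enrollment after out-of-band verification, authentication against a salted password hash, and authorization that combines a standing role with time-limited JIT grants. The user name, role names and permission strings are constructed for the walkthrough.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

# Constructed role -> standing permissions map: "just enough" for the day job.
ROLE_PERMISSIONS = {
    "salesperson": {"salesforce:read_opportunities"},
    "admin": {"salesforce:read_opportunities", "salesforce:export_all"},
}

def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 so a copied store does not reveal passwords; the username is not secret.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Grant:
    permission: str
    expires_at: float  # JIT access: the entitlement goes away on its own

@dataclass
class Identity:
    salt: bytes
    pw_hash: bytes
    role: str
    jit_grants: list = field(default_factory=list)

def enroll(store: dict, user: str, password: str, role: str) -> None:
    """Verification (ID check) happened out of band; enrollment records the outcome."""
    salt = os.urandom(16)
    store[user] = Identity(salt, _hash(password, salt), role)

def authenticate(store: dict, user: str, password: str) -> bool:
    """AuthN: does the claimant prove they are the previously verified 'user'?"""
    ident = store.get(user)
    if ident is None:
        return False  # unknown name: fail the same way as a wrong password
    return hmac.compare_digest(_hash(password, ident.salt), ident.pw_hash)

def grant_jit(store: dict, user: str, permission: str, ttl_seconds: float, now=None) -> None:
    """Add a just-in-time entitlement that expires after ttl_seconds."""
    now = time.time() if now is None else now
    store[user].jit_grants.append(Grant(permission, now + ttl_seconds))

def authorize(store: dict, user: str, permission: str, now=None) -> bool:
    """AuthZ: being authenticated grants nothing by itself; role and live JIT grants decide."""
    now = time.time() if now is None else now
    ident = store.get(user)
    if ident is None:
        return False
    if permission in ROLE_PERMISSIONS.get(ident.role, set()):
        return True
    return any(g.permission == permission and g.expires_at > now for g in ident.jit_grants)
```

A compromised "jeff" credential in this model still cannot export all of Salesforce unless a JIT grant is active, which is the limiting effect the talk describes.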
So AuthZ is very important as you talk to your peers about the projects you're doing and about rolling out new initiatives and applications. Understanding these concepts will be important to understanding how you can help secure your organization and get your users to the information they need as quickly as possible.
I'm Jeff Carpenter. Thank you for listening and thank you for watching today. For more information, visit delinea.com.