The 4 steps to complete access management are identification, authentication, authorization, and accountability. Many get confused or consider that identification and authentication are the same, while some forget or give the least importance to auditing. These are four distinct concepts and must be understood as such.
Whenever you log in to most of the websites, you submit a username. In case you create an account, you are asked to choose a username that identifies you. This username which you provide during login is “Identification”. It is simply a way of claiming your identity.
From an information security point of view, identification describes a method where you claim who you are. If you notice, you share your username with anyone. Your email id is a form of identification and you share this identification with everyone to receive emails. This means that identification is a public form of information.
So now you have entered your username, what do you enter next? The password. This is what authentication is about. Here you authenticate or prove yourself that you are the person you are claiming to be. Authentication can be done through various mechanisms. Let’s understand these types.
There are commonly 3 ways of authenticating: something you know, something you have, and something you are.
Something You Know: Here the authentication happens with your knowledge or what you know. This can be a PIN, password, key, pet’s name, etc. This is the most common authentication implemented today. This is also one of the cheapest authentication mechanisms.
Something You Have: Here the authentication happens with ownership, i.e. something you have or own. An access id card, credit card, RSA token, and security badge are all examples of things you can own and authenticate yourself with. In case this badge is stolen or lost, this could be an issue in those cases.
Something You Are: Here the authentication happens with YOU (characteristic). Your physical attribute is used to authenticate you. Characteristics such as fingerprints, voice prints, iris scans, palm prints, etc. are examples of characteristics or biometrics. An issue with this can be you can never change your characteristics if someone gets hold of your biometrics, unlike a password which can be changed.
Dual factor Authentication / Multifactor Authentication – If more than one factor of authentication is used, it is called as multi-factor authentication. Dual means 2, hence 2 factors will be used. Example – PIN + Access ID card (Something you know + Something you have) is an example of dual-factor authentication. Consider a top-secret research organization, where a person has to showcase his access ID card, then enter a PIN and then get his IRIS scanned to get access, this means that the organization has deployed multi-factor authentication.
A lot of times, many people get confused with authentication and authorization. To many, it seems simple, if I’m authenticated, I’m authorized to do anything. Once the subject provides its credentials and is properly identified, the system it is trying to access needs to determine if this subject has been given the necessary rights and privileges to carry out the requested actions. Consider your mail, where you log in, and provide your credentials. You will be able to compose a mail, delete a mail, and do certain changes which you are authorized to do. Can you make changes to the messaging server? No, since you are not authorized to do so. Hence successful authentication does not guarantee authorization. Successful authentication only proves that your credentials exist in the system and you have successfully proved the identity you were claiming. However, to make any changes, you need authorization. The system may check these privileges through an access control matrix or a rule-based solution through which you would be authorized to make the changes.
The final piece in the puzzle is accountability. Imagine where a user has been given certain privileges to work. What happens when he/she decides to misuse those privileges? If the audit logs are available, then you’ll be able to investigate and make the subject who has misused those privileges accountable on the basis of those logs. The subject needs to be held accountable for the actions taken within a system or domain. The only way to ensure accountability is if the subject is uniquely identified and the subject’s actions are recorded. Auditing capabilities ensure users are accountable for their actions, verify that the security policies are enforced, and can be used as investigation tools.
If all 4 pieces work, then the access management is complete. Although there are multiple aspects to access management, the 4 pillars need to be equally strong, or else it will affect the foundation of identity and access management.
What are your thoughts on this?