When used together, authentication and authorisation further protect your information security environment, says April Bourne.
There’s a big difference between gaining successful entrance to the king or queen’s castle (authentication) and what you are allowed to do once you are inside (authorisation). Chances are, as a visitor, your actions and movement will be restricted and for good reason. Just because you got through that big iron door does not mean you are allowed to do whatever you please.
Exactly what is authentication?
Authentication is proving who you are in order to gain access to a system or application (in most cases). It can require something you know (a password), something you are (a fingerprint) or something you have (a one-time-use token).
You were probably already familiar with the process of authentication, because most of us perform it most every day, whether at work (logging onto your PC) or at home (logging into a website). The truth is, in order to access most “things” that face the Internet, you have to prove who you are by supplying credentials. However, once you authenticate, there are many decisions that happen seamlessly in the background, thanks to the secret powers of an administrator.
Once you authenticate, you are then granted authorisation or permissions to perform certain allowed tasks. In most cases, an administrator of that system provides permission through use of controls.
What do we mean by allowed? An example would be authenticating to your bank website. Successful authentication will not give you the ability to look into other customer accounts or withdraw money that is not your own. Authentication does not give “keys to the castle,” as you are only authorised to access a room in the castle and not the moat.
To summarise, authentication grants you consideration of sorts. If you can’t authenticate successfully you are no longer going to be considered. The conversation between you and the application you want to access will be very short, resulting in denied access and possibly account lockout.
Authorisation however, gives you the actual ability to perform allowed functions once you authenticate. A bank customer representative logged on as a bank employee (and not as a customer) can access many accounts and perform additional functions that you, as a bank customer, cannot and for good reason. Hopefully you now “care” that there is such a thing as authorisation and are eager to know more.
How can authorisation help with information security?
Consider this: Should an employee who is about to quit (and such employees don’t give prior notice on these matters!) be able to print the company’s customer directories on Saturday morning, so they can take a list of prospects with them to their new job along with the secret proprietary formula? This may be an extreme example, but scenarios similar to this can happen, they just don’t always make the news.
Users have access to what has been allowed on any MFD on purpose or by default. Authorisation permissions can be very simple, such as authenticated users are authorised to perform any function at any time on the MFD and non-authenticated users can’t do anything except add paper to the trays for all the authenticated users! Authorisation can also be extremely granular by defining user roles and assigning very specific permissions to those roles. Remember the permissions authorised for bank customers and those of customer service reps discussed earlier, they are surely not the same.
Get granular with authorisation
Authorisation can be very specific, such as certain users not allowed to scan to e-mail and fax. Other restrictions might not allow printing of certain applications like Excel or PowerPoint. It also can be more granular, such as art department users can only print from 8am to 5pm weekdays and Saturday from 9am to 12pm. These are only a few examples of the levels of granularity. Using authentication and authorisation together provides greater information security protection, since many functions can be uniquely authorised to users at a granular level.
Authentication and authorisation may not be required today within your organisation, but that could change as soon as tomorrow. Recall that the keys to the castle do not have to include access to the moat!