Q&A: Authorization and Authentication
Matt Luckett and David Brossard discuss authentication and authorization and why enterprises need both as part of a successful access control strategy.
We recently sat down with our Vice President of Customer Relations, Matt Luckett, and Chief Technology Officer, David Brossard, to discuss authentication and authorization and why enterprises need both as part of a successful access control strategy.
What is the difference between authorization and authentication?
Matt: I always like to look at an application as a house to explain the difference. Authentication is the key to get through the front door. You really only want your family (people you know) to have that type of access. If you give the key to someone else, they can always get into the house.
Authorization, on the other hand, is what happens after someone has the key to get into your house. Once they are in the house, what do they have access to? If they have access to the kitchen, can they operate the sink, dishwasher, or get into the fridge?
Authorization enables you to get as fine-grained as you want.
For example, my kids could have access to the fridge, but I would not want my youngest ones to necessarily have unfettered access to the stove. When you look at it this way, authorization is that last mile of being able to figure out what the user can access once they are in the application.
David: What Matt says here is spot on, and I’d actually go a little further. I agree that authorization is the last mile, and think it’s also the longer mile. If you look at authentication, it is a very short journey to prove something about the user. Authorization is the very long tail of determining what the user can or cannot do.
Authentication can be generalized as the user must prove something about themselves. Most often, it is about the user’s identity, as is the case at a border crossing. Taking this example a step further, generally, the border officials simply want to validate that you have a passport, which allows you to go from one country to another – they don’t need any additional personal details, in many cases. They only require additional details in specific circumstances, such as if you happen to be on a no-travel list.
Authentication is the first step, proving a claim about the user, which is then used in the authorization process. Authorization is nearly always dependent on some type of authentication taking place.
Why isn’t authentication alone sufficient?
Matt: Authentication is a critical element of any successful access control strategy, but as access requirements evolve, it isn’t enough. Think of it this way – without authorization, essentially everybody is an administrator within an application.
David: That’s a great point, Matt. Pick any company, and you’ll see each employee has access to different sets of information depending on their role.
For example, the CEO and CFO would have access to detailed financial records, whereas other, non-finance roles (or perhaps more junior staffers) wouldn’t have access to that information. There must be some type of authorization in place to make the applications, services, and processes meaningful. It’s in line with what Matt said – not everyone should have the highest levels of access to your critical information. Unfettered access or standing access opens your organization up to risk.
Why is it critical to implement both authorization and authentication?
David: Well, in short, you need authentication and, while we’re chatting about it, you also need user management. Going back to Matt’s analogy, you need the key – authentication – to get into the house. But you also need the homeowner who is in charge of assigning the keys, making and distributing them to different individuals, which is where user management comes in.
What is critical is that there are relatively clean cuts between authentication and user management on the one hand, and applications on the other. So you have the fact that you, as an identity, exist inside of a Lightweight Directory Access Protocol (or LDAP) directory, and we must recertify you on a regular basis and verify your entitlements. That is relatively decoupled from the application itself.
As it is decoupled, the application evolves more or less independently of the authentication scheme and the identity management scheme. Authorization, however, blurs the line between the identity and application pieces as authorization is all about what the user can do in the application.
Matt: I completely agree, David. Authorization and authentication go hand-in-hand, and for your access control strategy to be successful, you can’t have one without the other. Authentication is the basis for verification, and authorization is the last and longest mile.
What are the biggest misconceptions around authentication and authorization working together?
David: The biggest misconception is that authentication is enough and that the rest is in the application. Another popular misconception is that it is impossible to externalize authorization because it is so intertwined with application logic that it is not even worth doing or externalizing. Continuing to avoid external authorization makes it difficult to have a consistent, flexible and scalable policy-driven authorization strategy.
If there were three things you’d want readers to take away from this interview, what would they be?
Matt: First and foremost, I want people to know that while authentication is key, it’s a very small portion of the entire security process.
Second, internalizing authorization into the application is simple, but it’s not the path forward. As David said earlier, as your organization grows or you want to apply authorization to additional applications or resources, internalizing or isolating authorization will create roadblocks.
Last, the old way of doing things, including focusing on role-based access control (RBAC), has some value, but will create additional challenges as access requirements and business requirements evolve. Looking at roles is only one piece of determining appropriate access.
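The externalized, policy-driven authorization David argues for, and Matt’s point that roles are only one input to an access decision, can be sketched in a few lines. The Python below is an added illustration written for this page; it is not code from the interview or from the interviewees’ company. The policy decision point is a toy stand-in for a real policy engine, and every role, department, record and threshold in it is constructed sample data.

```python
"""Added example: externalized, attribute-based authorization.

The application never hard-codes "if role == admin"; it asks a policy decision
point (PDP) through one enforcement call. Policies are data the PDP evaluates,
so they can change without touching application code. Every role, department,
record and threshold below is constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Request:
    """Attributes describing one access attempt."""
    subject: dict   # e.g. {"id": "alice", "roles": {"cfo"}, "dept": "finance"}
    action: str     # e.g. "read" or "approve"
    resource: dict  # e.g. {"type": "financial-record", "dept": "finance", "amount": 5000}


# A rule returns True (permit), False (deny) or None (not applicable).
Rule = Callable[[Request], Optional[bool]]


def _is_financial(r: Request) -> bool:
    return r.resource.get("type") == "financial-record"


def executives_read_all_finance(r: Request) -> Optional[bool]:
    """Role-based rule: the CEO and CFO may read any financial record."""
    if _is_financial(r) and r.action == "read" and set(r.subject["roles"]) & {"ceo", "cfo"}:
        return True
    return None


def finance_staff_read_own_dept(r: Request) -> Optional[bool]:
    """Attribute-based refinement a pure role check cannot express:
    finance staff read only records belonging to their own department."""
    if (_is_financial(r) and r.action == "read"
            and "finance" in r.subject["roles"]
            and r.subject.get("dept") == r.resource.get("dept")):
        return True
    return None


def approval_limit(r: Request) -> Optional[bool]:
    """Attribute-based rule with an explicit deny: finance staff may approve
    records up to 10,000 (constructed threshold); larger approvals are
    reserved for the CFO."""
    if not (_is_financial(r) and r.action == "approve"):
        return None
    if "cfo" in r.subject["roles"]:
        return True
    if "finance" in r.subject["roles"] and r.resource.get("amount", 0) <= 10_000:
        return True
    return False


@dataclass
class PolicyDecisionPoint:
    """Evaluates all rules with deny-overrides combining and default deny."""
    rules: List[Rule] = field(default_factory=list)

    def decide(self, r: Request) -> str:
        outcomes = [rule(r) for rule in self.rules]
        if any(o is False for o in outcomes):
            return "Deny"
        if any(o is True for o in outcomes):
            return "Permit"
        return "Deny"   # no applicable rule: default deny


# One PDP instance shared by the application; adding a rule here is a policy
# change, not an application change.
PDP = PolicyDecisionPoint([executives_read_all_finance,
                           finance_staff_read_own_dept,
                           approval_limit])


def is_permitted(subject: dict, action: str, resource: dict) -> bool:
    """Policy enforcement point: the only authorization call the app makes."""
    return PDP.decide(Request(subject, action, resource)) == "Permit"


def hardcoded_check(subject: dict) -> bool:
    """The pattern being replaced: an in-application check that knows only
    about roles and must be edited wherever access rules change."""
    return "admin" in subject["roles"]


if __name__ == "__main__":
    ledger = {"type": "financial-record", "dept": "finance", "amount": 50_000}
    for who in ({"id": "cfo", "roles": {"cfo"}, "dept": "finance"},
                {"id": "bob", "roles": {"finance"}, "dept": "finance"},
                {"id": "eve", "roles": {"engineering"}, "dept": "r&d"}):
        print(who["id"], "read:", is_permitted(who, "read", ledger),
              "approve:", is_permitted(who, "approve", ledger))
```

The design choice worth noticing is that `is_permitted` is the only place the application touches authorization: the department match and the approval threshold are rules the PDP owns, so tightening them for a new application or a changed business requirement does not mean editing scattered `if` statements, which is the roadblock Matt describes for internalized authorization.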
David: I would add that authentication is an absolute necessity. It isn’t authentication versus authorization; rather, it is a matter of when you need both.
Authentication provides a critical foundation for anything you want to do online. If you can’t prove who you are or what you represent then you aren’t going to be able to do anything. It’s basic identity management, which is a piece that application owners can’t get wrong. Once authentication is done right, organizations are then ready to tackle authorization.
Improve on your access control strategy with authorization
How does your organization leverage authentication and authorization?
What challenges has your organization faced as a part of its access control strategy?
These are questions to consider as your enterprise starts its journey to having a successful access control strategy.
Learn more about why it’s critical for authentication and authorization to work together and download our white paper to see how authorization meets your enterprise’s needs where authentication alone falls short.