Authentication, Authorization and Access Control for Dummies

Monday, 23rd September 2013

Just as in the book series "... For Dummies", this post is meant to introduce the concept of authentication, authorization and access control for non-technical readers.

To start with, a simple principle needs to be introduced and highlighted: security principles in IT are exactly the same as those in real life. Once you understand this simple statement, you will be able to understand all IT security principles very easily.

As an accompanying example, we will start by listing the normal security procedures that we usually go through when visiting a secure building for a business meeting. At the entrance, we introduce ourselves and state the reason for our visit. The person at the information desk checks our ID and makes sure the photo on it resembles us. He then checks whether the person we are going to meet has already left our name at the information desk. If not, he calls that person to verify that we have a meeting with him.

Once the visit is verified, we are given a badge that gives us access to the places we are allowed to enter. Assuming our client is on the 3rd floor, the badge will work only at the entrance of the 3rd floor and at the meeting room door(s) on that floor.

Given the above example, it is very easy to identify the security terms involved here.

Authentication was achieved when the information desk personnel checked our ID and made sure the photo on it resembles us. This simply means making sure that the person claiming to be me is actually me. In IT systems, authentication is exactly the same. We need to make sure that if a certain user claims to be Victor Sawma, then that user really is Victor Sawma. This is usually done with a variety of techniques based on secrets that only Victor Sawma and the system know. The best known of these techniques are username/password systems and PIN-based systems, where only Victor Sawma knows the password or the PIN.

Authorization was achieved when the badge was generated for us. This simple step has a badge production system behind it. That system checks what the person is allowed to do and generates the badge accordingly. Since Victor Sawma is there for a meeting and is a guest, the system can determine (based on a pre-defined mechanism) that Victor Sawma should only have access to the floor he is visiting. More specifically, he should only be able to enter through the main entrance and go into the meeting room(s). The badge is then produced electronically and these permissions are stored on it.

In IT, this is exactly the same. Once the ID of the person has been checked (authentication is done), the system generates the set of permissions related to that ID and stores them in a virtual badge (usually referred to as the Session). This badge is then carried with us wherever we go online and is presented whenever we intend to enter or use any part or component of the system.

Access Control is simply the process of ensuring that authorization is respected at all times. During our visit to that secure building, it is usually achieved through badge-operated doors. These doors will not open unless our badge carries the related permission. Simply put, we are controlling the access of all users so that they access only what they are allowed to access; hence the term Access Control. The same takes place in the IT world. Once a virtual badge (Session) has been generated, the system always checks that badge for our associated permissions and makes sure that we only access and do what we are allowed to access and do.
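The three steps above, written out as a small Python model of the badge analogy. This is an added illustration, not code from the original post; the user "victor", the secret, the roles, the door names and the salt are all constructed for the example.

```python
import fnmatch
import hashlib
import hmac
import secrets

# Constructed credential store: the post's "secret that only Victor and the system know",
# kept as a salted hash rather than in clear text. All values here are examples.
_SALT = b"example-salt-not-for-production"

def _hash_secret(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

USERS = {"victor": {"secret": _hash_secret("correct horse"), "role": "guest", "floor": 3}}

# The post's "pre-defined mechanism": which doors a badge for each role may open.
ROLE_DOORS = {
    "guest": ["main-entrance", "floor-{floor}", "meeting-room-{floor}-*"],
    "employee": ["main-entrance", "floor-*", "office-*"],
}

SESSIONS = {}  # badge number -> badge contents: the post's "virtual badge" (session)

def authenticate(username: str, password: str) -> bool:
    """Step 1: check that whoever claims to be `username` actually holds the secret."""
    rec = USERS.get(username)
    if rec is None:
        return False
    return hmac.compare_digest(rec["secret"], _hash_secret(password))

def authorize(username: str) -> str:
    """Step 2: produce the badge and store the permissions derived from the verified ID."""
    rec = USERS[username]
    doors = [d.format(floor=rec["floor"]) for d in ROLE_DOORS[rec["role"]]]
    token = secrets.token_hex(16)  # an unguessable badge number
    SESSIONS[token] = {"user": username, "doors": doors}
    return token

def access_control(token: str, door: str) -> bool:
    """Step 3: the door opens only if a valid badge carries a matching permission."""
    badge = SESSIONS.get(token)
    if badge is None:  # no badge, or a made-up badge number: the door stays shut
        return False
    return any(fnmatch.fnmatchcase(door, pattern) for pattern in badge["doors"])

def login(username: str, password: str):
    """The information desk: authenticate first, and only then hand out a badge."""
    if not authenticate(username, password):
        return None
    return authorize(username)
```

Note that every door calls `access_control` with the badge, never the visitor's own claim about who they are: the permissions live on the badge the desk issued, not in the request.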

It is very important to understand the difference between these three terms, since they are related yet distinct. Furthermore, people trying to break security systems usually attack them individually, since breaking one of them is enough to defeat the others. If, for example, an attacker succeeds in producing a fake ID, he will not have to worry about the badge or the doors. The same applies to a user who can produce a badge carrying permissions that do not belong to his ID, and to an attacker who can make a door open without worrying about badges and permissions at all.

In a nutshell, breaking the security of a system is as simple as breaking one ring in a chain of rings: by breaking one ring, the whole chain is broken. It is therefore very important to make sure that your security system is well connected and complete, with each of the three steps enforced, in order to provide a secure environment.