Authorization and Authentication both play a crucial role in securing our digital identities. The two measures go hand-in-hand in terms of allowing individuals access to an environment and permitting access to specific resources within that environment. In the article below, we aim to distinguish the two and explain how they work in tandem to safeguard our digital identities and environments. We also aim to explain the difference between modern and legacy authentication and authorization practices.
What is Authentication?
Authentication is the process of granting or denying an individual user entry to an environment. It proves that a user is genuinely who they claim to be before any access to resources is allowed.
Authentication works by leveraging access controls to confirm that an end-user’s credentials match those stored in an organization’s identity provider, such as Active Directory or Azure Active Directory. The authentication process consists of two steps:
Confirming that a user attempting to log in has the correct credentials (username, password, biometric data, device data)
Confirming that the established policies and access controls permit the user access to a specific environment
What is Authorization?
Authorization is the next step to securing identity in an environment. Authorization occurs after a user is approved to enter an environment via authentication but then takes security a step further. Through access controls and group settings, authorization determines the unique resources a user is permitted to access and the resources that are restricted.
Here’s a good example of authorization working in a business to secure sensitive areas of your environment:
Suppose a member of your business’ marketing team set out to access secured HR documents. Ordinarily, a member of a marketing team would have no business reason to view this sensitive data; in other words, they are not authorized. Nonetheless, they proceed in attempting to access this secure data.
The marketing team member successfully authenticated and logged into your environment using their unique credentials. However, when they search for these aforementioned HR documents, their set of unique permissions established from a predefined group prevents them from accessing or even seeing that these documents exist – while allowing the individual access to resources only necessary for the individual to perform their marketing duties. They’ve effectively been obstructed from entering the portion of your environment specifically dedicated to the eyes of the HR team. That’s authorization in action.
Basic Authentication vs. Modern Authentication
Basic authentication (sometimes referred to as basic auth) provides a single tier of security when it comes to granting and receiving access to an environment. It predominantly relies on a single username and password to authenticate.
The disadvantage of basic authentication is that its credentials are easily compromised. For instance, a username and password can be guessed, phished or replayed from a breach, and a stolen access token can be reused by anyone who holds it.
Often, we’ll see basic auth used for email. For example, POP, SMTP, MAPI and IMAP are all protocols that commonly rely on basic authentication. The issue with these forms of basic authentication is that there are no additional layers of verification when you are leveraging these protocols. This makes it easy for an attacker who holds a valid password to log in, and although that alone may not grant authorization to sensitive resources, it opens the door for lateral movement in your environment toward less protected resources.
Modern authentication uses multiple components to authenticate. It adds steps beyond the username and password and requires a second form of proof before a user is authenticated into an environment, commonly referred to as multi-factor authentication (MFA). This additional layer of verification is often a prompt from a tool such as the Microsoft Authenticator app, Windows Hello for Business (biometrics), a FIDO security key, or a certificate. The extra step provides a more secure authentication process because factors like Windows Hello for Business are very difficult for an attacker to compromise remotely.
From an administrative standpoint, modern authentication allows IT teams to create the same credentials for end-users as in basic authentication, but then prompt the end-user to register an additional form of authentication. These end-user-registered factors often come in the form of a text message, the Authenticator app, a FIDO key, and so on.
In most environments, the end-user will take these steps on their own, but in certain situations administrators are able to step in, for example by adding a phone number for text-based multi-factor authentication on the user’s behalf.
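As an added illustration that is not code from the original post, the following constructed Python sketch contrasts the two models: `basic_auth` verifies only a password hash (one factor), while `modern_auth` additionally requires a time-based one-time password of the kind an authenticator app generates (RFC 6238 TOTP). The user name, password, salt and TOTP seed are constructed demo values.

```python
import hashlib
import hmac
import struct
import time

# Passwords are stored as salted PBKDF2 hashes, never in plaintext.
# The salt is a constructed demo value; real systems use os.urandom(16) per user.
_SALT = b"constructed-demo-salt"


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed demo identity store: one user with a password hash and a
# per-user TOTP seed shared with their authenticator app at enrolment.
USERS = {
    "alice": {
        "pw_hash": _hash_password("correct horse battery staple", _SALT),
        "totp_secret": b"constructed-demo-seed",
    },
}


def totp(secret, timestamp, step=30, digits=6):
    """RFC 6238: HMAC-SHA1 over the 30-second time counter, dynamically truncated."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def basic_auth(username, password):
    """Basic authentication: a single knowledge factor, the password."""
    user = USERS.get(username)
    if user is None:
        return False
    return hmac.compare_digest(user["pw_hash"], _hash_password(password, _SALT))


def modern_auth(username, password, otp, now=None):
    """Modern authentication: the password AND a possession factor (TOTP code).

    A stolen password alone is not enough; the caller must also present the
    code valid for the current time step.
    """
    if not basic_auth(username, password):
        return False
    now = int(time.time()) if now is None else now
    expected = totp(USERS[username]["totp_secret"], now)
    return hmac.compare_digest(expected, otp)
```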
Legacy Authorization Models vs. Modern Authorization
Modern authorization models are far more sophisticated than legacy authorization techniques. Legacy models simply involve assigning a user to a group or resource directly in Active Directory.
There are several issues with legacy authorization models. The first is that legacy models are difficult to administer. For many organizations, depending on the resource, a higher tier of permissions is required to manage the groups associated with the resource. Continuously requesting these permissions to administer these groups becomes a cumbersome task when a large number of users require access to the resource. Even worse, granting standing admin permissions to manage these groups creates vulnerabilities within an environment.
The second and most important issue with legacy authorization models is that, because these resources are managed manually, users and admins are given more permissions than they require. For IT teams with less mature identity governance processes and policies, auditing of these permissions happens less frequently, if ever, leaving environments open to attack.
These issues with legacy authorization are mitigated by embracing modern authorization models: attribute-based access control (ABAC) and role-based access control (RBAC).
Role based access control (RBAC)
Role-based access control (RBAC) can be defined as the methodology used to restrict or grant unique permissions to groups or individuals within an identity provider such as Active Directory (on-premises) or Azure AD. The idea is to limit access to highly sensitive areas of your environment while giving certain employees just enough access to sufficiently perform the duties of their job. RBAC can either restrict or permit access to your environment based on the scope or role assigned to a group or user by an administrator. For further information on RBAC, check out this piece written by my colleague: Getting to Know Role Based Access Controls (RBAC) — Mobile Mentor (mobile-mentor.com)
Attribute based access control (ABAC)
Attribute-based access control leverages specific attributes of an object or record to grant access to resources. Often used in conjunction with RBAC, ABAC takes user information and compares it to resource data to decide whether a user is permitted to access a resource.
For example, an organization may have a department called finance. All members of the finance department will have a common “Department” attribute in an identity store, such as Active Directory or Azure AD, with a value of “Finance”. With modern authorization software, the identity provider can automatically assign finance department members to groups or rules at the moment the user is onboarded into the organization, allowing the appropriate access from day one.
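To make the marketing-versus-HR scenario above and this finance example concrete, here is a constructed Python policy check that is not code from the original post. It combines ABAC (a role is derived from the user’s Department attribute at onboarding) with RBAC (roles map to permissions on resource types), denies by default, and filters a catalogue so an unauthorized user does not even see that a resource exists. All user names, departments and resource names are constructed demo values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    attributes: dict  # e.g. {"Department": "Finance"} as held in the identity store


# RBAC: each role maps resource types to the actions it grants (constructed demo policy).
ROLE_PERMISSIONS = {
    "Marketing": {"marketing-assets": {"read", "write"}},
    "HR": {"hr-documents": {"read", "write"}, "marketing-assets": {"read"}},
    "Finance": {"finance-ledger": {"read", "write"}},
}

# ABAC: (attribute, required value, role granted). Membership is derived
# automatically from the user's attributes, so a new Finance hire is covered on day one.
ATTRIBUTE_ROLE_RULES = [
    ("Department", "Finance", "Finance"),
    ("Department", "Marketing", "Marketing"),
    ("Department", "HR", "HR"),
]

# Constructed demo catalogue: (resource name, resource type).
CATALOG = [
    ("Q3 campaign plan", "marketing-assets"),
    ("Salary review 2024", "hr-documents"),
    ("General ledger", "finance-ledger"),
]


def roles_for(user):
    """Evaluate the ABAC rules against the user's attributes to obtain their roles."""
    return {role for attr, value, role in ATTRIBUTE_ROLE_RULES
            if user.attributes.get(attr) == value}


def is_authorized(user, resource_type, action):
    """RBAC check: allowed only if some role of the user grants the action. Deny by default."""
    return any(action in ROLE_PERMISSIONS.get(role, {}).get(resource_type, set())
               for role in roles_for(user))


def visible_resources(user, catalog=CATALOG):
    """Resources the user may read; everything else is hidden, not just blocked."""
    return [name for name, rtype in catalog if is_authorized(user, rtype, "read")]
```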
At Mobile Mentor we recommend the modern approach to authorization and authentication. The extra tiers of invisible security that accompany the modern approach are crucial to securing digital identities for the modern, hybrid workforce. By leveraging cloud-based directory services like Azure Active Directory for authentication and authorization, you can ensure a safer environment for your employees and business at large.
Contact us to learn more about Digital identity
Demetrius Cooper is Mobile Mentor’s Digital Identity lead. He has over 11 years of industry experience with a predominant focus on digital identity. A Chicago native, Demetrius lives and works in Atlanta, GA.