Authorization vs. Authentication: Understand the Difference
Two inseparable sides of the network security coin, authentication and authorization ensure that only the right people access your company’s IT resources. Authentication verifies who a user is; authorization decides which resources that verified user is permitted to reach.
As network security evolves beyond legacy technologies such as VPN, having a solid understanding of the role each process plays in access control is more important than ever. This article will explain the difference between authorization and authentication and discuss the growing role of each in modern security approaches such as Zero Trust Networking.
Authentication is a process for verifying identity. It answers the question “Is this person who they claim to be?”
A key code for an apartment building is an everyday example of authentication. Knowing the code is taken as evidence (not proof) that a person is a resident of the building. The network security equivalent is a password-protected website: the user’s knowledge of the password is accepted as verification of the user’s identity.
Of course, these scenarios depend on individuals keeping their credentials confidential. The authentication process can be compromised if the password is shared with others - for example, if a building’s residents give their codes to the delivery personnel.
Both scenarios are examples of single-factor authentication where one credential, or factor, is used to verify a user’s identity. Authentication factors can be broken down into three broad categories: knowledge, possession, and inherence. You often hear these factors summarized as something you know, something you have, or something you are.
- Knowledge Factors: Access codes, PINs, and passwords are the most common knowledge factors. Identity is verified by information only the user should know, rather than by possession of a physical object or certificate. As we have seen, knowledge factors are easily compromised through sharing, reuse, guessing, or phishing.
- Possession Factors: ID badges, security fobs, and authenticator apps (by way of the phone they run on) prove identity using something people have. Physical tokens can be lost, stolen, or left behind. Digital possessions, such as client certificates or private keys bound to a specific user or device, are another form of possession-based authentication.
- Inherence Factors: Fingerprint scans, face recognition, and other biometric technologies prove user identities based on what they are. These factors are often assumed to be stronger because they are unique to the end user, but that assumption has not held up uniformly against increasingly sophisticated attacks, and unlike a password, a compromised biometric cannot be changed. Practical hindrances such as gloves, injuries, or poor lighting can also prevent inherence checks from working, which makes them harder to deploy.
Used in a single-factor authentication system, each type of authentication factor has failure modes that would prevent confirmation of a user’s identity or could allow someone else to pass as the user.
Therefore, multi-factor authentication (MFA) systems rely on two or more factors, preferably from distinct categories, to confirm a person’s identity. Two factors from the same category (for example, a password and a PIN) share the same failure modes and add little.
A simple example of multi-factor authentication happens whenever you pass through airport security. The TSA officer will ask for your state-issued driver’s license (something you have) and compare the picture on the license to your face (something you are).
Security-conscious websites go beyond asking for your password (something you know) by requiring a second factor such as a code from an authenticator app, a hardware security key, or a code texted to your smartphone (something you have). Of these, SMS codes are the weakest option, since they can be intercepted through SIM swapping or telecom network attacks; an authenticator app or hardware key is preferable where users can adopt one.
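As an added example (not code from the original article), the following Python combines a knowledge factor and a possession factor the way a website login would: the password is checked against a salted scrypt hash, and the second factor is an RFC 6238 time-based one-time password (TOTP) of the kind an authenticator app generates from a secret shared at enrolment. The secret is the published RFC 4226 test key, used here only so the codes can be checked; the user record and timestamps are constructed test data.

```python
"""Added example: two-factor check with a knowledge factor (password hash)
and a possession factor (RFC 6238 TOTP). Not part of the original article.
The secret below is the RFC 4226 test key; user data is constructed."""
import base64
import hashlib
import hmac
import os
import struct
import time
from typing import Optional, Tuple

# RFC 4226 test secret "12345678901234567890", base32-encoded as an
# authenticator app would store it. A real secret is generated per user.
DEMO_TOTP_SECRET = base64.b32encode(b"12345678901234567890").decode()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted scrypt hash of a password. Returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Knowledge factor: constant-time comparison against the stored hash."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: Optional[float] = None, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    at = time.time() if at is None else at
    return hotp(secret_b32, int(at // step))


def verify_totp(secret_b32: str, code: str, at: Optional[float] = None,
                step: int = 30, skew: int = 1) -> bool:
    """Possession factor: accept the current step plus/minus `skew` steps
    so a slightly drifted phone clock still works."""
    at = time.time() if at is None else at
    counter = int(at // step)
    return any(
        hmac.compare_digest(hotp(secret_b32, counter + d).encode(), code.encode())
        for d in range(-skew, skew + 1)
    )


def authenticate(user: dict, password: str, code: str, at: Optional[float] = None) -> bool:
    """Both factors must pass. Both are evaluated regardless of the first
    result so a wrong password does not short-circuit and leak which factor
    failed through response time."""
    ok_know = verify_password(password, user["salt"], user["pw_hash"])
    ok_have = verify_totp(user["totp_secret"], code, at=at)
    return ok_know and ok_have


if __name__ == "__main__":
    salt, digest = hash_password("correct horse battery staple")
    user = {"salt": salt, "pw_hash": digest, "totp_secret": DEMO_TOTP_SECRET}
    print("current code:", totp(DEMO_TOTP_SECRET))
    print("login ok:", authenticate(user, "correct horse battery staple", totp(DEMO_TOTP_SECRET)))
```

The two factors fail independently: a phished password is useless without the phone, and a stolen phone is useless without the password, which is exactly why the factors must come from different categories.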
But verifying user identity is not enough. Passing through airport security does not leave you free to roam across the tarmac. Authentication only completes the first step in access control. Next comes Authorization.
Authorization gives the user permission to access specific resources. It answers the question “What is this authenticated person allowed to do?”
Security policies at the airport or on a website determine what you can access. Passing through the TSA checkpoint gives you permission to wander around the airport’s public areas, but not into restricted areas like the tarmac. Similarly, passing a website’s two-factor login does not by itself decide what you can see; the site’s authorization rules limit you to the information specific to your account.
Your authorization system determines which users have permission to access specific resources under specified circumstances. The context of a user’s access — the state of their device or network connection — is increasingly important as companies adopt work-from-home, bring-your-own-device (BYOD), and blended workforce policies. Developing strategies to dynamically identify the context of a user’s access request is a clear gap in network security today.
Combining the public internet with VPN security technologies made remote access easy and affordable for even the smallest business. But VPN security’s core assumptions make the technology a significant vector for security breaches.
Originally developed to link remote employees to the office network, the VPN paradigm typically assumes that an authenticated connection is authorized to reach anything on the network it protects. As a result, compromised user credentials and unpatched VPN firmware have given cybercriminals broad access to corporate and government networks around the world.
Authorization systems replace the universal access of VPN technologies with a compartmentalized approach. Companies develop policies and criteria that limit users’ access to business resources. These policies should include:
- Role-based permissions: Employees should only access the resources they need to do their work, a concept called “least privilege access”. Salespeople need access to customer relationship management systems, but they shouldn’t be able to touch a development server.
- Device permissions: Thanks to BYOD and work-from-home policies, fewer employees use company-managed, on-prem computers. If users do not install operating system updates and security patches promptly, their devices may become compromised. Evaluations of each device’s security posture should constrain the user’s access permissions.
- Location permissions: Likewise, the nature of the user’s network connection should also inform access permissions. Letting a human resources administrator access employee records from their home office is one thing. But letting them do so when using a coffee shop’s unsecured public Wi-Fi while traveling abroad is quite another.
- Static and dynamic permissions: Ideally, an authorization grant is tied to a session and its context, expiring when the session ends and being re-evaluated when the context changes. In practice, traditional security systems make this too inconvenient for users. That is why a newspaper’s public website keeps a subscriber authorized for as long as a cookie sits in the browser. Unfortunately, the same reasoning often applies to corporate networks, where a single login yields a long-lived, static grant.
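The four policy inputs above can be combined into a single decision function. The following Python is an added example (not code from the original article or from any product it names): a small policy engine that evaluates an already authenticated request against role-based least privilege, device posture, network location, and grant expiry. The roles, resource names, posture thresholds, and requests are constructed demo data; a real deployment would pull them from an identity provider and a device-management system.

```python
"""Added example: context-aware authorization for an authenticated user.
Not part of the original article. All roles, resources, thresholds and
requests below are constructed demo data."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Set, Tuple

# Role-based least privilege: each role maps to the (resource, action)
# pairs it needs and nothing else. Salespeople get the CRM, not the
# development server.
ROLE_PERMISSIONS = {
    "sales": {("crm", "read"), ("crm", "write")},
    "developer": {("dev-server", "ssh"), ("crm", "read")},
    "hr-admin": {("employee-records", "read"), ("employee-records", "write")},
}

# Resources that additionally require a managed, recently patched device
# on a trusted network.
SENSITIVE_RESOURCES = {"employee-records", "dev-server"}
TRUSTED_NETWORKS = {"office", "home-office"}
MAX_PATCH_AGE = timedelta(days=30)
SESSION_MAX_AGE = timedelta(hours=8)


@dataclass
class Device:
    managed: bool
    last_patched: datetime


@dataclass
class Request:
    user: str
    roles: Set[str]
    resource: str
    action: str
    device: Device
    network: str                # e.g. "office", "home-office", "public-wifi"
    session_started: datetime
    now: datetime


def authorize(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Checks are ordered so the cheapest and most
    general denial comes first; every branch returns an explicit reason for
    the audit log."""
    # Dynamic permissions: a stale grant is denied even if everything else passes.
    if req.now - req.session_started > SESSION_MAX_AGE:
        return False, "session expired; re-authentication required"

    # Role-based permissions: at least one of the user's roles must grant the action.
    granted = any((req.resource, req.action) in ROLE_PERMISSIONS.get(role, set())
                  for role in req.roles)
    if not granted:
        return False, f"no role grants {req.action} on {req.resource}"

    if req.resource in SENSITIVE_RESOURCES:
        # Device permissions: posture constrains access to sensitive data.
        if not req.device.managed:
            return False, "unmanaged device"
        if req.now - req.device.last_patched > MAX_PATCH_AGE:
            return False, "device patch level too old"
        # Location permissions: the network the request comes from matters.
        if req.network not in TRUSTED_NETWORKS:
            return False, f"untrusted network: {req.network}"

    return True, "allowed"


def demo_request(**overrides) -> Request:
    """Constructed baseline request: an HR admin on a patched, managed laptop
    at a home office, ten minutes into a session."""
    now = datetime(2024, 1, 15, 9, 10, tzinfo=timezone.utc)
    base = dict(
        user="hr-admin-1", roles={"hr-admin"}, resource="employee-records",
        action="read",
        device=Device(managed=True, last_patched=now - timedelta(days=3)),
        network="home-office", session_started=now - timedelta(minutes=10), now=now,
    )
    base.update(overrides)
    return Request(**base)


if __name__ == "__main__":
    for label, req in [
        ("hr from home office", demo_request()),
        ("hr from coffee shop", demo_request(network="public-wifi")),
        ("sales on dev server", demo_request(roles={"sales"}, resource="dev-server", action="ssh")),
    ]:
        print(f"{label}: {authorize(req)}")
```

The same user, device, and resource yield different answers as the network or patch state changes, which is the dynamic, context-aware authorization the article argues legacy VPN setups lack. Putting all four checks in one function also keeps the decision auditable: each denial records why.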
Authentication and authorization are two distinct and required steps in a company’s access control process. You cannot have one without the other and preserve the integrity of your network’s security.
- Authentication on its own grants nothing beyond a confirmed identity. Until authorization is applied, the user cannot access network directories, files, or other resources.
- Authorization does nothing without authentication. The authorization system must know who the user is before it can grant access permissions.
Working together, authentication and authorization give your company more control over who accesses which resources.
You will find a diverse ecosystem of vendors and service providers ready to enhance your organization’s identity-based authentication management today. However, tying that authentication data to dynamic authorization rights in a simple way is the next “giant leap” for IT teams. Authentication-focused vendors commonly target the following niches:
- Cloud-first authentication vendors: Okta and Auth0 provide authentication solutions for cloud-first enterprise infrastructures.
- Traditional networking vendors: Cisco and Aruba Networks offer access control solutions optimized for companies standardized on their hardware.
- Cloud service providers: Microsoft Azure and Amazon Web Services offer their own identity management systems and work with third-party providers.
- Mixed authentication solutions: Yubico and RSA Security develop hardware and software authentication solutions.
- Social single sign-on providers: through OpenID Connect and proprietary protocols, users are authenticated by Facebook, Twitter, and other social media accounts.
Zero Trust Networking (ZTN) is a modern approach to network security that addresses the failures of traditional security technologies, such as VPN. As we touched on earlier, VPN technologies protect access to a network but permit universal access to resources on that network. Mitigating this inherent security weakness requires layers of infrastructure. Combined, these workarounds make network security brittle, expensive to manage, and difficult to scale.
As its name implies, ZTN starts from the premise that no user, device, or network location is trusted by default. ZTN therefore treats an IT executive sitting at a desktop in the data center no differently from a service rep connected to hotel Wi-Fi on their laptop. No matter who they are, how they connect, or what device they use, every request to access a resource is authenticated and authorized on its own merits rather than on the strength of an earlier connection.
Unlike VPN solutions, ZTN security systems do not give users unfettered authorization to all resources within a company network. ZTN creates a secure perimeter around every resource. Once authenticated by a ZTN system, users can only see the resources they are authorized to access based on requirements set by the IT team. Each grant of access expires at the end of the session and must be renewed when the user reconnects.
Twingate’s ZTN solution replaces the overhead of legacy VPN systems through a simplified, yet more secure access control system. Twingate integrates with identity providers (IdP) such as Okta and OneLogin making least privilege access policies easy to implement within existing company infrastructure.
Authentication and authorization are essential pieces of your network security strategy. Implementing a solid MFA policy that balances user experience with the security of a dynamic access control system is essential to minimize your organization’s risk of a security breach. Users should have access to the resources they need, but only in situations where it is considered safe to do so.
Neither authentication nor authorization can securely function on its own but, together, they are a powerful tool. Twingate protects your company’s resources, whether on-prem or in the cloud, and integrates with your preferred IdP, to provide an easy-to-deploy zero trust solution.