Join Mike Chapple for an in-depth discussion in this video Identification, authentication, and authorization, part of CompTIA Security+ Exam Prep (SY0-401): Access Control and Identity Management.
- As security professionals, one of the most important things that we do is ensure that only authorized individuals gain access to the information, systems, and networks under our protection. The access control process consists of three steps that all Security+ candidates must understand. These steps are Identification, Authentication, and Authorization. During the first step of the process, Identification, an individual makes a claim about his or her identity.
The person trying to gain access doesn't present any proof at this point; they simply make an assertion. It's important to remember that the Identification step is only a claim, and the user could certainly be making a false claim. Imagine a physical world scenario, where you want to enter a secure office building where you have an appointment. During the Identification step of the process, you might walk up to the security desk and say, "Hi, I'm Mike Chapple." Proof comes into play during the second step of the process, Authentication.
During the Authentication step, the individual proves his or her identity to the satisfaction of the access control system. In our office building example, the guard would likely want to see my driver's license to confirm my identity. Just proving your identity isn't enough to gain access to a system, however. The access control system also needs to be satisfied that you are allowed to access the system. That's the third step of the access control process, Authorization. In our office building example, the security guard might check a list of that day's appointments to see if it includes my name.
When you get ready for the Security+ exam, it's very important that you remember the distinction between the Identification and Authentication phases. Be ready to identify the phase associated with an example of an access control mechanism. So far, we've talked about Identification, Authentication, and Authorization in the context of gaining access to a building. Let's now talk about how they work in the electronic world. When we go to log in to a system, we most often identify ourselves using a username, most likely composed of some combination of the letters from our names.
When we reach the Authentication phase, we're commonly asked to enter a password. There are many other ways to authenticate, and we'll talk about those later in this course, as well as how strong access control systems combine multiple authentication approaches. Finally, in the electronic world, Authorization often takes the form of access control lists that itemize the specific file system permissions granted to an individual user or group of users. All access control systems provide the means to accomplish these three steps of the access control process.
Security+ professionals must understand how to implement secure Identification, Authentication, and Authorization systems.
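The three phases described in the video, carried out by a small login flow. This is an added example and not part of the course; the account store, the ACL, the resource path and the passwords are constructed sample data, and PBKDF2 with a constant-time compare stands in for whatever credential check a real system uses.

```python
import hashlib
import hmac
import os
from enum import Enum

class Decision(Enum):
    DENIED_AUTHENTICATION = "denied: authentication"
    DENIED_AUTHORIZATION = "denied: authorization"
    GRANTED = "granted"

def _derive(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256; 100k iterations is illustrative only.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_account(password: str, groups: frozenset) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _derive(password, salt), "groups": groups}

# Constructed sample data (hypothetical users, group and file path).
ACCOUNTS = {
    "mchapple": make_account("correct horse battery", frozenset({"staff"})),
    "visitor": make_account("letmein", frozenset()),
}
# ACL: resource -> action -> principals allowed (usernames or @groups).
ACL = {"/finance/report.xlsx": {"read": {"@staff"}, "write": {"mchapple"}}}
# Dummy record so an unknown username costs the same as a real one,
# which keeps response timing from revealing which usernames exist.
_DUMMY = make_account(os.urandom(8).hex(), frozenset())

def identify(claimed: str) -> str:
    """Identification: record the claim. Nothing is verified here."""
    return claimed.strip().lower()

def authenticate(username: str, password: str) -> bool:
    """Authentication: prove the claim with a password."""
    account = ACCOUNTS.get(username, _DUMMY)
    ok = hmac.compare_digest(_derive(password, account["salt"]), account["hash"])
    return ok and username in ACCOUNTS

def authorize(username: str, resource: str, action: str) -> bool:
    """Authorization: consult the ACL for this resource and action."""
    allowed = ACL.get(resource, {}).get(action, set())
    principals = {username} | {"@" + g for g in ACCOUNTS[username]["groups"]}
    return bool(allowed & principals)

def access(claimed: str, password: str, resource: str, action: str) -> Decision:
    username = identify(claimed)          # a claim only, not yet trusted
    if not authenticate(username, password):
        return Decision.DENIED_AUTHENTICATION
    if not authorize(username, resource, action):
        return Decision.DENIED_AUTHORIZATION
    return Decision.GRANTED
```

The returned `Decision` tells the audit log which phase denied access; the message shown to the user should stay generic so it does not confirm which usernames exist.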
Author Mike Chapple, an IT leader with over 15 years' experience, introduces identification methods such as usernames and biometrics, as well as authentication methods to verify users, including multifactor authentication, password authentication, and single sign-on. He also discusses authorization concepts such as mandatory and discretionary access controls, which can help you restrict access to sensitive parts of your network. The course also covers best practices for ongoing account management, such as establishing a good password policy, managing user roles, and monitoring accounts, and what to do when you need to suspend or terminate access.
- Setting policies for usernames and access cards
- Implementing biometrics
- Combining authentication factors for multifactor authentication
- Using a Kerberos access control system
- Using access control lists such as Windows NTFS file permissions
- Role-based authorization
- Implementing account and password policies