Join Mike Chapple for an in-depth discussion in this video Understanding authorization, part of CompTIA Security+ (SY0-501) Cert Prep: 4 Identity and Access Management.
- [Instructor] Authorization is the final step in the access control process. Once an individual successfully authenticates to a system, authorization determines the privileges that individual has to access resources and information. There are many different authorization approaches, and we'll discuss those in this course. First, let's talk about two general principles of authorization that lead to strong security. The first is the principle of least privilege. This principle states that an individual should have only the minimum set of permissions necessary to accomplish his or her job duties.
Least privilege is important for two reasons. First, least privilege minimizes the potential damage from an insider attack. If an employee turns malicious, the damage they can cause will be limited by the privileges assigned to their job role. It's unlikely, for example, that an accountant would be able to deface the company website, because an accountant's job responsibilities have nothing to do with updating web content. Second, least privilege limits the ability of an external attacker to quickly gain privileged access when compromising an employee's account.
Unless they happen to compromise a system administrator's account, they will find themselves limited by the privileges of the account that they steal. The second important principle is separation of duties. This principle states that sensitive business functions should require the involvement of at least two people. This reduces the likelihood of fraud, because committing it would require collusion between two employees. One common example of separation of duties is found in accounting departments.
One way that employees might steal funds from the organization is to set up fake vendors in the system and then issue checks to those vendors for services that were never rendered. To prevent this, organizations typically separate the ability to set up a new vendor from the ability to issue a check to that vendor, and require that no employee ever hold both of those privileges. Organizations must also watch out for privilege creep when trying to follow the principles of least privilege and separation of duties. Privilege creep occurs when users change from one job to another and gain new privileges associated with their new responsibilities but never lose the privileges from the job that they left.
Over time, an employee who moves around from role to role may gain substantial privileges in this way. Consider the example of Alice. Alice starts as a clerk in the accounting department, where she is responsible for issuing checks to vendors; there she holds the issue check privilege. After a few years, Alice receives a promotion to a supervisory accountant position and gains responsibility for setting up new vendors in the system.
Nobody ever takes away her old privileges. Alice now has the ability to both set up a new vendor and issue a check, a violation of both least privilege and separation of duties. Organizations looking to preserve the principles of least privilege and separation of duties should perform regular account reviews. These may come in both manual and automated forms. For example, an automated process might run every time a user is granted new privileges to ensure that the new privileges won't violate any separation of duties requirements.
The organization might supplement these automated checks with quarterly access reviews, where managers manually review the permissions assigned to each employee for compliance with the principle of least privilege. Maintaining authorization systems is a critical task for security professionals, and the Security+ exam might include a question asking you to review a scenario and identify which authorization principle it describes. Be sure to know the difference between least privilege and separation of duties, so that you're ready for those exam questions.
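The two controls just described, a grant-time separation-of-duties check and a periodic access review, as a small worked example added here (not code from the course or its instructor). The role names, privilege names and the single "set up vendor / issue check" conflict pair are constructed to mirror the Alice scenario.

```python
"""Toy authorization-review helper (added example, not from the course).

Models the two controls the video describes: an automated separation-of-duties
check on every privilege grant, and a periodic access review that flags accounts
already holding conflicting privileges.  All role, privilege and account names
are constructed for illustration.
"""
from dataclasses import dataclass, field

# Privilege pairs that no single account may hold together (constructed policy).
SOD_CONFLICTS = {frozenset({"setup_vendor", "issue_check"})}

# Privileges attached to each job role (constructed sample data).
ROLE_PRIVILEGES = {
    "accounting_clerk": {"issue_check", "view_ledger"},
    "supervisory_accountant": {"setup_vendor", "approve_budget", "view_ledger"},
}

@dataclass
class Account:
    name: str
    role: str
    privileges: set = field(default_factory=set)

def sod_violations(privileges):
    """Return every conflicting pair fully contained in a privilege set."""
    return {pair for pair in SOD_CONFLICTS if pair <= privileges}

def grant(account, privilege):
    """Grant-time check: refuse a grant that would leave a SoD conflict in place."""
    if sod_violations(account.privileges | {privilege}):
        return False
    account.privileges.add(privilege)
    return True

def change_role(account, new_role, revoke_old=True):
    """Move an account to a new role; return the new-role privileges refused.
    revoke_old=False reproduces privilege creep: the old role's rights linger,
    so only the grant-time check stops the conflicting privilege."""
    if revoke_old:
        account.privileges -= ROLE_PRIVILEGES[account.role]
    account.role = new_role
    return {p for p in ROLE_PRIVILEGES[new_role] if not grant(account, p)}

def access_review(accounts):
    """Periodic review: map each account name to the conflicting pairs it holds."""
    return {a.name: sod_violations(a.privileges)
            for a in accounts if sod_violations(a.privileges)}
```

Promoting an account with `revoke_old=False` shows why the grant-time check matters: Alice keeps `issue_check`, so the `setup_vendor` grant is refused, while the review catches accounts that were provisioned with both privileges before any check existed.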
Instructor Mike Chapple has designed the training around the most recent version of CompTIA Security+, SY0-501, which expands coverage of mobile and cloud technologies. By learning about the topics in this course, you'll be prepared to answer questions from the latest exam—and strengthen your own organization's systems and defenses. To join one of Mike's free study groups, visit certmike.com.
- Identification methods
- Authentication factors
- Multifactor authentication
- Single sign-on
- Authorization and access controls
- Account management