
What is Authorization?

In this video, you will learn what authorization is in the context of IdAM.
So let’s move on now to authorization. People commonly confuse authentication and authorization – they are different. Authorization is the function of specifying access or privileges to a particular subject. So here we have somebody who is authenticated and who is now trying to access a particular object, and we need ongoing authorization to maintain the security level. In the example we gave of somebody accessing a property – a very simple example. Real life is much more complicated than that. If we’re looking at a file share with ten different folders, one of the folders is marked top secret, the rest are marked public access, and we want users with low levels of privileges not to be able to access the top secret data.
This is where authorization comes in. Having somebody authenticated means that we know who they are. We now need to rely on the privileges assigned to that account in order to start matching their individual transactions to their profile. Should they be allowed access or not? So here we’re looking at things like security labels for each individual transaction. So to authorize something, we typically need some kind of access policy. So we need to be starting to think very carefully about who has access to what. For an access control process, typically we want our policy in place before we do anything else.
And once we have the policy, we want to make sure that that policy can be enforced as it’s used day-to-day, and we want some mechanism for assigning, managing and revoking privileges. Because having an identity that’s been authenticated is not enough in isolation. We need to understand what individual privileges that identity, or the account managed by that identity, has. So this becomes very complex in practice. So we see technologies like XACML as a new, or a very modern, form of managing authorization. Also, what we want to consider with authorization is latency. If we update privileges, if we revoke privileges or assign new privileges, how quickly are they assigned to the account? How quickly are they applied, and when do they become enacted?
And this can be a problem: if we revoke somebody’s privileges but those changes only become enforced at the point of next login, then that can be problematic for us; that can create an issue. That means that if somebody is immediately suspended from the organization, they can continue to stay logged into their device for two or three days, still having access. So again, this is something that requires very careful thought when we’re defining the policy and we’re defining the associated processes that go with that policy. What we are looking at is every single transaction being subject to the authorization policy.
So we need to make sure that, whether this is in the physical world or the logical world, all of our transactions fall under this.
So authorization versus authentication: authentication is where we’re looking to confirm that the subject is who they say they are. Authorization is the ongoing process, beyond authentication, where we’re asking ‘Is the subject permitted access to the resource?’ And if they are permitted access to the resource, what kind of right do they have to that resource? So when talking about authorization, it’s not just ‘Can they access the resource?’ If you think about that file share as an example, are we talking about read access? Is the file visible but inaccessible? Are they allowed to write, to delete? What kind of permissions are we actually allowing?
With authorization versus authentication, we also have some confusion that tends to surface relating to the standards as well. So we have OAuth and XACML, which are actually authorization standards. These do not deal with authentication. OAuth typically confuses people because they assume it is a form of authentication. So OAuth is what we see when you can log in via Facebook or your social media accounts. Actually, in these cases, the authentication provider is the social media provider. And this is then a form of delegating authorization from your login: you will say to your social media provider that the application can have access to elements of your profile and can be used as part of this process.
So OAuth is not an authentication protocol, it is an authorization protocol. XACML, as we said, is typically related to adaptive authentication; it is a newer standard and relates a little bit to XML. We’ll take a look at all of these standards in the technology section of the course, so don’t worry if you’re not aware of what these are just at this stage. But just be aware that OAuth and XACML relate to authorization, and that SAML and OpenID relate to authentication. So SAML and OpenID will deal with both authentication and authorization. SAML is a very longstanding technology, OpenID more recent. And OpenID is based upon OAuth. So OpenID extends the capabilities of OAuth to deal with authentication, as well as the delegated rights.

In this video, you will learn what authorization is in the context of IdAM. Importantly, authorization is different to authentication. In the IdAM context, authorization refers to the function of specifying access or privileges to a particular subject. Authorization is an ongoing process.
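The following is an added worked example, not code from the course or the video; it models the file-share scenario from the video (nine public folders and one top-secret folder, with separate list, read, write and delete rights) and the revocation-latency point. All names (the `analyst` and `intern` accounts, the `share/...` folder paths, the `policy` function and the two authorizer classes) are hypothetical, and the privilege data is constructed for illustration. It contrasts an authorizer that snapshots privileges at login with one that consults the live privilege store on every transaction, so you can see which one still grants access after the account has been suspended mid-session.

```python
"""Per-transaction authorization vs. session-cached privileges.

Hypothetical file-share model (constructed for illustration): every folder
carries a security label, every account carries a clearance plus a set of
rights, and an access policy decides each request.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, Set, Tuple


class Label(IntEnum):
    PUBLIC = 0
    TOP_SECRET = 1


Action = str  # one of ALL_ACTIONS
ALL_ACTIONS: Tuple[Action, ...] = ("list", "read", "write", "delete")


@dataclass
class Account:
    clearance: Label
    rights: Set[Action] = field(default_factory=set)


@dataclass
class PrivilegeStore:
    """Authoritative, mutable record of who has what (the IdAM directory)."""
    accounts: Dict[str, Account] = field(default_factory=dict)

    def revoke(self, user: str) -> None:
        # Suspension: drop the account to the lowest clearance with no rights.
        self.accounts[user] = Account(Label.PUBLIC, set())


# Constructed file share: nine public folders and one top-secret folder.
FOLDERS: Dict[str, Label] = {f"share/public-{i}": Label.PUBLIC for i in range(9)}
FOLDERS["share/top-secret"] = Label.TOP_SECRET


def policy(account: Account, folder: str, action: Action) -> bool:
    """Access policy: the clearance must dominate the folder's label AND the
    specific right must have been granted. Listing ignores the label so that
    a folder can be visible but inaccessible."""
    label = FOLDERS[folder]
    if action == "list":
        return "list" in account.rights
    return account.clearance >= label and action in account.rights


class SessionCachedAuthorizer:
    """Weak pattern: privileges are copied once at login and reused until the
    session ends, so a revocation is not felt until the next login."""

    def __init__(self, store: PrivilegeStore):
        self.store = store
        self.sessions: Dict[str, Account] = {}

    def login(self, user: str) -> None:
        acct = self.store.accounts[user]
        self.sessions[user] = Account(acct.clearance, set(acct.rights))  # snapshot

    def authorize(self, user: str, folder: str, action: Action) -> bool:
        return policy(self.sessions[user], folder, action)


class PerTransactionAuthorizer:
    """Every transaction is evaluated against the current privilege store,
    so a revocation is enforced on the very next request."""

    def __init__(self, store: PrivilegeStore):
        self.store = store

    def authorize(self, user: str, folder: str, action: Action) -> bool:
        return policy(self.store.accounts[user], folder, action)


def revocation_scenario() -> Dict[str, bool]:
    """Suspend an analyst mid-session and record what each enforcement style
    still lets them do. Returns decisions keyed by a short description."""
    store = PrivilegeStore({
        "analyst": Account(Label.TOP_SECRET, {"list", "read", "write"}),
        "intern": Account(Label.PUBLIC, {"list", "read"}),
    })
    cached = SessionCachedAuthorizer(store)
    live = PerTransactionAuthorizer(store)
    cached.login("analyst")

    results = {
        "analyst reads top-secret before revocation": live.authorize("analyst", "share/top-secret", "read"),
        "analyst deletes top-secret (right never granted)": live.authorize("analyst", "share/top-secret", "delete"),
        "intern lists top-secret (visible)": live.authorize("intern", "share/top-secret", "list"),
        "intern reads top-secret (inaccessible)": live.authorize("intern", "share/top-secret", "read"),
    }

    store.revoke("analyst")  # account suspended while the session is still open

    results["cached: analyst reads top-secret after revocation"] = cached.authorize("analyst", "share/top-secret", "read")
    results["live: analyst reads top-secret after revocation"] = live.authorize("analyst", "share/top-secret", "read")
    return results


if __name__ == "__main__":
    for desc, allowed in revocation_scenario().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {desc}")
```

Running the script prints one decision per line. The two lines that matter are the last pair: the session-cached authorizer still allows the suspended analyst to read the top-secret folder, while the per-transaction authorizer denies it immediately. In a real deployment the "live" lookup is usually a short-lived cache or a token with a small lifetime plus a revocation check rather than a directory query on every call, but the design goal is the same: the window between revoking a privilege and enforcing that revocation must be minutes, not the days that a login-time snapshot allows.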

Reflect and share: How is authorization used in your context? Share in the comments below.

This article is from the free online course Cyber Security Foundations: Identity and Access Management, created by FutureLearn.
