From the course: Introduction to Identity and Access Management

Authentication, authorization, and accounting

- There are three key concepts that are foundational to identity and access management: authentication, authorization, and accounting. These concepts are the basis of everything we will build on, so this is a good one to spend some extra time understanding. Let's talk about each one of them separately.

Authentication is the process of recognizing a user's identity. This is done by validating who they claim to be. How do you validate who you are? Usually, it is some additional data that is specific to that person, and it should be hard to reproduce or guess. If you validate your credentials, such as a password, correctly, you get access. If not, access is denied. Think of authentication as a two-part process. A good way of thinking of this is something you are and something you have. Check out the next video for a deep dive into authentication and the different ways to validate who you are. Just remember, others need to know who you are, and you have to prove it. Authentication is proving who you are.

Authorization is determining what you are entitled to have access to. Authorization is defined as giving someone permission to do or have something. Another way to say that is giving the user access to a resource. An important note is that authorization always takes place after authentication. When you are on a site, say Globe Bank, and put in your username and password, which is authentication, you get access to your transaction history, which is giving you authorization to that information. Authorization is the key element that organizations can use to control permissions to important information. When organizations build proper access controls through authorization, their users can access what they need when they need it, but nothing more than they need. When implemented properly, it is one of the strongest security controls a company can implement, with the greatest impact.

Once authentication and authorization are in place, the way to ensure they are working properly is the use of the third component of identity and access management, which is accounting. Accounting is the process of measuring the resources the user consumes while they have access. Some people call this monitoring when someone accesses a system. Examples can be the time logged into a system, the data they reviewed or changed while in the system, or even where they logged into the system from. The reason the practice of accounting is important is to ensure that the access you have granted to users is being used as intended, and to ensure that access to your systems by someone not granted access is not occurring. It should be done on a regular basis for your most critical systems, since these tend to be the most targeted places for hackers to try to take advantage.

Now let's pull all three concepts together with an example. When you go into your workplace, you may have a badge to prove who you are, which is authentication. Once you swipe your badge to your office floor, if you have permission to access that particular area, the locked door will open, which is authorization. On a monthly basis, the security group will run a report to ensure that only authorized people have accessed the building. That is accounting. The three key concepts for identity and access management, authentication, authorization, and accounting, help organizations maintain proper access to resources and provide a process for checking that it is accurate.
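The Globe Bank flow described above, as an added Python example that is not part of the course: authentication checks a salted password hash, authorization is only consulted after authentication succeeds, and every attempt is written to an audit log that a periodic accounting report reviews. The user store, permission names, IP addresses and passwords are constructed for the example.

```python
import hashlib
import hmac
from collections import Counter

# Constructed user store (not a real system): per-user salt, password hash and
# the permissions each user is entitled to.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

USERS = {
    "alice": {"salt": b"salt-alice", "perms": {"transactions:read"}},
    "bob":   {"salt": b"salt-bob",   "perms": set()},
}
USERS["alice"]["hash"] = _hash_password("correct horse battery", USERS["alice"]["salt"])
USERS["bob"]["hash"] = _hash_password("hunter2", USERS["bob"]["salt"])

AUDIT_LOG: list[dict] = []  # accounting: one record per access attempt

def authenticate(username: str, password: str) -> bool:
    """Authentication: prove the caller is who they claim to be."""
    rec = USERS.get(username)
    if rec is None:
        return False
    candidate = _hash_password(password, rec["salt"])
    return hmac.compare_digest(candidate, rec["hash"])  # constant-time comparison

def authorize(username: str, permission: str) -> bool:
    """Authorization: is this (already authenticated) user entitled to the resource?"""
    return permission in USERS[username]["perms"]

def access(username: str, password: str, permission: str, source_ip: str) -> bool:
    """Authorization runs only after authentication succeeds; every attempt is logged."""
    if not authenticate(username, password):
        outcome = "auth_failed"
    elif not authorize(username, permission):
        outcome = "denied"
    else:
        outcome = "granted"
    AUDIT_LOG.append({"user": username, "perm": permission, "ip": source_ip, "outcome": outcome})
    return outcome == "granted"

def accounting_report(log: list[dict]) -> dict:
    """Periodic review: usage per user, plus attempts by people without the entitlement."""
    usage = Counter((e["user"], e["outcome"]) for e in log)
    suspicious = [e for e in log if e["outcome"] != "granted"]
    return {"usage": dict(usage), "suspicious": suspicious}
```

Call `access()` for a few users and then `accounting_report(AUDIT_LOG)` to see granted reads alongside the denied and failed attempts a reviewer would follow up on.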
