From the course: CISSP Cert Prep (2021): 5 Identity and Access Management

Identification, authentication, and authorization

- [Instructor] As security professionals, one of the most important things that we do is to ensure that only authorized individuals gain access to information, systems, and networks under our protection. The access control process consists of three steps that you must understand. These steps are identification, authentication, and authorization. During the first step of the process, identification, an individual makes a claim about their identity. The person trying to gain access doesn't present any proof at this point; they simply make an assertion. It's important to remember that the identification step is only a claim, and the user could certainly be making a false claim. Imagine a physical-world scenario where you want to enter a secure office building where you have an appointment. During the identification step of the process, you might walk up to the security desk and say, "Hi, I'm Mike Chapel." Proof comes into play during the second step of the process, authentication. During the authentication step, the individual proves their identity to the satisfaction of the access control system. In our office building example, the guard would likely want to see my driver's license to confirm my identity. Just proving your identity isn't enough to gain access to a system, however. The access control system also needs to be satisfied that you are allowed to access the system. That's the third step of the access control process, authorization. In our office building example, the security guard might check a list of that day's appointments to see if it includes my name. When you get ready for the exam, it's very important that you remember the distinction between the identification and authentication phases. Be ready to identify the phase associated with an example of a mechanism. So far, we've talked about identification, authentication, and authorization in the context of gaining physical access to a building.
Let's talk about how these concepts apply in the digital world. When we go to log into a system, we most often identify ourselves using a username, most likely composed of some combination of the letters from our name. When we reach the authentication phase, we're commonly asked to enter a password. There are many other ways to authenticate, and we'll talk about those later in this course, as well as how strong access control systems combine multiple authentication approaches. Finally, in the digital world, authorization often takes the form of access control lists that itemize the specific permissions granted to an individual user or group of users. Users proceed through the identification, authentication, and authorization processes when they request access to a resource. In addition to this process, access control systems also provide accounting functionality that allows administrators to track user activity and reconstruct it from logs. Together, the activities of authentication, authorization, and accounting are commonly described as AAA. As you design access control systems, you'll need to think about the mechanisms that you use to perform each of these tasks. You'll also want to consider the environment supported by identity and access management mechanisms. In a modern computing environment where organizations combine resources from both cloud and on-premises systems, you'll want an identity and access management system that can work across both cloud and on-premises environments.
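The following is an added example, not code from the course or its instructor, that walks the digital version of the three steps plus accounting in Python: `identify()` only records the claimed username, `authenticate()` verifies a password against a salted PBKDF2 hash, `authorize()` consults an access control list, and every decision is appended to an audit log. The usernames, passwords, resource paths and ACL entries are constructed for illustration and are not from the page.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Constructed sample directory: password hashes are derived at import time from
# constructed plaintext passwords, so nothing here is a real credential.
_PBKDF2_ITERATIONS = 200_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _PBKDF2_ITERATIONS)


def _make_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}


# Identity store: username -> salted password hash (constructed for this example).
USERS = {
    "alice": _make_record("correct horse battery staple"),
    "bob": _make_record("hunter2"),
}

# Access control list: resource -> {username: set of permissions} (constructed).
ACL = {
    "/finance/reports": {"alice": {"read", "write"}, "bob": {"read"}},
    "/hr/salaries": {"alice": {"read"}},
}

# Accounting log: one entry per decision so administrators can reconstruct activity.
AUDIT_LOG: list = []


def _record(event: str, username: str, **details) -> None:
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "event": event,
        "user": username,
        **details,
    })


def identify(claimed_username: str) -> str:
    """Step 1: accept the claim. No proof is checked here; the name may be false."""
    _record("identify", claimed_username)
    return claimed_username


def authenticate(username: str, password: str) -> bool:
    """Step 2: prove the claim by verifying the password against the stored hash."""
    record = USERS.get(username)
    # Hash against a dummy salt when the user is unknown so that an unknown name
    # and a wrong password take roughly the same time (limits username enumeration).
    salt = record["salt"] if record else b"\x00" * 16
    candidate = _hash_password(password, salt)
    ok = record is not None and hmac.compare_digest(candidate, record["hash"])
    _record("authenticate", username, success=ok)
    return ok


def authorize(username: str, resource: str, permission: str) -> bool:
    """Step 3: check whether the authenticated user holds the permission in the ACL."""
    allowed = permission in ACL.get(resource, {}).get(username, set())
    _record("authorize", username, resource=resource, permission=permission, success=allowed)
    return allowed


def request_access(claimed_username: str, password: str, resource: str, permission: str) -> str:
    """Run identification, authentication and authorization in order; report the outcome."""
    user = identify(claimed_username)
    if not authenticate(user, password):
        return "denied: authentication failed"
    if not authorize(user, resource, permission):
        return "denied: not authorized"
    return "granted"


if __name__ == "__main__":
    print(request_access("alice", "correct horse battery staple", "/finance/reports", "write"))
    print(request_access("bob", "hunter2", "/finance/reports", "write"))
    print(request_access("bob", "wrong password", "/finance/reports", "read"))
    for entry in AUDIT_LOG:
        print(entry)
```

Note how a valid login for `bob` is still refused at the third step: authentication established who he is, but the ACL, not the password check, decides what he may do. The audit log is what gives the accounting part of AAA; each step writes its own entry so a failed attempt can be distinguished later from a successful login that was merely not authorized.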
