Authorisation (AuthZ)

Authorisation, often referred to by the abbreviation ‘AuthZ’, is the third and final step of the IAM process (Identity and Access Management). It is a process in which roles and rights are central, and it is a crucial element in the secure use of applications, networks, devices and digital environments. But what exactly does authorisation mean? How does it differ from the concept of authentication? In this article, we delve deeper into the concept of authorisation, unravel its complexities and highlight the pivotal role it plays in the world of cybersecurity.

What is authorisation?

Authorisation, also referred to as ‘AuthZ’, is the process that follows authentication within the Identity and Access Management (IAM) framework. Once authenticated, authorisation determines which actions a user may perform within a system, network, device or digital environment. It signifies the phase where permissions and privileges are allocated to individual users or user groups.

In the realm of authorisation, roles and rights take centre stage. Each role defines a particular set of permissions that a user is granted within a system. For instance:

  • An ‘administrator’ role might have the right to:
    • Create and delete user accounts
    • Modify system settings
    • Manage access permissions
  • A ‘user’ role might solely have the right to:
    • View and edit their personal account information
    • Perform specific tasks pertinent to their role

Authorisation is, therefore, a cornerstone of a robust security framework. It’s designed to guarantee that only qualified individuals access the right information and tools, and that they can only perform actions required for their designated role. This helps preserve the integrity and confidentiality of critical information and reduces the risk of unauthorised access and misuse.

How do you regulate authorisation?

Authorisation is a delicate process, especially when it touches upon business-critical or privacy-sensitive information. This is why one must be exceedingly cautious about granting access to a particular file or online environment. Consequently, most organisations employ a system with clearly defined roles and permissions. However, the exact manner in which organisations manage authorisation can vary, reflecting their unique demands and governance models. Common strategies encompass:

  • Defining roles and permissions: This is the initial step in the process. It involves determining the various roles within your organisation (such as administrator, user, guest, etc.) and assigning the respective permissions to each role.
  • Implementation of access control models: Several models can be utilised to manage authorisation, including:
    • Role Based Access Control (RBAC): In this method, users are allocated to specific roles, and access is granted based on the user’s role. For instance, a user with the ‘administrator’ role might have full access to all systems, whereas a user with a ‘guest’ role might only have access to particular information.
    • Attribute Based Access Control (ABAC): This approach uses user attributes, such as the department or location of the user, to decide their authorisation for accessing specific resources. A user might be granted access to certain customer data if they are in the ‘sales’ department but not if they are in the ‘finance’ department.
    • Risk Based Conditional Access: This involves defining precise rules that determine whether a user has access to certain resources. One rule might state that users with the ‘manager’ role can access specific resources, but only when on the company network and only between 9 am and 5 pm.
  • Enforcing the authorisation policy: This involves ensuring consistent compliance with the set roles and permissions. This can be achieved through frequent audits, combined with automated tools designed to identify and prevent unauthorised access attempts.
  • Ongoing review and adjustment: Authorisation policies should be periodically reviewed and updated to maintain their effectiveness and to respond to changing circumstances and threats.
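The three access control models above can be combined into a single policy decision that denies by default. The following is an added example written for this article, not code from any product: role permissions, the corporate network range and the office hours are constructed placeholder values, and the rule that a resource may list the departments allowed to see it is an assumption about how the ABAC example would be encoded.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

# Constructed policy data for this example (placeholder values, not a real deployment).
ROLE_PERMISSIONS = {
    "administrator": {"*"},                      # full access, as in the RBAC example
    "guest": {"public:read"},
    "sales_rep": {"customers:read"},
    "manager": {"reports:read", "customers:read"},
}
COMPANY_NETWORK = ip_network("10.0.0.0/8")       # assumed corporate address range
OFFICE_HOURS = (time(9, 0), time(17, 0))         # 9 am to 5 pm

@dataclass
class Subject:
    user: str
    roles: set
    department: str

@dataclass
class Context:
    source_ip: str   # address the request came from
    now: str         # local time of the request, "HH:MM"

def rbac_allows(subject, permission):
    """Role Based Access Control: the union of the permissions of the subject's roles."""
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in subject.roles))
    return "*" in granted or permission in granted

def abac_allows(subject, resource):
    """Attribute Based Access Control: a resource may name the departments allowed to see it."""
    allowed = resource.get("departments")
    return allowed is None or subject.department in allowed

def conditional_allows(resource, ctx):
    """Conditional access: some resources are reachable only from the company network in office hours."""
    if not resource.get("onsite_hours_only"):
        return True
    on_network = ip_address(ctx.source_ip) in COMPANY_NETWORK
    in_hours = OFFICE_HOURS[0] <= time.fromisoformat(ctx.now) <= OFFICE_HOURS[1]
    return on_network and in_hours

def is_authorised(subject, permission, resource, ctx):
    """Policy decision: deny unless every applicable rule grants the request."""
    return (rbac_allows(subject, permission)
            and abac_allows(subject, resource)
            and conditional_allows(resource, ctx))
```

Because the decision is a conjunction of rules, a request that no rule explicitly grants (for example a subject with no roles) is refused, which is the least-privilege default a policy enforcement point should start from.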

Based on the role, department, function or project within an organisation, you determine who has what permissions and abilities. Some individuals might only be allowed to read files, while others can modify those same documents. For instance, a manager or board member will likely have more rights than someone on the shop floor. There are several points to consider when developing and implementing a sound authorisation policy:

  • Assign access rights by team, function or role, and not on an individual basis. Roles and access rights often change when individuals take on different roles within the organisation.
  • Ensure that all systems containing personal data or information about roles or rights use the same data sources or are at least interlinked.
  • Ensure that employees do not have multiple accounts. This can lead to confusion and increases the risk of errors in authorisation.
  • Building on the previous point, it’s crucial to use individual accounts instead of group accounts.
  • Implement clear, well-defined procedures for onboarding, transitions and offboarding of staff members.

By following these steps, you can set up a robust and efficient authorisation process that helps protect your organisation against unauthorised access and misuse.

PAM and the principle of least privilege

Two concepts vital in the realm of authorisation are privileged access management (PAM) and the ‘principle of least privilege’. The former refers to the discipline that helps secure, monitor, manage and oversee privileged access to the IT infrastructure and network. Only a select group of users has such extensive rights, and they don’t always require them.

The principle of least privilege entails that every user, every program and every process should only have the absolute minimum rights necessary to perform their tasks. This implies that users should only be granted access to the resources and functions they need to do their job, and nothing more. This helps reduce the risk of security vulnerabilities and unintentional or malicious damage.

The difference between authentication and authorisation

Authentication is often confused with authorisation. The two terms certainly overlap and both are part of the IAM (Identity and Access Management) process. However, they truly have distinct meanings.

To clarify the difference between authentication and authorisation, let’s use an analogy. Imagine you are going on holiday and you ask your neighbour to feed your cat and water the plants in your house. A key that allows your neighbour to open your front door represents authentication, similar to the login credentials that grant users access to a digital system or a secure online environment.

Authorisation, on the other hand, pertains to what the neighbour is allowed to do inside your house. Of course, he can take the cat food out of the cupboard and get water from the tap. However, you would probably prefer for him not to rummage extensively through your filing cabinet or email inbox. In IAM terms, this means that authorisation determines exactly what someone can do with a specific file or application within a given system.

Authentication vs. authorisation: A deep dive

Authentication, often referred to as ‘AuthN’, is the first step in the access management process. It is the process by which a system verifies a user’s identity. This is typically done using a username and password, but it can also include other methods such as biometric data, one-time passwords (OTPs) or multi-factor authentication (MFA). The purpose of authentication is to confirm that the user is who they claim to be.

Authorisation, on the other hand, is the next step after authentication. As we discussed earlier, authorisation is the process that determines what actions an authenticated user is permitted to perform within a system, network, device or digital environment. It involves granting rights and privileges to individual users or groups of users, based on their role.

It is important to understand that authentication and authorisation go hand in hand – you can’t have effective authorisation without first having robust authentication. However, while authentication is about verifying the identity of a user, authorisation is about managing their access to resources once their identity has been verified.

By understanding the difference between these two concepts, you can implement a more effective and secure access management policy.

The importance of authorisation in cybersecurity

In today’s digital world, cybersecurity is of the utmost importance. With the growing amount of sensitive information stored and exchanged online, it is crucial to ensure this information is protected from unauthorised access and misuse. This is where authorisation plays a pivotal role.

Authorisation is a crucial component of an effective cybersecurity policy. It helps to safeguard the integrity and confidentiality of sensitive information by determining who has access to which resources and under what conditions. Here are some reasons why authorisation is so vital in cybersecurity:

  1. Safeguarding sensitive information: By setting clear guidelines on access rights, authorisation ensures that sensitive information is shielded from unauthorised access and potential misuse.
  2. Containing damage during a security breach: Should an intruder breach a system, a well-defined authorisation framework can curtail the damage by limiting the intruder’s access to different system segments.
  3. Complying with legal and regulatory requirements: Many industries and jurisdictions have laws and regulations mandating that organisations implement specific security measures, including effective authorisation.
  4. Building trust with customers and partners: A robust authorisation policy can assist in gaining the trust of customers and partners by demonstrating that you take their data seriously and are taking measures to protect it.

In summary, authorisation is a cornerstone of cybersecurity and plays a pivotal role in protecting sensitive information from unauthorised access and misuse.

Use cases of authorisation

Authorisation is relevant in a wide range of scenarios, particularly in settings where access to information and resources must be supervised and managed. Here are some instances of authorisation use cases:

  1. Company networks: Within a company network, authorisation can be utilised to determine which employees can access certain resources. For example, an HR department staff member might need access to personnel files, while an employee in the finance department may need access to financial data.
  2. Cloud services: Many companies utilise cloud services for purposes such as data storage, collaboration and software development. Authorisation can be employed to determine which users have access to specific services and data.
  3. Mobile apps: Mobile applications often use authorisation to decide which users can access certain features and data. For instance, a banking app might have different authorisation levels for customers, bank staff and system administrators.
  4. E-commerce websites: On an e-commerce site, authorisation can be used to determine which users have access to specific features. For example, a customer might need access to product pages and the shopping cart, while a site administrator might need access to inventory management and order processing.
  5. Healthcare systems: In healthcare, authorisation can be used to decide which healthcare providers have access to certain patient data. This is particularly important to protect the privacy of patients and to comply with laws and regulations such as GDPR.

These examples highlight how versatile and essential authorisation is in different environments and applications.