Basic Security Principles & Terms I / Authentication & Authorization
Subtitles of the Movie
Now let's talk about two other security principles, two other terms that we may have heard before. Frequently we might get these two terms confused and those two terms are authentication and authorization. Again, they are frequently confused because people think that being authenticated and being authorized are the same thing and they're really not. Authentication in the security world means to be positively identified as a user. Authorization, on the other hand, means to be allowed to perform an action or perform an action, a privilege rather, after you are authenticated. And we're going to talk about both of those in depth.
First of all, let's talk about authentication. Now, this is what happens first when we present our credentials to a computer system. Authentication is the act of presenting identity of some form to the system and having the system confirm that identity. Now, our identity could be presented using a variety of mechanisms. Most common might be user name and password combination. All of us who have used computers probably have used user name and password combinations. Other methods exist, such as smartcards, personal identification numbers and biometrics. We'll cover all these methods later on in the course, but those are essentially the ways we most commonly authenticate to a computer system.
So we present this identity, user name and password, biometrics or whatever to the system and it takes this information and compares it to information that's stored in a system database such as a user accounts database. It verifies that information with what it has in the system and then based upon that information, if it's verified as being the same, then you're authenticated. If it's not, then you're not authenticated and you're not allowed to log on to the system.
Now, if the user is in fact authenticated, they're issued a token or some other mechanism, depending upon the operating system and how it works, to track this activity and provide access only to authorized information.
Now, speaking of authorization, again, that takes place after authentication. Once I'm authenticated in the system, that's where authorization has to come into play because even if I'm authenticated into the system, I still have to be authorized to access certain data: files, folders and so forth, and normally the system administrator or someone else has authorized me to do that. Normally we implement authorization through permissions, rights or privileges to an object or the ability to perform certain actions, such as shut down the system or create user accounts for example. Those are things that I have to be authorized to do because technically I could be authenticated to the system and not really be authorized to do anything. So those are two separate processes you need to be aware of.
And once again, authentication and authorization normally are granted by system administrators or managers. My credentials are fed into the system, into the user accounts database, maybe my account is created, someone authorizes that. Then I authenticate and someone else has to authorize me to access certain resources. Now, authorization specifies what I can do to what object. Can I read a file? Can I write to that file? Do I have permission to delete that file and so forth? That essentially is authentication and authorization in a nutshell. Again, two separate terms that don't mean the same thing and unfortunately, sometimes are used interchangeably and sometimes there's some confusion over what they mean. But you as a security professional need to know that there is a difference.
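
The two steps described in the transcript, as an added example that is not part of the course material: credentials are compared with a user accounts database, a token is issued on success, and every action on an object is then checked separately against permissions. All account names, passwords, objects and permissions are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def _hash(password, salt):
    # Store a salted, slow hash in the accounts database, never the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

ACCOUNTS = {}   # user accounts database: name -> (salt, password hash)
SESSIONS = {}   # tokens issued after authentication: token -> user name
ACL = {         # authorization data: object -> {user: permitted actions}
    "payroll.xls": {"alice": {"read", "write"}},
    "system": {"alice": {"shutdown"}},
}

def create_account(name, password):
    salt = secrets.token_bytes(16)
    ACCOUNTS[name] = (salt, _hash(password, salt))

def authenticate(name, password):
    """Compare presented credentials with the stored record.

    Returns a fresh token on success, None otherwise.
    """
    record = ACCOUNTS.get(name)
    if record is None:
        return None
    salt, stored = record
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(stored, _hash(password, salt)):
        return None
    token = secrets.token_hex(16)
    SESSIONS[token] = name
    return token

def authorize(token, action, obj):
    """Allow an action only for an authenticated user who holds that permission."""
    user = SESSIONS.get(token)
    if user is None:
        return False            # never authenticated, so nothing is authorized
    return action in ACL.get(obj, {}).get(user, set())

# Constructed accounts: alice has permissions, bob has an account but none.
create_account("alice", "correct horse")
create_account("bob", "hunter2-constructed")
```

Here bob can log on and receive a token, yet every `authorize` call for him returns False, which is the "authenticated but not authorized to do anything" case from the transcript.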
Tutorial Information
| Course: | Fundamentals of Computer Security |
| Author: | Bobby Rogers |
| SKU: | 33874 |
| ISBN: | 1-934743-69-0 |
| Release Date: | 2008-05-21 |
| Duration: | 8.5 hrs / 92 lessons |
| Captions: | Available on CD and Online University |
| Compatibility: | Vista/XP/2000, OS X, Linux QuickTime 7, Flash 8 |