
Cybersecurity Basics #8 - Authentication, Authorization, & Need To Know

Authentication and authorization are two critical concepts that are intertwined. Understanding the difference and their purpose is key to understanding cybersecurity.


Watch this episode on YouTube.

Reasonably Accurate Transcript

Morning, everybody, hope you're having a fantastic start to your day. This is Mornings with Mark. We are going to continue the cybersecurity basics topics today with one that people mix up all the time. In fact, as you can see, I'm outside. I actually pre-recorded this segment simply because of all the construction going on in my office as well as around the neighborhood.

And the first take, I actually got this one wrong. So thankfully, it wasn't live, but it's easy to get these two concepts mixed up. So we're going to talk about authorization and authentication. So the unfortunate thing is they both shorten to "auth", but authorization is the concept of what somebody is allowed to do.

Authentication is making sure somebody is who they say they are. So let's start with authentication. So, authentication is something that we all use all the time, any time you log in with a username and a password and hopefully multi-factor authentication, which we covered a bit in the passwords video.

That's an authentication; that's verifying that I'm me. So when I log in with Mark and my super secret password, that's really long. It's actually a passphrase, right? Because we listened to the Mornings with Mark on passwords in the cybersecurity basics.

Then what's going to happen is that the system is going to authenticate that I am, in fact, who I say I am. So it says, ok, passphrase lines up with what I'm expecting. Your multi-factor is valid.

You are, in fact, Mark. I have authenticated you to be Mark; I know who you are. That's the system, right? That's authentication: verifying who somebody is. Now, the next concept, authorization, is a little bit trickier.

Authorization is: now that the system knows I'm Mark, what am I allowed to do? So let's say I'm logging into my email. When I log in as Mark, it says, ok, I know you're Mark, you've passed the test of having the right username and passphrase combination.

You have the correct multi-factor authentication. Ok? You're Mark. Now what? Well, you're allowed to see Mark's inbox and his sent items and all of the data associated with Mark. But you can't see Fred's or Joe's or Bob's or Pauline's or Francine's, or whomever's. You are only authorized to see the data for that one user account.

So it's a pretty simple, easy, understandable explanation, but it gets far more complicated when you think of something like Facebook. So when you're making a post on Facebook, you've logged in, you've authenticated as yourself.

Now you're making a post, and when you actually make a post, you're making an authorization decision. You're setting that the post is available to the public, which means everybody is authorized to see this post, or you could send it to friends.

And therefore Facebook is going to verify that Fred and Francine are in fact friends of Mark and now they are authorized to see that post. So you can see how the authentication and authorization work hand in hand.

Again, authentication is who you are: are you who we think you are? And authorization is what are you allowed to do? Now, there's another concept that applies more to operational security that's tied directly to authorization.

This is one that a lot of people struggle with because it goes against our nature of wanting to share things, and that's a sort of subset of authorization: need to know. So simply, if you're at a large clearance level, so if you're in an organization that has certain clearances, need to know means you may be approved for that level of information, but you might not be on that particular project.

So it's a refinement of authorization: just because I trust you doesn't mean I trust you with everything. There are certain things that, operationally, it makes more sense to keep in a closed loop. So I'll give you an example: if you're working with an and you have a partnership that you're working on, and that's under something like a non-disclosure agreement, that's a legal agreement between two parties saying that, ok, we are not going to share this information outside of these specific circumstances.

You may be tempted to talk to your teams about it and say, hey, we're doing this really great partnership. There's lots of cool stuff going on. We're really excited about it. The question is, do they need to know?

So they may be authenticated, they're internal employees, and they may be authorized to know this information. But do they actually need to know it? So it's a refinement here, because you say, well, yeah, of course they need to know it.

We want them to be excited about the partnership. That's OK. That's great. That's wonderful. Obviously, it's a great business opportunity. But the question is, do they need to know about it now or can it wait?

There's this temptation to share information as quickly as possible and certainly that may be appropriate. Maybe in this case, you don't want to share it with everybody, but you want to let the head of marketing know and they might want one or two people working on this early, but not everybody in the team needs to know.

You might need somebody in product to know about it to make some features in. And then there's a squad of developers that are going to be working on that functionality and they should know, but maybe not everybody, not every engineer needs to know.

And the reason why you want to consider something like need to know on top of authorization is the fact that there's a risk if you have this partnership, maybe it's politically sensitive, maybe both companies are working towards some big announcement.

You don't want that coming out early, and the more people you loop in, the more likely that is to leak out. So we've got these three concepts: authentication, who you are, can I make sure I know who you are? Authorization, what are you allowed to do?

And then the application of authorization in this concept of need to know: do you actually need to know this information, even though you're authorized and I'm ok with you knowing it, you've passed your background check, you're in the inner circle, whatever the case may be.

Do you need to know it now or can you know it later? So a little bit tricky, but these are key core concepts for cybersecurity. Everything we do is built around authentication and then authorization.

Unfortunately, we get decently good at authentication; we're not great at authorization. We tend to have very choppy blocks of it. So Facebook is a good example. Facebook has a very granular permission system that most people never access.

You can literally make a post that is only viewable by one person. Very simple to do. Very easy to do. If you know what to look for. Most people end up defaulting to public or friends, maybe friends of friends and that's it.

Because it's far easier to administer. And that's where authorization falls down: it can be complicated to administer in narrow, sort of very fine decisions. So people take these big broad decisions and they say, you know what, you're either inside the organization or you're out, and that's all we're going to do.

I strongly encourage you to dive deeper into this concept, especially how it's applied in your organization, to try to be far more specific so that you can tailor that down. Because the more people that know an issue, the more information is shared.

So it can be a very positive boost, but it needs to be balanced with the risk of that sharing of the information. So what do you think? What do you deal with? Do you understand authentication, authorization?

Was this helpful? How do you apply need to know? Let me know online at marknca, for those of you on the vlogs in the comments down below, and as always by email at markn.ca. Love to hear what you're thinking, also in the broader sense of this series of cybersecurity basics.

What topics haven't we tackled? What should we be tackling? Let me know. I hope you are set up for a fantastic day. I will talk to you online and I'll see you on the show tomorrow.
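As an added illustration (not code from the episode), here is a small Python model of the three decisions in the order described above: authenticate the passphrase and MFA code, authorize against mailbox ownership and clearance level, then apply need to know by project membership. The users, passphrases, MFA codes, clearance levels, resource names and project name are all constructed for the demo.

```python
import hashlib
import hmac
_SALT = b"constructed-demo-salt"  # shared salt keeps the demo short; use per-user salts in practice
def _hash(passphrase: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), _SALT, 50_000)

# Constructed directory: passphrase hash, MFA code, clearance, projects read into.
USERS = {
    "mark": {"hash": _hash("really long pass phrase for mark"), "mfa": "246810",
             "clearance": 3, "projects": {"partnership-x"}},
    "fred": {"hash": _hash("fred also uses a long pass phrase"), "mfa": "135790",
             "clearance": 3, "projects": set()},
}
# Constructed resources: owner (mailboxes), clearance required, NDA compartment.
RESOURCES = {
    "inbox:mark": {"owner": "mark", "clearance": 0, "project": None},
    "inbox:fred": {"owner": "fred", "clearance": 0, "project": None},
    "memo:partnership-x": {"owner": None, "clearance": 3, "project": "partnership-x"},
}

def authenticate(username: str, passphrase: str, mfa_code: str) -> bool:
    """Step 1, who are you: passphrase and MFA code must both check out."""
    user = USERS.get(username)
    if user is None:
        return False
    # constant-time comparisons so a mismatch does not leak through timing
    return (hmac.compare_digest(_hash(passphrase), user["hash"])
            and hmac.compare_digest(mfa_code, user["mfa"]))

def authorized(username: str, resource: str) -> bool:
    """Step 2, what may you do: only your own inbox; cleared items need the level."""
    res = RESOURCES[resource]
    if res["owner"] is not None:
        return res["owner"] == username
    return USERS[username]["clearance"] >= res["clearance"]

def need_to_know(username: str, resource: str) -> bool:
    """Step 3, being cleared is not enough: you must be on that project."""
    project = RESOURCES[resource]["project"]
    return project is None or project in USERS[username]["projects"]

def access(username: str, passphrase: str, mfa_code: str, resource: str) -> str:
    """Run the three decisions in order and report which gate stopped the request."""
    if not authenticate(username, passphrase, mfa_code):
        return "denied: not authenticated"
    if not authorized(username, resource):
        return "denied: not authorized"
    if not need_to_know(username, resource):
        return "denied: no need to know"
    return "allowed"
```

The reason string is what you would want in an audit log; what is shown back to the requester is usually a plainer "denied" so the response does not reveal which gate failed.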
