Monday, December 26, 2011

Identification, Authentication, and Authorization

If you're studying for one of the security certifications like CISSP, SSCP, or Security+ it's important to understand the difference between identification, authentication, and authentication. These concepts are intertwined, but have specific differences. When looking at these topics, especially for the SSCP and CISSP exams, it's important to understand the differences between subjects and objects.
  • Subject. A subject is the active entity that accesses an object. For example, when a user accesses a file, the user is the subject. Other subjects include programs, processes, and any entity that can access a resource.
  • Object. An object is a passive entity that is being accessed by a subject. For example, when a user accesses a file, the file is the object. Other objects include databases, computers, printers, or any other resource that can be accessed by a subject.

Pass the Security+ exam the first time you take it.
CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide


Identification occurs when a user (or any subject) claims or professes an identity. This can be accomplished with a username, a process ID, a smart card, or anything else that can uniquely identify a subject. Security systems use this identity when determining if a subject can access an object.

Looking for quality Practice Test Questions for the SY0-301 Security+ exam?
CompTIA Security+: Get Certified Get Ahead- SY0-301 Practice Test Questions


Authentication is the process of proving an identity and it occurs when subjects provide appropriate credentials to prove their identity. For example, when a user provides the correct password with a username, the password proves that the user is the owner of the username. In short, the authentication provides proof of a claimed identity.

There are several methods of authentication that I'll cover in another post, but in short they are:
  • Something you know, such as a password or PIN
  • Something you have, such as a smart card, CAC, PIV, or RSA token
  • Something you are, using biometrics

Studying SSCP?
This book covers the new objectives effective Feb 1, 2012.
SSCP Systems Security Certified Practitioner All-in-One Exam Guide


Once a user is identified and authenticated, they can be granted authorization based on their proven identity. It's important to point out that you can't have separate authorization without identification and authentication. In other words, if everyone logs on with the same account you can grant access to resources for everyone, or block access to resources for everyone. If everyone uses the same account, you can't differentiate between users. However, when users have been authenticated with different user accounts, they can be granted access to different resources based on their identity.

In summary, it's important to understand the differences between identification, authentication, and authorization when studying for security exams such as the Security+, SSCP, or CISSP exams. Identification occurs when a subject claims an identity (such as with a username) and authorization occurs when a subject proves their identity (such as with a password). Once the subject has a proven identity, authorization techniques can grant or block access to objects based on their proven identities.