Security — AuthN vs AuthZ

Kumar Neeraj
Abjayon Inc.
5 min read · Jan 25, 2021


IT security is a broad term covering network, internet, endpoint, API, cloud, application, and container security, and much more. It is about establishing a set of security strategies that work together to protect your digital data, whether that is a web application or data held in the cloud, using IAM (Identity and Access Management) policies among other controls.

Not so long ago, IT security was a checkpoint at the end of the development cycle. Companies and businesses today are looking for ways to create an integrated security program so that they can adapt faster and more efficiently: security that is "built in, rather than bolted on!"

Authentication and authorization both play important roles in any security system, whether it is on-premise or in the cloud. Authentication confirms the identity of users, and authorization then grants them access to your website or application. It is vital that you understand the difference between the two so that you can determine which best suits your security needs.

Both terms are often used together in the context of security, especially when it comes to gaining access to a system, and both are key pieces of the web's service infrastructure. Although they are often used in the same context, and even with the same tool, they are completely distinct concepts.

Image Source : https://idratherbewriting.com/

What is Authentication?

Authentication confirms who you are, and a password is the most common authentication factor each of us uses daily: for example, when you log in to your workstation, your bank account, or your Unix server via an ssh client, or access your cloud server with the root password. On Unix-like systems, PAM (Pluggable Authentication Modules) wraps low-level authentication schemes behind a high-level application programming interface (API), which allows programs that rely on authentication to be written independently of the underlying authentication scheme.

Other technologies used in authentication include OTP (one-time passwords), biometrics, and MFA (multi-factor authentication), which is deployed to raise security beyond passwords alone.

What is Authorization?

Authorization is the process of confirming what you are permitted to do. For example, you are allowed to log in to your Unix server via an ssh client, but you are not allowed to browse other file systems. Authorization occurs after authentication succeeds. It is the way of making sure that an authenticated user has the necessary privileges to access a specific resource or perform a specific operation within an application.

Authorization is mostly implemented through the following elements:

· Privileges: Privileges grant access to specific operations. For instance, administrators have the privilege to create or disable other user accounts, while normal users will only be granted the privilege to change their own password and profile information.

· Access Control Lists (ACL): ACLs specify which users have access to a particular resource. For instance, a user must be included in the ACL of a specific file or folder in order to be able to access or modify it.

To assign privileges and ACLs to users in batches, applications might implement "roles" and "groups," which let the organization categorize users by the roles they perform or the groups they belong to (e.g. admin, security team, developers, QA associates).
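The privilege, ACL, role and group elements described above, combined into one authorization check, as an added Python example that is not from the original post. All role, group and ACL tables are constructed for illustration; the point to notice is that every lookup falls through to deny, so an unknown user, an unknown resource, or a missing ACL entry never yields access.

```python
from typing import Optional

# Constructed role -> privilege mapping (the "privileges" element above).
ROLE_PRIVILEGES = {
    "admin": {"user:create", "user:disable", "password:change", "profile:update"},
    "developer": {"password:change", "profile:update", "deploy:staging"},
    "qa": {"password:change", "profile:update"},
}

# Constructed user -> roles and user -> groups assignments.
USER_ROLES = {"alice": {"admin"}, "bob": {"developer"}, "carol": {"qa"}}
USER_GROUPS = {"alice": {"security-team"}, "bob": {"platform"}, "carol": {"platform"}}

# Constructed ACLs (the "ACL" element above): resource -> principal -> allowed actions.
# A principal is either a username or "group:<name>".
FILE_ACLS = {
    "/srv/app/config.yaml": {"group:platform": {"read"}, "alice": {"read", "write"}},
    "/srv/app/secrets.env": {"alice": {"read", "write"}},
}


def principals_for(user: str) -> set:
    """The identities an ACL entry can name for this user: the user plus each of their groups."""
    return {user} | {f"group:{g}" for g in USER_GROUPS.get(user, set())}


def has_privilege(user: str, privilege: str) -> bool:
    """Privilege check: true only if one of the user's roles grants the operation."""
    return any(privilege in ROLE_PRIVILEGES.get(role, set())
               for role in USER_ROLES.get(user, set()))


def acl_permits(user: str, resource: str, action: str) -> bool:
    """ACL check: the user (or one of their groups) must be listed on the resource with that action.
    Unknown resources and unlisted principals fall through to deny."""
    entries = FILE_ACLS.get(resource)
    if entries is None:
        return False
    return any(action in entries.get(p, set()) for p in principals_for(user))


def authorize(user: str, action: str, resource: Optional[str] = None) -> bool:
    """Decision the application makes after authentication has already succeeded:
    operations without a target resource are privilege checks, operations on a
    resource are ACL checks."""
    if resource is None:
        return has_privilege(user, action)
    return acl_permits(user, resource, action)


if __name__ == "__main__":
    print("alice may create users:", authorize("alice", "user:create"))
    print("bob may read config:", authorize("bob", "read", "/srv/app/config.yaml"))
    print("bob may write config:", authorize("bob", "write", "/srv/app/config.yaml"))
```

Adding a user to the `platform` group grants read access to every file whose ACL names that group, which is exactly the batch assignment the paragraph describes; removing the group entry from an ACL revokes it for all members at once.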

Looking at the same concepts in application development, OAuth is an open-standard authorization protocol (or framework) that describes how unrelated servers and services can safely allow authenticated access to their assets without sharing the original logon credential.

In both the application and the wider digital technology world, it is important to give security considerations the highest priority and to choose the best authentication and authorization tools and frameworks to protect organization and customer data and to comply with all applicable rules and regulations.

Authentication and Authorization in AWS

To work with AWS services and resources, you need both authentication and access control.

Authentication — To sign in to AWS, you must use credentials: root user credentials (not recommended, because of the breach risk a compromised root user carries), IAM user credentials, or temporary credentials obtained by assuming IAM roles.

Access control — AWS administrators use IAM policies to control access to AWS resources; all access is governed by the policies (managed or custom) attached to IAM users, roles, or groups.

Understanding the Basics of IAM

IAM (Identity and Access Management) is the key to understanding how AWS deals with Authentication and Authorization.

To help you understand the basics of how IAM works, review the following terms:

· Resources — AWS services, such as AWS Elemental MediaConvert, Amazon S3, and IAM, are made up of objects called resources. You can create, manage, and delete these resources from the service. IAM resources include users, groups, roles, and policies:

o Users — An IAM user represents the person or application that uses its credentials to interact with AWS. A user consists of a name, a password to sign in to the AWS Management Console, and up to two access keys that can be used with the AWS CLI or AWS API.

o Groups — An IAM group is a collection of IAM users. You can use groups to specify permissions for its member users. This makes it easier for you to manage permissions for multiple users.

o Roles — An IAM role doesn’t have any long-term credentials (password or access keys) associated with it. A role can be assumed by anyone who has the right permissions. An IAM user can assume a role to temporarily take on different permissions for a specific task. Federated users can assume a role by using an external identity provider that is mapped to the role. Some AWS services can assume a service role to access AWS resources on your behalf.

o Policies — Policies are JSON policy documents that define the permissions for the object that they are attached to. AWS supports identity-based policies that you attach to identities (users, groups, or roles). Some AWS services allow you to attach resource-based policies to resources to control what a principal (person or application) can do with that resource. AWS Elemental MediaConvert does not support resource-based policies.

· Identities — Identities are IAM resources for which you can define permissions. These include users, groups, and roles.

· Entities — Entities are IAM resources that you use for authentication. These include users and roles.

· Principals — In AWS, a principal is a person or application that uses an entity to sign in and make requests to AWS. As a principal, you can use the AWS Management Console, the AWS CLI, or the AWS API to perform an operation (such as deleting a job). This creates a request for that operation. Your request specifies the action, resource, principal, principal account, and any additional information about your request. All of this information provides AWS with context for your request. AWS checks all the policies that apply to the context of your request. AWS authorizes the request only if each part of your request is allowed by the policies.
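The policy evaluation described in the last bullet (and in the "Access control" paragraph above), as an added Python example that is not part of the original post or of AWS's own evaluation engine. It is a simplified model covering identity-based JSON policy documents only: a matching `Deny` statement wins over any `Allow`, and a request nothing allows is implicitly denied. The two policies and the ARNs are constructed for illustration; `NotAction`, `Condition`, resource-based policies, permission boundaries, SCPs and session policies are out of scope, and `*`/`?` wildcards are matched with `fnmatch`, which is an assumption that the ARNs contain no `[` characters.

```python
import json
from fnmatch import fnmatchcase

# Constructed identity-based policy in the JSON policy document format.
DEVELOPER_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Effect": "Deny",
     "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-bucket/private/*"}
  ]
}
""")

# Constructed broad policy, similar in shape to a full-access managed policy.
ADMIN_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
""")


def _as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    # IAM action names are case-insensitive; "*" and "?" are wildcards.
    return fnmatchcase(action.lower(), pattern.lower())


def statement_applies(statement: dict, action: str, resource: str) -> bool:
    """A statement applies when both its Action and its Resource match the request."""
    return (any(_action_matches(p, action) for p in _as_list(statement["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(statement["Resource"])))


def evaluate(policies: list, action: str, resource: str) -> str:
    """Return 'explicit_deny', 'allow', or 'implicit_deny' (the default when nothing matches)."""
    decision = "implicit_deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit_deny"   # a matching Deny overrides every Allow
            decision = "allow"
    return decision


if __name__ == "__main__":
    for act, res in [("s3:GetObject", "arn:aws:s3:::example-bucket/public/report.csv"),
                     ("s3:GetObject", "arn:aws:s3:::example-bucket/private/key.pem"),
                     ("s3:PutObject", "arn:aws:s3:::example-bucket/public/report.csv")]:
        print(act, res, "->", evaluate([DEVELOPER_POLICY], act, res))
```

Attaching the broad policy alongside the developer policy turns the `PutObject` request from an implicit deny into an allow, but the `private/` prefix stays denied, which is why an explicit `Deny` is the reliable way to carve an exception out of a wide grant.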

References: https://docs.aws.amazon.com/


I am working as Senior Tech Consultant with interest in Technical and or Process related stuff