
Identification, Authorization, Access control

  • Writer: richard vonk
  • Nov 15, 2024
  • 5 min read

Updated: Jan 3

"Do you have an email? I can grant you access to this application."

This statement is made frequently, and it exposes how closely email has become associated with identity and access. Not wrong, but also not right.

 

If you have been using technology for a while, you might remember that accessing a computer required a specific login name and password, and only then did you log into your email to read and send messages. This made it very clear that your identity (your login and password) is not the same as your email. But with the evolution of personal online activity, email became a key part of the identity verification process.


email is not your identity




The Airport experience 


The easiest way for me to explain identity and access management is the airport experience.

Travelling by plane involves 2 critical checkpoints:

  1. Border control, to identify who you are, check whether you are entitled to leave the country, and give you access to the departure area.

  2. The gate, to verify your access and your seat on the plane.

For the border control verification process, you provide your passport (a valid identity document) and the border control officer verifies that the document belongs to you by comparing the picture with you standing there. This means the verification process contains 2 identification steps: a valid document, and a picture that matches you.


The gate verification process requires a boarding pass to identify whether you are allowed to board the aircraft, and your passport to make sure you are the person named on the boarding pass. The gate verification process is not intended to verify your identity. It is intended to make sure your access to the plane is valid.


Technology Identity and Access

Identity Management

Let's translate this to how technology works. 


In most modern applications your identity is tied to your email. This is mainly driven by the fact that an email address is easy to remember and easy to share access with. In this case the email is actually tied to a digital identity.

An example of a digital identity is a UPN (User Principal Name), a standard mechanism for identifying an online identity.

When you get prompted to sign in, you enter your email to identify yourself. This identification used to be sufficient, but with the continuous evolution of technology the risk has increased too, meaning people will attempt to impersonate you.

There is no security officer to check your picture for digital verification

 


secondary identification

There is a need for secondary identification, similar to border control. This secondary identification is usually done through another mechanism that belongs to you: for example an authentication app, an SMS code or a phone call, to verify that you are really you. The assumption is that the authentication app, SMS or phone call can only be accessed by you, because you control access to your phone.

 

This secondary verification can sometimes be annoying, but it is essential to make sure you are not being impersonated by someone trying to gain access to information they are not entitled to.


Streamlined identification process

With modern identity management, identification to multiple applications is also more streamlined.

You may have experienced that after signing into your computer you still have to log in to individual applications, sometimes with different logins (identities). In that model your identity does not carry over to all the applications you use; each one needs its own identification process.

More often, a single identity is linked to multiple applications, meaning that when you identify yourself on your computer, you automatically identify yourself to the applications you have access to. This is referred to as Single Sign On (SSO).

In your personal online experience, you will notice that when you sign up at a website or service you get a prompt to use your existing identity. These are usually identity profiles you might already have, such as LinkedIn, Facebook, Microsoft, Apple, etc. This is intended to simplify your identification process and avoid the need to remember multiple logins and passwords.


Identification verification prompts

On certain occasions you get prompted to re-authenticate, which is usually driven by an authentication protocol. Re-authentication is typically required when there is a rule that allows you to work without authenticating for a period of time. This means you can access the same systems multiple times before a verification is triggered to confirm you are still the person you say you are. For example, if you never lock your computer, the system never gets the chance to verify you at unlock time.

Identification prompts can also be triggered when the system identifies an anomaly in your behavior.

 

"What anomaly?"

For example, your typical behavior is to log in between 9 and 5, Monday to Friday.

And out of nowhere someone is trying to access on a Saturday at 2am.

This can be considered a trigger to request identity verification.
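Here is an added example (not code from the original post) of the two re-authentication triggers just described as a small policy function: a maximum session age, and a behavioral baseline of weekdays 9 to 5 against which an access attempt on Saturday at 2am is flagged. The 8-hour session limit, the `Session` and `Baseline` types and the sample timestamps are assumptions for the demo.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Session:
    user: str
    authenticated_at: datetime   # last moment the user proved their identity


@dataclass
class Baseline:
    """Usual working pattern for a user. weekday(): 0 = Monday ... 6 = Sunday."""
    weekdays: set
    start_hour: int   # inclusive
    end_hour: int     # exclusive


MAX_SESSION_AGE = timedelta(hours=8)   # assumed policy value


def is_anomalous(when: datetime, baseline: Baseline) -> bool:
    """True when the access falls outside the user's usual days or hours."""
    outside_days = when.weekday() not in baseline.weekdays
    outside_hours = not (baseline.start_hour <= when.hour < baseline.end_hour)
    return outside_days or outside_hours


def access_decision(session: Session, now: datetime, baseline: Baseline) -> tuple:
    """Decide whether the existing identification still stands or a fresh
    verification is required. Returns (decision, reason)."""
    if now - session.authenticated_at > MAX_SESSION_AGE:
        return ("reauthenticate", "session older than policy allows")
    if is_anomalous(now, baseline):
        return ("reauthenticate", "access outside usual pattern")
    return ("allow", "within session lifetime and usual pattern")


if __name__ == "__main__":
    office_hours = Baseline(weekdays={0, 1, 2, 3, 4}, start_hour=9, end_hour=17)
    # Constructed sample: signed in Tuesday 2024-11-12 at 09:00.
    session = Session(user="alice", authenticated_at=datetime(2024, 11, 12, 9, 0))
    print(access_decision(session, datetime(2024, 11, 12, 10, 30), office_hours))
    print(access_decision(session, datetime(2024, 11, 12, 18, 0), office_hours))
    # Constructed sample: an attempt on Saturday 2024-11-16 at 02:00.
    print(access_decision(session, datetime(2024, 11, 16, 2, 0), office_hours))
```

The order of the checks matters: session age is an absolute rule and is evaluated first, while the anomaly check only ever adds a verification step, never removes one.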


Access Management

The identity process is there to identify who you are, and to make sure that when you try to gain access you are really you.

Access Management is about what you do once you access an application. The to-do can be to view data, update data, generate a report, etc.

This access control is tied to your identity. So, once you have identified who you are, and the access control has been set up to only view information, your access is then limited to viewing information.


This access control is often referred to as Security Roles

Identity management can be used across many applications, while security roles are usually tied to 1 application. So, if you use 2 different applications that contain customer data, it could very well be that in 1 system you can edit while in the other you can only view the information. This difference in access comes from the security controls within the applications, not from your identity.


Share access with email

Going back to the introduction statement: "do you have email, so I can grant you access?"

Deconstructing this with how identity and access management works: the statement is correct in that identity is often linked to an email. But granting access is actually unrelated to the email itself; it is about the permissions you grant by sharing your content.

For example, you share an online folder with an email address and that grants them access. But under the hood, when you click share and grant access, you are actually granting the identity behind that email a security role to view or edit content in your folder.

How do you know that email grants the right person access? And do you check what level of access you grant when you hit the share button?
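To show what "the share button grants a role to an identity" looks like underneath, here is an added example (not code from the original post) with an in-memory identity store and two applications. Roles are keyed by a stable identity id, not by the email string, so the same identity can be viewer in one application and editor in another, and a change of email address leaves every grant intact. The `IdentityStore`, `Application` and `share` names and the two role definitions are assumptions for the demo.

```python
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Identity:
    id: str      # stable, UPN-like identifier; roles are tied to this
    email: str   # current email: a login hint and contact address that can change


class IdentityStore:
    """Identity management: resolves email addresses to stable identities (constructed in-memory store)."""

    def __init__(self):
        self._ids = count(1)
        self._by_id = {}
        self._by_email = {}

    def create(self, email: str) -> Identity:
        ident = Identity(id=f"id-{next(self._ids)}", email=email.lower())
        self._by_id[ident.id] = ident
        self._by_email[ident.email] = ident
        return ident

    def resolve(self, email: str):
        """Email -> identity lookup; None when nobody is known under that address."""
        return self._by_email.get(email.lower())

    def change_email(self, ident: Identity, new_email: str) -> Identity:
        """The person keeps the same identity id, so existing grants survive."""
        updated = Identity(id=ident.id, email=new_email.lower())
        del self._by_email[ident.email]
        self._by_id[updated.id] = updated
        self._by_email[updated.email] = updated
        return updated


class Application:
    """Access management: security roles live inside one application, keyed by identity id."""
    ROLES = {"viewer": {"view"}, "editor": {"view", "edit"}}

    def __init__(self, name: str):
        self.name = name
        self._grants = {}   # identity id -> role name

    def grant(self, ident: Identity, role: str) -> None:
        if role not in self.ROLES:
            raise ValueError(f"{self.name}: unknown role {role!r}")
        self._grants[ident.id] = role

    def can(self, ident: Identity, action: str) -> bool:
        role = self._grants.get(ident.id)
        return role is not None and action in self.ROLES[role]


def share(app: Application, store: IdentityStore, email: str, role: str) -> Identity:
    """What the share button does under the hood: resolve the email to an
    identity, then grant that identity a role in this one application."""
    ident = store.resolve(email)
    if ident is None:
        raise LookupError(f"no known identity for {email}")
    app.grant(ident, role)
    return ident


if __name__ == "__main__":
    store = IdentityStore()
    alice = store.create("alice@example.com")   # constructed sample identity
    crm, docs = Application("crm"), Application("docs")
    share(crm, store, "alice@example.com", "viewer")
    share(docs, store, "alice@example.com", "editor")
    print("crm edit:", crm.can(alice, "edit"), "| docs edit:", docs.can(alice, "edit"))
    alice = store.change_email(alice, "alice.new@example.com")
    print("docs edit after email change:", docs.can(alice, "edit"))
```

The `share` function is where the question in the text lives: the caller chooses both the email that gets resolved and the role that gets granted, and the second choice is the one people rarely look at before clicking.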


"Next time you share access to something, before you hit the share button, take a moment to see if you understand what you are actually granting access to. You will be surprised how easily you click the share button without having verified what access you granted."


In Summary
