What is the difference between authentication and access control
Some people are unaware of the differences between authentication, authorization, and access control. This course explains those differences clearly so that you can use the correct terms when describing your security solutions.

This makes CloudTrail a strong tool for tracking, identifying, and monitoring a user's actions within your AWS environment. To get the most out of this course, you should have a basic understanding of Identity and Access Management (IAM), Amazon EC2, Amazon S3 storage, networking fundamentals, and the Virtual Private Cloud (VPC) service.

When talking about security, I find that there is always a lot of confusion around the definition and meaning of the words authentication, authorization, and access control.

Many people believe they all mean the same thing with no clear distinction between them. This is, however, untrue, and, as a result, people often use the wrong term to describe their security mechanisms.

In this lecture I want to cover each of these to help you understand the differences. It's important to know these differences in order to control access to your cloud resources effectively and with the appropriate level of security. Let's start by looking at authentication. The authentication process consists of two pieces of information. The first part of the process is to state who you are, effectively presenting your identity. An example of this would be the username you log in with to your AWS account or environment.

This identifier is a unique value within the system you are trying to authenticate to; in this example, AWS would not allow two identical user accounts to be created within the same single AWS account. The second part of the authentication process is to verify that you are who you claimed to be in the first step. This is achieved by providing additional information which, for security purposes, should be kept private and secret.

However, this private information does not have to be a unique value within the system. So, in the example I just gave, where you provide your identity in the form of a username for your AWS account (which will be a unique value), the next step is to verify that identity by providing a password. Putting AWS and the cloud to one side for a moment, usernames and passwords are not the only forms of authentication for an identity and verification process.

In our everyday lives we are presented with multiple forms of authentication. For example, credit and debit cards with PINs: when we use these to pay for something, we authenticate to our banks. In this process we first identify ourselves by presenting the credit card, which carries our personal details, and then verify that identity by entering a private, secret PIN.

This combination then allows us to authenticate to our banks. Authentication is not just for verifying human access to systems; it also takes place between systems, whenever one system requires access to another.

For example, one AWS service may require access to another in order to perform a function. In this case the same authentication principles and process are followed: identity first, then verification of that identity. Now that we have a clear definition of authentication, let's take a look at authorization and see how authentication and authorization differ from each other.

Authorization only takes place once an identity has been authenticated, so there is a clear order in which these two operate: authentication happens before the correct level of authorization can be determined. Authorization is the process by which a system you have authenticated to establishes what you can access and at what level. Note that a lack of adequate access control is more often the cause of security vulnerabilities in applications than faulty authentication or authorisation mechanisms, simply because access control is more complex to implement, and it becomes more complex still as the application being secured grows more complex itself.

Authentication: Authentication is a process by which you verify that someone is who they claim to be.

Authorisation: Authorisation is the process of establishing whether a user who is already authenticated is permitted to access a resource.

Access Control: Access Control is the process of enforcing the required security for a particular resource.

Further Reading: The following articles are worth reading for further details on the subject.

Authentication: Authentication is the first step of the process. Its aim is simple: to make sure the identity is who they say they are.

Access Control: Access control is the addition of extra authentication steps to further protect important segments.

Once the identity proves they are who they say they are, access is granted.
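To make the three terms concrete, here is an added Python example (written for this article; it is not code from the course, from AWS, or from any library) that models each step as a separate component and runs them in the order the lecture describes: an identity store that enforces unique usernames and verifies a secret (authentication), an IAM-style policy engine that decides what an authenticated principal may do and at what level (authorization), and a toy bucket service that enforces that decision at the resource and records every decision in an audit log standing in for CloudTrail (access control). The user, bucket, object and policy names are constructed for the example, and the policy statement shape is a simplification, not AWS's actual policy language.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass


# ---- Authentication: a unique identity plus a secret that proves it ----------

@dataclass(frozen=True)
class Principal:
    """Result of a successful authentication; only the identity store issues these."""
    name: str


def _derive(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the stored verifier is not a reusable plaintext secret.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class IdentityStore:
    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}  # username -> (salt, verifier)

    def create_user(self, username: str, password: str) -> None:
        # The identity must be unique, as AWS refuses two IAM users with the same
        # name in one account. The secret itself does not have to be unique.
        if username in self._users:
            raise ValueError(f"identity already exists: {username}")
        salt = os.urandom(16)
        self._users[username] = (salt, _derive(password, salt))

    def authenticate(self, username: str, password: str) -> Principal | None:
        """Step 1: present the identity. Step 2: verify the secret."""
        record = self._users.get(username)
        if record is None:
            _derive(password, os.urandom(16))  # keep timing similar for unknown names
            return None
        salt, stored = record
        if hmac.compare_digest(_derive(password, salt), stored):
            return Principal(username)
        return None


# ---- Authorization: what the authenticated identity may do, and at what level -

@dataclass(frozen=True)
class Statement:
    """One IAM-style policy statement (constructed shape, not AWS's JSON format)."""
    effect: str                 # "Allow" or "Deny"
    actions: frozenset[str]
    resources: frozenset[str]   # "*" matches any resource


class PolicyEngine:
    def __init__(self) -> None:
        self._policies: dict[str, list[Statement]] = {}

    def attach(self, principal_name: str, statement: Statement) -> None:
        self._policies.setdefault(principal_name, []).append(statement)

    def is_authorized(self, principal: Principal, action: str, resource: str) -> bool:
        # Default deny; an explicit Deny overrides any Allow.
        allowed = False
        for st in self._policies.get(principal.name, []):
            if action in st.actions and (resource in st.resources or "*" in st.resources):
                if st.effect == "Deny":
                    return False
                allowed = True
        return allowed


# ---- Access control: enforcing the decision at the resource itself -----------

class BucketService:
    """Toy object store: every read goes through the policy check and is logged."""

    def __init__(self, engine: PolicyEngine) -> None:
        self._engine = engine
        self._objects = {"bucket-a": {"report.csv": b"q1,100"}, "bucket-b": {"secret.txt": b"x"}}
        self.audit_log: list[tuple[str, str, str, str]] = []  # stands in for CloudTrail

    def get_object(self, principal: Principal, bucket: str, key: str) -> bytes:
        action = "s3:GetObject"
        decision = self._engine.is_authorized(principal, action, bucket)
        self.audit_log.append((principal.name, action, bucket, "ALLOW" if decision else "DENY"))
        if not decision:  # this check is the access control the lecture says is so often missing
            raise PermissionError(f"{principal.name} may not {action} on {bucket}")
        return self._objects[bucket][key]


def demo() -> dict[str, object]:
    """Walk through the three steps in order and return what happened."""
    store, engine = IdentityStore(), PolicyEngine()
    store.create_user("alice", "correct-horse-battery")
    engine.attach("alice", Statement("Allow", frozenset({"s3:GetObject"}), frozenset({"bucket-a"})))
    service = BucketService(engine)
    failed_login = store.authenticate("alice", "wrong-password")   # authentication fails
    alice = store.authenticate("alice", "correct-horse-battery")   # authentication succeeds
    assert alice is not None
    allowed = service.get_object(alice, "bucket-a", "report.csv")  # authorized and enforced
    try:
        service.get_object(alice, "bucket-b", "secret.txt")        # authenticated but not authorized
        denied = False
    except PermissionError:
        denied = True
    return {"failed_login": failed_login, "allowed": allowed, "denied": denied,
            "audit_log": service.audit_log}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point of splitting the code this way is that each concern can fail independently: a wrong password is an authentication failure, a valid login with no matching Allow statement is an authorization failure, and a resource method that forgot to call `is_authorized` would be an access control failure even though both earlier steps worked. The audit log records the decision for every request, which is what lets a monitoring tool such as CloudTrail show who did what.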
