6.1 The basics
Let's imagine that I worked for NASA (spaceships are cool). I would get a key card and a nametag that I could show off to other people and use as bragging rights. Additionally, the key card and nametag would tell everybody how important I was within NASA. This might work for me and against me, in that I'd be authenticated to enter the building, but not authorized to enter every room. This is essentially the same way in which the internet works. As businesses implement networked information strategies that call for controlling access to information resources in the networked environment, authentication and access management are emerging as major issues that must be developed, implemented, and supported. There are two primary access issues that must be dealt with: authentication and authorization. Authentication and authorization have very specific definitions.

"Authentication" is the process whereby a user (via any type of physical access: PC, network, remote) establishes a right to an identity. I log in to a system with my user name and password, and the system now knows who I am.
User name - Bubba Joe Smith
"Authorization" is the process of determining whether a user is permitted to perform some action or access a resource. I log in to a system with my user name and password, and the system knows who I am and now can grant or deny access to certain databases.
User name - Bubba Joe Smith
Access to the Fishing Database = Bubba Joe Smith
Figure 6.1 shows you the difference. Bubba Joe has authenticated with the server, and the server now knows who Bubba Joe is. With this information the server can control access to each resource. Within each database (DB), the server administrator controls access via "authorization." Bubba Joe is not authorized to open the payroll and accounting DB, but he is authorized to open the fishing DB.
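The two steps the figure describes, written out as an added example (this code is not from the book; the credential store, the access-control list and the password values are constructed for the demonstration, and "gone-fishin" is a made-up password). Authentication answers "who are you?" by checking a salted password hash; authorization answers "what may you do?" by checking that established identity against a per-database list. The third call at the bottom shows the failure mode the chapter hints at: a user who is authenticated can still be refused a resource he is not authorized for.

```python
"""Authentication vs. authorization, following the Bubba Joe Smith example."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the salt keeps equal passwords from hashing alike."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


# Constructed credential store (the book shows none). A fixed salt keeps the demo
# reproducible; a real system draws a fresh os.urandom salt per user.
_SALT = b"constructed-demo-salt"
USERS = {
    "Bubba Joe Smith": {"salt": _SALT, "hash": hash_password("gone-fishin", _SALT)},
    "Payroll Clerk":   {"salt": _SALT, "hash": hash_password("pay-day!", _SALT)},
}

# Constructed access-control list: which identities may open which database.
# Bubba Joe is on the fishing DB's list and on neither of the money DBs.
ACL = {
    "fishing_db":    {"Bubba Joe Smith", "Payroll Clerk"},
    "payroll_db":    {"Payroll Clerk"},
    "accounting_db": {"Payroll Clerk"},
}


@dataclass(frozen=True)
class Principal:
    """An established identity: the result of successful authentication."""
    name: str


def authenticate(username: str, password: str) -> Optional[Principal]:
    """Who are you? Verify the password and return a Principal, or None on failure.

    An unknown user still pays for one hash computation and the comparison is
    constant-time, so "no such user" and "wrong password" look the same from outside.
    """
    record = USERS.get(username)
    salt = record["salt"] if record else _SALT
    candidate = hash_password(password, salt)
    if record is None or not hmac.compare_digest(candidate, record["hash"]):
        return None
    return Principal(username)


def authorize(who: Principal, resource: str) -> bool:
    """What may you do? Check the identity against the resource's ACL.

    A resource with no ACL entry is denied to everyone (deny by default).
    """
    return who.name in ACL.get(resource, set())


def open_database(who: Optional[Principal], resource: str) -> str:
    """The server's decision: first identity, then permission."""
    if who is None:
        return "denied: not authenticated"
    if not authorize(who, resource):
        return f"denied: {who.name} is not authorized for {resource}"
    return f"granted: {who.name} opened {resource}"


if __name__ == "__main__":
    bubba = authenticate("Bubba Joe Smith", "gone-fishin")
    print(open_database(bubba, "fishing_db"))   # authenticated and authorized
    print(open_database(bubba, "payroll_db"))   # authenticated, not authorized
    print(open_database(authenticate("Bubba Joe Smith", "wrong"), "fishing_db"))
```

Note the separation of duties in the code: `authenticate` never looks at the ACL and `authorize` never looks at passwords. Keeping the two decisions in different functions is what lets the administrator change who may open the payroll DB without touching how anyone logs in.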
This whole process sounds really simple but, unfortunately, it is not.
Authentication and authorization are very complex subjects that take a lot