I took them out of the title, because otherwise it was going to be huge, with lots of polysyllabic words. You might, therefore, expect a complicated post – but that’s not my intention*. What I’d like to do it try to explain these five important concepts in security, as they’re often confused or bound up with one another. They are, however, separate concepts, and it’s important to be able to disentangle what each means, and how they might be applied in a system. Today’s words are:
Let’s start with responsibility.
Confused with: function; authority.
If you’re responsible for something, it means that you need to do it, or if something goes wrong. You can be responsible for a product launching on time, or for the smooth functioning of a team. If we’re going to ensure we’re really clear about it, I’d suggest using it only for people. It’s not usually a formal description of a role in a system, though it’s sometimes used as short-hand for describing what a role does. This short-hand can be confusing. “The storage module is responsible for ensuring that writes complete transactionally” or “the crypto here is responsible for encrypting this set of bytes” is just a description of the function of the component, and doesn’t truly denote responsibility.
Also, just because you’re responsible for something doesn’t mean that you can make it happen. One of the most frequent confusions, then, is with authority. If you can’t ensure that something happens, but it’s your responsibility to make it happen, you have responsibility without authority***.
Confused with: responsibility, authorisation.
If you have authority over something, then you can make it happen****. This is another word which is best restricted to use about people. As noted above, it is possible to have authority but no responsibility*****.
Once we start talking about systems, phrases like “this component has the authority to kill these processes” really means “has sufficient privilege within the system”, and should best be avoided. What we may need to check, however, is whether a component should be given authorisation to hold a particular level of privilege, or to perform certain tasks.
Confused with: authority; authentication.
If a component has authorisation to perform a certain task or set of tasks, then it has been granted power within the system to do those things. It can be useful to think of roles and personae in this case. If you are modelling a system on personae, then you will wish to grant a particular role authorisation to perform tasks that, in real life, the person modelled by that role has the authority to do. Authorisation is an instantiation or realisation of that authority. A component is granted the authorisation appropriate to the person it represents. Not all authorisations can be so easily mapped, however, and may be more granular. You may have a file manager which has authorisation to change a read-only permission to read-write: something you might struggle to map to a specific role or persona.
If authorisation is the granting of power or capability to a component representing a person, the question that precedes it is “how do I know that I should grant that power or capability to this person or component?”. That process is authentication – authorisation should be the result of a successful authentication.
Confused with: authorisation; identification.
If I’ve checked that you’re allowed to perform and action, then I’ve authenticated you: this process is authentication. A system, then, before granting authorisation to a person or component, must check that they should be allowed the power or capability that comes with that authorisation – that are appropriate to that role. Successful authentication leads to authorisation. Unsuccessful authentication leads to blocking of authorisation******.
With the exception of anonymous roles, the core of an authentication process is checking that the person or component is who he, she or it says they are, or claims to be (although anonymous roles can be appropriate for some capabilities within some systems). This checking of who or what a person or component is authentication, whereas the identification is the claim and the mapping of an identity to a role.
Confused with: authentication.
I can identify that a particular person exists without being sure that the specific person in front of me is that person. They may identify themselves to me – this is identification – and the checking that they are who they profess to be is the authentication step. In systems, we need to map a known identity to the appropriate capabilities, and the presentation of a component with identity allows us to apply the appropriate checks to instantiate that mapping.
Bringing it all together
Just because you know whom I am doesn’t mean that you’re going to let me do something. I can identify my children over the telephone*******, but that doesn’t mean that I’m going to authorise them to use my credit card********. Let’s say, however, that I might give my wife my online video account password over the phone, but not my children. How might the steps in this play out?
First of all, I have responsibility to ensure that my account isn’t abused. I also have authority to use it, as granted by the Terms and Conditions of the providing company (I’ve decided not to mention a particular service here, mainly in case I misrepresent their Ts&Cs).
“Hi, darling, it’s me, your darling wife*********. I need the video account password.” Identification – she has told me who she claims to be, and I know that such a person exists.
“Is it really you, and not one of the kids? You’ve got a cold, and sound a bit odd.” This is my trying to do authentication.
“Don’t be an idiot, of course it’s me. Give it to me or I’ll pour your best whisky down the drain.” It’s her. Definitely her.
“OK, darling, here’s the password: it’s il0v3myw1fe.” By giving her the password, I’ve performed authorisation.
It’s important to understand these different concepts, as they’re often conflated or confused, but if you can’t separate them, it’s difficult not only to design systems to function correctly, but also to log and audit the different processes as they occur.
*we’ll have to see how well I manage, however. I know that I’m prone to long-windedness**
**ask my wife. Or don’t.
***and a significant problem.
****in a perfect world. Sometimes people don’t do what they ought to.
*****this is much, much nicer than responsibility without authority.
******and logging. In both cases. Lots of logging. And possibly flashing lights, security guards and sirens on failure, if you’re into that sort of thing.
*******most of the time: sometimes they sound like my wife. This is confusing.
********neither should you assume that I’m going to let my wife use it, either.*********
*********not to suggest that she can’t use a credit card: it’s just that we have separate ones, mainly for logging purposes.
**********we don’t usually talk like this on the phone.