08. Identity and Access Control

This lesson is about controlling access to computers, systems, applications and data. By the end of this lesson, you’ll be able to (1) explain the parts of identity and access control and (2) identify common identity and access control protection techniques.

Identity and access control is about proving who you are. It starts with your identifier or user-id. This is usually an email address or some form of your name.

Next, you need to prove it's you, which is authentication. This is often a password or PIN or, on some devices like your smartphone, your fingerprint or face. The device itself can also be used to prove it’s you. All of this confirms to a remote computer that it’s really you and not some imposter.

For stronger security and to ensure it’s really you, we use something known as Multi-Factor Authentication (MFA). It combines two or more factors, each of which is something you:

  • Know - e.g. Password
  • Are - e.g. Fingerprint
  • Have - e.g. Smartphone

Authorization:

  • What are you allowed to do once you have access?
  • Includes access rights/permissions - Read, Write, Delete, Execute
  • Least Privilege limits access based on need
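
The sketch below is an added example, not part of the original lesson. It ties the pieces together: the MFA check counts factor categories (Know, Are, Have) rather than the number of credentials, and authorization denies anything that was not explicitly granted. The user-ids, the file name and the grant table are constructed sample data, and the factors are assumed to have already been verified by the login system.

```python
from enum import Flag, auto

class Permission(Flag):
    NONE = 0
    READ = auto()
    WRITE = auto()
    DELETE = auto()
    EXECUTE = auto()

# Factor categories from the lesson: something you know / are / have.
FACTOR_CATEGORY = {
    "password": "know",
    "pin": "know",
    "fingerprint": "are",
    "face": "are",
    "smartphone": "have",
}

# Constructed sample grants: each user-id gets only what the job needs.
GRANTS = {
    ("alice@example.com", "payroll.xlsx"): Permission.READ | Permission.WRITE,
    ("bob@example.com", "payroll.xlsx"): Permission.READ,
}

def is_multi_factor(verified_factors):
    """True only if the verified factors span two or more categories.

    A password plus a PIN is two credentials but one category (know),
    so it does not count as MFA.
    """
    categories = {FACTOR_CATEGORY[f] for f in verified_factors
                  if f in FACTOR_CATEGORY}
    return len(categories) >= 2

def is_allowed(user_id, verified_factors, resource, requested):
    """Authentication first, then authorization, with default deny."""
    if not is_multi_factor(verified_factors):
        return False  # identity not proven strongly enough
    # Least privilege: no entry in the table means no access at all.
    granted = GRANTS.get((user_id, resource), Permission.NONE)
    # Every requested right must be in the granted set.
    return requested != Permission.NONE and (requested & granted) == requested
```
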

New terms:

  • Authentication: Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.
  • Multi-Factor Authentication (MFA): Authentication using two or more factors to achieve authentication.

Source: https://csrc.nist.gov/glossary/

Further research