Access Management is the set of practices that ensures only those who are permitted can perform an action on a particular resource. The three most common Access Management services you encounter every day, perhaps without realizing it, are Policy Administration, Authentication, and Authorization.
POLICY ADMINISTRATION is the process by which legal rules, corporate access policies and other rules and regulations (think HIPAA or PII) are put into effect. These policies may be extremely simple, extremely complicated, or anywhere in between. Policy Administration also includes creating and maintaining the rule sets that govern access to protected resources.
AUTHENTICATION is the process by which a claimed identity is confirmed, generally through the use of a credential (physical and/or digital). Authentication also includes the ongoing verification that a claimed identity is genuine, based on valid credentials.
Authentication is generally a two-step process:
Step 1. Authenticate the credential itself:
Was the credential issued by a trusted organization?
Has the credential expired?
Has the credential been revoked, voided, or tampered with?
Step 2. Ensure that the individual the credential was issued to is the same individual that is presenting it:
Do the photo and height/weight on the driver’s license match the person presenting it?
Does the person know the PIN for the ATM card that was presented?
Does the person hold the PIN or private key for the certificate presented?
Authentication is how you confirm who you are. Identity proofing is performed to establish an identity, whereas authentication is performed to use an identity.
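The two-step check above, worked through as an added example (this code is not part of the original article). It assumes a constructed digital credential: a record signed by an issuer with an HMAC key, a revocation list of serial numbers, and a registry of salted PIN hashes for credential holders. Step 1 checks the credential itself (trusted issuer, signature intact, not expired, not revoked) and only then Step 2 checks that the presenter knows the holder's PIN. The issuer name, key, serials and PIN are all made-up sample values.

```python
import hashlib
import hmac
import json
import time

# Constructed sample data: one trusted issuer and its signing key, a revocation
# list, and the salted PIN hashes registered for credential holders.
TRUSTED_ISSUER_KEYS = {"dmv-example": b"issuer-secret-key-constructed"}
REVOKED_SERIALS = {"SN-0002"}
HOLDER_SALT = b"constructed-salt"
HOLDER_PIN_HASHES = {
    "alice": hashlib.pbkdf2_hmac("sha256", b"4821", HOLDER_SALT, 100_000),
}


def _canonical(cred):
    # Serialize every field except the signature in a fixed order, so the
    # signature covers exactly the fields the verifier later relies on.
    body = {k: v for k, v in cred.items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_credential(issuer, issuer_key, holder, serial, expires_at):
    """The issuing organization signs the credential with its key."""
    cred = {"issuer": issuer, "holder": holder, "serial": serial, "expires_at": expires_at}
    cred["signature"] = hmac.new(issuer_key, _canonical(cred), "sha256").hexdigest()
    return cred


def validate_credential(cred, now=None):
    """Step 1: is the credential itself genuine? Returns (ok, reason)."""
    now = time.time() if now is None else now
    key = TRUSTED_ISSUER_KEYS.get(cred.get("issuer"))
    if key is None:
        return False, "untrusted issuer"
    # Check the signature before trusting any other field, so a tampered
    # expiry date or serial number cannot influence the later checks.
    expected = hmac.new(key, _canonical(cred), "sha256").hexdigest()
    if not hmac.compare_digest(expected, cred.get("signature", "")):
        return False, "tampered or forged"
    if cred["expires_at"] <= now:
        return False, "expired"
    if cred["serial"] in REVOKED_SERIALS:
        return False, "revoked"
    return True, "ok"


def verify_holder(cred, presented_pin):
    """Step 2: does the presenter know the PIN registered for the holder?"""
    stored = HOLDER_PIN_HASHES.get(cred["holder"])
    if stored is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", presented_pin.encode(), HOLDER_SALT, 100_000)
    return hmac.compare_digest(stored, digest)


def authenticate(cred, presented_pin, now=None):
    """Run both steps in order; Step 2 is only reached if Step 1 passes."""
    ok, reason = validate_credential(cred, now)
    if not ok:
        return False, reason
    if not verify_holder(cred, presented_pin):
        return False, "presenter failed proof of possession"
    return True, "authenticated"


if __name__ == "__main__":
    now = 1_700_000_000
    cred = issue_credential("dmv-example", TRUSTED_ISSUER_KEYS["dmv-example"],
                            "alice", "SN-0001", now + 3600)
    print(authenticate(cred, "4821", now))   # (True, 'authenticated')
    print(authenticate(cred, "0000", now))   # (False, 'presenter failed proof of possession')
```

Note that a valid credential presented with the wrong PIN fails at Step 2, while a forged, expired or revoked credential never reaches Step 2 at all; the order matters because Step 2 consults the holder name taken from the credential.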
AUTHORIZATION is the adjudication of requests. Authorization is the decision portion of Access Management: the process by which a request to perform an action on a resource is decided, typically based on a policy. The range of possible requests is very broad:
• A request to read a certain document.
• A request to receive a benefit.
• A request to enter a facility or location.
In some cases, it is necessary to perform authentication in order to perform authorization:
When you present your driver’s license at a bar, you are simultaneously authenticating (the bartender ensures the photo on the license matches the person) and authorizing (the bartender ensures you are old enough).
In other cases, authorization can occur without authentication:
When you unlock your car, the car is authorizing you without knowing who is holding your keys. If you give your keys to a friend, he or she is just as able to unlock your car as you are, and the car does not know the difference.
Authorization is how your request for a resource is decided.
Above and beyond Policy Administration, Authentication, and Authorization, we also need to deal with other parts of Access Management. These additional functions include:
Provisioning – Linking and unlinking access permissions for a person or entity to a protected resource.
Validation – Two-factor and multi-factor authentication
Policy Enforcement – Granting or denying access requests to protected resources based on a policy determination
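An added example (not code from the original article) that puts the authorization discussion and the provisioning and policy-enforcement functions listed above into one small model. It assumes three hypothetical components named here for illustration: a Policy Administration Point that holds the rule set and provisions capabilities, a Policy Decision Point that adjudicates requests, and a Policy Enforcement Point that performs the action only after an "allow" decision. It covers both cases from the text: attribute-based rules that need subject attributes established by authentication (the bar), and a bearer capability that authorizes whoever presents it with no knowledge of who that is (the car key). Rules, resources and tokens are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    """One policy rule. It applies when the action and resource match and the
    subject carries every required attribute; the first matching rule decides."""
    effect: str                      # "allow" or "deny"
    action: str                      # e.g. "read", or "*" for any action
    resource_prefix: str             # e.g. "doc:" matches "doc:handbook"
    requires: dict = field(default_factory=dict)

    def matches(self, subject, action, resource):
        if self.action not in ("*", action):
            return False
        if not resource.startswith(self.resource_prefix):
            return False
        return all(subject.get(k) == v for k, v in self.requires.items())


@dataclass
class Request:
    subject: dict                    # attributes established by authentication ({} if none)
    action: str
    resource: str
    capability: Optional[str] = None # a bearer token presented with the request, if any


class PolicyAdministrationPoint:
    """Creates and maintains the rule set; provisions and deprovisions capabilities."""
    def __init__(self):
        self.rules = []
        self.capabilities = {}       # token -> (action, resource) it is linked to

    def add_rule(self, rule):
        self.rules.append(rule)

    def provision_capability(self, token, action, resource):
        # Provisioning: link a permission to a protected resource (issuing a car key)
        self.capabilities[token] = (action, resource)

    def deprovision_capability(self, token):
        # Unlinking: the token no longer grants anything
        self.capabilities.pop(token, None)


class PolicyDecisionPoint:
    """Adjudicates a request against the policy. Returns (effect, reason)."""
    def __init__(self, pap):
        self.pap = pap

    def decide(self, req):
        # Capability path: authorization without authentication. Whoever holds
        # the token gets the linked action on the linked resource, identity unknown.
        if req.capability is not None:
            if self.pap.capabilities.get(req.capability) == (req.action, req.resource):
                return "allow", "valid capability"
            return "deny", "unknown or revoked capability"
        # Attribute path: the decision depends on who the subject is.
        for rule in self.pap.rules:
            if rule.matches(req.subject, req.action, req.resource):
                return rule.effect, f"rule {rule.effect} {rule.action} {rule.resource_prefix}"
        return "deny", "no matching rule (default deny)"


class PolicyEnforcementPoint:
    """Guards the resource: asks the decision point, then performs the action or not."""
    def __init__(self, pdp):
        self.pdp = pdp

    def enforce(self, req, perform):
        effect, reason = self.pdp.decide(req)
        if effect != "allow":
            return None, f"denied: {reason}"
        return perform(), f"allowed: {reason}"


def build_demo():
    """Constructed sample policy: employees read documents, contractors are kept
    out of HR documents, anyone may enter the lobby, one car key is provisioned."""
    pap = PolicyAdministrationPoint()
    pap.add_rule(Rule("deny", "*", "doc:hr-", {"contractor": True}))
    pap.add_rule(Rule("allow", "read", "doc:", {"employee": True}))
    pap.add_rule(Rule("allow", "enter", "site:lobby"))
    pap.provision_capability("car-key-7f3a", "unlock", "car:plate-123")
    pdp = PolicyDecisionPoint(pap)
    return pap, pdp, PolicyEnforcementPoint(pdp)


if __name__ == "__main__":
    pap, pdp, pep = build_demo()
    print(pdp.decide(Request({"employee": True}, "read", "doc:handbook")))
    print(pdp.decide(Request({}, "unlock", "car:plate-123", capability="car-key-7f3a")))
    print(pep.enforce(Request({}, "read", "doc:handbook"), lambda: "contents"))
```

The deny-by-default at the end of `decide` is the property to keep in any real policy engine: a request no rule speaks to is refused rather than allowed. Deprovisioning the car key through the administration point is what makes the capability path stop working, which is the access-management answer to the "keys given to a friend" situation in the text.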