What are authentication and authorization? Give your personal and professional experiences as it relates to authentication and authorization.
Authentication within information security can exist in many forms. Authentication and authorization are ways to control information access. Information security with authentication and authorization makes sure that only
authorized people are able to access specific information. According to the textbook, authentication is “a process by which people prove they are who they say they are” (p. 167). An example of this could be the authentication of an ATM card to withdraw money from a teller machine. The card is inserted in the machine.
Next, the machine reads the card and asks for a PIN. The card holder enters the PIN, and authentication occurs when the correct PIN is entered; money can then be withdrawn from the machine.
Another example of authentication would be a new employee at an auto parts distribution center. When a new production employee is hired, human resources fills out the necessary information specific to that employee within the warehouse. For this example, the new employee is hired to work in receiving: receiving goods from tractor trailers, placing these items on pallets, and racking them in the warehouse, tying these items to a specific warehouse slot location. Prior to this new hire being exposed to their new work environment, human resources will make a request for the information technology department to place the new hire in the warehouse management system as a receiving employee. Since this person will be working in receiving, this person will only need access to the receiving menu options and NOT anything dealing with inventory control,
shipping, reclamation, replenishing, or transportation. The information technology department will then create a username and password for the new receiving employee to access the receiving information specific to that employee's job. Specific menu options may pertain to vendor receiving information and the ability to take palletized items off of the dock, tying them to a barcode, and tying that barcode to a slot in the warehouse, allowing other departments in the warehouse access when it comes time to inventory, replenish or even ship
to stores from those locations.
Within this example of a newly hired receiving employee, the information technology department gives this person a username and password for authentication purposes to access the warehouse management system. Once the employee enters the username with the correct password, authentication takes place; privileges are then assigned to this specific user as they relate to the specific menu options needed for this receiver to function efficiently and effectively in their position. Human resources will also make sure the employee signs an acceptable use policy as to what they will do with the information that they are privileged to access, when they will access it, and how this employee will add value in preserving the integrity of the information.
Authorization is defined as the action of authorizing or being authorized. As an example, a college may hire an information technology professor and a person who works in human resources at the same time. Even though the two employees both work for the college, they will probably have different levels of authorization,
authorizing them to see specific information dealing with student and staff demographic information. With the newly hired professor, authorization may be given in the form of network access to individual shared directory information on the college file servers. It could also be authorization to specific applications that deal with learning management systems, being able to access only those online classes that this professor may teach.
It could also be authorization to the college’s student information system where the professor probably will not have access to all students’ information in the college, or even access to social security numbers, but may have access to those students specific to the classes that this instructor teaches for contact and grading purposes.
The other example involves the human resources new hire. There is a potential for this employee to have even more access to student and staff information because of the role this person may play in the human resources department. This person could potentially have access to all student demographic information,
including street addresses, ethnicity, and social security information. This human resources employee could also be authorized to access staff information such as street address and social security numbers for payroll purposes.
Within both of these examples of authorization being issued to a professor and a human resources employee, specific access is only given to those needing to see specific information to do their jobs. In the case of the professor, there is really no need to give this employee full access to student demographic information
because he or she is probably not going to teach every student at one time. Instead, the professor will only require access to online classes that he or she is currently teaching within the learning management system,
and to student information within the college student information system, as it relates to the classes that this instructor will teach. In the example of the human resources employee, this employee may need access to all student and staff demographic information for anything that deals with reporting for financial purposes at the state or federal level. Authorization for the human resources person may involve being able to access anything and everything needed within student and staff information systems to create those needed reports
for administration, to make those data-driven decisions to move that college forward.
Whether it be authentication or authorization, the two combined give privileges to access specific information needed to perform job functions as it relates to the two employee positions within the same college. Even though the two examples involve limited and/or full access to student and staff information, both
employees must sign an acceptable use policy pertaining to access of information during specific times, and addressing what these two employees will do with the information that they have access to within the college.
The acceptable use policy addressing authentication and authorization is a form of protection that protects the professor, the human resources person and all students and staff within the college. This also directly and indirectly parallels guidelines as they relate to the federal laws of FERPA and HIPAA.
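The warehouse and college examples above both follow the same two-step pattern: first the system verifies who the user is (a username and a password checked against a stored credential), and only then does it decide what that user may see, based on the role assigned to them and limited to what the job needs. The following Python script is an added illustration of that pattern; it is not code from the textbook or from this post, and the usernames, passwords, role names, permission strings and course codes in it are constructed for the demo. Passwords are stored as salted PBKDF2 hashes and compared in constant time; the receiving employee, professor and human resources roles each get only their own menu options, and the professor's roster access is further scoped to the courses he or she teaches.

```python
"""Authentication followed by role-based authorization (least privilege).

Added example; not the textbook's or the post's own code. All users, roles,
permission names and course codes below are constructed for the demo.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Each role is granted only the menu options / records its job needs.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "receiving": frozenset({"receiving:view", "receiving:putaway"}),
    "shipping": frozenset({"shipping:view", "shipping:pick"}),
    "professor": frozenset({"lms:course:view", "sis:roster:view", "sis:grade:edit"}),
    "hr": frozenset({"sis:student:view_all", "sis:ssn:view", "payroll:staff:view"}),
}

# Permissions that are only valid for a specific resource (here: a course the
# professor actually teaches), not for every record in the system.
SCOPED_PERMISSIONS: FrozenSet[str] = frozenset(
    {"lms:course:view", "sis:roster:view", "sis:grade:edit"}
)


@dataclass
class UserRecord:
    salt: bytes
    pw_hash: bytes
    role: str
    courses: FrozenSet[str] = frozenset()  # resources this user is scoped to


@dataclass
class Session:
    """What the system knows about a user after successful authentication."""
    username: str
    role: str
    courses: FrozenSet[str]


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-user salt; the iteration count is a demo value.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class AccessControl:
    def __init__(self) -> None:
        self._users: Dict[str, UserRecord] = {}
        # A throwaway record so that an unknown username costs the same work as a
        # wrong password, which avoids leaking which usernames exist via timing.
        salt = os.urandom(16)
        self._dummy = UserRecord(salt, hash_password(secrets.token_hex(16), salt), "none")

    def add_user(self, username: str, password: str, role: str,
                 courses: Tuple[str, ...] = ()) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        salt = os.urandom(16)
        self._users[username] = UserRecord(
            salt, hash_password(password, salt), role, frozenset(courses)
        )

    def authenticate(self, username: str, password: str) -> Optional[Session]:
        """Step 1: prove the user is who they say they are. Returns None on failure."""
        rec = self._users.get(username, self._dummy)
        ok = hmac.compare_digest(hash_password(password, rec.salt), rec.pw_hash)
        if not ok or username not in self._users:
            return None
        return Session(username, rec.role, rec.courses)

    def authorize(self, session: Session, permission: str,
                  resource: Optional[str] = None) -> bool:
        """Step 2: decide whether an authenticated user may perform this action."""
        if permission not in ROLE_PERMISSIONS.get(session.role, frozenset()):
            return False
        if permission in SCOPED_PERMISSIONS:
            # Professors see rosters/grades only for the classes they teach.
            return resource is not None and resource in session.courses
        return True


def build_demo() -> AccessControl:
    """Constructed accounts mirroring the warehouse and college examples."""
    ac = AccessControl()
    ac.add_user("jane.receiver", "pallet-dock-2024", "receiving")
    ac.add_user("prof.lee", "syllabus!spring", "professor", courses=("CS101", "CS250"))
    ac.add_user("hr.patel", "payroll#reports", "hr")
    return ac


if __name__ == "__main__":
    ac = build_demo()
    jane = ac.authenticate("jane.receiver", "pallet-dock-2024")
    print("receiving putaway:", ac.authorize(jane, "receiving:putaway"))   # True
    print("receiving -> shipping:", ac.authorize(jane, "shipping:view"))   # False
    prof = ac.authenticate("prof.lee", "syllabus!spring")
    print("own roster:", ac.authorize(prof, "sis:roster:view", "CS101"))   # True
    print("other roster:", ac.authorize(prof, "sis:roster:view", "HIST200"))  # False
    print("professor SSN:", ac.authorize(prof, "sis:ssn:view"))            # False
    print("bad password:", ac.authenticate("jane.receiver", "wrong"))      # None
```

The separation matters in practice: a failed login returns nothing at all, so no role or course list is ever attached to an unverified identity, and the authorization check consults only the role table, so adding a new menu option to the receiving role never widens what a professor or an HR employee can reach.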
Securing unstructured data is securing electronic information that does not follow any format, yet there is a critical need to protect it in the military, industry, and education. Data is data, regardless of whether it is structured or unstructured. Unstructured data may reside in “applications, networks, computers, storage systems, and even structured databases” (p. 209). Being able to protect and secure information regardless of relevance is important because, “As with most security models, layering various security controls helps to close the gap by
providing a defense-in-depth approach to security” (p. 209). Authentication and authorization are a common approach to potentially securing unstructured data.
Data, whether it is structured or unstructured, needs to be secured through authentication and authorization measures which let only those who need to see information have access and authorization to see it.
Protecting unstructured data may seem unimportant, but neglecting it can possibly lead to the beginning of
identity theft, fraud, or any other malicious avenues where the unauthorized try to use this data to their advantage.
Rhodes-Ousley, M. (2013). Information security: The complete reference (2nd ed.). New York, NY: McGraw