Authentication, the process of proving that a user is who he or she claims to be, is one of the most critical components of your security infrastructure. Users need information, but you want to be sure you know who is accessing that information. Only specific people should see your company’s payroll data or product source code, for example.
Although authentication is important, it does not exist in a vacuum. To be effective, authentication works together with identification and authorization. Identification is the claim of an identity, such as a username, and establishes whether that identity is known to the system; authentication verifies the claim; authorization then determines whether the verified user is allowed to perform the requested operation on a resource or data. Authorization can take many forms; Windows NT file permissions are a familiar example.
Identification, authentication, and authorization are often collectively referred to as access controls.
Identification, authentication, and authorization work in tandem to answer four significant questions:
Who are you? (identification: the identity the user claims)
Do you belong here? (identification: whether that identity is known to the system)
What rights do you have? (authorization)
How do I know you are who you say you are? (authentication)
These questions must be answered before a user can access any protected resource, whether it be a Web server, workstation, or router.
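The three controls are easiest to keep straight when each one is a separate step in code. The following is an added example, not code from the original text: a small Python gateway that looks the claimed identity up (identification), verifies the password against a salted PBKDF2 hash (authentication), and only then consults a group-based permission table (authorization). The account names, passwords, resources, and groups are constructed sample data; the dummy-hash step for unknown usernames is an assumption added so that a failed login takes the same time and returns the same message whether or not the username exists.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass

# Cost parameter for PBKDF2-HMAC-SHA256; kept moderate so the example runs quickly.
PBKDF2_ITERATIONS = 100_000


@dataclass(frozen=True)
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    groups: frozenset[str]


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length verifier from a password and a per-account salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_account(username: str, password: str, groups: set[str]) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt), frozenset(groups))


# Constructed sample directory of two hypothetical accounts (not real data).
ACCOUNTS: dict[str, Account] = {
    acct.username: acct
    for acct in (
        make_account("alice", "correct horse battery staple", {"payroll"}),
        make_account("bob", "a-long-developer-passphrase", {"developers"}),
    )
}

# Constructed sample ACL: resource -> group -> permitted operations (authorization data).
ACL: dict[str, dict[str, set[str]]] = {
    "payroll.xls": {"payroll": {"read", "write"}},
    "src/": {"developers": {"read", "write"}},
}

# Dummy verifier used when the username is unknown, so the failure path still does
# one PBKDF2 computation and does not reveal by timing that the account is absent.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("placeholder", _DUMMY_SALT)


def identify(username: str) -> Account | None:
    """Identification: is the claimed identity known to the system?"""
    return ACCOUNTS.get(username)


def authenticate(username: str, password: str) -> Account | None:
    """Authentication: does the caller hold the credential for that identity?"""
    account = identify(username)
    if account is None:
        hmac.compare_digest(hash_password(password, _DUMMY_SALT), _DUMMY_HASH)
        return None
    computed = hash_password(password, account.salt)
    if not hmac.compare_digest(computed, account.password_hash):
        return None
    return account


def authorize(account: Account, resource: str, operation: str) -> bool:
    """Authorization: may this verified identity perform the operation on the resource?"""
    perms = ACL.get(resource, {})
    return any(operation in perms.get(group, set()) for group in account.groups)


def access(username: str, password: str, resource: str, operation: str) -> tuple[bool, str]:
    """Run the three controls in order; one generic message for any login failure."""
    account = authenticate(username, password)
    if account is None:
        return False, "authentication failed"
    if not authorize(account, resource, operation):
        return False, "access denied"
    return True, f"{username} may {operation} {resource}"


if __name__ == "__main__":
    for args in (
        ("alice", "correct horse battery staple", "payroll.xls", "read"),
        ("bob", "a-long-developer-passphrase", "payroll.xls", "read"),
        ("mallory", "guess", "payroll.xls", "read"),
    ):
        print(args[0], args[2], args[3], "->", access(*args))
```

The ordering matters: authorization runs only on an account that authentication has already returned, so a permission check can never be reached for an unverified identity, and the unknown-user and wrong-password paths are deliberately indistinguishable to the caller.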
Authentication can function at all levels of your security infrastructure. You are probably most familiar with authentication to a network operating system (NOS), such as a Windows NT domain. Every time you fire up your computer at work, you have to log on to the NT domain before you can access any resources.
You can require users to authenticate to almost anything, including your firewall to gain access to the Internet, your mail server to check e-mail, your intranet Web server to gain access to the corporate intranet, the database to access customer data, and numerous other applications that enable users to go about their day-to-day activities.