Authentication vs. Authorization

Authentication vs. Authorization

Authentication and authorization are two vital information security processes that administrators use to protect systems and information. Authentication verifies the identity of a user or service, and authorization determines their access rights. Although the two terms sound alike, they play separate but equally essential roles in securing applications and data. Understanding the difference is crucial. Combined, they determine the security of a system. You cannot have a secure solution unless you have configured both authentication and authorization correctly.

What is Authentication (AuthN)?

Authentication (AuthN) is a process that verifies that someone or something is who they say they are. Technology systems typically use some form of authentication to secure access to an application or its data. For example, when you need to access an online site or service, you usually have to enter your username and password. Then, behind the scenes, it compares the username and password you entered with a record it has on its database. If the information you submitted matches, the system assumes you are a valid user and grants you access. System authentication in this example presumes that only you would know the correct username and password. It, therefore, authenticates you by using the principle of something only you would know.

What is the Purpose of Authentication?

The purpose of authentication is to verify that someone or something is who or what they claim to be. There are many forms of authentication. For example, the art world has processes and institutions that confirm a painting or sculpture is the work of a particular artist. Likewise, governments use different authentication techniques to protect their currency from counterfeiting. Typically, authentication protects items of value, and in the information age, it protects systems and data.

What is Identity Authentication?

Identity authentication is the process of verifying the identity of a user or service. Based on this information, a system then provides the user with the appropriate access. For example, let's say we have two people working in a coffee shop, Lucia and Rahul. Lucia is the coffee shop manager while Rahul is the barista. The coffee shop uses a Point of Sale (POS) system where waiters and baristas can place orders for preparation. In this example, the POS would use some process to verify Lucia or Rahul's identity before allowing them access to the system. For instance, it may ask them for a username and password, or they may need to scan their thumb on a fingerprint reader. As the coffee shop needs to secure access to its POS, employees using the system need to verify their identity via an authentication process.

Common Types of Authentication

Systems can use several mechanisms to authenticate a user. Typically, to verify your identity, authentication processes use:

- something you know
- something you have
- or something you are

Passwords and security questions are two authentication factors that fall under the something-you-know category. As only you would know your password or the answer to a particular set of security questions, systems use this assumption to grant you access.
Another common type of authentication factor uses something you have. Physical devices such as USB security tokens and mobile phones fall under this category. For example, when you access a system, and it sends you a One Time Pin (OTP) via SMS or an app, it can verify your identity because it is your device.
The last type of authentication factor uses something you are. Biometric authentication mechanisms fall under this category. Since individual physical characteristics such as fingerprints are unique, verifying individuals by using these factors is a secure authentication mechanism.
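The two factors most systems combine are "something you know" (a password checked against a stored record, as described above) and "something you have" (a one-time code generated on your phone). The following is an added example, not code from the page or from OneLogin: it stores passwords only as salted PBKDF2 hashes, compares them in constant time, and implements RFC 6238 time-based OTP for the second factor. The user names, password, secret and timestamps are constructed for the demo, and the in-memory `USERS` dictionary stands in for a real user database.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# Constructed in-memory "user database"; a real system keeps this in a datastore.
# Only a salt and a PBKDF2-derived key are stored, never the password itself.
USERS = {}
PBKDF2_ITERATIONS = 100_000  # tune to your hardware; higher costs attackers more per guess
DUMMY_SALT = b"\x00" * 16    # used so unknown users take as long to reject as wrong passwords
DUMMY_DK = b"\x00" * 32


def hash_password(password: str, salt: Optional[bytes] = None):
    """Return (salt, derived_key) suitable for storing."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, dk


def verify_password(password: str, salt: bytes, stored_dk: bytes) -> bool:
    """Something you know: recompute the hash and compare in constant time."""
    _, dk = hash_password(password, salt)
    return hmac.compare_digest(dk, stored_dk)


def totp(secret: bytes, timestamp: float, step: int = 30, digits: int = 6) -> str:
    """Something you have: RFC 6238 TOTP over HMAC-SHA1, as authenticator apps compute it."""
    counter = int(timestamp // step)
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, timestamp: float, step: int = 30, window: int = 1) -> bool:
    """Accept the current code or one step either side, to tolerate small clock drift."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, timestamp + drift * step, step), code):
            return True
    return False


def enroll(username: str, password: str, totp_secret: bytes) -> None:
    """Register a user with a password and a shared TOTP secret (constructed demo data)."""
    salt, dk = hash_password(password)
    USERS[username] = {"salt": salt, "dk": dk, "totp_secret": totp_secret}


def authenticate(username: str, password: str, code: str, now: Optional[float] = None):
    """Two-factor check: returns the verified identity, or None if either factor fails."""
    now = time.time() if now is None else now
    record = USERS.get(username)
    # Always run the password hash, even for unknown users, so response time does not
    # reveal which user names exist.
    salt, dk = (record["salt"], record["dk"]) if record else (DUMMY_SALT, DUMMY_DK)
    password_ok = verify_password(password, salt, dk)
    if record is None or not password_ok:
        return None
    if not verify_totp(record["totp_secret"], code, now):
        return None
    return username


if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    enroll("rahul", "correct horse battery staple", secret)
    now = time.time()
    print(authenticate("rahul", "correct horse battery staple", totp(secret, now), now))  # rahul
    print(authenticate("rahul", "correct horse battery staple", "0000000", now))         # None
```

The `totp` function reproduces the RFC 6238 reference vector (secret `12345678901234567890`, time 59, eight digits gives `94287082`), so it can be checked against any authenticator app. Note that both factors are evaluated before anything is revealed to the caller, and the identity is returned only when both pass.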

What is Authorization (AuthZ)?

Authorization is the security process that determines a user or service's level of access. In technology, we use authorization to give users or services permission to access some data or perform a particular action. If we revisit our coffee shop example, Rahul and Lucia have different roles in the coffee shop. As Rahul is a barista, he may only place and view orders. Lucia, on the other hand, in her role as manager, may also have access to the daily sales totals. Since Rahul and Lucia have different jobs in the coffee shop, the system would use their verified identity to provide each user with individual permissions. It is vital to note the difference here between authentication and authorization. Authentication verifies the user (Lucia) before allowing them access, and authorization determines what they can do once the system has granted them access (view sales information).

Common Types of Authorization

Authorization systems exist in many forms in a typical technology environment. For example, Access Control Lists (ACLs) determine which users or services can access a particular digital environment. They accomplish this access control by enforcing allow or deny rules based on the user's authorization level. For instance, on any system, there are usually general users and super users or administrators. If a standard user wants to make changes that affect its security, an ACL may deny access. On the other hand, administrators have the authorization to make security changes, so the ACL will allow them to do so.
Another common type of authorization is access to data. In any enterprise environment, you typically have data with different levels of sensitivity. For example, you may have public data that you find on the company's website, internal data that is only accessible to employees, and confidential data that only a handful of individuals can access. In this example, authorization determines which users can access the various information types.
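The two authorization mechanisms described above, an ACL with allow and deny rules and data classified by sensitivity, are shown together in the following added example; it is not code from the page or from OneLogin. It uses the coffee-shop roles from the text (barista, manager, administrator) plus a constructed "trainee" role to show an explicit deny overriding an allow, and a constructed three-level classification (public, internal, confidential). The role names, actions, file names and users are all assumptions made for the demo; the evaluation rules (deny overrides allow, unknown actions and items are denied) are the security-relevant part.

```python
from enum import IntEnum
from typing import Iterable, List, NamedTuple


class Sensitivity(IntEnum):
    PUBLIC = 0        # e.g. anything on the company website
    INTERNAL = 1      # employees only
    CONFIDENTIAL = 2  # a handful of individuals


class AclEntry(NamedTuple):
    role: str
    action: str
    effect: str  # "allow" or "deny"


# Constructed ACL for the coffee-shop POS. Order does not matter: any matching
# deny wins, otherwise a matching allow grants, otherwise access is denied.
POS_ACL: List[AclEntry] = [
    AclEntry("staff", "order:create", "allow"),
    AclEntry("staff", "order:view", "allow"),
    AclEntry("manager", "sales:view", "allow"),
    AclEntry("admin", "security:change", "allow"),
    AclEntry("trainee", "order:create", "deny"),   # trainees may look but not place orders
]

# Constructed users; a user can hold several roles.
USER_ROLES = {
    "rahul": {"staff"},                # barista
    "lucia": {"staff", "manager"},     # manager
    "sam": {"staff", "trainee"},       # new hire
    "root": {"staff", "admin"},        # administrator
}

# Constructed data classification and the highest level each role may read.
DATA_CLASSIFICATION = {
    "menu.pdf": Sensitivity.PUBLIC,
    "staff-rota.xlsx": Sensitivity.INTERNAL,
    "payroll.csv": Sensitivity.CONFIDENTIAL,
}
ROLE_CLEARANCE = {
    "staff": Sensitivity.INTERNAL,
    "manager": Sensitivity.CONFIDENTIAL,
    "admin": Sensitivity.CONFIDENTIAL,
}


def acl_decision(acl: Iterable[AclEntry], roles: Iterable[str], action: str) -> bool:
    """Evaluate an ACL with deny-overrides semantics and default deny."""
    roles = set(roles)
    applicable = [e for e in acl if e.role in roles and e.action == action]
    if any(e.effect == "deny" for e in applicable):
        return False
    return any(e.effect == "allow" for e in applicable)


def clearance(roles: Iterable[str]) -> Sensitivity:
    """A user's clearance is the highest clearance of any role they hold."""
    return max((ROLE_CLEARANCE.get(r, Sensitivity.PUBLIC) for r in roles), default=Sensitivity.PUBLIC)


def can_read(roles: Iterable[str], item: str) -> bool:
    """Data access: allowed only if clearance meets or exceeds the item's sensitivity."""
    level = DATA_CLASSIFICATION.get(item)
    if level is None:
        return False  # unclassified or unknown items are not readable by default
    return clearance(roles) >= level


def may(user: str, action: str) -> bool:
    """Convenience wrapper: decide an action for a named user (unknown users get no roles)."""
    return acl_decision(POS_ACL, USER_ROLES.get(user, set()), action)


def may_read(user: str, item: str) -> bool:
    return can_read(USER_ROLES.get(user, set()), item)


if __name__ == "__main__":
    for user in USER_ROLES:
        print(user, {a: may(user, a) for a in ("order:create", "sales:view", "security:change")})
        print(user, {f: may_read(user, f) for f in DATA_CLASSIFICATION})
```

Two details are worth noting when reading the output: `sam` holds the `staff` role, which allows `order:create`, yet is denied because the `trainee` deny entry takes precedence; and an action or file that appears nowhere in the rules is denied rather than silently allowed, which is the default-deny posture an ACL should have.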

The Difference Between Authentication and Authorization

As mentioned, authentication and authorization may sound alike, but each plays a different role in securing systems and data. Unfortunately, people often use both terms interchangeably as they both refer to system access. However, they are distinct processes. Simply put, one verifies the identity of a user or service before granting them access, while the other determines what they can do once they have access.

The best way to illustrate the differences between the two terms is with a simple example. Let's say you decide to go and visit a friend's home. On arrival, you knock on the door, and your friend opens it. She recognizes you (authentication) and greets you. As your friend has authenticated you, she is now comfortable letting you into her home. However, based on your relationship, there are certain things you can do and others you cannot (authorization). For example, you may enter the kitchen area, but you cannot go into her private office. In other words, you have the authorization to enter the kitchen, but access to her private office is prohibited.

What are the Similarities Between Authorization and Authentication?

Authentication and authorization are similar in that they are two parts of the underlying process that provides access. Consequently, the two terms are often confused in information security as they share the same "auth" abbreviation. Authentication and authorization are also similar in the way they both leverage identity. For example, one verifies an identity before granting access, while the other uses this verified identity to control access.

Authentication and Authorization in Cloud Computing

Security is a vital component in any cloud computing solution. As these services provide a shared access model where everything runs on the same platform, they need to separate and protect customer systems and data. Cloud service providers use authentication and authorization to achieve these security goals. In fact, cloud computing platforms could not provide economies of scale via their shared resourcing model without authentication and authorization.
For example, when a user tries to access a particular cloud service, the system will prompt them for some form of authentication. This challenge could ask them to enter a username and password or use another identity verification factor, such as accepting a notification on an app. Once the user successfully authenticates, the cloud platform will then use authorization to ensure the user can only access their systems and data. Without authentication and authorization, the separation of customer environments on the same platform would not be possible.

Which Comes First, Authentication or Authorization?

Authentication and authorization both rely on identity. As you cannot authorize a user or service before identifying them, authentication always comes before authorization. Again, we can refer back to our coffee shop example to illustrate this point.
As mentioned, baristas can only create and view orders, while managers can also access daily sales data. If the POS system cannot identify which user is accessing the system, it cannot provide the correct level of access. Authentication provides the verified identity that authorization needs to control access. When Rahul or Lucia sign into the system, the application knows who has signed in and what role it should assign to their identity.

Access Control vs. Authentication?

People often use the terms access control and authorization interchangeably. Although many authorization policies form part of access control, access control is a component of authorization. Access control uses the authorization process to either grant or deny access to systems or data. In other words, authorization defines policies on what a user or service may access. Access control enforces these policies.
If we compare authentication and access control, the comparison between authentication and authorization still applies. Authentication verifies the user's identity, and access control uses this identity to grant or deny access.
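The ordering and the policy/enforcement split described in the last two sections can be made concrete with a single request handler. This is an added example, not code from the page or from OneLogin: the session tokens, users, roles, timestamps and `POLICY` table are constructed for the demo (a real system would issue random, signed tokens at login). The handler is the access control point: it authenticates first, answers 401 if no verified identity is available, and only then consults the authorization policy, answering 403 if the identity is known but the action is not permitted.

```python
import time
from typing import Optional, Tuple

# Constructed session store: token -> (username, expiry as a Unix timestamp).
# Entries are created by the login step, i.e. after authentication has succeeded.
SESSIONS = {
    "tok-lucia": ("lucia", 1_700_000_600),
    "tok-rahul": ("rahul", 1_700_000_600),
    "tok-stale": ("rahul", 1_699_999_000),   # already expired at the demo timestamp
}
USER_ROLES = {"lucia": "manager", "rahul": "barista"}

# Authorization POLICY: which role may perform which action (the "what may they do").
POLICY = {
    "barista": {"order:create", "order:view"},
    "manager": {"order:create", "order:view", "sales:view"},
}


def authenticate_token(token: Optional[str], now: float) -> Optional[str]:
    """Step 1 (authentication): map a presented token to a verified identity, or None."""
    if not token:
        return None
    entry = SESSIONS.get(token)
    if entry is None:
        return None
    user, expiry = entry
    return user if now < expiry else None


def is_authorized(user: str, action: str) -> bool:
    """Step 2 (authorization): look the verified identity's role up in the policy."""
    role = USER_ROLES.get(user)
    return action in POLICY.get(role, set())


def handle_request(token: Optional[str], action: str, now: Optional[float] = None) -> Tuple[int, str]:
    """Access control point: enforce the policy, but only for an authenticated identity."""
    now = time.time() if now is None else now
    user = authenticate_token(token, now)
    if user is None:
        # No verified identity, so no authorization decision is even attempted.
        return 401, "authentication required"
    if not is_authorized(user, action):
        return 403, f"{user} is not permitted to {action}"
    return 200, f"{user} performed {action}"


if __name__ == "__main__":
    demo_now = 1_700_000_000
    for token, action in [("tok-rahul", "order:create"), ("tok-rahul", "sales:view"),
                          ("tok-lucia", "sales:view"), ("tok-stale", "order:view"),
                          (None, "order:view"), ("tok-bogus", "order:view")]:
        print(token, action, "->", handle_request(token, action, demo_now))
```

The point of the 401/403 distinction is exactly the one the text makes: a 401 says the system does not yet know who you are, a 403 says it knows who you are and has decided what you may not do. Changing what a barista may do is a policy change (edit `POLICY`); the enforcement code in `handle_request` stays the same.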

Reference: https://www.onelogin.com/learn/authentication-vs-authorization

posted @ 2023-03-08 11:59 by 炎黄子孙,龙的传人