Just got back from an auditing seminar (I’m a Certified IS Auditor – talk to me if you are having issues!) and we were discussing something that touches home to many of us. We were working in the context of AWS, but it applies directly to ISM or almost any complex system. We went over the distinction between authentication and authorization.
Authentication is the process where you prove that you are who you say you are. This can be done in hundreds of ways, using everything from simple passwords and multi-factor schemes all the way up to biometrics.
Authorization is the list of privileges you have and it affects the ways you can move through the product as well as the actions/operations you can undertake within it.
Just by seeing these descriptions, you can see that they are obviously separate items. Your role within a system (your authorizations) should have nothing to do with who you are (your authentication). In other words, just because you have logged in as John Smith, there is nothing magical about that name that automatically gives you administrator rights.
When designing an ISM system that will hold partitioned secure data, as an HR workflow may require, it becomes critical to plan carefully the interactions between your data classes, your authorization levels, and your ability to authenticate effectively.
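As an added illustration of keeping the two decisions apart (example code written for this post, not Ivanti's or ISM's own code; the users, passwords, roles and data classes are constructed), authentication below produces only an identity, while authorization consults role assignments and the record's data class, and the confidential partition additionally requires that the caller authenticated with a second factor:

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional

# Data classes for the partitioned HR records (constructed example levels).
class DataClass(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    HR_CONFIDENTIAL = 2

@dataclass(frozen=True)
class Principal:
    """Result of authentication: who the caller is, and nothing more."""
    user_id: str
    mfa_verified: bool

# Authorization data lives apart from identity: roles per user (set by the
# administrator) and the clearance and actions each role carries (constructed).
ROLE_ASSIGNMENTS = {"jsmith": {"employee"}, "agarcia": {"hr_admin"}}
ROLE_POLICY = {
    "employee": {"clearance": DataClass.INTERNAL, "actions": {"read"}},
    "hr_admin": {"clearance": DataClass.HR_CONFIDENTIAL, "actions": {"read", "update"}},
}

def authenticate(user_id: str, password: str, mfa_ok: bool) -> Optional[Principal]:
    """Stand-in credential check over constructed users; returns an identity only."""
    known = {"jsmith": "pw-jsmith", "agarcia": "pw-agarcia"}
    if known.get(user_id) != password:
        return None
    return Principal(user_id=user_id, mfa_verified=mfa_ok)

def authorize_by_name(who: Principal, record_class: DataClass) -> bool:
    """Anti-pattern the post warns against: privilege inferred from the login name."""
    return who.user_id == "agarcia" or record_class <= DataClass.INTERNAL

def authorize(who: Principal, action: str, record_class: DataClass) -> bool:
    """Separate decision: privileges come from roles, never from the identity string."""
    if record_class >= DataClass.HR_CONFIDENTIAL and not who.mfa_verified:
        return False  # the confidential partition demands a stronger authentication step
    for role in ROLE_ASSIGNMENTS.get(who.user_id, set()):
        policy = ROLE_POLICY[role]
        if action in policy["actions"] and record_class <= policy["clearance"]:
            return True
    return False  # no matching role: deny by default
```

Changing what jsmith may do is an edit to ROLE_ASSIGNMENTS or ROLE_POLICY, not to the code that identifies him.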
If you’re an Ivanti Service Manager customer, then you should be happy to know that we support several forms of authentication as well as the ability to segregate data and actions based upon roles set by your system administrator. If you’ve got an interest in these features, reach out and we can show them to you!
-Jeffrey Bromberger, Consultant & CISA, CRISC