These days, with just about everything being computerised, and everything being so accessible, information security is kind of a big deal. After all, there’s money to be made from other people’s data (as the growing incidences of privacy breaches attest to), and the motivations of revenge for perceived ills from current or former employees can’t ever be ruled out.
Fundamental to securing your organisation are the concepts of authentication and authorisation. These might sound similar, but they aren’t the same thing. They should also work in concert if your company’s crown jewels are to be adequately protected.
Step 1: Let’s authenticate
Let’s start by defining authentication. That’s an easy one: ‘Prove to me you are who you claim to be’. Do that, and you are authenticated.
In the good old days, your face and a firm handshake generally did a pretty good job of authentication, but in today’s digital age, it’s a bit more involved (notwithstanding the new facial recognition technology being introduced into smartphones…or Microsoft Windows, for that matter).
Cloud systems which are made to be accessed from anywhere, for example, are particularly sensitive to this. You don’t want any Tom, Dick and/or Harry logging on and causing who knows what kind of havoc, so any employees who need to get in there to do their work must be properly authenticated. Especially if they are working remotely.
This is where things start getting a bit complicated. One of the ‘challenges’, if it could be called that, with authentication is that it’s seen as a hassle. After all, you just want to get in and get on with it; you might be tempted, then, to make authentication easy.
Don’t.
Or, rather, make it easy for the right people to get in, but impossibly hard for anyone else to do it. That’s really the holy Grail of authentication (and, coming back to faces, this is something Microsoft has done very well with Windows Hello; in fact Microsoft has a very good set of recommendations for passwords).
The way to do it these days is to employ multi-factor authentication. This goes beyond the ‘email and password’ combo we all know. It goes a step further from something you know (the username/password) and includes either something you have (a phone call or a TXT message sent to your mobile, or, a dedicated authentication device), or something you are.
Something you are can include fingerprints, voice recognition and yes indeed, your face.
Step 2: Let’s authorise
So far, so good. Having done all of the above, you now know with a high level of confidence who is getting into your systems.
But do you have a clear idea of what each person is permitted to do once in?
This is where authorisation comes in to play. Authorisation is the setting of permissions (as is strongly implied in the word: you authorise who has access to what, and what they are allowed to do with it).
The authorisation component of information security is easily and quite frequently overlooked, particularly in smaller organisations which have grown or are growing into larger ones. For many, security stops at the door. Once authenticated, you are in… and can get to whatever you want.
The only thing stopping you (theoretically) is not knowing where things are. This is referred to as Security Through Obscurity and it might as well just be called ‘obscurity’ because it doesn’t work.
Imagine, for example, a sales rep stumbling across the file server holding all the HR records. If no-one has ensured that only authorised personnel can access those records, the rep won’t be stopped. And that could cause trouble.
If either authentication or authorisation is weak, then your data is not secure. You’ll get a C+, maybe a B, maximum, for security, at a time when an A+ is really quite necessary.
