Authentication and authorisation are two important processes within a software product’s logical access controls (also known as technical access controls)*. Together they determine who gets access to what, and when, which is a key part of keeping software and its assets secure. These three concepts are known as the subject-object-rule principles (Joint Task Force, 2020):
- Subject: Who gets access
- Object: What can they access
- Rule: How and when they can access
*Other types of access controls include physical (barriers blocking physical access to a building or location) and administrative (policies, rules and procedures governing access).
Authentication is the process of verifying that a user or other entity is who they claim to be. This is important in software security because anyone using the system without identifying themselves, or under the guise of someone else, creates problems of repudiation, makes use of the system difficult to audit and enables fraud. Any software that requires users to identify themselves does so via one or more authentication methods (Stouffer et al., 2015).
Anonymity is the opposite of authentication: software that permits it lets users or other entities access the system without confirming their identity. This is appropriate when users or other software entities don’t need to confirm their identity, or when doing so brings no value, costs time or resources, or would be an unnecessary invasion of privacy. Examples of software that doesn’t require authentication include general information websites and public-access services such as calendars.
Authorisation is the process of assigning permissions and privileges (also known as access rights) to a user. It typically follows authentication, though default authorisations may exist for non-authenticated (anonymous) users. These rights specify what the user can access within the software and what they can do with that access: elements such as features, functions and data, and operations such as viewing, altering, creating or deleting (Stouffer et al., 2015).
Administration can be seen as the opposite of authorisation, in that privileged users have greater access to a software product, system or service than typical users. Root access or system administration refers to complete access to the software, allowing anything to be accessed and altered as needed. Such accounts are used only by a handful of trusted users and carry extra security protection to prevent misuse.
The main approach to testing authentication and authorisation is first to identify where each is (or isn’t) needed. Missing authentication or authorisation means the software could be open to misuse by people the project team deem shouldn’t have access. Unnecessary authentication or authorisation could mean superfluous steps, an invasion of privacy, or access too restricted for users to perform necessary tasks.
The next step is to try to bypass any authentication or authorisation process. For authentication, this involves finding ways to gain access to the system without confirming your identity, or by using another user’s identity. For authorisation, this involves finding ways to perform tasks for which access hasn’t been granted, particularly where administration access can be obtained.
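As an added example (not from this article or the cited NIST documents), the following Python module maps the subject-object-rule principles onto code: `authenticate()` confirms the subject’s identity and falls back to an anonymous subject, and `authorise()` applies the object and rule checks, including default rights for anonymous users, a privileged administrator role and a time-of-day rule. The accounts, objects, roles and working-hours window are constructed sample data, and unknown objects or actions are denied by default, which is what the bypass checks in the last step above would exercise.

```python
import hashlib
import hmac
import os

ANONYMOUS = "anonymous"                        # subject when no identity has been confirmed
ACTIONS = {"view", "create", "alter", "delete"}

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt), "role": role}

# Constructed sample accounts; "admin" is the privileged root-style role
USERS = {"alice": make_user("correct-horse", "user"),
         "root": make_user("battery-staple", "admin")}

def authenticate(username, password) -> str:
    """Subject step: return the verified username, or ANONYMOUS if identity is not confirmed."""
    if username is None or password is None:
        return ANONYMOUS
    user = USERS.get(username)
    if user is None:
        _hash(password, bytes(16))             # same cost for unknown names, so timing does not reveal them
        return ANONYMOUS
    if hmac.compare_digest(_hash(password, user["salt"]), user["hash"]):
        return username
    return ANONYMOUS

# Object/rule table: object -> role -> permitted actions; anonymous users get default view-only rights
RULES = {
    "public_calendar": {ANONYMOUS: {"view"}, "user": {"view", "create", "alter"}},
    "user_records": {"user": {"view"}},
    "audit_log": {},                           # no role listed: administrators only
}
WORKING_HOURS = (9, 17)                        # constructed rule: alter/delete only between 09:00 and 17:00

def authorise(subject: str, obj: str, action: str, hour: int) -> bool:
    """Object and rule steps: may subject perform action on obj at the given hour of the day?"""
    if action not in ACTIONS or obj not in RULES:
        return False                           # unknown action or object: deny by default
    role = USERS[subject]["role"] if subject in USERS else ANONYMOUS
    if role == "admin":
        return True                            # administration: complete access
    if action in {"alter", "delete"} and not WORKING_HOURS[0] <= hour < WORKING_HOURS[1]:
        return False                           # the "when" part of the rule
    return action in RULES[obj].get(role, set())
```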
- Stouffer, K. et al. (2015) Guide to industrial control systems (ICS) security. NIST Computer Security and Resource Center. Available at: Link (pp. 72, 92)
- Joint Task Force (2020) Security and Privacy Controls for Information Systems and Organizations. NIST Computer Security and Resource Center. Available at: Link (pp. 25–26)