Cybersecurity Unit 5

Cyber Security


1) What is the difference between authentication, authorization and access control? Explain in detail.


Ans:

Authentication vs. Authorization

1. Authentication: in the authentication process, the identity of the user is checked before access to the system is granted.
   Authorization: in the authorization process, the user's authorities (permissions) are checked before access to a resource is granted.

2. Authentication: users or persons are verified (who they are).
   Authorization: users or persons are validated (what they may do).

3. Authentication: done before the authorization process.
   Authorization: done after the authentication process.

4. Authentication: usually needs the user's login details.
   Authorization: needs the user's privilege or security level.

5. Authentication: determines whether the person is a legitimate user or not.
   Authorization: determines what permissions the user has.

6. Authentication: generally transmits information through an ID Token.
   Authorization: generally transmits information through an Access Token.

7. Authentication: the OpenID Connect (OIDC) protocol is an authentication protocol that is generally in charge of the user authentication process.
   Authorization: the OAuth 2.0 protocol governs the overall user authorization (delegated access) process.

8. Popular authentication techniques: password-based authentication; passwordless authentication; 2FA/MFA (two-factor / multi-factor authentication); single sign-on (SSO); social authentication.
   Popular authorization techniques: role-based access control (RBAC); JSON Web Token (JWT) authorization; SAML authorization; OpenID authorization; OAuth 2.0 authorization. (Note that SAML and OpenID Connect are primarily federated authentication protocols; the assertions and claims they carry are the inputs on which later authorization decisions are made.)

9. Authentication: credentials can be changed in part as and when required by the user.
   Authorization: permissions cannot be changed by the user; they are granted by the owner or administrator of the system, who alone can change them.

10. Authentication: visible at the user end (the user sees and takes part in the login).
    Authorization: not visible at the user end (the policy check happens on the server side).

11. Authentication: identified with username, password, face recognition, retina scan, fingerprints, etc.
    Authorization: carried out through access rights to resources, using roles that have been pre-defined.

12. Example (authentication): employees in a company are required to authenticate through the network before accessing their company email.
    Example (authorization): after an employee successfully authenticates, the system determines what information the employee is allowed to access.

Access control:
Access control identifies users by verifying various login credentials, which can
include usernames and passwords, PINs, biometric scans, and security tokens.
Many access control systems also include multifactor authentication (MFA), a
method that requires multiple authentication methods to verify a user’s identity.
Once a user is authenticated, access control then authorizes the appropriate level of
access and allowed actions associated with that user’s credentials and IP address.
There are four main types of access control. Organizations typically choose the
method that makes the most sense based on their unique security and compliance
requirements. The four access control models are:
1. Discretionary access control (DAC): In this method, the owner or
administrator of the protected system, data, or resource sets the
policies for who is allowed access.
2. Mandatory access control (MAC): In this nondiscretionary model,
people are granted access based on an information clearance. A
central authority regulates access rights based on different security
levels. This model is common in government and military
environments.
3. Role-based access control (RBAC): RBAC grants access based on
defined business functions rather than the individual user’s identity.
The goal is to provide users with access only to data that’s been
deemed necessary for their roles within the organization. This widely
used method is based on a complex combination of role
assignments, authorizations, and permissions.
4. Attribute-based access control (ABAC): In this dynamic method,
access is based on a set of attributes and environmental conditions,
such as time of day and location, assigned to both users and
resources.
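The four models above, as an added example (not code from the original notes): one decision function per model, each answering a single request with True or False and denying unless a rule explicitly allows. The users, resources, clearance levels, role tables and the ABAC policy are constructed for illustration.

```python
# Added example, not from the original notes: one decision function per
# access control model, each answering a single request with True/False.
# Every function denies unless a rule explicitly allows. The users,
# resources, levels and role tables are constructed for illustration.

# --- DAC: the object's owner decides. The owner always has access; anyone
# else needs an entry in the ACL the owner maintains for that object.
def dac_allowed(user, action, resource):
    if resource["owner"] == user:
        return True
    return action in resource.get("acl", {}).get(user, set())

# --- MAC: a central authority labels subjects (clearance) and objects
# (classification); users cannot override the labels. The two rules below
# are the Bell-LaPadula "no read up" and "no write down" properties.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}

def mac_read_allowed(clearance, classification):
    return LEVELS[clearance] >= LEVELS[classification]

def mac_write_allowed(clearance, classification):
    return LEVELS[clearance] <= LEVELS[classification]

# --- RBAC: permissions attach to roles and users are assigned roles; the
# user's identity never appears in the permission table.
ROLE_PERMS = {
    "viewer": {("report", "read")},
    "editor": {("report", "read"), ("report", "write")},
    "admin":  {("report", "read"), ("report", "write"), ("report", "delete")},
}
USER_ROLES = {"alice": {"viewer"}, "bob": {"editor"}, "carol": {"admin"}}

def rbac_allowed(user, action, resource_type):
    return any((resource_type, action) in ROLE_PERMS.get(role, set())
               for role in USER_ROLES.get(user, set()))

# --- ABAC: a policy over attributes of the user, the resource and the
# environment (here the hour of day and where the user is connecting from).
def abac_allowed(user_attrs, action, resource_attrs, env):
    same_department = user_attrs.get("department") == resource_attrs.get("department")
    business_hours = 9 <= env.get("hour", -1) < 18
    on_site = env.get("location") == "office"
    if action == "read":
        return same_department
    if action == "write":
        return same_department and business_hours and on_site
    return False
```

The MAC functions show why that model suits classified environments: the subject cannot loosen the rule, because neither the labels nor the comparison are under the subject's control. The ABAC function is the only one whose answer can change between two otherwise identical requests, which is what makes it dynamic.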
Q2 What is Modern access management?

As businesses embrace more remote users and a hybrid work model,


managing user identity and access is more important than ever. Add
authentication for millions of third parties and non-employees, and
thousands of applications and IoT devices to the mix and you start to
understand how important identity and access management (IAM) is.

What Exactly Is IAM?


IAM is the process of securing access to resources, devices and systems by
managing who can access what. It enables admins to control who has
access to what information and systems, and prevent unauthorized users
from gaining access. By restricting access to specific users or groups of
users, admins can prevent malicious actions and protect digital resources.

IAM also helps enforce compliance with security policies. A central


component of IAM is defining user roles and the rights required to perform
specific tasks. A role defines the access level — or privilege — that a user
has with respect to a particular resource.

IAM users can be sorted into roles, top-level categories of user access to a
particular system or app.



IAM Challenges
Today, employees and third parties alike access a seemingly endless stream
of data, apps and resources. Security models such as zero trust, in which
every access request is authenticated and authorized regardless of where on
the network it originates, are critical, but with more access to manage,
staying safe becomes more difficult.
Often, authentication services need to be modified or consolidated onto
shared infrastructure to deliver large-scale reliability and security. To
achieve robust IAM, organizations must make a foundational change in how
they capture, engage, manage and administer user identity and access
across all of their users.

Capturing your identity and access requirements is not an easy task, but it’s
an essential piece of the puzzle. Once complete, you can undertake a
competitive analysis of the leading solution providers.

However, the hurdles don’t end when an IAM vendor is chosen. The
strategy must include how you will handle replacing any previous IAM
solutions. Finding the right balance between security and user-friendliness
is key, but is often the most difficult IAM challenge.

The primary goal in most cases should be to leverage a standard, cloud-


based authentication and identity services platform for employees and
customers at scale.

Benefits of IAM
Outside of the numerous security benefits that a robust IAM solution
provides, you can expect several other perks:

- A transformed user experience without (or with many fewer) passwords
- Enhanced protection for privileged users across multicloud environments
- Flexible multi-factor authentication methods, improved password
  management and user ID self-care and life cycle management
- Integration with devices and mobile device management solutions to
  support zero-trust strategies
- Improved solution fault tolerance and scalability
- Continued focus on the user and branding experience with a strengthened
  commitment to security and privacy
Approaching IAM: Best Practices and a Case Study
The best approach to putting a modern IAM solution in place is to perform
an audit of existing and legacy systems. Identify gaps and opportunities, and
work with stakeholders early and often. Map out all user types and access
scenarios, and define a core set of objectives the IAM solution must meet.
Put simply, planning time spent upfront should pay off a lot.

Now, imagine having to provide identity and access authentication services


for over half a million employees around the world, with a highly
customized, single-tenant, on-premises platform. And at the same time,
having to provide similar identity and access services for over 26 million
global external clients with a separate, antiquated first-generation identity
as a service (IDaaS) solution. This case study shows how one company made
it possible to modernize IAM even at this mega-scale and in a
relatively short time.
Q3 What is Web Access Management?

According to Gartner, Web Access Management (WAM) provides
integration of identity and access management for Web-based applications.
While initially focused on external user access using username and
password pairs, the expansion of web portals for employee access has
spurred the development of WAM software solutions that feature several
capabilities such as:

- Self-service password reset
- Delegated administration (including user self-service)
- Role-based access control model
- Automated processes to fulfill access requests
WAM tools are generally considered a subset of identity and access
management, designed to control access to web resources such as web
servers and application servers: the user is authenticated first, and
policy-based authorization is then applied to each request. In many cases
they also provide auditing and reporting.

How does Web Access Management work?

Web Access Management tools typically verify a user’s identity by asking for
a username and a password. Other methods use hardware or software tokens
that generate a one-time password, or client digital certificates.

Once the user’s identity has been confirmed, they can request access to a
particular web resource subject to policy-based authorization applied to
that user. The system matches the user authorization level to the policy of
the requested resource to grant or deny access. Policies take the form of
rules that specify who can access a specific information resource. For
example, is the user an administrator with wider access or a general user
(employee) with more limited access?
Legacy web access management vs. modern access management

As access to web resources has evolved with cloud-based services, the


traditional legacy model for Web Access Management has not kept pace
with the latest technologies. Instead of one user getting access to a specific
machine or application, you might find many different instances of cloud-
based applications throughout your IT infrastructure. Containers may also
complicate the picture since users commonly need granular access to
services or sub-services within a distributed application. User identities also
encompass many more types than the typical full-time employee, including
contractors and third parties whose access must be strictly controlled for
security and compliance requirements.

WAM technologies have not always kept up with these changes and
challenges as newer identity access management solutions have come to
the forefront. As such, legacy WAM systems can be costly to maintain while
posing security vulnerabilities from incompatibility with newer
authentication methods.
Q4 Explain the principles of Authorization, grant Authorizations?

Authorization, as most applications implement it today, is broken. What
would a great developer solution look like? We believe authorization for
developers should follow five principles:

Separation of policy and code. Authorization policy should be lifted out of


the application and expressed in its own textual representation that is
independent of the application’s language and framework. This “policy as
code” should be stored and versioned in its own git repository, which is
controlled by the application administrator. Authorization policy should be
able to change without a redeploy of the application.
Secure by default. Policy decisions should default to “no” (a closed system),
and should be evaluated in real-time, as opposed to being tied to the
lifetime of an authentication token that may have been created hours
earlier.
Service, not library. Delivering a developer solution as a library instead of a
service is like delivering server software instead of SaaS - which is to say,
quickly becoming extinct. A developer service provides a central point of
control, and takes care of the operational burdens of running at scale - both
critical reasons why developers trust services like Stripe for payments or
Auth0 for authentication.
Open, standards-based. Much as we have JWT, OAuth 2.0 and OpenID Connect as
open standards for tokens and authentication, we need open standards for
authorization. A good developer solution should have a multi-vendor open
source underpinning, and be part of a broad ecosystem.
Easy to integrate. A great authorization service helps you fall into the “pit of
success” with sensible conventions that are prioritized over complex
configuration. It integrates with your existing identity and directory
providers, and offers a variety of hosting models. It has bindings and
samples for every language and framework, so you get it integrated in five
minutes, or your next one’s free.
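The first two principles above (separation of policy and code, secure by default with real-time evaluation), as an added example that is not part of the original notes and is not any vendor's product: the rules live in a JSON document the code merely interprets, a request is denied unless an allow rule matches and no deny rule does, and the caller's roles are looked up from a directory at decision time instead of being trusted from claims captured when the session began. The policy document, the rule schema, the resource names and the directory contents are all constructed for illustration.

```python
# Added example, not from the original notes: a tiny policy evaluator whose
# rules live in a separate JSON document rather than in application code.
# Decisions default to deny, an explicit deny overrides any allow, and roles
# are fetched from the directory on every decision so a revocation takes
# effect immediately. Policy, names and directory are constructed for
# illustration; the rule schema is an assumption of this example.
import fnmatch
import json

# In practice this document is loaded from its own versioned repository or a
# policy service; it is inlined here only so the example runs stand-alone.
POLICY_JSON = """
{
  "rules": [
    {"effect": "allow", "roles": ["viewer", "editor"],
     "actions": ["read"],  "resources": ["reports/*"]},
    {"effect": "allow", "roles": ["editor"],
     "actions": ["write"], "resources": ["reports/*"]},
    {"effect": "deny",  "roles": ["*"],
     "actions": ["*"],     "resources": ["reports/board/*"]}
  ]
}
"""

def load_policy(text):
    """Parse the policy document and reject effects other than allow/deny."""
    policy = json.loads(text)
    for rule in policy["rules"]:
        if rule["effect"] not in ("allow", "deny"):
            raise ValueError("rule effect must be allow or deny")
    return policy

def _matches(rule, roles, action, resource):
    role_ok = "*" in rule["roles"] or any(r in rule["roles"] for r in roles)
    action_ok = any(fnmatch.fnmatchcase(action, a) for a in rule["actions"])
    res_ok = any(fnmatch.fnmatchcase(resource, r) for r in rule["resources"])
    return role_ok and action_ok and res_ok

def decide(policy, roles, action, resource):
    """True only if some allow rule matches and no deny rule matches."""
    allowed = False
    for rule in policy["rules"]:
        if not _matches(rule, roles, action, resource):
            continue
        if rule["effect"] == "deny":
            return False          # explicit deny wins, stop immediately
        allowed = True
    return allowed                # False when nothing matched: closed system

# Current role assignments, consulted on every decision (not cached in a
# token issued at login time).
DIRECTORY = {"alice": {"editor"}}

def authorize(policy, user, action, resource, directory=DIRECTORY):
    return decide(policy, directory.get(user, set()), action, resource)

def revoke_role(user, role, directory=DIRECTORY):
    directory.get(user, set()).discard(role)
```

Because the application code contains no role or resource names, the policy file can be changed, reviewed and versioned on its own without redeploying the service, which is the point of lifting policy out of code. The revocation path is the reason for evaluating at request time: a role baked into a token issued hours earlier would keep granting until the token expired.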
5) Define authorization and explain effectiveness and multi-factor authentication.

Authorization:
Authorization is the process of giving someone permission to do or have
something. In multi-user computer systems, a system administrator
defines for the system which users are allowed access to the system
and what privileges of use (such as access to which file directories,
hours of access, amount of allocated storage space, and so forth).
Assuming that someone has logged in to a computer operating
system or application, the system or application may want to identify
what resources the user can be given during this session. Thus,
authorization is sometimes seen as both the preliminary setting up of
permissions by a system administrator and the actual checking of the
permission values that have been set up when a user is getting access.

What is cyber security effectiveness?


Simply put, cyber security effectiveness refers to the efficiency, strengths
and weaknesses of any measures you have taken in order to protect the
information and digitalized assets of your organization.
Let’s go with an analogy and think of your organization as a house. In this
house, you store sensitive data like the personal information of your
customers, the sales reports of your organization and such. Also, you have
important assets there as well: servers, expensive devices, networks and
more. In order to protect your house from intruders that aim to steal your
assets and/or information, you build a wall all around your garden, install
CCTV cameras and hire security staff. This might seem enough, but if there
are cracks and holes in your walls, your CCTV cameras don’t work properly,
or if your security staff is slacking off, all these measures are of no use. Or
maybe, your CCTV cameras display the front door which is heavily guarded
by your security staff, as a result you are missing out on who enters
through the back door. With the help of cyber security effectiveness
measures, you can see if you are making use of your security measures in
the most efficient way possible and if those measures actually do what they
are supposed to do.

What are two approaches to the measurement of cyber security effectiveness?
There are two different approaches when it comes to measuring the
effectiveness of your cyber security solutions: Dashboards and
benchmarking. Below you can find the details of these two.
Dashboards: You can create dashboards where you can view and assess
the meaningful metrics that are quantified in terms of cost, risk level and
time.
Benchmarking: This approach includes getting data from similar
organizations to create a benchmark and compare your organization’s
cyber security measures with the help of this benchmark.

What is Multi-Factor Authentication (MFA)?
Multi-factor Authentication (MFA) is an authentication method that
requires the user to provide two or more verification factors to gain
access to a resource such as an application, online account, or a
VPN. MFA is a core component of a strong identity and access
management (IAM) policy. Rather than just asking for a username
and password, MFA requires one or more additional verification
factors, which decreases the likelihood of a successful cyber attack.
Why is MFA Important?
The main benefit of MFA is that it enhances your organization's security by
requiring users to identify themselves with more than a username and
password. While important, usernames and passwords are vulnerable to
brute-force and credential-stuffing attacks and can be stolen by third
parties through phishing or data breaches. Enforcing an additional factor
such as a fingerprint or a physical hardware key means an attacker who has
obtained the password alone still cannot log in. Factors are not all
equally strong: codes sent by SMS or email can be phished or intercepted
(for example via SIM swapping), whereas FIDO2/WebAuthn hardware keys bind
the login to the genuine site and are phishing-resistant.

How Does MFA work?


MFA works by requiring additional verification information (factors). One
of the most common MFA factors that users encounter is the one-time
password (OTP). OTPs are the 4-8 digit codes that you often receive via
email, SMS or a mobile authenticator app. With OTPs a new code is generated
periodically or each time an authentication request is submitted. The code
is derived from a seed value that is assigned to the user when they first
register, combined with a moving factor: either a counter that is
incremented on each use (HOTP, RFC 4226) or the current time divided into
fixed steps (TOTP, RFC 6238). The seed is the only long-term secret, so it
must be protected on both the server and the user's device, and the server
should accept each code at most once.

Q6 Explain various types of Authorization in details?

Authorization is the process of verifying that an end user has permission
to perform a requested action.
How do you define authorization? When applications provide some
mechanism for authorization, they are deciding whether or not authorized
users can access certain resources. For example, authorization could allow
users to access the following:

Certain websites on the internet


Specific files on your personal computer

Authorization comes in many different forms (forms of authorization may


be included in parenthetical examples below). What all these have in
common is that they're checking something about a user and then allowing
them to take an action based on what was checked. Authorization differs
from authentication , which refers to confirming a credential belongs to a
specific entity. In other words, authorization confirms that a person.

Although authorization and authentication are often confused with each
other, there is a clear difference between them. Authentication is the
process of verifying who you are, while authorization is the process of
verifying what you are allowed to do. Authorization is usually used in
conjunction with authentication (you cannot decide what a principal may do
until you know who it is), but it can also be applied without a prior
login, for example a rule that grants anonymous read access to public
resources.

There are a few common methods of authorizing API requests: API keys, Basic
Auth, HMAC request signing, and OAuth. Strictly speaking, the first three
establish which caller is making the request; the server still has to
decide what that caller may do. Each method has its own strengths and
weaknesses.

API keys- They are a simple way to authorize access to an API. The key is
passed as part of the request (typically in a header), and the server checks
it against its list of issued keys. This is a very simple system, but the
key is a bearer secret: anyone who obtains it can act as the caller. Keys
should therefore be sent only over HTTPS, never placed in URLs where they
end up in logs and browser history, scoped to the minimum set of
operations, and rotated or revoked when exposed.

Basic Auth- This is a simple authentication method that uses usernames and
passwords. The username and password are sent with every request in an
Authorization header, Base64-encoded (not encrypted), and the server checks
them against its list of authorized users. This is a very simple system,
but it must only be used over HTTPS, and it is easily abused if the
username and password fall into the wrong hands, because the same
long-lived credential is transmitted on every call.

HMAC- This is an authorization method in which the client uses a shared
secret key to compute a keyed hash (HMAC) over the request and the server
recomputes and compares it. Unlike an API key, the secret itself is never
transmitted, so a tampered request fails verification and the server knows
the request came from a holder of the key. HMAC is often used in
conjunction with HTTPS to prevent man-in-the-middle attacks, and the signed
data should include a timestamp or nonce so that a captured request cannot
simply be replayed.
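The HMAC request-signing scheme described above, as an added example that is not part of the original notes: the client signs the method, path, a timestamp and a hash of the body with the secret behind its key id; the server recomputes the tag, compares it in constant time, and rejects requests whose timestamp is too old. The header names, the canonical string format, the key store and the 300-second skew limit are assumptions of this example, and the secret is a constructed placeholder.

```python
# Added example, not from the original notes: HMAC-SHA256 request signing.
# Header names, canonical format, key store and skew limit are assumptions
# of this example; the secret is a constructed placeholder.
import hashlib
import hmac
import time

# Server-side key store: key id -> shared secret (constructed for the example).
KEYS = {"key-001": b"example-shared-secret-rotate-me"}
MAX_SKEW = 300  # seconds a signed request stays valid

def canonical(method: str, path: str, timestamp: int, body: bytes) -> bytes:
    """Everything the signature covers, joined by newlines so fields cannot
    run into each other; the body enters as its SHA-256 hash."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{timestamp}\n{body_hash}".encode()

def sign_request(key_id, secret, method, path, body, timestamp=None):
    """Client side: returns the headers to attach to the outgoing request."""
    if timestamp is None:
        timestamp = int(time.time())
    tag = hmac.new(secret, canonical(method, path, timestamp, body),
                   hashlib.sha256).hexdigest()
    return {"X-Key-Id": key_id, "X-Timestamp": str(timestamp), "X-Signature": tag}

def verify_request(headers, method, path, body, now=None, keys=KEYS):
    """Server side: True only for a fresh request whose tag recomputes."""
    if now is None:
        now = int(time.time())
    try:
        key_id = headers["X-Key-Id"]
        timestamp = int(headers["X-Timestamp"])
        tag = str(headers["X-Signature"])
    except (KeyError, ValueError, TypeError):
        return False
    secret = keys.get(key_id)
    if secret is None:
        return False                       # unknown key id, do not reveal why
    if abs(now - timestamp) > MAX_SKEW:
        return False                       # stale or far-future: treat as replay
    expected = hmac.new(secret, canonical(method, path, timestamp, body),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), tag.encode())  # constant-time
```

Two details carry the security value: the comparison uses `hmac.compare_digest` rather than `==`, so an attacker cannot learn a correct prefix byte by byte from response timing, and the timestamp is inside the signed string, so it cannot be adjusted to keep an old signature alive. Within the skew window a capture can still be replayed; a server that needs to exclude that keeps a short-lived store of seen (key id, timestamp, signature) triples and refuses duplicates.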

OAuth- This is a more complex authorization method that allows third-party


applications to access restricted resources. OAuth works by granting access
tokens to third-party applications. These tokens can then be used to
authorize requests on behalf of the user. OAuth is more complex than other
authorization methods, but it provides a greater level of security.

There are many different authorization methods, but the four mentioned
above are the most common. Each method has its own strengths and
weaknesses, so it's important to choose the right one for your application.

Broken access control, that is, failures of authorization, is the most
common category of web application weakness in the OWASP Top 10:2021,
where it holds the number one position. The right implementation can make
all the difference, and it is important to know what you need before
designing your system for security purposes. Above we have provided a
definition as well as the different types of authorization that are
commonly used.
