
Identity and Access Management

information security

Identification, Authentication, Authorization, and Auditing in Information Systems
J. Kasiroori
Department of Analytics and Informatics
Lecture Objective
• To discuss key components of InfoSec which build controlled access
• To discuss Identification, Authentication, Authorization, and Auditing
• What are they and how do they contribute to InfoSec?
Why is Access control important?
Importance of Access control
• Prevents Unauthorised Access
• Protects Confidentiality
• Maintains Integrity
• Supports Compliance
• Reduces Insider Threats
• Enhances Accountability
• Protects Against External Threats
• Supports Business Continuity
Components of Access Control
Identification – Who are you?
• A user accessing a computer system would present credentials or identification, such as a username or userid
Authentication – Prove that you are who you say you are
• Checking the user’s credentials to be sure that they are authentic
Authorization – What you are allowed to access and do
• A user is granted access to certain objects or applications in order to perform their duties
Accountability – What was done and by whom?
• Audit logs and monitors activities
Identification
• The process of claiming an identity or unique identifier
• Types of identities include username, email, ID number
• Identification is the foundation for access control
• Example of using identification is on login forms, physical doors
Authentication
• Verifying claimed identity against an existing data store
• Methods of verification include passwords, biometrics, smart cards, 2FA
• Example of authentication includes password policies
• Popular authentication protocols include Kerberos, RADIUS, LDAP
Authorization
• Granting access to resources
• Models: MAC (Mandatory Access Control), DAC (Discretionary Access Control), RBAC (Role-Based Access Control)
• Examples of authorisation include file permissions, access control lists
Auditing
• Basically, means monitoring and logging access
• Importance for accountability, compliance, incident response
• Types of auditing include logging mechanisms, audit trails
• Example of auditing includes log analysis
Access control example

Action | Description | Scenario Example | Computer process
Identification | Review of credentials | Allan (a student) shows Trish (Lab Assistant) ID Card | Subject enters username/ID
Authentication | Validation of credentials | Trish reads the ID Card to determine its authenticity | Subject provides password
Authorisation | Permission granted | Allan is allowed into lab | Subject is allowed to log in
Access | Right given to access certain resource | Allan can only use computers reserved for students | Subject is allowed to access only certain objects e.g., database
Accountability | Action is logged | Trish records Allan’s time of entry into the lab | Login is recorded
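
Added example, not part of the original slides: the "Computer process" column of the table above written in Python, using RBAC for the access step and an audit log for accountability. The user name, password, roles, permission names and the PBKDF2 iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

def hash_password(password, salt):
    # Salted, slow hash; the iteration count is an illustrative choice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

# Constructed sample data: user name, password, roles and permissions are assumptions.
_salt = os.urandom(16)
USERS = {"allan": {"salt": _salt, "role": "student",
                   "pw_hash": hash_password("s3cret-Lab-pass", _salt)}}
ROLE_PERMS = {"student": {"student_db:read"},
              "lab_assistant": {"student_db:read", "student_db:write"}}
AUDIT_LOG = []  # accountability: every decision is recorded, allowed or not

def audit(user, action, outcome):
    AUDIT_LOG.append({"time": datetime.now(timezone.utc).isoformat(),
                      "user": user, "action": action, "outcome": outcome})

def login(username, password):
    """Identification + authentication: return the username on success, else None."""
    record = USERS.get(username)  # identification: look up the claimed identity
    # Unknown users are hashed against a dummy salt so both paths do the same work.
    salt = record["salt"] if record else b"\x00" * 16
    candidate = hash_password(password, salt)
    # Authentication: constant-time comparison against the stored hash.
    ok = record is not None and hmac.compare_digest(candidate, record["pw_hash"])
    audit(username, "login", "success" if ok else "failure")
    return username if ok else None

def access(session_user, permission):
    """Authorisation (RBAC): allow only what the user's role grants."""
    role = USERS[session_user]["role"] if session_user in USERS else None
    allowed = permission in ROLE_PERMS.get(role, set())
    audit(session_user, permission, "allowed" if allowed else "denied")
    return allowed

if __name__ == "__main__":
    user = login("allan", "s3cret-Lab-pass")
    print(access(user, "student_db:read"), access(user, "student_db:write"))
    print([(e["user"], e["action"], e["outcome"]) for e in AUDIT_LOG])
```

Failed logins and denied requests are written to the audit log as well as successful ones, which is what makes the log usable for the incident response and log analysis mentioned under Auditing.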
The process

Identification → Authentication → Authorisation → Auditing
END
