This is one of the 52 terms in The Language of Cybersecurity, published by XML Press in 2018; the contributor for this term is Neal Fuerst.

What is it?

The implementation of policies, practices, and technology to enable positive identification of people, devices, and applications.

Why is it important?

Understanding authentication is critical for establishing a secure environment because you must reliably know the identity of the people, devices, and applications accessing your resources in order to properly govern access and permissions.

Why does a business professional need to know this?

Authentication lies at the core of cybersecurity. As business professionals, we constantly refer to our user community and the applications and resources they access. However, we often overlook the details of how we prove who our users are. If we don’t know who our users are, or we don’t have confidence in the process used to vet their identities, then how can we determine the appropriate level of access?

Authentication is a combination of policies, practices, and technology:

  • Policies: a set of principles adopted by an organization to guide decisions and practices. Proper cybersecurity policies mandate that all users, devices, and applications shall be positively authenticated in order to access or share resources. In addition, depending on the environment, policies may mandate a particular authentication level of assurance. Level of assurance refers to how much confidence you have that the identity provided by the user, device, or application is true. That is, how strong is the binding between the asserted identity and the true identity?
  • Practices: the methods used regularly to carry out activities. Often, best practices of an organization are documented, becoming formal policies. As business professionals, we need to ensure that our practices support reliable authentication.
  • Technology: in this context, the software and hardware used to implement a particular authentication method. Depending on your policies, you may need to implement enhanced authentication techniques such as multi-factor authentication, which provide higher levels of assurance.
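As an added illustration (not from the book or its contributor) of how the three parts fit together, the toy policy check below derives a level of assurance from the distinct factor categories presented and refuses access unless the user, the device and the application in the access path are all positively authenticated; the factor categories, resource tiers and numeric levels are assumptions made for this example.

```python
"""Added example: a policy-driven authentication check. Factor categories,
resource tiers and assurance levels here are assumed for illustration."""
from dataclasses import dataclass, field

# Assumed factor categories. Distinct categories are what make authentication
# multi-factor: two passwords are still a single category.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "hardware_token": "possession",
    "device_certificate": "possession",
    "fingerprint": "inherence",
}

@dataclass
class AuthEvent:
    principal: str                  # user, device or application identifier
    kind: str                       # "user", "device" or "application"
    factors: list[str] = field(default_factory=list)

def level_of_assurance(event: AuthEvent) -> int:
    """Assumed policy rule: assurance grows with the number of *distinct*
    factor categories presented; 0 means not positively authenticated."""
    categories = {FACTOR_CATEGORY[f] for f in event.factors if f in FACTOR_CATEGORY}
    return len(categories)

# Assumed resource policy: required level of assurance per resource tier.
REQUIRED_LOA = {"public": 1, "internal": 1, "confidential": 2, "restricted": 3}

def access_decision(events: list[AuthEvent], resource_tier: str) -> tuple[bool, str]:
    """Policy mandate: every party in the access path (user, device and
    application) must be authenticated, and the weakest of them must meet
    the level of assurance the resource tier requires."""
    required = REQUIRED_LOA[resource_tier]
    present = {e.kind for e in events}
    for kind in ("user", "device", "application"):
        if kind not in present:
            return False, f"{kind} not authenticated"
    weakest = min(events, key=level_of_assurance)   # weakest link decides
    loa = level_of_assurance(weakest)
    if loa == 0:
        return False, f"{weakest.kind} {weakest.principal} presented no recognised factor"
    if loa < required:
        return False, f"{weakest.kind} {weakest.principal} at LoA {loa}, {resource_tier} requires {required}"
    return True, f"granted at LoA {loa}"
```

The weakest-link rule is what makes the employee-owned device case visible: a user with two factors is still denied a confidential resource when the device only presented a single certificate.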

Many organizations now allow employees and visitors to access company networks using their own devices. Companies must be able to properly authenticate users and their devices, regardless of whether the devices are company-provided or employee-owned. To safely make such a shift, your authentication methods must account for every user, application, and device that accesses your infrastructure.