There are many definitions of authorization, but the one in RFC 4949 has the benefit of brevity.
“An approval that is granted to a system entity to access a system resource.”
Non-person Entities Require Authorization
Note that it uses the word “entity.” It does NOT use the word “person,” because the entity requiring authorization may be a non-person entity, such as a device or a bot.
I made this point in a previous post about attribute-based access control (ABAC), when I quoted from the 2014 version of NIST Special Publication 800-162. Incidentally, if you wonder why I use the acronym NPE (non-person entity) rather than the acronym NHI (non-human identity), this is why.
“A subject is a human user or NPE, such as a device that issues access requests to perform operations on objects. Subjects are assigned one or more attributes.”
If you have a process to authorize people, but don’t have a process to authorize bots, you have a problem. Matthew Romero, formerly of Veza, has written about the lack of authorization for non-human identities.
“Unlike human users, NHIs operate without direct oversight or interactive authentication. Some run continuously, using static credentials without safeguards like multi-factor authentication (MFA). Because most NHIs are assigned elevated permissions automatically, they’re often more vulnerable than human accounts—and more attractive targets for attackers.
“When organizations fail to monitor or decommission them, however, these identities can linger unnoticed, creating easy entry points for cyber threats.”
Veza recommends that people use a product that monitors authorizations for both human and non-human identities. And by the most amazing coincidence, Veza offers such a product.
People Require Authorization
And of course people require authorization also. They need authorization:
- To drive. Are unified digital IDs a thing?
- To satisfy health regulations (which may come back). Update on Covishield and the EUDCC, as long as you can prove you were born.
- To participate in the Federal Risk and Authorization Management Program (FedRAMP®). A Few Thoughts on FedRAMP.
- For the aforementioned ABAC. On Attribute-Based Access Control.
- For healthcare needs such as prescriptions. Saving Money When Filling Prescriptions: Not You, The Companies.
- When assessing TPRM. Driver’s License Data and Third Party Risk Management.
- To verify legal capability for employment. What is the Form I-9?
- To talk to customer support. HP Instant Ink Users and Identity: 1:1 Person-to-NPE Binding Isn’t Always Enough.
- To launch nuclear weapons. Biscuit-based Identity Authentication and Authorization.
- Oh yeah…and to access privileged resources on corporate networks.
It’s not enough to identify or authenticate a person or NPE. Once that is done, you still need to confirm that this particular person or NPE has the authorization to…launch a nuclear bomb. Or whatever. Authentication answers “who is this?”; authorization answers “what may they do?”, and the second question has to be asked of bots as well as people.
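The following is an added example, not code from the original post, from Veza, or from NIST. It sketches the authentication-versus-authorization split in Python using an ABAC-style check that treats human users and NPEs as the same kind of subject, so a bot cannot slip past simply because nobody wrote a bot-specific rule. The subjects, resources, secret store, 90-day credential-age limit and MFA rule are all constructed for illustration and are assumptions, not anything the post specifies.

```python
"""Added example: one authorization check for humans and non-person entities.

Everything below (subjects, resources, secrets, thresholds) is constructed
sample data for illustration, not from the original post."""
import hmac
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Subject:
    name: str
    kind: str                 # "human" or "npe" (device, bot, service account)
    roles: frozenset
    credential_issued: date   # when the subject's current secret was issued
    mfa: bool = False         # interactive MFA completed for this session
    active: bool = True       # False once the identity is decommissioned


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: str          # "internal" or "privileged"
    required_role: str


# Assumed rotation policy for static (non-interactive) credentials.
MAX_STATIC_CREDENTIAL_AGE_DAYS = 90


def authenticated(subject, presented_secret, secret_store):
    """Authentication only: did the caller prove it is `subject`?
    A True result says nothing about what the subject is allowed to do."""
    expected = secret_store.get(subject.name)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), presented_secret.encode())


def authorized(subject, resource, today):
    """Authorization: is this already-authenticated subject approved to access
    `resource`? The same rules run for humans and NPEs; NPEs additionally fail
    if their static credential is older than the rotation policy allows."""
    if not subject.active:
        return False, "subject decommissioned"
    if resource.required_role not in subject.roles:
        return False, f"missing role {resource.required_role}"
    if resource.sensitivity == "privileged":
        if subject.kind == "human" and not subject.mfa:
            return False, "privileged access requires MFA"
        if subject.kind == "npe":
            age = (today - subject.credential_issued).days
            if age > MAX_STATIC_CREDENTIAL_AGE_DAYS:
                return False, f"static credential is {age} days old"
    return True, "ok"


# Constructed sample data.
TODAY = date(2025, 1, 15)
SECRETS = {"alice": "pw-alice", "build-bot": "tok-build",
           "legacy-bot": "tok-legacy", "retired-bot": "tok-retired"}

ALICE = Subject("alice", "human", frozenset({"staff", "admin"}),
                TODAY - timedelta(days=10), mfa=True)
ALICE_NO_MFA = Subject("alice", "human", frozenset({"staff", "admin"}),
                       TODAY - timedelta(days=10), mfa=False)
BUILD_BOT = Subject("build-bot", "npe", frozenset({"admin"}),
                    TODAY - timedelta(days=30))
# An NPE nobody rotated: still authenticates, should no longer be authorized.
LEGACY_BOT = Subject("legacy-bot", "npe", frozenset({"admin"}),
                     TODAY - timedelta(days=400))
RETIRED_BOT = Subject("retired-bot", "npe", frozenset({"admin"}),
                      TODAY - timedelta(days=5), active=False)

PROD_DB = Resource("prod-db", "privileged", "admin")
WIKI = Resource("wiki", "internal", "staff")


if __name__ == "__main__":
    for subj in (ALICE, ALICE_NO_MFA, BUILD_BOT, LEGACY_BOT, RETIRED_BOT):
        authn = authenticated(subj, SECRETS[subj.name], SECRETS)
        ok, why = authorized(subj, PROD_DB, TODAY)
        print(f"{subj.name:12} {subj.kind:5} authn={authn} authz={ok} ({why})")
```

The point of the sample data is the legacy bot: its static token still authenticates, so an “identify and authenticate” process alone would let it through, and only the separate authorization step (which notices the 400-day-old credential) stops it. The retired bot shows the other case from the quoted text, an identity that should have been decommissioned and is denied regardless of what it can prove.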
Your Customers Require Information on Your Authorization Solution
If your company offers an authorization solution, and you need Bredemarket’s content, proposal, or analysis consulting help, talk to me.
