User Authentication vs. Authorization: What’s the Difference?
In the following blog post, April Bourne, “LSS Black Belt” for Xerox Manager Sales Enablement and Training, Research & Product Development, describes the difference between user authentication and user authorization for printers and copier/MFPs – and why they matter:
“There’s a big difference between gaining successful entrance to the king’s castle (Authentication) and what you are allowed to do once you are inside (Authorization). Chances are, as a visitor, your actions and movement will be restricted and for good reason. Just because you got through that big iron door does not mean you are allowed to do whatever you please.
This article talks about the differences between authentication and authorization, and how, when used together, they further protect your information security environment. We also discuss how the Xerox® AltaLink® printer helps provide such a layered security solution to support efforts to guard your organization’s information security.
Exactly What Is Authentication?
Authentication is proving who you are in order to gain access to a system or application (in most cases). It can require something you know (a password), something you are (a fingerprint) or something you have (a one-time-use token).
You were probably already familiar with the process of authentication, because most of us perform it most every day, whether at work (logging onto your PC) or at home (logging into a website). The truth is, in order to access most “things” that face the Internet, you have to prove who you are by supplying credentials. However, once you authenticate, there are many decisions that happen seamlessly in the background, thanks to the secret powers of an administrator.
Once you authenticate, you are then granted authorization or permissions to perform certain allowed tasks. In most cases, an administrator of that system provides permission through use of controls. What do we mean by allowed? An example would be authenticating to your bank website. Successful authentication will not give you the ability to look into other customer accounts or withdraw money that is not your own. Authentication does not give “keys to the castle”, as you are only authorized to access a room in the castle and not the moat.
To summarize, authentication grants you consideration of sorts. If you can’t authenticate successfully you are no longer going to be considered. The conversation between you and the application you want to access will be very short, resulting in denied access and possibly account lockout.
Authorization however, gives you the actual ability to perform allowed functions once you authenticate. A bank customer representative logged on as a bank employee (and not as a customer) can access many accounts and perform additional functions that you, as a bank customer, cannot and for good reason. Hopefully you now “care” that there is such a thing as authorization and are eager to know more.
How Multifunction Printers Protect Information Security Environments
The good news is that the AltaLink multifunction printer can be configured by an administrator to use both Authentication and Authorization. Authentication can be enabled either as Local Authentication on the device or as Network Authentication, where credentials are validated against a server on the network. With local authentication, the administrator creates the user credentials in the device's own database, so no additional equipment is required.
Authentication can be required for printing submitted from the desktop as well as for walk-up activities at the MFD such as scan to e-mail or fax. For network authentication there are several options in which servers or directories on the network (e.g. Kerberos or Lightweight Directory Access Protocol (LDAP)) perform the authentication for the Xerox AltaLink. The AltaLink also supports other authentication options such as Common Access Cards (CAC) and other smart cards via card readers, among methods not listed here. For the full list of authentication methods and for configuring authorization options, refer to the Administrator User Guide and the Secure Installation Guide for your model, as not all features and functions are available on all models.
How Can Authorization Help with Information Security?
Consider this: should an employee who is about to quit (and such employees don't give prior notice on these matters!) be able to print the company's customer directories on a Saturday morning, so they can take a list of prospects, along with the secret proprietary formula, to their new job? This may be an extreme example, but similar scenarios do happen; they just don't always make the news.
On any MFD, users have whatever access has been allowed, whether deliberately or by default, so the default permissions deserve a look. Authorization permissions can be very simple: authenticated users are authorized to perform any function at any time on the MFD, and non-authenticated users can't do anything except add paper to the trays for all the authenticated users! Authorization can also be extremely granular, defining user roles and assigning very specific permissions to each role. Remember the permissions of bank customers versus those of customer service reps discussed earlier; they are surely not the same.
Get Granular with Authorization
Authorization can be very specific: certain users might not be allowed to scan to e-mail or fax. Other restrictions might block printing from certain applications, such as Excel or PowerPoint. It can also be more granular still, for example allowing art department users to print only from 8am to 5pm on weekdays and from 9am to 12pm on Saturday. These are only a few examples of the levels of granularity available; the Administrator User Guide gives all the details and options for authorization.
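To make the role model of the previous two sections concrete (simple "authenticated can do anything" versus granular per-role rules, plus the account lockout mentioned earlier), here is an added illustration that is not Xerox code and does not use the AltaLink's configuration format. It keeps a local device database of salted password hashes with lockout after repeated failures, then applies a deny-by-default authorization check that enforces per-role function lists, blocked desktop applications, and print-time windows such as the art department hours above. The users, passwords, roles and policies are constructed for this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, FrozenSet, Optional, Tuple

# Hypothetical model of an MFD's local user database and role-based
# authorization; names, roles and policies are constructed for illustration.
MFD_FUNCTIONS = frozenset({"print", "copy", "scan_to_email", "fax"})
LOCKOUT_THRESHOLD = 3  # failed logins before a local account is locked


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the device database never stores plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    role: str
    failures: int = 0
    locked: bool = False


def make_account(password: str, role: str) -> Account:
    salt = os.urandom(16)
    return Account(salt, hash_password(password, salt), role)


# Constructed local device database (administrator-provisioned credentials).
LOCAL_DB: Dict[str, Account] = {
    "alice": make_account("art-dept-pass", "art"),
    "bob": make_account("sales-pass", "sales"),
    "carol": make_account("admin-pass", "admin"),
}


@dataclass(frozen=True)
class Window:
    """Permitted time window; weekdays use Python numbering, 0=Monday .. 6=Sunday."""
    weekdays: FrozenSet[int]
    start: time
    end: time

    def contains(self, at: datetime) -> bool:
        return at.weekday() in self.weekdays and self.start <= at.time() < self.end


@dataclass(frozen=True)
class Role:
    allowed: FrozenSet[str]                      # MFD functions this role may use
    print_windows: Tuple[Window, ...] = ()       # empty tuple means any time
    blocked_apps: FrozenSet[str] = frozenset()   # desktop apps that may not print


WEEKDAYS = frozenset(range(5))
ROLES: Dict[str, Role] = {
    # Art department: every function, but printing only 8-5 weekdays and 9-12 Saturday.
    "art": Role(allowed=MFD_FUNCTIONS,
                print_windows=(Window(WEEKDAYS, time(8), time(17)),
                               Window(frozenset({5}), time(9), time(12)))),
    # Sales: print and copy on weekdays only, no spreadsheets or slide decks,
    # and no scan-to-email or fax, so customer lists cannot leave via the MFD.
    "sales": Role(allowed=frozenset({"print", "copy"}),
                  print_windows=(Window(WEEKDAYS, time(7), time(19)),),
                  blocked_apps=frozenset({"excel", "powerpoint"})),
    "admin": Role(allowed=MFD_FUNCTIONS),
}


def authenticate(user: str, password: str, db: Dict[str, Account] = LOCAL_DB) -> Optional[str]:
    """Local authentication: return the account's role on success, None otherwise."""
    acct = db.get(user)
    if acct is None:
        hash_password(password, bytes(16))  # same cost for unknown users
        return None
    if acct.locked:
        return None
    if hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt)):
        acct.failures = 0
        return acct.role
    acct.failures += 1
    if acct.failures >= LOCKOUT_THRESHOLD:
        acct.locked = True
    return None


def authorize(role: Optional[str], function: str, at: datetime,
              app: Optional[str] = None) -> Tuple[bool, str]:
    """Authorization: may this authenticated role use this function right now?"""
    if role is None:
        return False, "not authenticated"
    policy = ROLES.get(role)
    if policy is None or function not in MFD_FUNCTIONS:
        return False, "unknown role or function (deny by default)"
    if function not in policy.allowed:
        return False, f"{function} is not permitted for role {role}"
    if function == "print":
        if app is not None and app.lower() in policy.blocked_apps:
            return False, f"printing from {app} is blocked for role {role}"
        if policy.print_windows and not any(w.contains(at) for w in policy.print_windows):
            return False, "outside permitted print hours"
    return True, "allowed"


if __name__ == "__main__":
    saturday_morning = datetime(2024, 6, 15, 10, 0)  # a Saturday
    bob = authenticate("bob", "sales-pass")
    print("bob:", authorize(bob, "print", saturday_morning, app="Excel"))
    print("bob:", authorize(bob, "scan_to_email", saturday_morning))
    print("alice:", authorize(authenticate("alice", "art-dept-pass"), "print", saturday_morning))
```

Note the split the post describes: `authenticate` only establishes who the user is and hands back a role; every "may they do this" decision lives in `authorize`, which denies anything it does not explicitly recognise. In the demo, a sales user who authenticates perfectly well is still refused the Saturday-morning print job and any scan-to-email, while an art department user is allowed to print at 10am on Saturday but not at 1pm.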
Using Authentication and Authorization together provides greater information security protection, since many AltaLink functions can be uniquely authorized to users at a granular level.
Authentication and Authorization may not be required today within your organization, but that could change as soon as tomorrow. The Xerox AltaLink has many capabilities to implement additional security controls such as authorization and authentication, allowing you to secure your MFD for changing information security needs. Recall that the keys to the castle do not have to include access to the moat!”