Authentication, Authorization and Encryption
Authentication is the process of verifying the identity of a user. Authorization is the process of establishing and enforcing a user's rights and privileges to access specified resources. Encryption is the process of converting computer data and messages into something incomprehensible by means of a key, so that it can be reconverted only by an authorized recipient holding the matching key.
Authentication answers the question, "Are you who you say you are?" It is a means of establishing the validity of a claimed identity to the system, which becomes the basis for individual accountability. There are three means of authenticating a user's identity, which can be used alone or in combination:
- validating something the individual knows (e.g., a password, a Personal Identification Number (PIN), or a cryptographic key),
- validating something the individual possesses, referred to as a "token" (e.g., an ATM card or a smart card), and
- validating something the individual "is", referred to as a "biometric" (e.g., fingerprints or voice patterns).
Once a user is authenticated, logical access controls are used to authorize and enforce that user's access to, and actions on, specified resources. This authorization may be based on identity, roles (e.g., data entry clerk, administrator, supervisor), location, time, types of transactions, service constraints (e.g., number of concurrent users), access mode (e.g., read, write, delete), or a combination of these criteria. Both internal authorization safeguards (such as Access Control Lists) and external controls (such as secure gateways/firewalls) can be deployed. Encryption is another mechanism that can be used for strong access control: encrypted information can only be decrypted by those possessing the appropriate cryptographic key.
[Adapted from materials provided by the Virginia Alliance for Secure Computing and Networking (VA SCAN -- see http://www.vascan.org)]
University Standards for Authentication, Authorization and Encryption
- Whenever a user is interacting with University of Mary Washington systems in ways that require confidence about the user's identity, the user must be authenticated prior to accessing the systems.
- The University of Mary Washington maintains formal authentication control policies specific to individual systems that establish the criteria for administering authentication safeguards (e.g., a formal password policy that includes the criteria for password aging, history, length and composition).
- Each University of Mary Washington system must store all sensitive data used in authenticating the user, including passwords, in protected files.
- Any public key certificates used at the University of Mary Washington must be based on the most current IETF X.509 standards.
- All University of Mary Washington systems authorize and enforce a user's access to, and actions on, their resources based on the principle of least privilege, within the limitations of the hardware and software involved. Least privilege states that a user is given only the set of privileges necessary to perform his/her job.
- All use of cryptographic technologies in University of Mary Washington systems for data communications (transmission of data) and for storage of institutional data must be based on open standards.
- The University of Mary Washington does not encrypt for storage any data whose loss cannot be tolerated. For that reason, the University does not have an encryption key management policy or procedure to address the integrity and recovery of such keys.