The New Stack Update

ISSUE 284: Authentication and Authorization

Talk Talk Talk

“We know supply chain security is under attack today, and there are a variety of interesting and exotic attacks out there. We need to protect the developers and the communities that are doing that work.”

Mike Hanley, chief security officer, GitHub

Add It Up

[Chart: Reason Data/AI Pros Took Part in Training and/or Certification Last Year]

Training: Hard Work Pays off for Data/AI Pros. Data and artificial intelligence (AI) professionals are not particularly worried about their jobs or money, but that hasn’t stopped them from learning new skills.

The “2021 Data/AI Salary Survey” polled over 3,000 subscribers of O’Reilly’s Data & AI Newsletter and found that its mostly US audience makes on average $146,000 per year. Still, 64% of this self-motivated group participated in some type of training or certification program in the last year.

What's Happening

In this latest episode of The New Stack Makers podcast, Abby Kearns, Puppet‘s chief technology officer and head of research and development, and Chip Childers, Puppet's chief architect, discussed what automation for infrastructure management for cloud native deployments means for Puppet and for the IT industry. Alex Williams, founder and publisher of TNS, hosted this interview.

Puppet’s New Mission: Automating Cloud Native Infrastructure

Authentication and Authorization

It’s one of the questions we’ve long wondered about IT security. What is the difference between authorization and authentication? So we asked our U.K. correspondent Mary Branscombe. She came back with a one-sentence answer:

Authentication is verifying that a user is who they say they are; authorization is giving them permission to access a resource or perform a specific function.

But like much in IT, things are more complicated than they first appear.

As Branscombe writes, “Authentication and authorization sound similar. They’re often mentioned together, they’re often both implemented with tokens, and the terms are sometimes used almost interchangeably.”

Authorization is something the security or application administrator handles, and it’s based on what permissions are available for the system being accessed. “Users can’t change their authorization options and won’t see authorization happening,” she wrote.

An organization uses authentication techniques (passwords, temporary tokens) to set the level of confidence it wants behind its authorizations. Passwords are perhaps the easiest method of authentication — and the easiest to break. Multifactor authentication raises the confidence that the person, or machine, is who they say they are, by requiring multiple factors. But it requires more resources — and demands more — from the user.
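To make the distinction concrete, here is a small added example in Python (not code from Branscombe’s article): authentication checks that an HMAC-signed token is genuine and unexpired and tells us who the caller is; authorization then consults an admin-managed permission table the user cannot edit. The secret, users and permissions are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; in practice this comes from a secret store, never source code.
SECRET = b"constructed-demo-secret"

# Constructed authorization table. It is managed by an administrator;
# users never see or change it, which is the point Branscombe makes.
PERMISSIONS = {
    "alice": {"reports:read", "reports:write"},
    "bob": {"reports:read"},
}


def issue_token(user, ttl=300):
    """Mint a short-lived token: base64(payload).base64(HMAC-SHA256(payload))."""
    claims = {"sub": user, "exp": int(time.time()) + ttl}
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode())
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return payload.decode() + "." + base64.urlsafe_b64encode(sig).decode()


def authenticate(token, now=None):
    """Authentication: prove the token was issued by us and is still valid.
    Returns the user name it names, or None if we cannot trust it."""
    try:
        payload_b64, sig_b64 = token.split(".")
        expected = hmac.new(SECRET, payload_b64.encode(), hashlib.sha256).digest()
        # Constant-time comparison so signature checks do not leak timing.
        if not hmac.compare_digest(expected, base64.urlsafe_b64decode(sig_b64)):
            return None
        claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    except (ValueError, TypeError):
        return None  # malformed token: treat as unauthenticated
    if claims.get("exp", 0) < (now or time.time()):
        return None  # expired
    return claims.get("sub")


def authorize(user, permission):
    """Authorization: does this already-authenticated user hold the permission?"""
    return permission in PERMISSIONS.get(user, set())


def handle_request(token, permission):
    """Two separate decisions: who are you (401 if unknown), may you (403 if not)."""
    user = authenticate(token)
    if user is None:
        return 401
    if not authorize(user, permission):
        return 403
    return 200
```

Note that a forged payload carrying a valid user’s name but someone else’s signature fails authentication, while a genuine token for a user lacking the permission passes authentication and fails authorization; the two outcomes are deliberately distinct.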

Yet, as Branscombe herself later tweeted, the question revealed many interesting ways in which the two interrelate in the age of zero-trust security. As organizations start to move their security measures away from centralized services such as firewalls, they need to rethink how and where to authorize and authenticate their users.

Like so much of IT, what was once simple but brittle is now complex but robust.

Data Management Strategy Is More Strategic than You Think

Kendall Clark, CEO and founder of Stardog, explains how Knowledge Graphs empower CDOs, CAOs, and CIOs to use the enterprise’s most irreplaceable asset — its unique data universe — to gain deeper insight faster than ever. “The most reliable way to transform the enterprise is by changing the way the enterprise manages data and, specifically, changing the way the enterprise integrates disparate data,” he writes.

SPDX Software Supply Chain Spec Becomes an ISO Standard

The Linux Foundation and businesses such as Intel, Microsoft and VMware have been pushing SPDX, a format for companies to standardize their license and component information into ‘bills of material,’ to become an International Standards Organization (ISO) standard. They were successful! It is now ISO/IEC 5962:2021. “Armed with universal SBOMs we can track and trace components across software supply chains. This lets us much more easily identify software component issues and risks,” TNS security reporter Steven J. Vaughan-Nichols writes.

An Introduction to AWK

Whether you are trying to extract and format some textual data or build a nifty command to make your life easier, the universal Unix command-line tool awk can really help you get the job done. This contributed post from LogDNA’s Francesc Vendrell shows how awk is actually a powerful Turing-complete language, one that you can use to write any kind of program with it.

Party On

TNS Features Editor Heather Joslyn hosted a conversation with Cockroach Labs' Michelle Gienow and Jim Walker about how Kubernetes wasn’t built to run stateful applications, and yet many organizations want to — need to — run them.

On The Road
Puppetize Digital ’21 // SEPT. 29-30 // VIRTUAL

Puppetize Digital, Puppet’s annual user conference, is a free, virtual, one-day event spanning multiple regions where you can connect with other Puppet community members, contributors, customers, partners and employees. Register now!

Ebook: Cloud Native Observability for DevOps Teams

Now more than ever, it’s vital to know how your systems are performing. Outages can cripple e-commerce and alienate customers. Unpredicted surges in web traffic can cause havoc. Hackers can grind your business to a halt — and even hold it for ransom.

The best defense against all of these scenarios is observability—not just monitoring, but a holistic approach that includes metrics, logs, and tracing. These days, the responsibility for paying attention to all of this falls not just on operations engineers, but on the whole DevOps team.

In the ebook, you’ll learn about:
  • The role of observability in cloud native applications.
  • Why observability isn’t just metrics, tracing, and logs.
  • How observability enables DevOps.
  • Kubernetes observability challenges and how to overcome them.
  • Why developers should learn Kubernetes.
  • An overview of Kubernetes logging.
Thanks to our exclusive ebook sponsor, LogDNA, for making this work possible!

Copyright © 2021 The New Stack, All rights reserved.