After authentication comes authorization, right? WRONG! ❌
Well… Not immediately. According to Zero Trust methodologies, you have to make the authorization decision dynamically, per request, depending on the state of your user, device and application, and combinations of them 🤔
Think of the authorization decision as a control-plane “brain” which, instead of granting permissions right after authentication, considers a few factors:
- device type: mobile / laptop
- location of device and / or user
- history of user-agents
- application access history of the user
- NAC compliance of the device
- etc.
Why
It makes your security less rigid than static policies: more flexible and context-rich. Also, instead of simply denying a request, you can ask for another authentication factor such as a TOTP or SMS code (step-up authentication).
Moreover, authentication protocols may provide caching, such as authentication sessions, but it is the responsibility of the authorization process to determine whether those cached sessions can still be trusted.
So your device or user can be authenticated but still not authorized to perform some actions. Keep that distinction in mind and try not to mix the two concepts.
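As an added example (not part of the original post), here is a small context-aware authorization function that weighs the factors listed above and returns allow, step-up or deny instead of granting access straight after authentication. The session-age limit, risk weights and threshold are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # ask for another factor (TOTP / SMS) instead of denying
    DENY = "deny"

@dataclass
class RequestContext:
    """Signals available to the authorization 'brain' for one request."""
    user: str
    device_type: str                 # "laptop" or "mobile"
    nac_compliant: bool              # device passed the NAC posture check
    country: str                     # where the request originates
    user_agent: str
    app: str
    known_user_agents: set = field(default_factory=set)  # this user's UA history
    known_countries: set = field(default_factory=set)    # this user's location history
    apps_used_before: set = field(default_factory=set)   # this user's app access history
    session_age_s: int = 0           # age of the cached authentication session
    mfa_done: bool = False           # a second factor was already presented in this session

MAX_SESSION_AGE_S = 8 * 3600  # assumed limit for trusting a cached session
STEP_UP_MAX_RISK = 3          # assumed threshold above which we deny instead of step-up

def authorize(ctx: RequestContext) -> Decision:
    """Authenticated does not mean authorized: weigh the context first."""
    # A device that fails NAC compliance is not allowed in, whatever else is true.
    if not ctx.nac_compliant:
        return Decision.DENY
    # The authenticator cached a session; we decide whether it is still trustworthy.
    if ctx.session_age_s > MAX_SESSION_AGE_S:
        return Decision.STEP_UP
    # Each deviation from the user's history adds to a simple additive risk score.
    risk = 0
    if ctx.user_agent not in ctx.known_user_agents:
        risk += 1
    if ctx.country not in ctx.known_countries:
        risk += 2
    if ctx.app not in ctx.apps_used_before:
        risk += 1
    if ctx.device_type == "mobile":
        risk += 1
    if risk == 0 or ctx.mfa_done:
        return Decision.ALLOW
    return Decision.STEP_UP if risk <= STEP_UP_MAX_RISK else Decision.DENY
```

A real engine would feed these signals from the identity provider, device management and NAC systems; the point here is that the same authenticated session can yield different decisions depending on context.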