Security forms a critical part of any software application. One crucial aspect of security is managing access to an application; for citizen-facing systems that the government commissions, this becomes mission-critical: any slip up can prove to be disastrous, as exemplified by multiple instances of the leakage of sensitive information such as a data leak that hit the State Bank of India in 2019 and a large breach of the labour department of the Government of Jharkhand in 2018.
Managing access involves two distinct processes-- authentication and authorisation; terms that are often used interchangeably. This blog is the first of a series on access management in government systems. This part is aimed at explaining what these terms mean and how they are distinct. It is also a simple introduction to the concept of a Single Sign On - SSO.
To better explain the difference between authentication and authorisation, we will draw an analogy to passports and visas (this might be the closest you will get to talking about visas during this period!). We end with an explanation of the current authentication scenario in legacy software systems and how SSO can improve this landscape. Future editions in this series will speak about the implementation of access management in Indian government systems, how Aadhaar fits – and does not fit – into this picture, and what various government entities can do to implement open source auth by themselves.