Job Aid

Authorization, Authentication, and Access Control
Authorization: I am an employee of Citi Bank, which means that I am allowed access to the bank’s facilities.
Authentication: I am an employee of Citi Bank and this is my Staff Identification that allows me entry into the company facilities.
Access Control: As an employee of Citi Bank, I am allowed or restricted to access specific areas of the company based on my position or duties. For example, I am employed at Citi Bank as a Sales Manager. While I have my employee ID that allows me access to the company facilities, I will obviously be denied access to the Bank’s Server room, because I am restricted access to that area.
Relationship: Authentication is a verification procedure that ensures that a user or person has specified credentials that help the user/person identify themselves or prove who they are. Once the credentials are valid, it leads to authorization, which means the user will have access to the resources or places by verifying those access rights. Both authentication and authorization act as access controls for either denying or granting specific permissions to an illegal or rightful user (Net Informations, n.d.). If the user’s credentials are validated, permission is granted, otherwise access is denied.
Importance of Authorization, Authentication, and Access Control to Citi’s Security
Authorization, authentication and access control are key ingredients necessary for achieving security at Citi Bank. Through the bank’s authorization policy, guidelines are set out on what a user’s identify permit them to do. A bank’s customer can create a username in order to log into the bank’s Online Service or Website, but the bank’s authorization policy will ensure the same user is allowed access to their online bank account only upon their identity being verified. Authentication can take the form of Single Sign On, Multifactor Authentication, or Consumer Identity Access Management (Gebel, 2018).
In respect to access controls, the bank’s authorization policy ought to define what a single user or group of users may access, this is known as privileges or permissions, which helps to protect information against unauthorized access, as well as protecting systems from misuse and abuse. For example, the bank stores customer information like names, addresses, telephone numbers, bank accounts, credit card and social security information. This information cannot be accessed by anyone in the bank. So the authorization and access controls will be restrictive in the following ways:
The Bank’s Database Administrators can have full access by performing actions like creating, modifying and deleting customer records based on their privileges. However, the accounting staff of the bank can only read any field of customer records like names, bank accounts, credit card information, but they cannot create, modify, or delete any records. Therefore, full access to the records is allowed, but they are denied modification or deleting privileges. On the other hand the marketing staff can only read restricted data of the customers and fields like credit card and social security information can be hidden from them (Piscitello, 2016).
Conversely, the bank achieves a greater leverage of security by implementing authorization, authentication, and access controls by granting different users privileges that are relevant to enable them perform their assigned duties, which is known as Role Based Access Control. By implementing all these methods, it helps the bank to monitor the activities of the employees because the systems have an audit trail that helps track all actions performed. By so doing, the systems, resources, data, and assets are adequately protected and secured.

References
Gebel, G. (2018). Why you need both authorization and authentication. Available at: https://www.csoonline.com/article/3269302/authentication/why-you-need-both-authorization-and-authentication.html
Net Informations (n.d.). Difference between Authentication and Authorization. Available at: http://net-informations.com/faq/asp/authentication.htm
Piscitello, D. (2016). Access Controls, User Permissions and Privileges. Available at: https://www.icann.org/news/blog/access-controls-user-permissions-and-privileges