- Authentication - Is a user actually who they claim to be?
- A username and password are a good way to control this
- Secret/temporary access keys can also prove this
- Authorization - Is the user allowed to do what they're trying to do?
- eg. in Google Docs, only some people can access some docs
- Accounting - Is there a record of who is doing what?
- Useful for after-the-fact breach analysis
- Also good for debugging, troubleshooting, and understanding issues. Or sometimes just keeping a record
3 / 23