mastery 4: Authentication, Access Control and Security Policies

What is authorization and access control?

Authentication is the process of identifying an individual based on their credentials (usually username and password)

The purpose of authentication is to decide if “someone is who they say they are”. There are three ways to recognize a user, which are known as factors:

1.-Something they know, like a password or PIN

2.-Something they have, such as a driver’s license or credit card

3.-Something that they are, like fingerprints or inserting patterns

Access control is the process of deciding whether the user has permission to execute something or not.

Also called authorization, it refers to the management of access to protected resources and the process of determining if a user is authorized to access a particular resource. For example, many web applications have resources that are only available to authenticated users, resources that are only available to administrators, and resources that are available to all. Thus, when establishing user access privileges we can ensure confidentiality and availability of information; but, in addition, we can:
That only authorized people can access certain resources (systems, equipment, programs, applications, databases, networks, etc …) for their job functions.
They allow us to identify and audit the accesses made, establishing internal security controls.

Document the access procedures to the different applications that process personal data.
In short, control access from different sources: network, systems and applications.
Nowadays, privilege escalation is very common, which is nothing more than obtaining the privileges of the administrator. Therefore, there must be a specific policy or regulation that establishes the use of mechanisms to prevent attempts to escalate privileges in our web applications. It is considered that a system applies policies to avoid privilege escalation when: It is not possible to access information of the privilege. system that can be used for the escalation of privileges, it is not possible to execute actions pretending to be another user, etc.

Thinking about data security and building defenses from the first moment is of vital importance. Security engineering covers a lot of ground and includes many measures, from security tests and regular code reviews to the creation of security architectures and threat models to keep a network locked and secure from a “perfect” point of view. Understanding the risk of sensitive data is key. Data risk analysis includes discovering, identifying and classifying data, so data administrators can take tactical and strategic measures to ensure data is secure.

This topic is essential in our project, since as we are doing an anonymous voting system the security, authentication and access control is the most important thing that we have to ensure that it is well structured.  Something I like about the project is that we are going to implement double factor authentication which will make the application more secure and it is something that I am interested in learning more about the forms or techniques that we can use for the security part

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s