User Tools

Site Tools



Carefully implement an authentication mechanism to control which users are allowed to access which data. The keyword here is the “carefully”, so as to introduce as little new holes in the Emmental cheese as possible.

Authentication provides a way to collect credentials and determine the identity of a user. During authentication with a web application for example, Web Agents communicate with a Policy Server to determine the proper credentials that must be retrieved from the user who is requesting resources, potentially introducing a larger attack surface.

  • When for example, insiders can gain unauthorised access the authentication scheme being used is broken. If the attributes associated with authorised users, along with the attributes associated with the object, action, and environment, satisfy the policy of the data being attacked, the adversary would be able to access the information. The strength of the access control model to guard against unauthorised access depends on the robustness of the authentication scheme being used. In role based access control, an inside attacker is likely to have access to a large subset of information due to its lack of granularity.
  • Authorised users may be able to perform improper operations over information using their own credentials. Such improper access may be relatively easy when the system is regulated using roles. Once a set of users are assigned to a role, all users assigned to this role will be assigned to the same permission set, making improper access possible.

Access to data and resources is commonly classified as:

  • Authorised access: A person has access rights to data according to the security policies.
  • Unauthorised access: A person has no access rights to a set of data or resources, but has deliberately circumvented the system to gain access.
  • Improper access: A person has access rights to the data granted to them by the system, but use their access to perform operations they are not truly entitled to.

en/security/software/authentication/start.txt · Last modified: 2019/10/26 22:04 by Digital Dot