You have probably visited a building where you need an access card. Without the card, you don't get in. But the card doesn't (or shouldn't) open every door once you are inside. Some areas must be off-limits. That's physical access control.
Digital access control works on the same principle. It controls who can access the system, and what they can see once they are in.
Authentication vs authorisation
Access control is about deciding who is allowed to do what. It consists of two main components:
- Authentication
- Authorisation
First you need credentials to access the system - a valid username and password, and maybe an OTP. That's authentication: the security guard gives you the access card after checking your ID.
But those credentials don't mean you can go anywhere or do anything. Which doors your card opens is a separate decision, made for every request, about what this particular verified identity is allowed to see and change. That's authorisation.
When authorisation goes wrong
What happens if your app checks authentication, but doesn't control authorisation?
The United States Postal Service (USPS) had this problem from 2017 until November 2018. An API behind usps.com let anyone with an account look up the account details of anyone else: email address, street address, phone number and more. The API even accepted changes to some fields. Around 60 million users were exposed, and the flaw sat unfixed for about a year after a researcher first reported it.
This class of bug, in which a logged-in user supplies an identifier and the application never checks whether that record belongs to them, is often called an insecure direct object reference (IDOR). It is so common that it tops the 2021 OWASP Top Ten as A01: Broken Access Control. Note that the USPS site authenticated users correctly; what it got wrong was authorisation.
Don't trust anyone
The key to proper authentication and authorisation is Zero Trust.
The basic principle of Zero Trust is that nothing and nobody is trusted by default. It doesn't matter whether they are inside or outside your network. Every request is verified, both who is asking and whether they are allowed to do what they ask, before access is granted.
Zero Trust has a second principle: least-privilege access. Give every user and service only the access they need to do their job, and nothing more, so that a stolen credential or a missed check exposes as little as possible.
I like to ask this: Who are you, and can you prove it?
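To make both points concrete, here is an added example that is not part of the original post and not USPS's code: a small in-memory account service in Python. It has a credential check (authentication), a handler that only checks that the caller is logged in and therefore leaks any account to any user (the USPS-style failure from the previous section), and a hardened handler that also enforces object-level authorisation against a deny-by-default, least-privilege permission table (the Zero Trust section). All accounts, users, passwords, roles and function names are constructed for the example.

```python
"""Authentication vs authorisation: a constructed account service.

Added example, not the post's own code. Accounts, users, passwords, roles
and function names are all hypothetical demo values.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Optional


# ---- constructed sample data (not real accounts) ---------------------------
@dataclass
class Account:
    account_id: int
    owner: str
    email: str


ACCOUNTS = {
    1: Account(1, "alice", "alice@example.com"),
    2: Account(2, "bob", "bob@example.com"),
}


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so a stolen user table does not yield passwords directly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def _make_record(password: str) -> tuple:
    salt = secrets.token_bytes(16)
    return salt, _hash(password, salt)


# username -> (salt, hash); the plaintexts are constructed demo values only
USERS = {u: _make_record(p) for u, p in
         {"alice": "correct-horse", "bob": "battery-staple", "support": "helpdesk-pw"}.items()}

# Least privilege: each role gets the smallest permission set it needs,
# and anything not listed here is denied.
ROLES = {"alice": "customer", "bob": "customer", "support": "support"}
PERMISSIONS = {
    "customer": {"account:read_own", "account:update_own"},
    "support": {"account:read_any"},   # may look up any account, may change none
}


class AuthError(Exception):
    """Authentication failed: we do not know who you are."""


class Forbidden(Exception):
    """Authorisation failed: we know who you are, and the answer is no."""


def authenticate(username: str, password: str) -> str:
    """Who are you, and can you prove it? Returns the verified username."""
    record = USERS.get(username)
    if record is None:
        _hash(password, b"\x00" * 16)   # keep timing similar for unknown users
        raise AuthError("bad credentials")
    salt, expected = record
    if not hmac.compare_digest(_hash(password, salt), expected):
        raise AuthError("bad credentials")
    return username


def _has(user: str, permission: str) -> bool:
    """Deny by default: unknown users and unknown roles have no permissions."""
    return permission in PERMISSIONS.get(ROLES.get(user, ""), set())


def get_account_vulnerable(session_user: Optional[str], account_id: int) -> Account:
    """Checks only that the caller is logged in. Any authenticated user can
    read any account: the class of bug described for usps.com above."""
    if session_user is None:
        raise AuthError("login required")
    return ACCOUNTS[account_id]


def get_account(session_user: Optional[str], account_id: int) -> Account:
    """Authentication first, then object-level authorisation for this caller."""
    if session_user is None:
        raise AuthError("login required")
    account = ACCOUNTS.get(account_id)
    if account is None:
        raise Forbidden("no access")   # same answer as 'not yours': no enumeration
    if account.owner == session_user and _has(session_user, "account:read_own"):
        return account
    if _has(session_user, "account:read_any"):
        return account
    raise Forbidden("no access")


def update_email(session_user: Optional[str], account_id: int, new_email: str) -> Account:
    """Writes need their own permission; support staff can read but not change."""
    account = get_account(session_user, account_id)   # reuses the read check
    if account.owner != session_user or not _has(session_user, "account:update_own"):
        raise Forbidden("no access")
    account.email = new_email
    return account


def outcome(fn: Callable, *args) -> str:
    """Classify a call as 'ok', 'unauthenticated' or 'forbidden' (demo helper)."""
    try:
        fn(*args)
    except AuthError:
        return "unauthenticated"
    except Forbidden:
        return "forbidden"
    return "ok"


if __name__ == "__main__":
    bob = authenticate("bob", "battery-staple")
    print("vulnerable handler, bob reads account 1:", get_account_vulnerable(bob, 1).email)
    print("hardened handler,   bob reads account 1:", outcome(get_account, bob, 1))
    print("support reads account 1:", outcome(get_account, "support", 1))
    print("support edits account 1:", outcome(update_email, "support", 1, "x@example.com"))
```

Two design choices are worth noting. The hardened handler returns the same `Forbidden` answer whether the record is missing or simply not the caller's, so an attacker cannot enumerate which account IDs exist. And `update_email` goes through `get_account` rather than repeating the lookup, so the ownership check cannot drift out of sync between the read and write paths; the extra `account:update_own` check is what keeps the support role read-only.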
Quick reminder
Do you develop web apps? Remember our Security Spotlight series, which is about web application security.
Resources
Here are some resources for further reading: