Where are your visitors?


You've visited a building where you need an access card. Without the card, you don't get in. But the card doesn't (or shouldn't) open every door once you are inside. Some areas must stay off-limits. That's physical access control.

Digital access control works on the same principle. It controls who can get into the system, and what they can see and do once they are in.

Authentication vs authorisation

Access control is about deciding who is allowed to do what. It has two main components:

  • Authentication
  • Authorisation

First you need credentials to access the system: a valid username and password, and maybe a one-time password (OTP). That's authentication. The security guard hands you the access card after checking your ID.

But those credentials don't mean you can go anywhere or do anything. What you may do once inside depends on your authorisation: the set of doors your card actually opens. The two checks are separate, and an app needs both.

When authorisation goes wrong

What happens if your app checks authentication, but doesn't enforce authorisation?

The United States Postal Service (USPS) had this problem in 2017 and 2018. Anyone with an account at usps.com could view anyone else's account details, and could even change some of the data. Every attacker was a properly logged-in user; the missing step was checking whether that user was allowed to see the account they asked for. That put about 60 million users at risk.

This class of vulnerability is so common that it heads the OWASP Top Ten as Broken Access Control (A01:2021). Note that it is not an authentication failure: the login worked exactly as designed.
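The following is an added, constructed example, not code from the original article or from USPS. It shows an account-lookup handler that checks only authentication (the USPS-style bug described above) beside one that also checks authorisation and applies least privilege. The account records, session tokens and the "customer"/"support" roles are all made up; the handler names and the `is_allowed` helper are assumptions for illustration.

```python
# Constructed example: authentication-only handler vs. one with authorisation.
# Accounts, tokens and roles below are made up for illustration.
from dataclasses import dataclass
from typing import Dict, Optional


class NotAuthenticated(Exception):
    """No valid session: the caller has not proved who they are."""


class AccessDenied(Exception):
    """The caller is authenticated but not authorised for this action."""


@dataclass
class Account:
    account_id: int
    owner: str          # username of the account holder
    email: str


@dataclass
class Session:
    username: str
    role: str = "customer"   # constructed roles: "customer" or "support"


# Stand-ins for the database and the server-side session store. A real app
# would fill SESSIONS at login, after checking the user's credentials.
ACCOUNTS: Dict[int, Account] = {
    1001: Account(1001, "alice", "alice@example.com"),
    1002: Account(1002, "bob", "bob@example.com"),
}
SESSIONS: Dict[str, Session] = {
    "tok-alice": Session("alice"),
    "tok-bob": Session("bob"),
    "tok-support": Session("carol", role="support"),
}


def authenticate(token: Optional[str]) -> Session:
    """Authentication: who are you, and can you prove it?"""
    session = SESSIONS.get(token or "")
    if session is None:
        raise NotAuthenticated("login required")
    return session


def view_account_vulnerable(token: str, account_id: int) -> Account:
    """The bug: confirms *somebody* is logged in, then returns whichever
    account the caller names. Any customer can read any other customer's
    record just by changing the number in the request."""
    authenticate(token)            # authentication only ...
    return ACCOUNTS[account_id]    # ... no check that it is *their* account


def authorise(session: Session, account: Account, action: str) -> None:
    """Authorisation with least privilege: a customer may read and update
    only their own account; support staff may read any account, update none."""
    if session.role == "customer" and account.owner == session.username:
        return
    if session.role == "support" and action == "read":
        return
    raise AccessDenied(f"{session.username} may not {action} account {account.account_id}")


def _load_authorised(token: str, account_id: int, action: str) -> Account:
    """Authenticate, load the object, then authorise the action on it.
    An unknown id raises the same AccessDenied as a forbidden one, so the
    endpoint cannot be used to enumerate which account ids exist."""
    session = authenticate(token)
    account = ACCOUNTS.get(account_id)
    if account is None:
        raise AccessDenied(f"{session.username} may not {action} account {account_id}")
    authorise(session, account, action)
    return account


def view_account(token: str, account_id: int) -> Account:
    """Hardened read: ownership (or support role) is checked per object."""
    return _load_authorised(token, account_id, "read")


def update_email(token: str, account_id: int, new_email: str) -> Account:
    """Hardened write: the same per-object check guards the change."""
    account = _load_authorised(token, account_id, "update")
    account.email = new_email
    return account


def is_allowed(token: str, account_id: int, action: str) -> bool:
    """True if the hardened path would permit the action."""
    try:
        _load_authorised(token, account_id, action)
    except (NotAuthenticated, AccessDenied):
        return False
    return True


if __name__ == "__main__":
    # Bob is logged in, so the vulnerable handler hands him Alice's record.
    print("vulnerable handler gives bob:", view_account_vulnerable("tok-bob", 1001))
    print("hardened: bob reads alice ->", is_allowed("tok-bob", 1001, "read"))
    print("hardened: support reads alice ->", is_allowed("tok-support", 1001, "read"))
    print("hardened: support updates alice ->", is_allowed("tok-support", 1001, "update"))
```

The decision in `authorise` is made against the specific object being requested, not just against the user's role; that per-object check is what the vulnerable handler lacks. Returning the same error for "does not exist" and "not yours" is a small extra caveat worth keeping, since a distinguishable response lets an attacker map out valid account ids before trying anything else.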

Don't trust anyone

The key to proper authentication and authorisation is Zero Trust.

The basic principle of Zero Trust is that you trust nothing and no one by default. It doesn't matter whether they are inside or outside your network. Every request is verified before access is granted, and "already logged in" is not a reason to skip the check.

Zero Trust has a second principle: least-privilege access. Give users (and services) only as much access as they need to do their job, and no more.

I like to ask this: Who are you and can you prove it?

Quick reminder

Do you develop web apps? Remember our Security Spotlight series, which is about web application security.

Resources

Here are some resources for further reading:
