Authorisation Flashcards
Authorisation
A security mechanism that grants or denies access to a system based on identity and permissions.
Why is authorisation difficult to implement?
Users may fall into a number of groups or roles with different abilities or privileges
Authorisation conflicts can occur and stop production
Users may try to bypass authorisation methods.
Policy Enforcement Phase
Done by a reference monitor, which takes as input the access request and the current security policy, then decides whether the access request complies with the security policy.
Should always be NEAT: non-bypassable, evaluable, always-invoked, tamperproof
Difficulty of Authorisation
Developers frequently underestimate the difficulty of implementing authorisation schemes. Often they simply evolve along with the application, which can make them very difficult to comprehend (and flawed) once the application nears deployment.
Flawed Authorisation
Many flawed authorisation schemes are not difficult to discover and exploit, with devastating consequences, as attackers can delete, edit, exploit, etc.
Administrative Interfaces
Allow web admins to manage users, data and content efficiently. However, their power makes them a frequent prime target for attack - from both inside and outside the organisation.
Path Traversal
The Path Traversal attack allows an attacker to access files, directories and commands that reside outside the web root directory.
Attackers could manipulate a URL so that the app reveals the contents of files anywhere on the server. Also known as the dot-dot-slash (../) attack, as it uses a special character sequence to alter the resource location in the URL.
Role Based Access Control
RBAC is a method for controlling access based on roles assigned to users. This means lower-level roles cannot access sensitive information or perform high-level tasks.
Principle of Least Privilege
Limit users to the absolute minimum role necessary for them to complete their assigned tasks.
Benefits of RBAC - Improving Operational Efficiency
Decreases the need for paperwork and password changes.
Lets organisations quickly assign and change roles.
Third-party users can be integrated much more easily.
Benefits of RBAC - Enhancing Compliance
RBAC systems help meet regulatory and statutory requirements for confidentiality, as they effectively manage how data is accessed and used.
Benefits of RBAC - Giving Admins Increased Visibility
RBAC gives network administrators more visibility and oversight into the business.
Benefits of RBAC - Reducing Costs
Organisations can conserve or more cost effectively use resources such as network bandwidth, memory and storage.
Benefits of RBAC - Decreasing Risk
Restricted access to sensitive information reduces the potential for data breaches or leakage.
RBAC Issues - Role Explosion
Occurs when the granularity needed for access control is too fine-grained. Roles become difficult and costly to manage, and control becomes confusing and complicated, reducing effectiveness.
More roles can lead to security holes that are difficult to find and close.
RBAC Issues - Security Risk Tolerance
If an organisation is averse to security risks, RBAC may not be the optimal way to secure access.
Once deployed, it is hard to react to changing threats and risks.
RBAC Issues - Scalability and Dynamism
When RBAC is first deployed, it is known exactly which roles need to be defined. However, as an organisation grows, new job definitions may not be updated or clearly defined, and RBAC becomes difficult to manage and maintain.
RBAC Issues - Expensive and Difficult
If an organisation chooses to upgrade to RBAC, there is added cost and risk in migrating users while phasing out older systems. Migrations often have a variety of difficulties and unforeseen challenges, resulting in security holes along with costly defects - data loss and unplanned downtime.
RBAC vs Access Control List
RBAC is superior to ACL in terms of security and administrative overhead.
ACL is better for implementing security at the user level and for low-level data.
RBAC vs Attribute Based Access Control
ABAC is more dynamic and uses relation-based access control. RBAC can determine broad access while ABAC offers more granularity.
An RBAC system can grant access to all managers, but an ABAC policy will grant access only to managers that are part of a certain department. ABAC is more complex, in both processing power and time, so it is only needed when RBAC is insufficient.