Access Control & Authorization

Proving the identity of a user isn’t the end of an application’s responsibilities: you must also verify the user is allowed to perform the actions they’re attempting. Conflating authentication (the act of identifying users) with authorization (the act of verifying their level of access within the system) is one of the most common ways applications have been breached in the recent past. Don’t fall victim to simple oversights and instead keep your application – and your users – safe.

Eric Mann

May 21, 2019
Transcript

  1. Access Control, Authorization, and Authentication
     Adam Englander, Ijeoma Ezeonyebuchi, Eric Mann

  2. Hello.
     Adam Englander, Architect, iovation
     Ijeoma Ezeonyebuchi, Mobile Quality Assurance Engineer, NPR
     Eric Mann, Director of Engineering, Vacasa

  3. Today's Session
     Terminology
     Access Control Systems
     Role-based Systems
     Attribute-based Systems
     Risk-based Systems
     Things to Consider

  4. Terminology
     Authorization is the function of specifying access rights/privileges to resources. (Wikipedia)
     Authentication is the act of confirming the truth of an attribute of a single piece of data claimed true by an entity. (Wikipedia)

  5. Terminology
     Access control is the selective restriction of access to a place or other resource. (Wikipedia)

  6. For example ...
     // Authentication only: any logged-in user gets past this check.
     if (! isset($_SESSION['user_id'])) {
         header('HTTP/1.1 403 Forbidden');
         exit;
     }
     // basename() strips directory parts, but nothing asks whether THIS user
     // may download THIS file: every upload is served to every logged-in user.
     $filename = basename($_POST['filename']);
     $file = sprintf('/var/www/support/uploads/%s', $filename);
     if (file_exists($file)) {
         header('Content-Description: File Transfer');
         header('Content-Type: application/octet-stream');
         header(sprintf('Content-Disposition: attachment; filename="%s"', $filename));
         header(sprintf('Content-Length: %d', filesize($file)));
         readfile($file);
         exit;
     }

  8. Terminology
     Authorization is not Authentication is not Access Control

  9. Authorization -vs- Authentication
     Authentication - proving a user is who they say they are
     Authorization - proving a user is allowed to do what they are attempting to do

  10. Authorization -vs- Access Control
      Authorization - proving a user is allowed to do what they are attempting to do
      Access Control - actually enforcing authorization controls on systems or resources

  11. Strong Security Requires all Three
      Authentication, Authorization, Access Control (diagram label: SECURITY)

  12. Role-based Access Control (RBAC)
      RBAC separates the concepts of Users, Roles and Permissions. Roles are defined in a system, then Permissions defined separately. Then the security administrator decides what role should be permitted to do what action, by assigning that role to the permission. Finally users are assigned to roles. The system does the rest. (PHP-RBAC)

  13. Role-based Access Control
      Users are each assigned to one or more roles
      Each role will have one or more permissions
      Operations are restricted based on role membership (based on the permissions that role grants)

  14. Role-based Access Control (RBAC)

  15. For example ...
      if (! isset($_SESSION['user_id'])) {
          header('HTTP/1.1 403 Forbidden');
          exit;
      }
      $rbac = new \PhpRbac\Rbac();
      // Authorization: PHP-RBAC's enforce() checks the permission for the given
      // user and answers 403 and exits when the check fails. The user ID is
      // hard-coded here; the next slide takes it from the session instead.
      $rbac->enforce('downloads_manager', 105);
      $filename = basename($_POST['filename']);
      $file = sprintf('/var/www/support/uploads/%s', $filename);
      if (file_exists($file)) {
          header('Content-Description: File Transfer');
          header('Content-Type: application/octet-stream');
          header(sprintf('Content-Disposition: attachment; filename="%s"', $filename));
          // ...

  16. For example ...
      if (! isset($_SESSION['user_id'])) {
          header('HTTP/1.1 403 Forbidden');
          exit;
      }
      $rbac = new \PhpRbac\Rbac();
      // Authorization for the authenticated user: the same session value that
      // proved identity above now selects whose roles are checked.
      $rbac->enforce('downloads_manager', $_SESSION['user_id']);
      $filename = basename($_POST['filename']);
      $file = sprintf('/var/www/support/uploads/%s', $filename);
      if (file_exists($file)) {
          header('Content-Description: File Transfer');
          header('Content-Type: application/octet-stream');
          header(sprintf('Content-Disposition: attachment; filename="%s"', $filename));
          // ...

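Slides 12 and 13 describe the role-based model and slides 15 and 16 show it through PHP-RBAC. As an added example that is not part of the talk or of PHP-RBAC, the stand-alone PHP below builds the same users to roles to permissions chain by hand and turns the download handler into the access-control point that enforces it. The Rbac class, handleDownload(), the permission name download_uploads, the user IDs and the upload list are all constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example (not from the talk or the PHP-RBAC library): a minimal RBAC
// model with users -> roles -> permissions, and the download handler from the
// slides rewritten as the access-control point that enforces the decision.
// Role and permission names, user IDs and the upload list are constructed.

final class Rbac
{
    /** @var array<string, array<string, true>> role => permission set */
    private array $rolePermissions = [];
    /** @var array<int, array<string, true>> user id => role set */
    private array $userRoles = [];

    // Permissions are attached to roles, independently of any user.
    public function grant(string $role, string ...$permissions): void
    {
        foreach ($permissions as $permission) {
            $this->rolePermissions[$role][$permission] = true;
        }
    }

    // Users are assigned to roles, never to permissions directly.
    public function assign(int $userId, string ...$roles): void
    {
        foreach ($roles as $role) {
            $this->userRoles[$userId][$role] = true;
        }
    }

    // Authorization decision: does any role of this user carry the permission?
    // Unknown users and unknown permissions fall through to deny.
    public function can(int $userId, string $permission): bool
    {
        foreach (array_keys($this->userRoles[$userId] ?? []) as $role) {
            if (isset($this->rolePermissions[$role][$permission])) {
                return true;
            }
        }
        return false;
    }
}

// Access control: the point where the decision actually stops the request.
// Returns [status, filename] instead of sending headers so it runs from the CLI.
// $uploads stands in for the contents of /var/www/support/uploads.
function handleDownload(Rbac $rbac, ?int $sessionUserId, string $requested, array $uploads): array
{
    if ($sessionUserId === null) {
        return [401, null];            // authentication failed: nobody is logged in
    }
    if (!$rbac->can($sessionUserId, 'download_uploads')) {
        return [403, null];            // authenticated, but not authorized for this action
    }
    $filename = basename($requested);  // drop any directory part, as the slides do
    if (!isset($uploads[$filename])) {
        return [404, null];
    }
    return [200, $filename];           // here the real handler would readfile() it
}

$rbac = new Rbac();
$rbac->grant('downloads_manager', 'download_uploads', 'delete_uploads');
$rbac->grant('support_agent', 'view_tickets');
$rbac->assign(105, 'downloads_manager');
$rbac->assign(212, 'support_agent');

$uploads = ['q1-report.pdf' => true];  // constructed upload directory listing

$cases = [
    [null, 'q1-report.pdf'],      // anonymous request
    [212,  'q1-report.pdf'],      // logged in, but the role lacks the permission
    [105,  'q1-report.pdf'],      // role carries download_uploads
    [105,  '../../etc/passwd'],   // traversal attempt: basename() leaves 'passwd', which is not an upload
];
foreach ($cases as [$userId, $name]) {
    [$status, $file] = handleDownload($rbac, $userId, $name, $uploads);
    printf("user=%-4s %-20s -> %d%s\n", $userId ?? 'none', $name, $status, $file !== null ? " ($file)" : '');
}
```

Run it with the php CLI; it prints one decision per case. The handler answers 401 for a missing session and 403 for a failed permission check, where the slides use 403 for both; the two statuses mirror the authentication/authorization split the talk draws. Note that all policy lives in the Rbac object: the handler only asks can(), so adding a role or permission never touches request-handling code.
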
  17. Attribute-based Access Control (ABAC)
      Attribute-based access control, also known as Policy-based access control, defines an access control paradigm whereby access rights are granted to users through the use of policies which combine attributes together. (Wikipedia)

  18. Attribute-based Access Control
      Users can still be assigned to one or more roles
      Resources (and users) have specific attributes
      Users (or roles) have applied policies that use these attributes to allow or block access
      Policies are evaluated at request time based on current attributes

  19. Attribute-based Access Control

  20. For example ...
      if (! isset($_SESSION['user_id'])) {
          header('HTTP/1.1 403 Forbidden');
          exit;
      }
      // Application classes wrapping the subject and the requested resource.
      $user = new \User($_SESSION['user_id']);
      $filename = basename($_POST['filename']);
      $download = new \Download($filename);
      $abac = \PhpAbac\AbacFactory::getAbac();
      // Attributes known only at request time travel with the user and resource objects.
      $attributes = ['dynamic-attributes' => ['report-author' => $user->getId()]];
      // enforce() returns exactly true when the policy permits; anything else is a denial.
      if ($abac->enforce('downloads-access', $user, $download, $attributes) !== true) {
          header('HTTP/1.1 403 Forbidden');
          exit;
      }
      // ...

  23. Risk-based Access Control
      In general, built upon an attribute-based system
      Leverages attributes that quantify risk
      • How did the user authenticate?
      • When and from where did they authenticate?
      • How risky is the operation being performed?
      Effectively adds environmental info to the system

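Slides 17 and 18 describe attribute-based policies and slide 23 adds risk as further attributes. The stand-alone PHP below is an added example, not code from the talk or from php-abac: a small policy engine evaluates 'downloads-access' rules over subject, resource and environment attributes at request time, riskScore() combines the talk's three questions (how, when and from where the user authenticated, and how sensitive the operation is), and a denial becomes a step-up request only when the same request would be permitted after MFA. The PolicyEngine class, the rule and attribute names, the thresholds and the sample users, files and locations are all constructed.

```php
<?php
declare(strict_types=1);

// Added example (not from the talk or the php-abac library): an attribute-based
// policy for 'downloads-access' whose rules also read risk attributes
// (authentication method, location, time, operation sensitivity).
// All names, thresholds and sample data below are constructed.

final class PolicyEngine
{
    /** @var array<string, array<string, callable>> policy => rule name => rule */
    private array $policies = [];

    // A rule is a closure over (subject, resource, environment) attributes.
    public function addRule(string $policy, string $name, callable $rule): void
    {
        $this->policies[$policy][$name] = $rule;
    }

    // Permit if any rule matches, otherwise deny (no rule, no access).
    public function evaluate(string $policy, array $subject, array $resource, array $env): array
    {
        foreach ($this->policies[$policy] ?? [] as $name => $rule) {
            if ($rule($subject, $resource, $env) === true) {
                return ['decision' => 'permit', 'reason' => $name];
            }
        }
        return ['decision' => 'deny', 'reason' => 'no matching rule'];
    }
}

// Risk is expressed as more attributes, scored at request time (0 = nothing unusual).
function riskScore(array $subject, array $resource, array $env): int
{
    $score = 0;
    if ($subject['auth_method'] === 'password') $score += 2;        // how did they authenticate?
    if ($env['country'] !== $subject['home_country']) $score += 3;  // from where?
    if ($env['hour'] < 6 || $env['hour'] > 22) $score += 1;         // when?
    if ($resource['classification'] === 'confidential') $score += 2; // how sensitive is the operation?
    return $score;
}

$engine = new PolicyEngine();
// The author of a report may always download it (the slides' 'report-author' attribute).
$engine->addRule('downloads-access', 'author',
    fn($s, $r, $e) => $r['author_id'] === $s['id']);
// Support agents may download their own department's files, but only on a low-risk request.
$engine->addRule('downloads-access', 'department-support',
    fn($s, $r, $e) => in_array('support_agent', $s['roles'], true)
        && $r['department'] === $s['department']
        && riskScore($s, $r, $e) < 4);
// A downloads manager may download anything, but only when authenticated with MFA.
$engine->addRule('downloads-access', 'manager-mfa',
    fn($s, $r, $e) => in_array('downloads_manager', $s['roles'], true)
        && $s['auth_method'] === 'mfa');

// Risk-based twist: instead of a flat 403, re-evaluate as if the user had completed
// MFA. If that would permit, answer 'step-up' so the application can prompt for it.
function decide(PolicyEngine $engine, array $subject, array $resource, array $env): array
{
    $result = $engine->evaluate('downloads-access', $subject, $resource, $env);
    if ($result['decision'] === 'deny' && $subject['auth_method'] !== 'mfa') {
        $asMfa = $engine->evaluate('downloads-access', ['auth_method' => 'mfa'] + $subject, $resource, $env);
        if ($asMfa['decision'] === 'permit') {
            return ['decision' => 'step-up', 'reason' => $asMfa['reason'] . ' after MFA'];
        }
    }
    return $result;
}

// Constructed subjects, resources and environments.
$alice = ['id' => 7, 'roles' => ['support_agent'], 'department' => 'support', 'home_country' => 'US', 'auth_method' => 'password'];
$bob   = ['id' => 9, 'roles' => ['downloads_manager'], 'department' => 'ops', 'home_country' => 'US', 'auth_method' => 'password'];
$ownReport  = ['name' => 'q1-tickets.pdf', 'author_id' => 7, 'department' => 'support', 'classification' => 'internal'];
$teamReport = ['name' => 'q2-tickets.pdf', 'author_id' => 3, 'department' => 'support', 'classification' => 'internal'];
$payroll    = ['name' => 'payroll.csv',    'author_id' => 3, 'department' => 'finance', 'classification' => 'confidential'];
$office = ['country' => 'US', 'hour' => 14];
$hotel  = ['country' => 'BR', 'hour' => 3];

$cases = [
    ['alice', $alice, $ownReport,  $office], // author: permit, whatever the risk
    ['alice', $alice, $teamReport, $office], // own department, low risk: permit
    ['alice', $alice, $teamReport, $hotel],  // own department, abroad at 03:00: deny even with MFA
    ['alice', $alice, $payroll,    $office], // other department: deny, MFA would not help
    ['bob',   $bob,   $payroll,    $hotel],  // manager on a password: step-up to MFA
];
foreach ($cases as [$who, $s, $r, $e]) {
    $d = decide($engine, $s, $r, $e);
    printf("%-5s %-14s %s/%02dh -> %-7s (%s)\n", $who, $r['name'], $e['country'], $e['hour'], $d['decision'], $d['reason']);
}
```

Run it with the php CLI; it prints one decision per case. Two design points carry over to real systems: the engine is default-deny, so a missing or misspelled policy name produces a denial rather than a silent permit, and the step-up is offered only when MFA would actually change the outcome, so an attacker cannot learn from the prompt that a resource exists for which they will never be authorized.
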
  24. Final Items to Consider
      What does your application do?
      Who has access to the application?
      What is the potential impact of a breach?
      What is your overall threat model?

  25. Questions?

  26. Thank you! Please rate our talk: https://joind.in/talk/8b428