Access Control & Authorization

Transcript

1. Access Control,
   Authorization, and
   Authentication
   Adam Englander Ijeoma Ezeonyebuchi Eric Mann
   

   View Slide

2. Hello.
   Adam Englander
   Architect, iovation
   Ijeoma Ezeonyebuchi
   Mobile Quality Assurance
   Engineer, NPR
   Eric Mann
   Director of Engineering,
   Vacasa
   

   View Slide

3. Today’s Session
   Terminology
   Access Control Systems
   Role-based Systems
   Attribute-based Systems
   Risk-based Systems
   Things to Consider
   

   View Slide

4. Terminology
   Authorization is the function of specifying
   access rights/privileges to resources. (Wikipedia)
   Authentication is the act of confirming the
   truth of an attribute of a single piece of data
   claimed true by an entity. (Wikipedia)
   

   View Slide

5. Terminology
   Access control is the selective restriction of
   access to a place or other resource. (Wikipedia)
   

   View Slide

6. For example ...
   if (! isset($_SESSION['user_id'])) {
   header('HTTP/1.1 403 Forbidden');
   exit;
   }
   $filename = basename($_POST['filename']);
   $file = sprintf('/var/www/support/uploads/%s', $filename);
   if (file_exists($file)) {
   header('Content-Description: File Transfer');
   header('Content-Type: application/octet-stream');
   header(sprintf('Content-Disposition: attachment; filename="%s"', $filename));
   header(sprintf('Content-Length: %d', filesize($file)));
   readfile($file);
   exit;
   }
   

   View Slide

7. For example ...
   if (! isset($_SESSION['user_id'])) {
   header('HTTP/1.1 403 Forbidden');
   exit;
   }
   $filename = basename($_POST['filename']);
   $file = sprintf('/var/www/support/uploads/%s', $filename);
   if (file_exists($file)) {
   header('Content-Description: File Transfer');
   header('Content-Type: application/octet-stream');
   header(sprintf('Content-Disposition: attachment; filename="%s"', $filename));
   header(sprintf('Content-Length: %d', filesize($file)));
   readfile($file);
   exit;
   }
   

   View Slide

8. Terminology
   Authorization is not
   Authentication is not
   Access Control
   

   View Slide

9. Authorization -vs- Authentication
   Authentication - proving a user is who they say they are
   Authorization - proving a user is allowed to do what
   they are attempting to do
   

   View Slide

10. Authorization -vs- Access Control
    Authorization - proving a user is allowed to do what
    they are attempting to do
    Access Control - actually enforcing authorization
    controls on systems or resources
    

    View Slide

11. Strong Security Requires all Three
    Authentication Authorization
    Access Control
    SECURITY
    

    View Slide

12. Role-based Access Control (RBAC)
    RBAC separates the concepts of Users, Roles and
    Permissions. Roles are defined in a system, then
    Permissions defined separately. Then the security
    administrator decides what role should be permitted to
    do what action, by assigning that role to the permission.
    Finally users are assigned to roles. The system does the
    rest. (PHP-RBAC)
    

    View Slide

13. Role-based Access Control
    Users are each assigned to one or more role
    Each role will have one or more permission
    Operations are restricted based on role membership
    (Based on the permissions that role grants)
    

    View Slide

14. Role-based Access Control (RBAC)
    

    View Slide

15. For example ...
    if (! isset($_SESSION['user_id'])) {
    header('HTTP/1.1 403 Forbidden');
    exit;
    }
    $rbac = new \PhpRbac\Rbac();
    $rbac->enforce('downloads_manager', 105);
    $filename = basename($_POST['filename']);
    $file = sprintf('/var/www/support/uploads/%s', $filename);
    if (file_exists($file)) {
    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    header(sprintf('Content-Disposition: attachment; filename="%s"', $filename));
    // ...
    

    View Slide

16. For example ...
    if (! isset($_SESSION['user_id'])) {
    header('HTTP/1.1 403 Forbidden');
    exit;
    }
    $rbac = new \PhpRbac\Rbac();
    $rbac->enforce('downloads_manager', $_SESSION['user_id']);
    $filename = basename($_POST['filename']);
    $file = sprintf('/var/www/support/uploads/%s', $filename);
    if (file_exists($file)) {
    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    header(sprintf('Content-Disposition: attachment; filename="%s"', $filename));
    // ...
    

    View Slide

17. Attribute-based Access Control (ABAC)
    Attribute-based access control, also known as
    Policy-based access control, defines an access control
    paradigm whereby access rights are granted to users
    through the use of policies which combine attributes
    together. (Wikipedia)
    

    View Slide

18. Attribute-based Access Control
    Users can still be assigned to one or more role
    Resources (and users) have specific attributes
    Users (or roles) have applied policies that use these
    attributes to allow or block access
    Policies are evaluated at request time based on current
    attributes
    

    View Slide

19. Attribute-based Access Control
    

    View Slide

20. For example ...
    if (! isset($_SESSION['user_id'])) {
    header('HTTP/1.1 403 Forbidden');
    exit;
    }
    $user = new \User($_SESSION['user_id']);
    $filename = basename($_POST['filename']);
    $download = new \Download($filename);
    $abac = \PhpAbac\AbacFactory::getAbac();
    $attributes = ['dynamic-attributes' => ['report-author' => $user->getId()]];
    if ($abac->enforce('downloads-access', $user, $download, $attributes) !== true) {
    header('HTTP/1.1 403 Forbidden');
    exit;
    }
    // ...
    

    View Slide

21. For example ...
    if (! isset($_SESSION['user_id'])) {
    header('HTTP/1.1 403 Forbidden');
    exit;
    }
    $user = new \User($_SESSION['user_id']);
    $filename = basename($_POST['filename']);
    $download = new \Download($filename);
    $abac = \PhpAbac\AbacFactory::getAbac();
    $attributes = ['dynamic-attributes' => ['report-author' => $user->getId()]];
    if ($abac->enforce('downloads-access', $user, $download, $attributes) !== true) {
    header('HTTP/1.1 403 Forbidden');
    exit;
    }
    // ...
    

    View Slide

22. For example ...
    if (! isset($_SESSION['user_id'])) {
    header('HTTP/1.1 403 Forbidden');
    exit;
    }
    $user = new \User($_SESSION['user_id']);
    $filename = basename($_POST['filename']);
    $download = new \Download($filename);
    $abac = \PhpAbac\AbacFactory::getAbac();
    $attributes = ['dynamic-attributes' => ['report-author' => $user->getId()]];
    if ($abac->enforce('downloads-access', $user, $download, $attributes) !== true) {
    header('HTTP/1.1 403 Forbidden');
    exit;
    }
    // ...
    

    View Slide

23. Risk-based Access Control
    In general, built upon an attribute-based system
    Leverages attributes that quantify risk
    ● How did the user authenticate?
    ● When and from where did they authenticate?
    ● How risky is the operation being performed?
    Effectively adds environmental info to the system
    

    View Slide

24. Final Items to Consider
    What does your application do?
    Who has access to the application?
    What is the potential impact of a breach?
    What is your overall threat model?
    

    View Slide

25. Questions?
    

    View Slide

26. Thank you!
    Please rate our talk:
    https://joind.in/talk/8b428
    

    View Slide