Access Control (3:21) with Kenneth Love
One of the first steps for security is making sure that only authorized people can access appropriate areas in your app and database.
Outside of hashing, encryption and general privacy, it's best to think about who has access to what pieces of your data. It seems like a really easy topic, but it's one that often requires a lot more thought than you might have expected.

Let's start at the beginning. You have users and they have accounts that they can log into, but how do they do that logging in? This process, known as authentication, can have a lot of different implementations. It could be done through a standard login form, where they enter a user name or e-mail address and a password. They can be logging in through a third-party site, like Facebook or Okta. Or maybe you authenticate users against an internal service, like LDAP, which allows for an internal collection of user names and passwords, like you might find on a LAN or intranet.

This is a good place to talk about two-factor authentication. You've probably heard of this, and likely even used it. But if you haven't, here's the general idea. You log into a service with your username and password. That service then expects a time-sensitive code from you, that you get through either a code generator, like Google's Authenticator app, or by SMS.

There's an old adage that authentication should require three things: something you are, something you have and something you know. Two-factor auth covers, as you might expect, two of these things. The something you know is your password. The something you have is your phone or device that gives you the two-factor auth code. If you get your code from your phone and your phone requires a fingerprint to access it, that could fulfill the third requirement, something you are. There are also modern devices like the YubiKey that use a biometric print, like your thumb print, to generate a two-factor auth code. Some systems even use other biometric items like voice or face recognition too, but the security of these systems is still in flux.

Okay, so they're authenticated, logged in. Now comes the second consideration in this arena, authorization. Now that you know who the user is, what are they allowed to do and see? For example, once you log into your Google account, you're only allowed to see the documents you have created in Google Docs or those that have been explicitly shared with you.

Two modern solutions to this are database-based access control lists, or ACLs, and role-based access control, or RBAC. These two systems assign users different access levels or roles, and then, based on the level or role, determine if the user can access a given object or area. Roles simply define access in a way that lets you assign one or more roles to a specific user. This allows you to control access for groups or teams in a more organized way, rather than having to explicitly define every single thing an individual needs to access. When working with OAuth authentication services, the authorization information that you receive about a particular user is expressed as a set of claims. A claim can be a role the user belongs to, a resource they can access, or an action they can perform.

Probably the most common ACL that most people encounter is the granting of privileges in a database like Postgres or MySQL. You grant read, write, or both accesses to a particular user or role on a particular table, tables, or databases. Ensuring that your database users only have privileges on tables that they need access to is one of the first steps you can take in securing that data.

Obviously the implementation of such a system is beyond the scope of this course, but they're common components in many modern-day frameworks and CMSs. Using and enforcing ACL and RBAC systems helps to minimize the damage that can happen when a single account is compromised. If the account doesn't have access to all of your data (and really, what account should?), the damage done should be constrained to just what the compromised account has access to. If you're using such a system, be sure to do an audit of your user accounts, roles, and what each has access to. It's rare that any one account should have total and complete access to all of your data.
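The role-to-claim mapping, the per-object sharing check and the account audit described above, as an added example written for this page rather than code from the Treehouse course. Everything in it is constructed: the role names, the `resource:action` permission strings, the sample users and the idea that an explicit share grants only read access are assumptions chosen to mirror the Google Docs example in the video.

```python
"""Added example: a small role-based access control (RBAC) check that turns
roles into claims, honours explicit per-object sharing, and audits accounts
for total access. Illustrative code written for this page, not course code;
all role, permission and user names are constructed sample data."""

from dataclasses import dataclass, field

# Hypothetical permission names in the form "<resource>:<action>".
ROLE_PERMISSIONS = {
    "reader":  {"documents:read"},
    "editor":  {"documents:read", "documents:write"},
    "billing": {"invoices:read", "invoices:write"},
    "admin":   {"documents:read", "documents:write",
                "invoices:read", "invoices:write", "users:manage"},
}

# Every permission the system knows about; used by the audit below.
ALL_PERMISSIONS = set().union(*ROLE_PERMISSIONS.values())


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    # Explicit per-object grants, e.g. a document shared with this user,
    # stored as (resource, object_id) pairs.
    shared_objects: set = field(default_factory=set)


def claims_for(user):
    """Flatten a user's roles into the set of claims (permissions) they carry.
    Unknown roles contribute nothing rather than raising, so a typo in a role
    name fails closed."""
    claims = set()
    for role in user.roles:
        claims |= ROLE_PERMISSIONS.get(role, set())
    return claims


def is_authorized(user, resource, action, object_id=None):
    """Authorization decision: allowed if a role-derived claim covers the
    resource/action, or if the specific object was explicitly shared.
    Sharing only ever grants read, as in the Google Docs example."""
    if f"{resource}:{action}" in claims_for(user):
        return True
    return action == "read" and (resource, object_id) in user.shared_objects


def audit(users):
    """Return (user, finding) pairs for accounts that hold every permission
    or reference roles that are not defined."""
    findings = []
    for u in users:
        unknown = u.roles - set(ROLE_PERMISSIONS)
        if unknown:
            findings.append((u.name, f"unknown roles: {sorted(unknown)}"))
        if claims_for(u) == ALL_PERMISSIONS:
            findings.append((u.name, "total access; confirm this is required"))
    return findings


if __name__ == "__main__":
    # Constructed sample accounts for a quick run.
    sample = [
        User("alice", roles={"reader"}, shared_objects={("documents", 42)}),
        User("root", roles={"admin"}),
        User("dan", roles={"superuser"}),  # misspelt role, gets no access
    ]
    for name, finding in audit(sample):
        print(f"{name}: {finding}")
```

The same idea maps directly onto the database grants the video mentions: a role that is only ever given privileges on the tables it needs plays the part of `ROLE_PERMISSIONS`, and the audit corresponds to listing which database roles hold privileges on every table.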