One of the first steps for security is making sure that only authorized people can access appropriate areas in your app and database.
Access Control List and Role-based Access Control on Wikipedia are great places for a more thorough explanation.
Outside of hashing, encryption and general privacy, it's best to think about who has access to what pieces of your data. It seems like a really easy topic, but it's one that often requires a lot more thought than you might have expected.

Let's start at the beginning: you have users, and they have accounts that they can log into, but how do they do that logging in? This process, known as authentication, can have a lot of different implementations. It could be done through a standard login form, where they enter a user name or e-mail address and a password. They could be logging in through a third-party site, like Facebook or Okta. Or maybe you authenticate users against an internal service, like LDAP, which allows for an internal collection of user names and passwords, like you might find on a LAN or intranet.
This is a good place to talk about two-factor authentication. You've probably heard of this, and likely even used it. But if you haven't, here's the general idea. You log into a service with your username and password. That service then expects a time-sensitive code from you, which you get through either a code generator, like Google's Authenticator app, or by SMS.

There's an old adage that authentication should require three things: something you are, something you have and something you know. Two-factor auth covers, as you might expect, two of these things. The something you know is your password. The something you have is your phone or device that gives you the two-factor auth code. If you get your code from your phone and your phone requires a fingerprint to access it, that could fulfill the third requirement, something you are. There are also modern devices like the YubiKey that use a biometric print, like your thumbprint, to generate a two-factor auth code. Some systems even use other biometric items like voice or face recognition too, but the security of these systems is still in flux.
Okay, so they're authenticated, logged in. Now comes the second consideration in this arena, authorization. Now that you know who the user is, what are they allowed to do and see? For example, once you log into your Google account, you're only allowed to see the documents you have created in Google Docs or those that have been explicitly shared with you.

Two modern solutions to this are database-based access control lists, or ACLs, and role-based access control, or RBAC. These two systems assign users different access levels or roles, and then, based on the level or role, determine if the user can access a given object or area. Roles simply define access in a way that lets you assign one or more roles to a specific user. This allows you to control access for groups or teams in a more organized way, rather than having to explicitly define every single thing an individual needs to access.

When working with OAuth authentication services, the authorization information that you receive about a particular user is expressed as a set of claims. A claim can be a role the user belongs to, a resource they can access, or an action they can perform.

Probably the most common ACL that most people encounter is the granting of privileges in a database like Postgres or MySQL. You grant read, write, or both accesses to a particular user or role on a particular table, tables, or databases. Ensuring that your database users only have privileges on the tables they need access to is one of the first steps you can take toward securing that data. Obviously the implementation of such a system is beyond the scope of this course, but they're common components in many modern-day frameworks and CMSs.

Using and enforcing ACL and RBAC systems helps to minimize the damage that can happen when a single account is compromised. If the account doesn't have access to all of your data (and really, what account should?), the damage done should be constrained to just what the compromised account has access to. If you're using such a system, be sure to do an audit of your user accounts, roles, and what each has access to. It's rare that any one account should have total and complete access to all of your data.
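The table-level grants and the account audit described above, as an added example that is not part of the course material; it assumes PostgreSQL, and the schema, table and role names (`app`, `orders`, `app_readonly`, `app_readwrite`, `reporting_svc`, `orders_api`) are constructed for the example:

```sql
-- Constructed PostgreSQL example: a read-only reporting role and a
-- read/write application role, each granted only what it needs.
CREATE SCHEMA IF NOT EXISTS app;
CREATE TABLE IF NOT EXISTS app.orders (
    id        serial PRIMARY KEY,
    customer  text NOT NULL,
    total     numeric(10,2) NOT NULL
);

-- Group roles carry the privileges; they cannot log in themselves.
CREATE ROLE app_readonly  NOLOGIN;
CREATE ROLE app_readwrite NOLOGIN;

-- Both may look inside the schema, but only at the tables named below.
GRANT USAGE ON SCHEMA app TO app_readonly, app_readwrite;
GRANT SELECT ON app.orders TO app_readonly;
GRANT SELECT, INSERT, UPDATE ON app.orders TO app_readwrite;
-- INSERT into a serial column also needs the backing sequence.
GRANT USAGE ON SEQUENCE app.orders_id_seq TO app_readwrite;

-- Login accounts get access through role membership, never direct grants,
-- so one GRANT/REVOKE on the group role changes every member at once.
CREATE ROLE reporting_svc LOGIN PASSWORD 'PLACEHOLDER-change-me';
CREATE ROLE orders_api    LOGIN PASSWORD 'PLACEHOLDER-change-me';
GRANT app_readonly  TO reporting_svc;
GRANT app_readwrite TO orders_api;
-- Neither role was given DELETE or any other schema, so a compromised
-- reporting_svc can read orders but cannot alter or remove them.

-- Audit: every table privilege in the schema, who holds it, and which
-- login accounts inherit it through membership.
SELECT r.grantee,
       r.table_schema,
       r.table_name,
       r.privilege_type,
       COALESCE(string_agg(m.rolname, ', '), '(no members)') AS login_members
FROM information_schema.role_table_grants AS r
LEFT JOIN pg_roles        AS g  ON g.rolname = r.grantee
LEFT JOIN pg_auth_members AS am ON am.roleid = g.oid
LEFT JOIN pg_roles        AS m  ON m.oid = am.member
WHERE r.table_schema = 'app'
GROUP BY r.grantee, r.table_schema, r.table_name, r.privilege_type
ORDER BY r.grantee, r.table_name, r.privilege_type;
```

Run the audit query as the owning or superuser role, since `role_table_grants` only lists grants involving roles the current session can see.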
3:19