Building secure service by default.
By Yasmin Abdi, Founder and CEO, NoHack
Feb 28, 2023

An introduction to this article appeared in the monthly Creating Connections newsletter put together by the women of The CyberWire. This is a guest-written article. The views and opinions expressed in this article are those of the authors, not necessarily the CyberWire, Inc.

Information security is a complex, multifaceted discipline built upon many foundational principles. Recently, the most important of these has been least privilege, which limits the permissions that users have on a system or network. According to a study by the Identity Defined Security Alliance (IDSA), 84% of organizations have experienced a data breach, and 79% of those breached in the last two years had poor access control frameworks. With least privilege, users are given only the minimal access to the information they need to do their jobs and nothing more. For example, a user account created for reading data from a database does not need admin rights, while a programmer whose job is to write code doesn’t need access to financial records. By limiting access to only what is necessary, the chances of harmful activity, security breaches, and insider risk are reduced significantly.

When developing a new service, it is important to protect all of your customers by making sure your engineers build with authentication and authorization as core product principles. This story is all about these two foundational security mechanisms, authentication and authorization: what they are and how they work.

What is authentication?

Generally speaking, authentication is the process of determining whether someone or something is, in fact, who or what it says. The term comes from the Greek word for authentic (= αυθεντικός) meaning genuine. In computer science, authentication refers to the process of verifying the identity of a user or system before granting access to a building or specific areas within it. Let’s take a look at this diagram.

Source: Forbes

When you create an account for an application, you typically choose a userID and a password; this combination is often referred to as user credentials. UserIDs are most often email addresses, phone numbers, or usernames, whereas a password is a string of characters used as a secret key to get access to a computer system. Once user credentials have been created (e.g., email and password), they are stored in a database. Every time you try to sign in to an application, the system must verify the provided credentials against the database. If the credentials are valid, the system grants access to the requested resource; if they are invalid, the system denies access and may prompt the user to try again. These are the basic principles of how an authentication login works.
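The register-then-verify flow described above, as an added example that is not part of the original article. It stores a per-user salt and a PBKDF2-derived key instead of the password itself, and treats unknown user IDs the same as wrong passwords; the in-memory dictionary, the function names, and the iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Constructed in-memory stand-in for the credentials database:
# user ID -> (salt, derived key). The plaintext password is never stored.
CREDENTIALS = {}

ITERATIONS = 600_000  # assumed PBKDF2 work factor for this example


def _derive(password, salt):
    """Stretch the password into a 32-byte key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(user_id, password):
    """Create credentials: a fresh random salt per user, then store the derived key."""
    salt = os.urandom(16)
    CREDENTIALS[user_id] = (salt, _derive(password, salt))


# Decoy record so an unknown user ID costs the same work as a known one.
_DECOY = (os.urandom(16), os.urandom(32))


def verify(user_id, password):
    """Return True only if the user exists and the password matches."""
    salt, stored = CREDENTIALS.get(user_id, _DECOY)
    candidate = _derive(password, salt)
    # Constant-time comparison avoids leaking how many bytes matched.
    matches = hmac.compare_digest(candidate, stored)
    return matches and user_id in CREDENTIALS


if __name__ == "__main__":
    register("alice@example.com", "correct horse battery staple")  # constructed sample
    print(verify("alice@example.com", "correct horse battery staple"))  # valid credentials
    print(verify("alice@example.com", "wrong password"))               # invalid password
    print(verify("mallory@example.com", "anything"))                   # unknown user
```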

To use authentication, first, you need to determine what type of authentication is appropriate for your specific use case. There are various methods of authentication, including passwords, biometrics, security tokens, and smart cards. Once you have selected the appropriate authentication method, you can then configure the system to require authentication before granting access. 

Adding an extra layer of security by requiring users to provide two forms of authentication (2FA) typically makes it much harder for attackers to gain access to an account, even if they have the user’s password. A report from Microsoft concluded that 2FA bolsters security, blocking 99.9% of automated attacks. Another report from Google saw a 50% decline in compromised accounts by adding 2FA. This huge achievement speaks volumes about the positive impact 2FA can have on a login process versus using a traditional username and password to authenticate.

Source: Okta

So what is authorization and how is it different from authentication?

Most of us are familiar with the concept of authorization. A good example is house ownership. The owner has full access rights to the property and can grant other people the right to access it. You say that the owner authorizes people to access it.

Authentication happens before authorization: it’s the first step in access control. You first need to know who or what the identity is before giving it permission to a resource. Once the user or system has been authenticated, the authorization process can begin. Authorization is the process of verifying the identity of a user or system and determining whether they are allowed to access a particular resource, perform a specific action, or execute a command within a system or network. Authorizing entities involves checking permissions, roles, and privileges to determine whether the entity is authorized to access the requested resource or perform the requested action. Authorization decisions are typically based on a set of policies and rules that define who can access what resources and what actions they are allowed to perform. Let’s consider a collaboration application - Google Docs.

Source: Auth0

The application allows you to create, edit, and share documents with friends, colleagues, and family members. There are also other actions like deleting and adding comments to documents. If you are the owner of a document, you can authorize what actions users can do by defining policies on each resource.

In this scenario:

Resource: the document

Resource Owner: this is the user that creates a document / the owner of the document

Authorized User: the user who is given comment rights by the Resource Owner

The most typical form of authorization is role-based access control (RBAC). RBAC treats authorization as permissions associated with roles rather than directly with users; a role is nothing but a collection of permissions. It is a method of restricting access to resources based on the roles assigned to individual users: once the user has authenticated, the system uses RBAC to determine the level of access the user should have within the application. For example, an employee of a company might be assigned the role of "manager," which would give them access to certain resources and functions within the application, while an employee with the role of "salesperson" would have access to a different set of resources and functions.
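The document-sharing scenario above expressed as a small RBAC check, as an added example that is not part of the original article and is not how any real product implements sharing. It assumes the `user` value passed in is an identity that has already been authenticated (`None` means it has not); the role names other than owner, the permission names, and the sample document are assumptions.

```python
# Roles are collections of permissions; users never hold permissions directly.
# "owner" and comment rights come from the scenario; "editor", "viewer" and
# the exact permission names are assumptions for this example.
ROLE_PERMISSIONS = {
    "owner": {"read", "comment", "edit", "share", "delete"},
    "editor": {"read", "comment", "edit"},
    "commenter": {"read", "comment"},
    "viewer": {"read"},
}


class Document:
    """The resource. Each document carries its own user -> role policy."""

    def __init__(self, doc_id, owner):
        self.doc_id = doc_id
        self.grants = {owner: "owner"}  # the creator is the Resource Owner


def is_authorized(user, action, doc):
    """Deny by default: no identity, no role, or no permission means False."""
    if user is None:  # authentication has not happened, so stop here
        return False
    role = doc.grants.get(user)
    return action in ROLE_PERMISSIONS.get(role, set())


def share(doc, actor, target, role):
    """Grant `role` on `doc` to `target`; only a user holding 'share' may do so."""
    if not is_authorized(actor, "share", doc):
        raise PermissionError(f"{actor} may not share {doc.doc_id}")
    if role not in ROLE_PERMISSIONS or role == "owner":
        raise ValueError(f"role {role!r} cannot be granted")
    doc.grants[target] = role


if __name__ == "__main__":
    doc = Document("q3-plan", owner="alice")          # constructed sample data
    share(doc, actor="alice", target="bob", role="commenter")
    for user, action in [("alice", "delete"), ("bob", "comment"),
                         ("bob", "edit"), ("carol", "read"), (None, "read")]:
        print(user, action, is_authorized(user, action, doc))
```

The commenter can read and comment but cannot edit, delete, or re-share, which is the least-privilege outcome the article describes.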

Conclusion. 

In a constantly changing technology environment, providing strong authentication and authorization is imperative for many reasons. With a strong access control structure, users’ data is always protected and resilient against attack. By restricting access for those who don't need to use certain apps or files, organizations can better secure sensitive data and give project managers a clearer picture of which users are associated with which projects. Not only does this improve the overall cyber security posture, but it also sustains compliance with privacy and security regulations. Controlling user access allows organizations to eliminate instances of identity theft, data breaches and illegal access to sensitive corporate information.