Access Control & Authorization

Transcript

1. Access Control, Authorization, and Authentication Adam Englander Ijeoma Ezeonyebuchi Eric

   Mann

2. Hello. Adam Englander Architect, iovation Ijeoma Ezeonyebuchi Mobile Quality Assurance

   Engineer, NPR Eric Mann Director of Engineering, Vacasa

3. Today’s Session Terminology Access Control Systems Role-based Systems Attribute-based Systems

   Risk-based Systems Things to Consider

4. Terminology Authorization is the function of specifying access rights/privileges to

   resources. (Wikipedia) Authentication is the act of confirming the truth of an attribute of a single piece of data claimed true by an entity. (Wikipedia)

5. Terminology Access control is the selective restriction of access to

   a place or other resource. (Wikipedia)

6. For example ... if (! isset($_SESSION['user_id'])) { header('HTTP/1.1 403 Forbidden');

   exit; } $filename = basename($_POST['filename']); $file = sprintf('/var/www/support/uploads/%s', $filename); if (file_exists($file)) { header('Content-Description: File Transfer'); header('Content-Type: application/octet-stream'); header(sprintf('Content-Disposition: attachment; filename="%s"', $filename)); header(sprintf('Content-Length: %d', filesize($file))); readfile($file); exit; }

7. For example ... if (! isset($_SESSION['user_id'])) { header('HTTP/1.1 403 Forbidden');

   exit; } $filename = basename($_POST['filename']); $file = sprintf('/var/www/support/uploads/%s', $filename); if (file_exists($file)) { header('Content-Description: File Transfer'); header('Content-Type: application/octet-stream'); header(sprintf('Content-Disposition: attachment; filename="%s"', $filename)); header(sprintf('Content-Length: %d', filesize($file))); readfile($file); exit; }

8. Terminology Authorization is not Authentication is not Access Control

9. Authorization -vs- Authentication Authentication - proving a user is who

   they say they are Authorization - proving a user is allowed to do what they are attempting to do

10. Authorization -vs- Access Control Authorization - proving a user is

    allowed to do what they are attempting to do Access Control - actually enforcing authorization controls on systems or resources

11. Strong Security Requires all Three Authentication Authorization Access Control SECURITY

12. Role-based Access Control (RBAC) RBAC separates the concepts of Users,

    Roles and Permissions. Roles are defined in a system, then Permissions defined separately. Then the security administrator decides what role should be permitted to do what action, by assigning that role to the permission. Finally users are assigned to roles. The system does the rest. (PHP-RBAC)

13. Role-based Access Control Users are each assigned to one or

    more role Each role will have one or more permission Operations are restricted based on role membership (Based on the permissions that role grants)

14. Role-based Access Control (RBAC)

15. For example ... if (! isset($_SESSION['user_id'])) { header('HTTP/1.1 403 Forbidden');

    exit; } $rbac = new \PhpRbac\Rbac(); $rbac->enforce('downloads_manager', 105); $filename = basename($_POST['filename']); $file = sprintf('/var/www/support/uploads/%s', $filename); if (file_exists($file)) { header('Content-Description: File Transfer'); header('Content-Type: application/octet-stream'); header(sprintf('Content-Disposition: attachment; filename="%s"', $filename)); // ...

16. For example ... if (! isset($_SESSION['user_id'])) { header('HTTP/1.1 403 Forbidden');

    exit; } $rbac = new \PhpRbac\Rbac(); $rbac->enforce('downloads_manager', $_SESSION['user_id']); $filename = basename($_POST['filename']); $file = sprintf('/var/www/support/uploads/%s', $filename); if (file_exists($file)) { header('Content-Description: File Transfer'); header('Content-Type: application/octet-stream'); header(sprintf('Content-Disposition: attachment; filename="%s"', $filename)); // ...

17. Attribute-based Access Control (ABAC) Attribute-based access control, also known as

    Policy-based access control, defines an access control paradigm whereby access rights are granted to users through the use of policies which combine attributes together. (Wikipedia)

18. Attribute-based Access Control Users can still be assigned to one

    or more role Resources (and users) have specific attributes Users (or roles) have applied policies that use these attributes to allow or block access Policies are evaluated at request time based on current attributes

19. Attribute-based Access Control

20. For example ... if (! isset($_SESSION['user_id'])) { header('HTTP/1.1 403 Forbidden');

    exit; } $user = new \User($_SESSION['user_id']); $filename = basename($_POST['filename']); $download = new \Download($filename); $abac = \PhpAbac\AbacFactory::getAbac(); $attributes = ['dynamic-attributes' => ['report-author' => $user->getId()]]; if ($abac->enforce('downloads-access', $user, $download, $attributes) !== true) { header('HTTP/1.1 403 Forbidden'); exit; } // ...

21. For example ... if (! isset($_SESSION['user_id'])) { header('HTTP/1.1 403 Forbidden');

    exit; } $user = new \User($_SESSION['user_id']); $filename = basename($_POST['filename']); $download = new \Download($filename); $abac = \PhpAbac\AbacFactory::getAbac(); $attributes = ['dynamic-attributes' => ['report-author' => $user->getId()]]; if ($abac->enforce('downloads-access', $user, $download, $attributes) !== true) { header('HTTP/1.1 403 Forbidden'); exit; } // ...

22. For example ... if (! isset($_SESSION['user_id'])) { header('HTTP/1.1 403 Forbidden');

    exit; } $user = new \User($_SESSION['user_id']); $filename = basename($_POST['filename']); $download = new \Download($filename); $abac = \PhpAbac\AbacFactory::getAbac(); $attributes = ['dynamic-attributes' => ['report-author' => $user->getId()]]; if ($abac->enforce('downloads-access', $user, $download, $attributes) !== true) { header('HTTP/1.1 403 Forbidden'); exit; } // ...

23. Risk-based Access Control In general, built upon an attribute-based system

    Leverages attributes that quantify risk • How did the user authenticate? • When and from where did they authenticate? • How risky is the operation being performed? Effectively adds environmental info to the system

24. Final Items to Consider What does your application do? Who

    has access to the application? What is the potential impact of a breach? What is your overall threat model?

25. Questions?

26. Thank you! Please rate our talk: https://joind.in/talk/8b428