Unauthorized access to data and resources is one of the most significant and dangerous risks of the digital world. The OWASP Foundation, in their project about the Top 10 Application Security Risks – 2017, placed “Broken Authentication” as second, “Broken Access Control” as fifth.
Lately, we heard a lot about data breaches (which lead to unauthorized access), some of them happening to big companies like Facebook, which happened to have third parties exposing 540 million user records. And let’s not talk about password leaks, “unintentional” loading of user data without their consent or the Cambridge Analytica scandal.
As software engineers, we should always control who or what has access to resources. It’s our responsibility to build robust products with a high degree of security, including strong access control mechanisms.
Access control makes sure that only authenticated and authorized users can access resources. Sometimes there is a bit of confusion between access control and authorization, or between authentication and identification. Let’s clarify all of them and give some examples.
Identification happens when a user claims an identity. In the physical world, we could state our name. When I meet somebody for the first time, I introduce myself by saying “I’m Thomas”: that is me identifying myself.
In the digital world, instead, I would provide my username or email address, claiming the identity of my account, for example.
Identification is the first step of access control.
If I went to the airport to catch a flight and told the airport personnel “I’m Thomas”, for sure, they would ask me for some proof of my identity. That is the authentication process: verifying a claimed identity.
At the airport, I would prove my identity through my passport. When trying to get into my email account, I would provide my password to prove that I am who I’m claiming to be and that one is really my account. In case I had enabled a 2-factor authentication (and I should), I would also provide a second proof of my identity, for example, a code generated by a USB token or a dedicated app on my smartphone.
Verifying the user identity, i.e. authenticating them, is the second step of access control.
Once the airport personnel has authenticated my identity through my passport, that means they have proved my identity, but that doesn’t mean I can go wherever I want across the airport or catch whichever flight. Nope. I can only do what I have permissions for, i.e. what I’m authorized to do. Buying a ticket to Reykjavík grants me the right to fly to Iceland, as long as I identify myself as the owner of the ticket and prove my identity. (I know, I have simplified security airport procedures a lot, but it was for the sake of the example.)
If we consider the email account example again, after the authentication phase, the email provider will check for my permissions to figure out what I can or cannot do once got access to my email account. A necessary permission is the one granting me access to my, and only my, emails — not the ones from other email accounts. In a CMS application, I might have permissions to add new content, but not delete it. An administrator would have permissions to perform more operations than me.
Authorization is the third step of access control.
Access control systems grants access to resources only to users whose identity has been proved and having the required permissions. To accomplish that, we need to follow three steps:
Access control is paramount for security and fatal for companies failing to design it and implement it correctly.
What about you? Which process do you follow to ensure correct and secure access control to your resources and services?