IT Security Overview

This page was last updated on 2 Jun 2024.

  • This section on IT security provides information on security in transit, i.e., security while going over the network.

  • The most common approach for providing secure access to a server or HTTP API involves a multi-pronged approach of SSL certificates and firewalls.

  • You can generate an SSL certificate and use its public key to authenticate web requests. This allows your API server to accept only requests that originate from clients who hold the public key, even if the API server is publicly accessible.

  • You should also have a security policy that has a predefined combination of minimum TLS version and the cipher suite used.

  • Different identity protocols such as OAuth 2.0, OpenID Connect (OIDC) and Security Assertion Markup Language (SAML) 2.0 were designed to solve slightly different aspects of authentication and authorisation.

Benefits of a Standard Identity Protocol

  • Open standard protocols have been scrutinised for flaws by many people, so they are less likely to have vulnerabilities.

  • Since they are widely used, they provide interoperability between customised applications and the identity service providers that support the protocol.

  • Once a user has authenticated with a standard identity provider, you can access the user’s profile data in your application.

  • It provides an SSO mechanism for users of your application.

Are certificates better than passwords?

  • The “asymmetric” nature of generating and decrypting certificates allows for the separation of roles. With a password, whoever verifies the password must also know the password and how to encrypt or decrypt it.

  • The whole point of certificates is to separate those who define the digital identity of the entity wanting authentication from those who authenticate users. With user certificates, the certificate is issued by the certification authority, which guarantees the link between a physical identity and the cryptographic public key. The verifier can thus verify the user’s identity without being able to impersonate the user.

  • This is the reason why certificates are better than passwords.

The Three As

The three As that are very important for any network security are Authentication, Authorization and Auditing. Yet the distinction between them is often unclear. These components are separate, have distinct responsibilities in a network security scheme, and are described in more detail below.

Authentication

Authentication is the process of verifying the identity of a particular user. To authenticate a user, the user is asked for information that proves their identity. There are generally three ways (or factors) to do this:

  • A secret password which the user can choose on his own or could be system generated.

  • A token, where an algorithm runs every minute and generates a new six-digit code.

  • Biometrics, where each human has distinguishing characteristics they can use to confirm who they are.

Authentication systems nowadays combine the above authentication methods to strengthen the whole authentication process: Multi-Factor Authentication.

Authorization

Authorization refers to granting or denying access to specific resources based on the requesting user’s identity. This step is performed after a user is identified through authentication. Authorization is usually performed through access control lists and RBAC (Role Based Access Control), which associate the user’s identity with specific rights.

If for any reason the authentication cannot be trusted, then authorization ceases to work.

Auditing

The final A is Auditing. Auditing takes the results from authentication and authorization and records these results into an audit log. The audit log records all actions taken by the authentication and authorization steps for future review.