Year Of Security for Java – Week 33 – Access Control (3)

What is it and why should I care?
We defined access control in part 1 of the access control sub-series, so let’s move on to talk more about what we do about it.

What should I do about it?

In part 1 we discussed limiting your users’ interactions with your application by functionality. In part 2 we discussed adding data access as a criterion. This time I’d like to discuss an additional, deliberately generic category for limiting interaction: “other”. There are many further specific data points we can use to build context for an access control decision. I’ll outline a few below for your consideration, but treat this as a starting list to get you going. You should definitely expand it and make it specific to your environment.

The following are a few ideas to provide additional context to your access control decision matrix.

Date / Time
The time of day can be a critical factor for deciding whether or not to allow access in certain environments. A simple example might be that you only allow access to employees M-F 8-6. Outside of those hours, the employee may have little to no access within the system. Another example might be that you only perform certain tasks once a quarter at a certain time. You can set your policy to only allow a small window wherein those changes can be made.

Physical Location
If you expect a given user to only login from the UK and they start showing up logged in from Australia, you may not want to allow access. This geo-location capability becomes all the more important with mobile devices. You could theoretically limit a user to only logging in when they are at home or work, and nowhere else. The granularity of location differs depending on your geo-location provider, but many services are starting to get pretty accurate, particularly in the mobile device space.

Type of Device
You might want to limit certain applications to only be used from a mobile device or to never be used from a mobile device.

IP Address
You may want to limit access by specific IP addresses or ranges.

Browser Type / Version
People have been limiting applications by browser type/version for a long time. It’s only been in the last few years, though, that I’ve heard of people doing it for security as opposed to functionality. I’ve seen apps now block older browser versions because they don’t support the security capabilities required for a given application.

These are just a few ideas I’ve seen implemented to help make access control decisions. Some of these data points are logical and simple to get. Some are more difficult to find. Some have higher accuracy than others. The point of this article is that there are additional data points that can be used to make access control decisions. Decide which ones make sense for your application and then use them.
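The following is an added example, not code from the original post, showing how several of the contextual data points above (business hours, expected country per user, device type and source IP range) can be combined into a single fail-closed authorization check. The class, record and field names, the office time zone, the user/country table and the 10.0.0.0/8 range are all constructed for illustration, and the record syntax assumes Java 16 or later.

```java
import java.time.DayOfWeek;
import java.time.LocalTime;
import java.time.ZoneId;
import java.time.ZonedDateTime;
import java.util.Map;

// Constructed request context (field names are assumptions for this example).
record RequestContext(String user, ZonedDateTime when, String country, boolean mobile, String ip) {}

public class ContextualAccessPolicy {
    private static final ZoneId OFFICE_ZONE = ZoneId.of("Europe/London");
    private static final LocalTime OPEN = LocalTime.of(8, 0);
    private static final LocalTime CLOSE = LocalTime.of(18, 0);
    // Country each user is expected to log in from; unknown users fail closed.
    private static final Map<String, String> EXPECTED_COUNTRY = Map.of("alice", "GB");
    private static final String ALLOWED_CIDR = "10.0.0.0/8"; // constructed internal range

    /** Returns a denial reason, or null when every contextual check passes. */
    public static String evaluate(RequestContext ctx) {
        // Normalise the request time to the office zone before applying the M-F 8-6 window.
        ZonedDateTime local = ctx.when().withZoneSameInstant(OFFICE_ZONE);
        DayOfWeek day = local.getDayOfWeek();
        if (day == DayOfWeek.SATURDAY || day == DayOfWeek.SUNDAY) return "outside business days";
        LocalTime t = local.toLocalTime();
        if (t.isBefore(OPEN) || !t.isBefore(CLOSE)) return "outside business hours (08:00-18:00)";
        // Geo-location: a missing or unexpected country is a denial, not a pass.
        String expected = EXPECTED_COUNTRY.get(ctx.user());
        if (expected == null || !expected.equals(ctx.country())) return "unexpected country: " + ctx.country();
        if (ctx.mobile()) return "mobile devices not permitted for this function";
        if (!inCidr(ctx.ip(), ALLOWED_CIDR)) return "source IP outside permitted range";
        return null;
    }

    /** IPv4 CIDR membership: compare the network bits of both addresses. */
    static boolean inCidr(String ip, String cidr) {
        String[] parts = cidr.split("/");
        int prefix = Integer.parseInt(parts[1]);
        int mask = prefix == 0 ? 0 : -1 << (32 - prefix);
        return (toInt(ip) & mask) == (toInt(parts[0]) & mask);
    }

    static int toInt(String ip) {
        int v = 0;
        for (String octet : ip.split("\\.")) v = (v << 8) | Integer.parseInt(octet);
        return v;
    }

    public static void main(String[] args) {
        ZonedDateTime wedNoon = ZonedDateTime.of(2012, 8, 15, 12, 0, 0, 0, OFFICE_ZONE); // a Wednesday
        System.out.println("in hours, GB, desktop, internal IP: " + evaluate(new RequestContext("alice", wedNoon, "GB", false, "10.1.2.3")));
        System.out.println("same user seen from AU: " + evaluate(new RequestContext("alice", wedNoon, "AU", false, "10.1.2.3")));
        System.out.println("same user at 22:00: " + evaluate(new RequestContext("alice", wedNoon.withHour(22), "GB", false, "10.1.2.3")));
        System.out.println("same user from external IP: " + evaluate(new RequestContext("alice", wedNoon, "GB", false, "203.0.113.7")));
    }
}
```

Each check returns the first reason for denial so the decision can be logged and audited; in a real deployment the time window, country table and address range would come from policy configuration rather than constants.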

In conclusion, we saw that we can use additional contextual data to make access control decisions that are more sophisticated than the norm. We can use data points that we already have access to in order to limit access to our systems in a more granular way. Done properly, this can greatly improve the security of our applications.
