
IT:AD:Patterns:TripleA's Strategy

Summary

Triple A stands for Authentication, Authorisation, Auditing: who you are, what you may do, and a record of what you actually did.

Authentication

Never ever ever ever keep your users' authentication information (username/password/contact info/challenge answers) in your application. You can guarantee that you, as a general application developer, know far less about security than an attacker who spends every day with this subject as their only concern. Delegate it to a dedicated identity provider: use an IT:AD:Patterns:Single Sign On Strategy.

Authorisation

Choose an authorisation system appropriate to your application's requirements.

Personally, I think that Role-Based Authorisation is awful, and not suitable for anything beyond the trivial.

Consider Operations/Permissions-based Authorisation (see IT:AD:NETSqlAzMan for one example): individual operations can still be grouped and managed as Roles, but the check in the code is against the operation, not the role, so you get more fine-grained control without inventing a new role for every exception.

Also, ACL-based Authorisation (per-resource lists of who may do what to that resource) is often not thought of as an option, because it is harder to implement and manage. But oh so useful…
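To make the three models concrete, here is an added example (not code from this page or from NETSqlAzMan) of permission-based authorisation in which roles are nothing more than named bundles of operations, with an ACL layer on top for per-resource decisions. The operation names, roles and the document-handling scenario are invented for illustration.

```python
"""Operation-based authorisation with roles as bundles of operations,
plus a per-resource ACL. Added example, not code from the original page."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Fine-grained operations. Hypothetical names for a document-handling app.
OPERATIONS: Set[str] = {"doc.read", "doc.edit", "doc.delete", "doc.share", "user.manage"}

# A role is only a label for a set of operations. Code never asks
# "is this user an admin?"; it asks "does this user hold doc.delete?".
ROLES: Dict[str, Set[str]] = {
    "viewer": {"doc.read"},
    "editor": {"doc.read", "doc.edit", "doc.share"},
    "admin": {"doc.read", "doc.edit", "doc.delete", "doc.share", "user.manage"},
}


@dataclass
class Principal:
    name: str
    roles: Set[str] = field(default_factory=set)
    # Direct grants/denies let one user deviate from a role without a new role.
    extra_grants: Set[str] = field(default_factory=set)
    denies: Set[str] = field(default_factory=set)

    def operations(self) -> Set[str]:
        ops: Set[str] = set()
        for role in self.roles:
            ops |= ROLES.get(role, set())
        ops |= self.extra_grants
        return ops - self.denies  # an explicit deny always wins


@dataclass
class Resource:
    id: str
    owner: str
    # ACL: principal name (or "*" for everyone) -> operations allowed on THIS resource.
    acl: Dict[str, Set[str]] = field(default_factory=dict)


def is_authorised(p: Principal, op: str, res: Optional[Resource] = None) -> bool:
    """Two layers: the principal must hold the operation at all (roles/grants),
    and, when a resource is involved, the resource's owner or ACL must allow it."""
    if op not in OPERATIONS:
        raise ValueError(f"unknown operation: {op}")  # fail closed on typos
    if op not in p.operations():
        return False
    if res is None:
        return True  # operation is not resource-scoped, e.g. user.manage
    if res.owner == p.name:
        return True
    allowed = res.acl.get(p.name, set()) | res.acl.get("*", set())
    return op in allowed


if __name__ == "__main__":
    alice = Principal("alice", roles={"editor"})
    bob = Principal("bob", roles={"viewer"})
    carol = Principal("carol", roles={"admin"}, denies={"doc.delete"})
    doc = Resource("d1", owner="alice", acl={"bob": {"doc.read"}})
    print("alice edits own doc:", is_authorised(alice, "doc.edit", doc))
    print("bob reads via ACL:", is_authorised(bob, "doc.read", doc))
    print("carol (admin, denied delete):", is_authorised(carol, "doc.delete", doc))
```

Note the two independent layers: holding `doc.edit` says what a principal may do at all, while ownership or the ACL says on which resources. An admin who is neither owner nor listed on a document's ACL is still refused, and an explicit deny on a principal overrides anything a role grants.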

Auditing

Always left out, yet essential for forensic reasons. Without auditing you cannot catch anybody doing anything unless you wait for them to repeat the action while you are both online. Good luck with that. Auditing every action, refused attempts included, gives you the ability to understand what happened after it happened, and to plug holes if need be.
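The following is an added example (not code from this page) of the kind of audit trail the paragraph above is asking for: every decision is appended as a record of who, what, on which target, with what outcome and when, and each record carries the hash of the previous one so that an entry edited or deleted after the fact is detectable. The field names and the sample actors are invented for illustration.

```python
"""Append-only, hash-chained audit trail. Added example, not from the page."""
import hashlib
import json
import time
from typing import Any, Dict, List, Optional


class AuditLog:
    """Each record stores the SHA-256 of the previous record, so editing,
    inserting or deleting an entry breaks the chain from that point on."""

    GENESIS = "0" * 64  # previous-hash value of the very first record

    def __init__(self) -> None:
        self.records: List[Dict[str, Any]] = []

    @staticmethod
    def _digest(body: Dict[str, Any]) -> str:
        # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(canonical).hexdigest()

    def record(self, actor: str, action: str, target: str, outcome: str,
               ts: Optional[float] = None, **details: Any) -> Dict[str, Any]:
        """Append one audit record. Call this for allowed AND denied actions."""
        prev = self.records[-1]["hash"] if self.records else self.GENESIS
        body: Dict[str, Any] = {
            "ts": ts if ts is not None else time.time(),
            "actor": actor,
            "action": action,
            "target": target,
            "outcome": outcome,
            "details": details,
            "prev": prev,
        }
        body["hash"] = self._digest(body)
        self.records.append(body)
        return body

    def verify(self) -> Optional[int]:
        """Return the index of the first record whose chain link or content
        hash does not check out, or None if the whole log is intact."""
        prev = self.GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["prev"] != prev or self._digest(body) != rec["hash"]:
                return i
            prev = rec["hash"]
        return None

    def who_did(self, action: str, target: str) -> List[str]:
        """The forensic question: who performed (or tried) this action on this target?"""
        return [r["actor"] for r in self.records
                if r["action"] == action and r["target"] == target]


if __name__ == "__main__":
    log = AuditLog()
    log.record("alice", "doc.delete", "d1", "allowed")
    log.record("bob", "doc.delete", "d1", "denied", reason="no permission")
    print("intact:", log.verify() is None)
    print("who touched d1:", log.who_did("doc.delete", "d1"))
    log.records[0]["actor"] = "mallory"  # tamper with the history
    print("first broken record:", log.verify())
```

One caveat: the chain only proves that records have not been altered since the head hash was last written down somewhere the writer cannot reach (a separate log server, a periodically signed checkpoint). Anyone who can rewrite the whole file can simply rebuild the chain, so anchor the head hash outside the application.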

  • Last modified: 2023/11/04 03:29