it:ad:patterns:triplea_s_strategy [2019/03/24 12:02] (current)

# IT:AD:Patterns:TripleA's Strategy #

<panel title="Summary">

Triple A stands for Authentication, Authorisation, Auditing.

</panel>

#### Authentication ####

Never, ever keep your users' authentication information (username/password/contact info/challenge) in your application. You can guarantee that you, as a general application developer, know far less about security than a hacker who spends every day on this subject matter as their only concern. Use a [[IT/AD/Patterns/Single Sign On Strategy/]].

#### Authorisation ####

Choose an authorisation system appropriate to your application's requirements.

Personally, I think that Role-Based Authentication is awful, and not suitable for anything beyond the trivial.

Consider Operations/Permissions based Authentication (see [[IT/AD/NETSQLAzMan/]] for one example): the permissions can still be grouped and managed as Roles, but they deliver finer-grained control.

Also, ACL based Authorisation is often not considered as an option, because it's harder to implement and manage. But it is oh so useful...

#### Auditing ####

Always left out, yet essential for forensic reasons. Without auditing you cannot catch anybody doing anything unless you wait for them to repeat the action *while* you are both online. Good luck with that. Auditing every action gives you the ability to understand what happened *after* it happened, and to plug holes if need be.

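As an added example (not from the original page, and not NETSQLAzMan's code), the Python below models the Authorisation and Auditing advice above together: operations are the unit of permission, roles are just named bundles of operations, a per-resource ACL covers the one-off grants that roles cannot express, and every decision, allowed or denied, is appended to a hash-chained audit trail so it can be reconstructed and checked for tampering afterwards. The role names, operation names, users and resources are constructed sample data.

```python
"""Operations-based authorisation with roles as permission bundles, a per-resource
ACL, and a hash-chained audit trail of every decision (constructed example)."""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Roles are only groupings of fine-grained operations (constructed sample data).
ROLES = {
    "viewer": {"invoice:read"},
    "clerk": {"invoice:read", "invoice:create"},
    "manager": {"invoice:read", "invoice:create", "invoice:approve"},
}


@dataclass
class AuditLog:
    """Append-only log; each entry commits to the previous entry's hash."""
    entries: list = field(default_factory=list)

    def record(self, actor, operation, resource, allowed, reason):
        prev_hash = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {
            "seq": len(self.entries),
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "operation": operation, "resource": resource,
            "allowed": allowed, "reason": reason, "prev": prev_hash,
        }
        body["hash"] = self._digest(body)
        self.entries.append(body)

    @staticmethod
    def _digest(body):
        # Hash covers every field except the hash itself; sort_keys makes it canonical.
        payload = {k: v for k, v in body.items() if k != "hash"}
        return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()

    def verify(self):
        """Return True if no entry was altered, removed or reordered."""
        prev = "0" * 64
        for entry in self.entries:
            if entry["prev"] != prev or self._digest(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


class Authorizer:
    def __init__(self, audit):
        self.audit = audit
        self.user_roles = {}   # user -> set of role names
        self.acl = {}          # resource -> {user: set of operations}

    def grant_role(self, user, role):
        if role not in ROLES:
            raise ValueError(f"unknown role: {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def grant_acl(self, resource, user, operation):
        # Per-resource grant for cases a role is too coarse to express.
        self.acl.setdefault(resource, {}).setdefault(user, set()).add(operation)

    def permissions_of(self, user):
        return set().union(*(ROLES[r] for r in self.user_roles.get(user, set())))

    def is_allowed(self, user, operation, resource):
        # Deny by default; record the outcome and why, whichever way it goes.
        if operation in self.permissions_of(user):
            allowed, reason = True, "role"
        elif operation in self.acl.get(resource, {}).get(user, set()):
            allowed, reason = True, "acl"
        else:
            allowed, reason = False, "no matching permission"
        self.audit.record(user, operation, resource, allowed, reason)
        return allowed


def demo():
    """Constructed scenario: two users, one ACL exception, one unknown actor."""
    audit = AuditLog()
    authz = Authorizer(audit)
    authz.grant_role("alice", "clerk")
    authz.grant_role("bob", "viewer")
    authz.grant_acl("invoice/42", "bob", "invoice:approve")  # one-off exception
    decisions = [
        authz.is_allowed("alice", "invoice:create", "invoice/17"),   # True via role
        authz.is_allowed("alice", "invoice:approve", "invoice/17"),  # False
        authz.is_allowed("bob", "invoice:approve", "invoice/42"),    # True via ACL
        authz.is_allowed("bob", "invoice:approve", "invoice/43"),    # False: ACL is per resource
        authz.is_allowed("mallory", "invoice:read", "invoice/42"),   # False: unknown user
    ]
    return decisions, audit


if __name__ == "__main__":
    results, log = demo()
    for entry in log.entries:
        print(entry["actor"], entry["operation"], entry["resource"], entry["allowed"], entry["reason"])
    print("audit chain intact:", log.verify())
```

Every call to `is_allowed` leaves an entry whether it succeeded or not, so denied attempts are visible after the fact, and `verify()` catches a log entry that was edited or dropped later, which is the property a forensic reviewer needs before trusting what the trail says.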