Authentication
- Deploy an SSO/LDAP server and integrate all applications with it. Distributed, siloed storage of user credentials (every application keeping its own password store) is far more vulnerable than a single, well-protected central store.
- Enforce a strong password policy (length and format rules) and control session longevity (expiry and idle timeout).
- No default accounts or default passwords (root, admin, welcome and the like).
Authorization (Access Control)
- Function-level access control: who may perform which operation, typically implemented as role-based access control (RBAC).
- Data-access control: for large enterprise applications, implement it as a framework rather than as scattered per-screen checks (see next section).
- Row level access control
- Field (column) level access control
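The following is an added illustration, not code from the original post, of the two layers listed above: function-level (role-based) checks applied in one place via a decorator, and field-level filtering applied to every record before it is returned. The roles, permissions, invoice fields and sample record are all constructed for the example.

```python
"""Function-level (RBAC) and field-level access control, as an added example.
Roles, permissions and the sample invoice are constructed for illustration."""
from functools import wraps
from dataclasses import dataclass

# Role -> permissions it grants (function-level access control). Deny by default:
# anything not listed here is not allowed.
ROLE_PERMISSIONS = {
    "admin":   {"invoice:read", "invoice:write", "invoice:delete", "user:manage"},
    "manager": {"invoice:read", "invoice:write"},
    "clerk":   {"invoice:read"},
}

# Field-level access control: which roles may see each column of an invoice.
FIELD_VISIBILITY = {
    "id":           {"admin", "manager", "clerk"},
    "customer":     {"admin", "manager", "clerk"},
    "amount":       {"admin", "manager", "clerk"},
    "margin":       {"admin", "manager"},   # commercially sensitive
    "bank_account": {"admin"},              # payment data, admins only
}


class PermissionDenied(Exception):
    pass


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


def has_permission(user, permission):
    """True if any of the user's roles grants the permission."""
    return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in user.roles)


def requires(permission):
    """Decorator enforcing a permission on every call of the wrapped function,
    so the check lives in one place instead of being repeated (or forgotten)."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(user, *args, **kwargs):
            if not has_permission(user, permission):
                raise PermissionDenied(f"{user.name} lacks {permission}")
            return fn(user, *args, **kwargs)
        return wrapper
    return decorator


def filter_fields(user, record):
    """Field-level control: drop every column none of the user's roles may see.
    Unknown columns are dropped too, so a newly added field is hidden until
    it is explicitly classified."""
    return {k: v for k, v in record.items()
            if user.roles & FIELD_VISIBILITY.get(k, set())}


# Constructed sample data store.
INVOICES = {
    1: {"id": 1, "customer": "ACME", "amount": 1200,
        "margin": 300, "bank_account": "XX00 0000 (sample)"},
}


@requires("invoice:read")
def read_invoice(user, invoice_id):
    return filter_fields(user, INVOICES[invoice_id])


@requires("invoice:delete")
def delete_invoice(user, invoice_id):
    return INVOICES.pop(invoice_id, None)


if __name__ == "__main__":
    clerk = User("carol", frozenset({"clerk"}))
    print(read_invoice(clerk, 1))   # no margin, no bank_account
```

A clerk calling read_invoice gets only id, customer and amount; calling delete_invoice raises PermissionDenied before the function body runs. Keeping both tables as data rather than inline if-statements is what makes the scheme auditable.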
Data-Access Control Patterns
With a clear understanding of the data-access patterns an application needs, a reusable security framework can be built instead of ad hoc checks. The common patterns are:
- I can access stuff belonging to me
- I can access stuff belonging to my company
- I can access stuff belonging to the groups I belong to
- I can access stuff belonging to my subordinates and their subordinates (hierarchical)
- I can access stuff assigned to me