Importance of Identification and Authentication

Previous page
Table of content
Next page

The database security process flow can be summarized by the following three steps:

  1. First, a user presents an identity to the database. For example, they enter their username.

  2. The user proves that the identity just presented is valid. For example, they provide a password. The password is checked by the database to determine if it’s the correct password for the username presented.

  3. Assuming the password is correct, the database assumes the identity can be trusted. The database will then determine, based on the identity, what privileges and authorizations the user has. Data access is regulated by the user’s privileges and authorizations.

Typically, people spend the majority of their time and security efforts implementing the processes needed for the third step. The first two steps are important because they form the foundation of security; you need them to get to step three. Step one is identification. Step two is authentication.

Tip 

There is an often overlooked fact about designing and implementing security solutions: security cannot be based on anonymity.

You must first identify yourself. To do this securely requires authentication or proof that you are in fact who you say you are. If an application or database doesn’t know who you are, it can’t grant you the proper authorizations, apply the necessary access controls, and audit your actions. This seems obvious, but in countless database application designs, this point is lost. Most, if not all, database security is based on knowing who the user is.

As a validation of this principle, consider an e-mail application where all the e-mail is stored in a single database. The security policy for e-mail is simply that users can only access their personal e-mail. How would the security be implemented if the user’s identity is unknown? It couldn’t. Clearly, identifying the user has to be done.

The authentication has to be provided as well to ensure that users aren’t trying to impersonate other users. If the authentication is not provided, or is provided weakly, the entire security processes in the application and database will be negated. The application and database will not prevent the nefarious user from carrying out their actions (meaning accessing someone else’s e-mail) because the application and database think it is the authorized user.

Let’s explore the various ways identification can be implemented to determine how to do it best.


Previous page
Table of content
Next page
Effective Oracle Database 10g Security by Design
Effective Oracle Database 10g Security by Design
ISBN: 0072231300
EAN: 2147483647
Year: 2003
Pages: 111
Authors: David Knox, McGraw-Hill
BUY ON AMAZON
Cisco IOS in a Nutshell (In a Nutshell (OReilly))
Managing Enterprise Systems with the Windows Script Host
Pocket Guide to the National Electrical Code(R), 2005 Edition (8th Edition)
Microsoft WSH and VBScript Programming for the Absolute Beginner
Web Systems Design and Online Consumer Behavior
Telecommunications Essentials, Second Edition: The Complete Global Source (2nd Edition)
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy