Security - General

  • Basics

    • Confidentiality - prevent unauthorised disclosure

      • Encryption

      • Access Controls

        • Identification

          • Claiming an Identity - I am Jodie Miners

        • Authentication

          • Proving the identity - e.g. telling the bank the 4 pieces of information that supposedly only you know (but which they happened to have just emailed to you when you submitted a ticket).

        • Authorization

        • Accounting (Audit)

      • Steganography (hide the data)

    • Integrity - data cannot be modified in an unauthorised manner

      • Hashing

      • Digital Signatures

      • Certificates

    • Availability - information needs to be readily available

      • Redundancy

      • Patching

  • Authentication - login

    • Username / Password (don’t use this, use OAuth)

    • OAuth

    • Factors

      • Something you know

      • Something you have

      • Something you are (biometrics)

      • Somewhere you are (geolocation, IP address ranges)

      • Something you do (handwriting)

    • Concepts

      • SSO

        • SSO

          • Access to multiple systems in one organisation

        • Federation

          • Across organisations

          • E.g. social sign-on - log into Medium with a Twitter account

          • Federation gives SSO but SSO doesn’t automatically give Federation

        • Transitive Trust

          • If A trusts B and B trusts C then A automatically trusts C

          • You may have more access than you need by authenticating to one account

      • Kerberos

      • LDAP

        • An X.500 directory protocol

      • VPN

  • Permissions

    • Use a separate user

    • API Only