Security - General

Basics
  Confidentiality - prevent unauthorised disclosure
    Encryption
    Access Controls
      Identification
        Claiming an identity - "I am Jodie Miners"
      Authentication
        Proving the identity - telling the bank the 4 pieces of information that apparently only you know, even though they happened to have just emailed all of it to you when you submitted a ticket.
      Authorization
      Accounting (Audit)
    Steganography (hide the data)
  Integrity - data cannot be modified in an unauthorised manner
    Hashing
    Digital Signatures
    Certificates
  Availability - information needs to be readily available
    Redundancy
    Patching

Authentication - login
  Username / Password (don't use this, use OAuth)
  OAuth
  Factors
    Something you know
    Something you have
    Something you are (biometrics)
    Somewhere you are (geolocation, IP address ranges)
    Something you do (handwriting)

Concepts
  SSO
    SSO
      Access to multiple systems in one organisation
    Federation
      Across organisations
      e.g. social sign-on - log into Medium with a Twitter account
    Federation gives SSO, but SSO doesn't automatically give Federation
  Transitive Trust
    If A trusts B and B trusts C, then A automatically trusts C
    You may have more access than you need by authenticating to one account
  Kerberos
  LDAP
    An X.500 directory protocol
  VPN
  Permissions
    Use a separate user
    API only