User Security

  • One common way to think about security in terms of users is the AAA model
  • Authentication - Is a user actually who they claim to be?
    • A username and password are a good way to control this
    • Secret/temporary access keys can also prove this
  • Authorization - Is the user allowed to do what they're trying to do?
    • eg. in Google Docs, only some people can access some docs
  • Accounting - Is there a record of who is doing what?
    • Useful for after-the-fact breach analysis
    • Also good for debugging, troubleshooting, and understanding issues. Or sometimes just keeping a record

3 / 23