March 29, 2024

SamTech 365


Protecting personal credentials used for authentication, access control, and user session support.

Security is a major concern that can be addressed from different angles; even security specialists may have different definitions and visions. One important aspect that we should all agree on is that securing data is a shared responsibility and that we all have a crucial role to play. In the past, data was stored locally, with no interconnection and no door to or from the external world; getting access to that data was only possible by physically accessing the machine holding it. With the advent of the internet, systems have been developed or redeveloped to allow different connections, and a lot of communications are being exchanged between objects. Without doubt, this has had a major positive impact. However, like any technology, it has a downside, which can be simply described as the loss of control over our data. We have little or no assurance that our personal and critical. Different actors share the responsibility of securing data:

– The owner needs to take appropriate measures, such as using strong passwords, paying attention to where data is submitted, etc.

– In the case of a company computer, the system administrators or network engineers need to make sure that the firewall is properly configured, that the OS rules do not allow any process to run other than those authorized by the company, that the proxy is correctly configured, etc.

– The ISP should make sure that connections are secure and that attacks such as MITM or phishing are avoided.

– The developers of the website being used should ensure that their code is safe and not exposed to attacks such as cross-site scripting, code injection, etc.

– If the website is hosted by another company, other considerations should be reviewed.

We can easily see in this example that, for a simple site transaction, different actors play important roles at different levels. A good article published in the New York Times raised the following question: “when personal identity information is altered, misappropriated, or attached to another user, what are the rights or duties of the custodian organization on the behalf of the person who in effect “owns” the identifier? Should there be some form of authentication (involving a hard-to-duplicate element) for such a restricted operation?” (John, 2009).

At this level, we are not looking at responsibility but at securing the data: it is important to make sure that user credentials and sensitive data are properly stored. While platform credentials must remain attached to their host computer, user credential usage goes beyond platform boundaries. In their day-to-day activities, users are interacting more and more with many different computing environments, even to perform the same operation (George, 2001). One of the biggest problems in protecting personal credentials is described as follows: “Confidentiality protects data only against wiretappers and other outsiders; it does nothing to prevent the parties to a communication or transaction, or anyone with authorized access to stored data, from tracing, linking, selling, or misusing the data in whatever manner they see fit.” (TNS, 2003).

Such threats can be partially avoided by using smart cards, an approach similar to the first example of having data stored physically on your own machine. It certainly won’t secure 100% of the data; however, stealing this information will require more effort and a different type of attack.

References

– John Markoff (2009). “Weakness in Social Security Numbers is found”. New York Times, July 6, 2009. Available at: http://www.nytimes.com/2009/07/07/us/07numbers.html?_r=0

– Patrick George (2001). User Authentication With Smart Cards In Trusted Computing Architecture.

– TNS Opinion & Social (2003). Special Eurobarometer 359: Attitudes on Data Protection and Electronic Identity in the European Union.
