Authorization: who can DO WHAT?

Having a good understanding and effective implementation of authorization is paramount to have adequate control over your information.

We will discuss some key principles, threats and what you can do to prevent these threats to materialize.

Knowing who interacts with your system

To have control over who can do what, it is important to clearly identify who is the user. This is achieved by adequate user authentication,. Wanna learn more? See our blogpost “Authentication: know who is who“.

What can a user do on the system?

So now we know who the user is. But what can the user do, or more important what is the user allowed to do on the system? This is where authorization comes into play.

Authorization defines what a user is allowed to do. Often this is obtained by granting users roles based upon group memberships, which are often nested in other groups… And this is where the true challenge slumbers, having clear insights in what a user is allowed to do, having that transparency is key to good governed information processing.

Threats

Which threats can be executed by compromising the authorization?

Persistence threats

The adversary is trying to maintain their foothold.

Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.

Privilege Escalation threats

The adversary is trying to gain higher-level permissions.

Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, erroneous configurations, and vulnerabilities. Examples of elevated access include:

• SYSTEM/root level
• local administrator
• user account with admin-like access
• user accounts with access to specific system or perform specific function

These techniques often overlap with Persistence techniques, as OS features that let an adversary persist can execute in an elevated context.

Impact threats

The adversary is trying to manipulate, interrupt, or destroy your systems and data.

Impact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes. Techniques used for impact can include destroying or tampering with data. In some cases, business processes can look fine, but may have been altered to benefit the adversaries’ goals. These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach.

It is important to know that the functions becoming available to the hacker or adversary can all be exploited to achieve his objectives. These objectives can affect all aspects of your organization:

• Confidentiality: data leakage of (personal) information, intellectual property theft, …
• Integrity: defacement of e.g. website, data manipulation e.g. monetary theft, …
• Availability: the attacker succeeds to encrypt the data, revoke access for accounts, …

Some good practice principles

• Least required privilege: The principle of least privilege is a security concept in which a user is given the minimum levels of access or permissions needed to perform their job..
• By default no rights: a newly created user should not have any privileged access or other functions he can execute by default or limited to the least privileged role in the system.
• Need to know principle: denoting or relating to a principle or policy of telling people only what is deemed necessary for them to know in order to carry out a task effectively.

NoCode-X helps you!

NoCode-X has an effective, fine grained, transparent built-in user management including the authorization. There are some key concepts which helps your business to organize the authorization.

• No access by default: a newly created user has no access to information where authentication is required. By default a user has no role memberships.
• Rights are linked to technical functionalities which are managed by the developer, things like creating an item, purchasing an item, reading sales orders, …
• Roles are the glue between a user and a right. A role is assembled of rights like managing sales order, customer management, … to create a “sales manager” role.

This structure allows users to be managed in a standard organizational manner, which reflects to your organization’s needs.

A user can have fine grained access to multiple applications across organizations, when he received explicit grants to those functions.

Do you have questions on security principles, cyber resilience or NoCode do not hesitate to contact us.

References

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf

• AC-6 LEAST PRIVILEGE

• Control: Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.
• Discussion: Organizations employ least privilege for specific duties and systems. The principle of least privilege is also applied to system processes, ensuring that the processes have access to systems and operate at privilege levels no higher than necessary to accomplish organizational missions or business functions. Organizations consider the creation of additional processes, roles, and accounts as necessary to achieve least privilege. Organizations apply least privilege to the development, implementation, and operation of organizational systems.