Software Engineering, Project Management, and Effectiveness
What are the key steps to designing an effective authentication and authorization strategy? The keys are knowing your user stores, role stores, and who need to access what or perform which operations. In this post, I share the approaches we've used in two of our patterns & practices guides. These are the approaches we've used to help customers design successfully design their authentication and authorization approaches.
Designing an Authentication and Authorization Strategy - v1When we first wrote Building Secure ASP.NET Applications, here's the meta-process we came up with for working through your authentication and authorization strategies:
For elaboration, see Authentication and Authorization.
Designing an Authentication and Authorization Strategy - v2 When we recently wrote Improving Web Application Security, we made some revisions:
Personally, I've found it really cuts to the chase if you start with your user stores and role stores, since they tend to be somewhat fixed.
IdentitiesWhen you think through the identities, I've found it helpful to think in terms of who needs to access which resources or perform which actions. Consider the following:
Resource TypesWhen you think through the resource types, I find it helpful to think in terms of:
Authorization StrategiesWhen thinking through the authorization strategies, I find it helpful to consider:
Resource Access PatternsWhen thinking through the resource access patterns, I find it helpful to consider:
Designing authentication and authorization can be a gnarly topic. I hope the scaffolding above helps you find a path that works for you.
The key to making principles, patterns, and practices more effective is to have an organizing frame. While working on our patterns & practices WCF Security Guidance Project, we created the Web Services Security Frame for just such a purpose. We use the frame throughout the guidance to organize threats, attacks, vulnerabilities and countermeasures, as well as to organize principles, patterns, and practices.
Web Services Security Frame
Here's a snapshot of the frame (the power of the frame is that it's a durable, evolvable backdrop -- in other words, you can shape it to your own purposes.) You'll see this frame used throughout our upcoming guide. Notice that the categories serve as a pivot that we can hang other viewpoints (threats/attacks, vulnerabilities, countermeasures.)
Threats / Attacks Organized By the Web Services Security Frame
Vulnerabilities Organized by the Web Services Security Frame
Countermeasures Organized by the Web Services Security Frame
ThanksSpecial thanks to Rudy Araujo and ACE Team members, Richard Lewis and John Steer for their contribution toward helping shape a better frame.
My Related Posts
Today we released our WCF Security guide, patterns & practices Improving Web Services Security: Scenarios and Implementation Guidance for WCF. This is our Microsoft playbook for Windows Communication Foundation (WCF - "Indigo".) It shows you how to build secure Web services using WCF. It's a compendium of proven practices, product team recommendations and insights from the field.
Download the guide
Contents at a Glance
Contributors and Reviewers
Our guide, patterns & practices Improving Web Services Security:Scenarios and Implementation Guidance for WCF is now available in HTML.