Identity and Access Management (IAM) is a critical component of cybersecurity, especially in business environments. IAM, in simple terms, is a framework of policies, practices and procedures to ensure that the right users have access to the right resources and systems at the right time. This article discusses IAM, its technical and business implications and how organisations can implement it to ensure secure and efficient access to their systems.
IDs in APIs and applications might be exploited to gain unauthorised access to other data or otherwise disclose information by means of various attacks, such as timing attacks and enumeration attacks. For instance, an attacker can use sequential IDs to guess the existence of IDs and perform enumeration attacks. Authenticated Encryption with Associated Data (AEAD) encryption and opaque IDs can be used as a means of neutralising these attacks.
The principles of progressive enhancement can be applied to client-side rendered pages (or any pages with client-side scripts) to ensure that no matter the capabilities of users’ browsers, an appropriate baseline interactivity is present.
Cross-Site Request Forgery (CSRF) is an attack in which an external site makes a request to another site on behalf of a user without consent. This attack often relies on an existing session on the target site, which the attacker hijacks for their own purposes. Various CSRF prevention and mitigation techniques exist such as the SameSite attribute, CSRF tokens and header validation.
Hotlinking refers to the practice of third-party web properties loading resources directly from your server. Unauthorised hotlinks are generally undesirable, not only because they can facilitate reproducing your content without permission. Web standards and browsers have come a long way in the last few decades, and they now include all of the tools needed for effective protection against hotlinking.
Execution environments are the combination of hardware and software components that can be used to execute and support applications, typically comprising a processing unit, memory, input and output ports and an operating system. Because application execution requires an execution environment, applications are ultimately limited by any constraints placed onto them by their execution environment. Traditionally, computing is done in execution environments that not only permit the loading and execution of arbitrary programs but may also themselves be manipulated in arbitrary ways. As it is impossible for such environments to make any verifiable assertions as to their state, they are inherently untrustworthy.
Benchmarks are extremely useful to see how performant some code or operation is and a requirement for any empirical decision making. After all, how can we know with any certainty if some library is faster than another one without testing? At its core, benchmarking is quite a simple idea we want to know how long a certain operation takes.
IP addresses pose unique technical challenges because they are sent in the clear with every network request and because they may in some cases identify or help identify an individual, making them personal data. Since IP addresses are sent along with every packet on the Internet and precisely because they identify the sender to some extent, they also have many practical uses. Regulations like the GDPR contemplate these use cases under certain categories without requiring explicit user consent, but since they still are personal information, it is important to ensure that they are only used in connection to essential purposes that don’t require explicit consent or that consent is obtained prior to processing. The particular challenge of IP addresses compared to other personal information is that they can be very easily relayed to third parties by things as simple as having the user download a file.