In this article, we will explore together some key concepts of system security. Although we will not address all the concepts, the focus will be on applications built for web or mobile use. These concepts apply to other kinds of systems as well (embedded systems are similar), but we will focus mainly on web and mobile applications.
As a reminder from my last post, I use “system” and “application” to mean the same thing.
Before we go into much detail on the topic, let’s understand what system security is about:
“System security ensures that information is accessed, transmitted, and maintained securely, reaching only authorized individuals, without being altered or disrupted.”
Now that we know the definition, let’s start looking at the concepts that ensure this is true in our system. I will speak about them in no particular order.
Authentication
The next two concepts are fundamental to a secure system. However, people sometimes don’t know the key differences, and I will explain them using clear examples.
Authentication is the concept that verifies user identity and ensures that the information provided by the person trying to access our system (Username and Password) is correct.
Let’s use an event as an example. Most events are strictly by invitation. You get to the event venue, you see the security personnel at the gate, and they ask you for your invitation card or mail, whatever was used. Let’s say the invitation has a QR code: it gets scanned, your name and other information pop up, you get registered, and a tag is given to you.
This is what authentication is about. When anyone presents this information (in our case, the QR code), we check that the information comes up, then we sign the person in (grant access) and provide a tag for the person.
Authorization
Authorization is the concept that applies after you have been authenticated (granted access). It determines your access level.
Using our event example, once you have entered the event hall, where you will sit is determined by the tag you have. In a system, someone who has read-only access won’t be allowed to create anything in the system, just as, if your seat level is in the middle of the event hall, you won’t be allowed to sit in front. This concept of authorization leads us to our next concept: role-based access.
Role-Based Access Control
Role-based access control (RBAC) is a concept where people’s roles determine what they can access in your system. This means people have access to resources based on the role they have in your system. Using our event example again, someone who is part of the security team or the organisers has an access level that permits him/her to go to multiple places in the event center, including backstage. In an RBAC system, people can have one or more roles, and those roles determine what they see and the actions they perform in the system.
This concept is important when you are building a multiple-actor system. For example, in a hospital management system, what a doctor sees will be different from what a patient sees.
The doctor sees information on all the patients under him, while the patient sees only their information and upcoming appointments. A receptionist could see only the scheduling and billing information but not medical records. Things like this keep information safe and can be achieved using RBAC.
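The hospital rules described above can be written as a small deny-by-default check. This is an added example, not code from the article; the role names, permission strings, user ids and the `is_allowed` helper are assumptions made for illustration.

```python
from dataclasses import dataclass

# Role -> permissions. Anything not listed here is denied (deny by default).
ROLE_PERMISSIONS = {
    "doctor": {"medical_record:read", "appointment:read"},
    "patient": {"medical_record:read", "appointment:read"},
    "receptionist": {"appointment:read", "billing:read"},
}

@dataclass(frozen=True)
class User:
    user_id: str
    roles: frozenset                    # a user can hold one or more roles
    patients: frozenset = frozenset()   # patient ids under a doctor's care

@dataclass(frozen=True)
class Resource:
    kind: str         # "medical_record", "appointment" or "billing"
    patient_id: str   # the patient this resource belongs to

def is_allowed(user: User, action: str, resource: Resource) -> bool:
    """True only if a role grants the permission AND the record is in scope."""
    permission = f"{resource.kind}:{action}"
    for role in user.roles:
        if permission not in ROLE_PERMISSIONS.get(role, set()):
            continue  # this role does not grant the permission at all
        if role == "doctor" and resource.patient_id in user.patients:
            return True   # doctors: only patients under their care
        if role == "patient" and resource.patient_id == user.user_id:
            return True   # patients: only their own information
        if role == "receptionist":
            return True   # scheduling/billing for any patient, never records
    return False

# Constructed sample users and resources.
DOCTOR = User("dr-1", frozenset({"doctor"}), frozenset({"pat-1", "pat-2"}))
PATIENT = User("pat-1", frozenset({"patient"}))
RECEPTIONIST = User("rec-1", frozenset({"receptionist"}))
RECORD_1 = Resource("medical_record", "pat-1")
RECORD_3 = Resource("medical_record", "pat-3")
BILLING_1 = Resource("billing", "pat-1")
```

Note that the role alone is not enough: the doctor and patient checks also compare the record's owner, which is what keeps one patient from reading another patient's record.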
Encryption
Encryption ensures data security during transmission and storage by converting data into an unreadable format. If the system gets hacked or data leaks, important personal information like passwords or health-related data won’t be in plain readable text.
It’s interesting to know that this is not a computer-age concept. Julius Caesar was reported to use some level of encryption to send messages to his generals, so that even when the enemy arrested the messenger, they couldn’t make sense of the message being transmitted.
His encryption method is known as the Caesar cipher. It simply replaces each letter of the alphabet with the letter occurring three positions later (or, equivalently, 23 positions earlier) in the alphabet: A becomes D, B becomes E, X becomes A, and so forth. You can read more about this. This method is not a safe option anymore.
We can achieve encryption today by leveraging many existing software libraries and tools, like JWT, JASYPT Encryptor, and many others.
What this means is that when you pass in a message like “Hello, I am the author of this article.”, these encryption tools convert it to something like “gXe3mi8CAlXoVpwfCkr0hSLhYZ1FeizkRmAntcZQPA41FAKsGLDEPvk7/KleCv+T”. This way, only the person with the secret key will be able to decrypt your message and make sense of it. By the way, I used this online tool to create the encryption above: https://www.devglan.com/online-tools/jasypt-online-encryption-decryption. You too can go play with it.
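The substitution described above, and the reason it is no longer safe, can be shown in a few lines. This is an added example, not code from the article; the function names and the sample message are constructed for illustration.

```python
import string

def caesar(text: str, shift: int) -> str:
    """Shift each ASCII letter by `shift` positions, wrapping around the alphabet."""
    out = []
    for ch in text:
        if ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        elif ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        else:
            out.append(ch)  # digits, spaces and punctuation pass through unchanged
    return "".join(out)

def all_decryptions(ciphertext: str) -> dict:
    """Every possible plaintext: the whole key space is the 25 non-zero shifts."""
    return {key: caesar(ciphertext, -key) for key in range(1, 26)}

# Constructed sample message, encrypted with Caesar's shift of three.
MESSAGE = "Meet me at the bridge"
CIPHERTEXT = caesar(MESSAGE, 3)   # "Phhw ph dw wkh eulgjh"

if __name__ == "__main__":
    print(CIPHERTEXT)
    # With only 25 candidates, a reader can spot the real message at a glance.
    for key, candidate in all_decryptions(CIPHERTEXT).items():
        print(key, candidate)
```

Because trying every key takes 25 steps, the secrecy of the shift adds almost nothing; modern ciphers rely on key spaces far too large to enumerate.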
I hope this article was helpful to you in understanding these concepts. If you have any questions, please feel free to drop them in the comments section and I will answer them.
Top comments (2)
Nice article..
Thank you Tosan.