Authentication and authorization in the cloud: a brief and necessary context

By Pontovinte Software March 12, 2024

The process of building cloud-oriented software requires a more complex design when compared to the development of desktop applications for many reasons, one of the most important aspects to be considered even before the start of development is security. Security in software has several aspects, among them the most debated are: authentication and authorization.

One of the premises of the construction of any web system is data security, regardless of the nature or visibility the application must allow access to data only through the means made available by it (such as the API - Application Programming Interface, or Application Programming Interface ). Attempting to extract data otherwise than through APIs is illegal and punishable by law.

So that we can align the understanding of how this process works, it is important to understand that when requesting the opening of a certain page on the web, the browser installed on your machine will make one or more requests of all the elements that make up the desired page, with that, the browser engine will be able to render the content. After this moment, the user will be able to provide the authentication information (username and password) locally, and only when requested, it must send it to the server in the cloud, where it will start the processes of:

Authentication As the name implies, it is necessary for the server to confirm that the data access request has come from a known source, this is the process that precedes access authorization. When performing the authentication request, the server must respond to the client (in this case, your machine) if the data provided are consistent with the application’s database, where in many cases the application does not store the user and password, but a combination of characters (HASH) derived from the encryption of received data, which makes the application somewhat safer in case of accidental data leakage.

Authorization After recognizing the authenticity of the user, the system should restrict access to data according to pre-established criteria, in this way it is possible to protect sensitive data, otherwise it would be unethical for your co-workers to have access to your paycheck.

Providing mechanisms that allow authenticating and restricting access are not the only indicators that guarantee application security. One of the types of attack on web systems is the “Men in the middle”, translating and in other words, it is when someone or some algorithm intercepts the data between the client and the server, with this type of attack third parties will be able to identify themselves to the server with your credentials and have access to restricted data. In the ideal scenario, the user should provide authentication data, which in turn should be encrypted even before being sent to the server, which makes it difficult to intercept data between your machine and the server in the cloud.

To compose data access security, web applications work with the exchange of access tokens, so after sending the username and password, the server must respond with a set of characters, this token will be used for all future requests of the client, but to improve the security of the application, the tokens must be renewed periodically. Another method that helps to increase security is the technique called “Two factor authentication” (double verification), which consists of using SMS, e-mail, connection, QRCode, etc., to perform double verification of authentication, in in some cases it is also possible to use “Machine learning” resources to monitor and protect each user’s session according to their behavior.

However, it is very important that not only developers but also end users are aligned with the security techniques of web/cloud applications, where this is just one of several factors that highlight the importance of hiring experienced and qualified professionals for the construction of systems of any nature, as mentioned at the beginning of the text, whatever its application, no data can be exposed or accessed without the due legal permissions.

comments powered by Disqus