Tuesday, May 22, 2012

Travel and Security Concepts

When I am teaching a DB2 class, or data management in general, security is always on the agenda. Authentication and authorization are basic terms, but they are often mixed up. That is the moment when I bring up the following analogy.

Authentication is about making sure that I am really the person I say I am. This can be done during travel through a "government-issued identification card" (passport, driver's license, etc.) or when working with a computer through a userid and password (or keycard, token generator, a PIN, or a fingerprint). Often a special token is then issued which can be used as a simplified identifier for a limited time. During air travel this is the (in)famous boarding pass. On the computer it could be setting a cookie, a session identifier or something else.

Authorization gives me (after I have been identified) access to specific resources; it is the access control part of security. I am allowed only to board a specific flight, I don't have access to the lounge, I am allowed to sit in economy class, but not in business class, the pilot is allowed to use electronic devices during take-off and landing, I don't.
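To make the two steps concrete, here is a small Python model of the analogy (an added example, not part of the original post): authenticating issues a random, time-limited "boarding pass" token, and every access check first validates the token and only then consults a separate permission table. User names, passwords, the flight number and the role table are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time

# Constructed directory: who each traveller is (authentication data)
# and which class of traveller they are (authorization data). Passwords
# are stored only as salted PBKDF2 hashes, never in clear text.
_SALT = b"constructed-demo-salt"

def _hash_pw(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

USERS = {
    "alice": {"pw_hash": _hash_pw("correct horse"), "role": "economy"},
    "pat":   {"pw_hash": _hash_pw("cleared for takeoff"), "role": "pilot"},
}

# What each role may do: the access-control (authorization) side.
PERMISSIONS = {
    "economy":  {"board:LH400", "seat:economy"},
    "business": {"board:LH400", "seat:economy", "seat:business", "lounge"},
    "pilot":    {"board:LH400", "cockpit", "devices:takeoff"},
}

# Issued "boarding passes": token -> (user, expiry timestamp).
_TOKENS = {}

def authenticate(user, password, now=None, ttl=3600):
    """Prove identity; on success issue a random, time-limited token."""
    now = time.time() if now is None else now
    rec = USERS.get(user)
    # Always hash and compare in constant time, even for unknown users,
    # so response time does not reveal whether the account exists.
    candidate = _hash_pw(password)
    stored = rec["pw_hash"] if rec else _hash_pw("")
    if rec is None or not hmac.compare_digest(candidate, stored):
        return None
    token = secrets.token_urlsafe(32)
    _TOKENS[token] = (user, now + ttl)
    return token

def authorize(token, action, now=None):
    """Check that the token is valid AND that its holder may do `action`."""
    now = time.time() if now is None else now
    entry = _TOKENS.get(token)
    if entry is None:
        return False          # unknown or forged boarding pass
    user, expiry = entry
    if now >= expiry:
        _TOKENS.pop(token)    # expired: identity is no longer proven
        return False
    return action in PERMISSIONS[USERS[user]["role"]]
```

A valid token proves only who you are; whether "lounge" or "devices:takeoff" succeeds is decided entirely by the role table, which is the point of keeping the two steps apart.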

Next on the agenda: Groups and roles in DB2 (groups are controlled outside the database, roles inside).