This article can also be found in the Premium Editorial Download "Information Security magazine: Identity crisis solved: Tips from a top identity management expert."
Download it now to read this article plus other related content.
Critical pieces of security in any application are making sure anyone requiring access is properly validated, giving them only the permissions they need and holding them accountable for their actions.
With most applications, control is applied when the user first authenticates via a username and password. They are usually not reauthenticated as they move deeper into authorized resources; so, if someone hijacks the session, they could have broad access to crack deeper into the enterprise.
In addition, even legitimate users tend to be given wider access than they need based on file permissions.
.NET addresses both problems by allowing programmers to build security into each level or tier of operation: Web server, programming language, operating system and database.
Typically, a user would first interact with the IIS Web server for basic authentication and limited access. .NET enables enterprises to build in security at each tier as the user works with additional resources, downloading mobile code to work with business and commercial apps and accessing data on the corporate back end.
Let's track this through the .NET environment. Users connect to a system via the Web server, where they can be validated with a certificate and basic password; they're granted authorization based on their subnet and given access to the application. The application can require a Passport account, perform URL validation and be assigned to certain
These roles are a differentiating point for .NET, helping developers tighten security and make it easier to manage.
This was first published in May 2006