Why would I need access control policies if I use encryption?
If encrypted data is stored on a server, and the decryption key is disseminated to the legitimate users (through email), is there a need to implement access control policies?
What could be a possible scenario where I need both of them (if the decryption key is only available to the legitimate users)?
Access control and authentication are two separate modes of security. Depending on your needs, you may need one or both.
Encrypting data on the server, and then disseminating the key, is arguably a form of authentication, since (at least in theory) knowing the key proves that you are a legitimate user.
Access control would be more along the lines of giving different levels of access to different users -- for instance, access to general documents for most users with a key and access to privileged data for a select few users.
Ultimately, you have to evaluate your needs and decide on which modes you require.
It depends on your security needs. Do you have any need to have levels of security?
If you just need to ensure that only legitimate users can access your site, then you can just encrypt their username with the key, then have them use a password, so that they have to know something and have something (two-factor authentication), and they can get into the site.
A term that applies here is the Principle of Least Privilege.
An enterprise system will have a number of different roles that users or applications perform. In these cases, it's appropriate to stop actors in one role accidentally (or deliberately) intruding into the realm of another actor's role.
A simple analogy: I am an employee of a company. I am a legitimate member of the company with a pass card who can get past the security desk to reach my workstation. However, I cannot access the company's bank account.
The vast majority of employees, even if they were given the bank account details, would do nothing inappropriate with the information. As the manager of this company, you could either trust the honesty of each and every employee, or you can go the far simpler route of recognising they have no need to access the account and keep them locked out. Then, if money starts disappearing, you have far fewer people to be suspicious of.
Audit and revocation.
Audit because you want to know if someone accessed data, not if they could do it because they had a key (this is usually a requirement for, say, HIPAA/HITECH).
Revocation because re-distributing keys for the data may be impractical and depending on the underlying crypto scheme, revocation may be impossible.
Access control policies, surprisingly, flow directly from your needs to control access.
When one of the legitimate user accounts becomes illegitimate for any number of reasons (user changed employment, violated terms of service, reported identity theft), then you have to control access to that account's data somehow.
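As an added example that is not part of the original thread or any of the answers above: the model the question describes (ciphertext on the server, one data key e-mailed to every legitimate user), with the three things the answers say a shared key cannot give you on its own: levels of access (the "general" vs "privileged" answer and the least-privilege answer), an audit record of who fetched what, and revocation without re-keying (the audit/revocation answer and the account-becomes-illegitimate answer). User names, document labels, the audit record format and the cipher are assumptions made for this example; the cipher is a stdlib-only stand-in for a real AEAD such as AES-GCM.

```python
"""Access control, audit and revocation on top of a shared decryption key.

Added example, not code from the original thread. As in the question, the
server stores only ciphertext and every legitimate user was e-mailed the
data key. The server still decides which ciphertexts a user may fetch,
records each decision, and can revoke a user without re-keying. Names,
labels and the cipher (HMAC-SHA256 keystream + HMAC tag, a stdlib stand-in
for AES-GCM) are assumptions made for this example.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

def _subkey(key: bytes, purpose: bytes) -> bytes:
    return hmac.new(key, purpose, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || body || tag (encrypt-then-MAC with separate subkeys)."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag: wrong key or tampered ciphertext")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))

@dataclass
class Server:
    """Holds ciphertext and policy; the data key is never stored here."""
    docs: dict = field(default_factory=dict)    # doc_id -> (label, ciphertext)
    grants: dict = field(default_factory=dict)  # user -> set of labels the user may read
    revoked: set = field(default_factory=set)
    audit: list = field(default_factory=list)   # (unix_time, user, doc_id, decision)

    def grant(self, user: str, *labels: str) -> None:
        self.grants.setdefault(user, set()).update(labels)

    def revoke(self, user: str) -> None:
        # Stops future fetches; cannot recall the key or copies already downloaded.
        self.revoked.add(user)

    def fetch(self, user: str, doc_id: str) -> bytes:
        """Policy check plus audit record; returns ciphertext the caller decrypts."""
        label, blob = self.docs[doc_id]
        allowed = user not in self.revoked and label in self.grants.get(user, set())
        self.audit.append((time.time(), user, doc_id, "allow" if allowed else "deny"))
        if not allowed:
            raise PermissionError(f"{user} may not read {doc_id} ({label})")
        return blob

def rotate_key(server: Server, old_key: bytes, new_key: bytes) -> int:
    """Re-encrypt every document (the cost the thread calls impractical); run as an
    offline job holding both keys, then redistribute new_key to every remaining user."""
    for doc_id, (label, blob) in server.docs.items():
        server.docs[doc_id] = (label, encrypt(new_key, decrypt(old_key, blob)))
    return len(server.docs)

def _decision(srv: Server, user: str, doc_id: str) -> str:
    try:
        srv.fetch(user, doc_id)
        return "allow"
    except PermissionError:
        return "deny"

def demo() -> dict:
    """Walk through the scenario with constructed users and documents."""
    key = os.urandom(32)                       # the key everyone was e-mailed
    srv = Server()
    srv.docs["handbook"] = ("general", encrypt(key, b"employee handbook"))
    srv.docs["bank"] = ("privileged", encrypt(key, b"account 1234"))  # constructed
    srv.grant("alice", "general")
    srv.grant("bob", "general", "privileged")
    out = {"alice_handbook": decrypt(key, srv.fetch("alice", "handbook")),
           "alice_bank": _decision(srv, "alice", "bank")}   # has the key, lacks the privilege
    cached = srv.fetch("bob", "bank")          # bob keeps a local copy
    srv.revoke("bob")
    out["bob_after_revoke"] = _decision(srv, "bob", "bank")
    out["bob_cached_copy"] = decrypt(key, cached)   # policy cannot undo this
    new_key = os.urandom(32)
    out["rotated"] = rotate_key(srv, key, new_key)
    out["new_key_reads_bank"] = decrypt(new_key, srv.docs["bank"][1])
    out["audit"] = [(u, d, dec) for _, u, d, dec in srv.audit]
    return out
```

Run `demo()` and look at the `audit` list: the denied fetch of the bank record by a user who holds the key is exactly the event a key-only scheme would never record, and `bob_cached_copy` is the ciphertext the revoked user can still read until `rotate_key` runs and the new key is redistributed.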