In the previous articles in this series, we explored in detail the three Web application security frameworks (WASF): database lookup, operating system level authentication, and digital certificates. But some of you may still not know which one to choose. Others have an idea, but would like one last comparison to validate their choice.
There are a lot of things to consider and measure when choosing the proper WASF for your application. The important thing, though, is that you decide on your framework before you start programming. This is going to save you a lot of work in the long haul. There's no sense building a Web site specified for one WASF, only to find out later that the particular methodology doesn't satisfy all your security requirements.
You can see the detailed explanation of Web application security frameworks in these previous articles:
"Web application security frameworks, part 1: Introduction"
"Web application security frameworks, part 2: Database lookup"
"Web application security frameworks, part 3: Operating system level authentication"
"Web application security frameworks, part 4: Digital certificates"
Let's delve a little deeper into some comparisons. I'll list the most important facts for an objective comparison. These factors will include items such as workload for users of the Web app, workload for administrators of the Web app, hardware requirements, and cost. I will then use the conclusion of the article to present my subjective thoughts on when to use which.
Database lookup
High workload for users
The database lookup method is set up purposefully to put the burden of work onto the users. In order to use the Web application, the user needs to go through a sign-up process. During the sign-up phase, the user will create a unique username/password combination. With this, the user can come back and log in to the Web application at any time. There is usually a section inside the application that will let the user modify and maintain private and personal information. Thus, the burden of work is on the users to ensure that their information is always current.
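The sign-up, login, and self-service maintenance steps described above, as an added Python example (not code from the original article). It assumes an in-memory SQLite table standing in for the application's user database; the work factor and the 16-byte salt length are assumptions. The application stores only a per-user salt and a PBKDF2 hash, never the password itself, and compares hashes in constant time.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed schema standing in for the Web application's user table.
SCHEMA = """
CREATE TABLE users (
    username TEXT PRIMARY KEY,
    salt     BLOB NOT NULL,
    pw_hash  BLOB NOT NULL
)
"""
PBKDF2_ROUNDS = 100_000  # assumed work factor; tune for your hardware


def open_user_store():
    """Create the in-memory user table (assumed stand-in for a real database)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def sign_up(conn, username, password):
    """Sign-up phase: store a random salt and the derived hash, never the password.
    Returns False when the username is already taken."""
    salt = os.urandom(16)
    try:
        with conn:
            conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                         (username, salt, _derive(password, salt)))
    except sqlite3.IntegrityError:
        return False
    return True


def login(conn, username, password):
    """Database lookup: fetch the stored salt and hash for the username and
    compare in constant time so the check does not leak which bytes matched."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        # Derive anyway so an unknown username costs the same time as a bad password
        _derive(password, b"\x00" * 16)
        return False
    salt, stored = row
    return hmac.compare_digest(_derive(password, salt), stored)


def change_password(conn, username, old_password, new_password):
    """Account maintenance section: the user updates their own credential,
    but only after re-authenticating with the old one."""
    if not login(conn, username, old_password):
        return False
    salt = os.urandom(16)
    with conn:
        conn.execute("UPDATE users SET salt = ?, pw_hash = ? WHERE username = ?",
                     (salt, _derive(new_password, salt), username))
    return True
```

The parameterised queries keep the username from being interpreted as SQL, and the dummy derivation on the unknown-user path keeps login timing roughly uniform so the response does not reveal which usernames exist.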
Low workload for administrators
This particular WASF is easy on system administrators. Since the bulk of the work is on the individual users themselves, there is little for the administrators to do with regard to the user. Of course, the administrators still have all the other security requirements they need to perform. Amazon, eBay, and other such large commerce Web applications utilize this security framework. If they didn't, they would have to manage account information for millions of users.
The hardware requirements vary depending on the implementation type. The cheapest way would be putting the Web server and database on the same machine. A more costly, yet scalable, solution would be to break up the WASF pieces (Web server, database server, LDAP server, etc.) into different machines so each can focus on its respective task.
Once again, cost can vary. There are free operating system, Web server, and database server software combinations out there that can be viable, inexpensive solutions. However, if you purchase commercial software from vendors such as Oracle, IBM, or Microsoft, it can get to be pretty expensive.
Operating system level authentication
Low workload for users
The operating system level authentication method is set up purposefully to remove the burden of work from the user level. In order to access the Web application, the user does not usually go through a sign-up process. Rather, the users are provided a network username and password. With this, the user can come back and log in to the network at any time. While logged in to the network, the user need not worry about Web application security. Either they'll have the rights to access certain parts of the application and system, or they won't.
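How an internal application looks when the Web server has already authenticated the network account, as an added Python example (not code from the original article). It assumes a WSGI-style server that performs operating system level authentication and hands the account name to the application in `REMOTE_USER`; the group memberships and the path-to-group policy are constructed. The application never handles a password; it only decides whether the already-authenticated account has the rights to the requested part of the site.

```python
# Constructed group membership standing in for what the OS or directory reports.
NETWORK_GROUPS = {
    "alice": {"staff", "finance"},
    "bob": {"staff"},
}

# Constructed policy: which network group a path prefix requires.
REQUIRED_GROUP = {
    "/reports": "finance",
    "/": "staff",
}


def authorize(path, user, groups=NETWORK_GROUPS, policy=REQUIRED_GROUP):
    """Return True if the network account `user` may access `path`.
    The longest matching prefix wins, so /reports is checked before /."""
    for prefix, group in sorted(policy.items(), key=lambda kv: -len(kv[0])):
        if path.startswith(prefix):
            return group in groups.get(user, set())
    return False


def intranet_app(environ, start_response):
    """WSGI application that never sees a password. The Web server performs
    the OS-level authentication and sets REMOTE_USER in the environ. Note that
    this is a server-set variable, not a request header: a header named
    Remote-User would arrive as HTTP_REMOTE_USER and must never be trusted."""
    user = environ.get("REMOTE_USER")
    if not user:
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"Web server did not authenticate this request\n"]
    path = environ.get("PATH_INFO", "/")
    if not authorize(path, user):
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"Account lacks the required network group\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"Hello {user}, you may view {path}\n".encode("utf-8")]


def call(app, environ):
    """Small helper that runs a WSGI app in-process and returns (status, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body
```

Because the account exists only in the network directory, disabling the account there locks the user out of the application immediately, which is the administrator-side workload the next section describes.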
High workload for administrators
This particular WASF is hard on system administrators. Since the bulk of the work is on the system administrators themselves, there is a lot for the administrators to do in regard to the users. Of course, the administrators already have other security requirements they need to perform, such as setting up a network account for each user. Therefore, with respect to workload for each user, there is a lot of work to be done, but most of the time it would have to be done regardless of Web application security. Large corporations utilize this security framework to govern things like intranets and other internal Web applications.
The hardware requirements are very minimal, since you merely activate this feature in the Web server. With this method there is no need for separate hardware or software.
The primary cost for this method is work hours. As you get more users, the system administrators will have more work to do setting up and maintaining accounts. However, since you have to pay them anyway, this could be a soft cost since you utilize in-house resources.
Digital certificates
Moderate workload for users
The digital certificates method is unique. The workload is doubled because digital certificates are usually used in conjunction with one of the above methods. The additional work comes after one of the above methods is used to give the user a username and password. The digital certificates are installed on the users' machines and activated with the browser. This unfamiliar process may confuse novice users, which may prevent them from accessing something they are entitled to view. Therefore, the users must take the time to familiarize themselves with the process and correctly install/activate their certificates.
Moderate workload for administrators
Once again, this method creates a doubling of work. The system administrators already have to set up one of the above security frameworks, prior to digital certificates. Since a lot of Web sites already utilize SSL technology, the Web server's digital certificate is normally already installed and activated. However, if SSL is not installed or activated, then the systems administrator would have to perform those tasks for this framework to work correctly.
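The server side of the digital certificate layer, as an added Python example using the standard `ssl` module (not code from the original article). It assumes the server's own certificate chain and the CA that issued the user certificates are supplied as file paths, and that the certificate identity is then matched against the account already authenticated by database lookup or OS-level authentication, which is the "second barrier" role the article assigns to certificates. The sample peer certificate dictionary is constructed to match the shape `SSLSocket.getpeercert()` returns; it is not a real certificate.

```python
import ssl
import time


def server_context(cert_chain=None, ca_file=None):
    """Build a TLS server context that refuses the handshake unless the client
    presents a certificate signed by our CA. cert_chain and ca_file are paths
    you supply (assumed); when None they are not loaded, which allows the
    policy settings to be inspected without key material."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # no client certificate, no connection
    if cert_chain:
        ctx.load_cert_chain(cert_chain)
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    return ctx


def identity_from_peercert(cert, now=None):
    """Map a client certificate (the dict from SSLSocket.getpeercert(), which is
    only populated after the library has verified the chain) to a username.
    Returns None when the certificate is absent, not yet valid, expired,
    or carries no commonName."""
    if not cert:
        return None
    now = time.time() if now is None else now
    if ssl.cert_time_to_seconds(cert.get("notBefore", "Jan  1 00:00:00 1970 GMT")) > now:
        return None
    if ssl.cert_time_to_seconds(cert.get("notAfter", "Jan  1 00:00:00 1970 GMT")) < now:
        return None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def second_factor_ok(cert, session_user, now=None):
    """The second barrier: the certificate identity must match the account that
    one of the other two frameworks already authenticated."""
    cert_user = identity_from_peercert(cert, now)
    return cert_user is not None and cert_user == session_user


# Constructed sample shaped like getpeercert() output (not a real certificate).
SAMPLE_PEERCERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Corp"),),
                (("commonName", "alice"),)),
    "issuer": ((("commonName", "Example Corp Internal CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
    "serialNumber": "01",
}
```

If a browser presents no certificate, or one from an untrusted issuer, the handshake fails before any application code runs; that is the point at which the novice-user confusion the article mentions shows up, so the server logs are where to look when entitled users report being locked out.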
The hardware required, besides the Web server, is none. However, there is optional equipment you can purchase. Digital certificate authentication is very processor intensive, since strong levels of encryption and decryption are taking place. This places an extra burden on the Web server's processor. There is highly specialized hardware you could buy to offload all the encrypting/decrypting processing. There are add-on cards, known as SSL accelerators, that support this function on the Web server itself. Or you can purchase machines whose sole purpose is handling all the encryption/decryption processing before the requests even make it to your Web server.
There are a lot of costs associated with digital certificates. The certificates themselves can cost a few hundred dollars a piece, so if you have hundreds of users, that's tens of thousands of dollars. In addition to that, if you do decide to go with additional hardware to offload the processing, that will cost you as well.
The way I see it, the database lookup is your best bet for a WASF. It's very common on the Web, and thus very familiar to users. Its popularity is a strong vote of confidence for its use. However, you must realize its limitations and not expect database lookup to be the be-all and end-all. Fortunately, most of us don't have any top secret information that puts the world at large at risk.
The operating system level authentication framework is your best bet if the Web application will always be an internal one. The system administrators have already done the work of setting up users, so you might as well take advantage of that. The time saved from having to create a sign-up section and implementing login logic can be better used to program the application itself. Since the application is most likely being built inside a huge corporate environment, there are probably already unrealistic goals and deadlines in place anyway. Every minute spared is helpful.
Digital certificates are more of a second barrier to add to one of the above methods. On its own, the technology is effective, but in conjunction with one of the above methods, it's darn near impossible to break. While using digital certificates may make users feel like secret agents exchanging nuclear submarine plans, it's a feeling many users would enjoy. However, it's probably only financially feasible for real secret agents and their governments that actually exchange such top secret data.
I hope this series has proven useful to those of you looking for a Web application security framework. Most sites start without one and attempt to add one later. With a little preplanning, you can implement the best method for your application and save yourself some time and heartache.