Atomic authorization
Atomic authorization is the act of securing authorization rights independently from the intermediary applications to which they are granted and the parties to which they apply.[1] More formally, in the field of computer security, to atomically authorize is to define policy that permits access to a specific resource, such that the authenticity of such policy may be independently verified without reliance on the application that enforces the policy or the individuals who use the application. Resources include access to individual data, computer programs, computer hardware, computer networks, and physical access.
Traditional vs. atomic authorization
In traditional (non-atomic) authorization, policy is defined and secured at an application level. That is, outside the context of the application, there is no mechanism to verify the legitimacy of traditional authorization policy. Atomic authorization requires a trusted third party to issue authorization policy with a cryptographic guarantee of integrity. Because it is secured independently of the applications that use it, atomic authorization policy is equivalent in strength to strong authentication policy.
For an application using strong (N-factor) authentication, traditional authorization techniques pose a security vulnerability. The application must rely upon technologies like database queries or directory lookups, which are protected using single-factor authentication, for authorization information and management. Any application-specific hardening of non-atomic authorization methods increases the complexity of identity management and issuing credentials, but does not further legitimize the authorization decisions that the application makes.
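The following Go sketch is an added illustration, not code from the cited paper: a trusted third party signs a policy, and anyone holding the issuer's public key can verify it without the application or its policy store. Ed25519 stands in for the unspecified "cryptographic guarantee of integrity", and the `Policy` fields, function names and sample values are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
)

// Policy is a hypothetical atomic authorization statement (field names are assumptions).
type Policy struct {
	Subject  string `json:"subject"`
	Resource string `json:"resource"`
	Action   string `json:"action"`
}

// SignedPolicy carries the exact bytes the issuer signed plus the signature.
type SignedPolicy struct{ Body, Sig []byte }

// Issue is run by the trusted third party, which alone holds the private key.
func Issue(priv ed25519.PrivateKey, p Policy) (SignedPolicy, error) {
	body, err := json.Marshal(p)
	if err != nil {
		return SignedPolicy{}, err
	}
	return SignedPolicy{Body: body, Sig: ed25519.Sign(priv, body)}, nil
}

// Verify needs only the issuer's public key, so it can run outside the application.
func Verify(pub ed25519.PublicKey, sp SignedPolicy) (Policy, error) {
	var p Policy
	if !ed25519.Verify(pub, sp.Body, sp.Sig) {
		return p, errors.New("policy signature invalid")
	}
	return p, json.Unmarshal(sp.Body, &p)
}

// Demo returns (genuine policy accepted, edited policy accepted).
func Demo() (bool, bool) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	sp, _ := Issue(priv, Policy{Subject: "alice", Resource: "payroll-db", Action: "read"}) // constructed sample
	_, errGood := Verify(pub, sp)
	// Constructed tampering: the stored policy row is edited, the old signature is kept.
	edited := SignedPolicy{Body: []byte(`{"subject":"alice","resource":"payroll-db","action":"write"}`), Sig: sp.Sig}
	_, errBad := Verify(pub, edited)
	return errGood == nil, errBad == nil
}

func main() {
	good, bad := Demo()
	fmt.Println("genuine accepted:", good, "edited accepted:", bad)
}
```

An edit to the stored policy, which a traditional database lookup would return as-is, fails verification here because the signature covers the policy bytes and only the issuer can produce a new one.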
References
- Dilles, Jacob (2009). "Atomic Authorization" (PDF). George Mason University. Archived (PDF) from the original on 2011-06-06. Retrieved 16 July 2009.