
Doubt in security: authorization and confidentiality

 
Joshua Antony
Ranch Hand
Posts: 254
Below is a question from http://www.cafe4java.com

An organisation hosts a web application and assigns individual username/ password to all its employees, together with a set of access rights so that users of a particular department are unable to access data related to any other department. Which security mechanism is employed by this organisation? (select one correct answer)
A) Data Integrity
B) Confidentiality
C) Authentication
D) Authorization
E) Only A and B options
F) Only B and C
G) Only C and D
H) Only B, C and D
I) A, B, C and D

Answer given is H, would G be a better answer?
 
Devi Sri
Ranch Hand
Posts: 115
Answer is G.

"provide username/password" --> Authentication

"users of a particular department are unable to access data related to any other department" --> Authorization

Thanks & Regards,
 
Joshua Antony
Ranch Hand
Posts: 254
So the answer is G not H, right?
 
Devi Sri
Ranch Hand
Posts: 115
Yes. Answer is G only.

Nothing has been mentioned regarding Confidentiality or Integrity.

By the way, where have you taken this question from?
 
Joshua Antony
Ranch Hand
Posts: 254
As mentioned in my original post: http://www.cafe4java.com
 
Jose Luis Huertas
Greenhorn
Posts: 6
I also think G (Authentication and Authorization) is a better answer. I cannot see clues in the wording that suggest the use of 'Confidentiality'.

Unless you consider that '...so that users of a particular department are unable to access data related to any other department' means that a member of one department could install a network sniffer to access other departments' data...

But I don't think you should suppose such scenarios if the question doesn't mention it.
 
Ulf Dittmer
Rancher
Posts: 42968
As Jose mentions, it depends on the definition of "confidentiality". It could mean to prevent anyone who is not authorized to see the data from seeing it (in which case the line is blurred between authorization and confidentiality), or it could mean preventing eavesdropping (by using SSL or some other form of encryption).
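One way to see why the thread settles on G, as an added illustration that is not from any of the posts above: in a Servlet deployment descriptor each of the four mechanisms named in the question maps to a distinct element, and the scenario's wording only exercises the first two. The role names and URL patterns are assumed.

```xml
<!-- Constructed web.xml fragment (Servlet 3.x); not from any post above -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

  <!-- Authentication (option C): the employee proves who they are with
       the username/password the organisation issued. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Employees</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- One role per department (assumed names). -->
  <security-role><role-name>finance</role-name></security-role>
  <security-role><role-name>hr</role-name></security-role>

  <!-- Authorization (option D): a logged-in hr user requesting
       /dept/finance/* is refused (HTTP 403) because the access rights
       attached to their account do not include the finance role.
       This is all the question describes, hence answer G. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Finance data</web-resource-name>
      <url-pattern>/dept/finance/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>finance</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Confidentiality (option B) and data integrity (option A) are a
       separate, transport-level element that the scenario never
       mentions: CONFIDENTIAL forces an encrypted channel (HTTPS) so an
       eavesdropper on the network cannot read the data; INTEGRAL only
       requires that tampering in transit be detectable. Shown here
       only to make the distinction visible. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HR data</web-resource-name>
      <url-pattern>/dept/hr/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>hr</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
```

In the spec's own vocabulary, then, "confidentiality" is the eavesdropping sense Ulf describes, which is why keeping other departments out of a URL counts as authorization rather than confidentiality.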