We are rethinking our security and came on an interesting issue. How can we make a generic security implementation for customer-owned assets?
Does every asset need a direct or indirect relation to a customer? And does this mean that for a secure system there always must be a check on this relationship before a query operation can happen? This seems very intensive to me.
An example would be: a customer has an Internet of Things gateway, and coupled to that is a device. Another customer should never be able to manipulate that device or ask for it. There are WCF APIs but also direct legacy calls to the logic. The idea is that security should be as close to the database as possible.
So is there a better way to handle this in .NET?
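One way to keep the ownership check cheap, as an added example that is not from the question or from any answer on it: fold the Customer -> Gateway -> Device relationship into the query itself, so the check costs one join rather than a separate lookup before every operation, and both the WCF path and the legacy path go through the same scoped data access. It assumes a SQL Server schema Gateway(Id, CustomerId) and Device(Id, GatewayId, Name), and that the caller resolves the customer id from the authenticated identity.

```csharp
// Added example, not from the question: a data-access layer that enforces the
// Customer -> Gateway -> Device relationship inside every statement, so a device is
// only read or changed within the authenticated customer's scope. Assumed schema:
// Gateway(Id, CustomerId), Device(Id, GatewayId, Name).
using System.Data;
using System.Data.SqlClient;

public sealed class DeviceRepository
{
    // The join through Gateway IS the ownership check; it is part of every statement.
    private const string OwnedDevice =
        "FROM dbo.Device d JOIN dbo.Gateway g ON g.Id = d.GatewayId " +
        "WHERE d.Id = @DeviceId AND g.CustomerId = @CustomerId";
    private readonly string _connectionString;
    private readonly int _customerId;
    // customerId must come from the authenticated identity (e.g. a claim), never from a caller-supplied parameter.
    public DeviceRepository(string connectionString, int customerId)
    {
        _connectionString = connectionString;
        _customerId = customerId;
    }
    // Returns null for both "no such device" and "owned by another customer", so foreign ids cannot be enumerated.
    public string GetDeviceName(int deviceId)
    {
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = Scoped(conn, "SELECT d.Name " + OwnedDevice, deviceId))
        {
            conn.Open();
            return cmd.ExecuteScalar() as string;
        }
    }
    // Writes use the same predicate; zero rows affected means not found or not owned.
    public bool RenameDevice(int deviceId, string newName)
    {
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = Scoped(conn, "UPDATE d SET Name = @Name " + OwnedDevice, deviceId))
        {
            cmd.Parameters.Add("@Name", SqlDbType.NVarChar, 200).Value = newName;
            conn.Open();
            return cmd.ExecuteNonQuery() == 1;
        }
    }
    private SqlCommand Scoped(SqlConnection conn, string sql, int deviceId)
    {
        var cmd = new SqlCommand(sql, conn);
        cmd.Parameters.Add("@DeviceId", SqlDbType.Int).Value = deviceId;
        cmd.Parameters.Add("@CustomerId", SqlDbType.Int).Value = _customerId;
        return cmd;
    }
}
```

Because the customer id is bound once per repository instance and applied by the same predicate to every statement, a caller that reaches the logic through WCF or through a direct legacy call cannot address a device outside its own customer scope.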