The solution outlined in this article is based on three
security concepts: authentication, privacy, and integrity.
Authentication
Authentication is the process of determining the identity of
a person or entity. There are three general factors that can be used for
authentication:
1.
Something a person knows
2.
Something a person has
3.
Something a person is
Something a person knows can be a password, PIN, or mother’s
maiden name. Something a person has can be a key, swipe card, or badge. Biometrics
such as fingerprint and iris scans can be used to prove something a person is. Strong
authentication contains two out of these three methods.
Privacy
Privacy is the act of keeping data undisclosed to third
parties unless authorized. Privacy protects sensitive information such as personal
information.
Integrity
Integrity provides the assurance that data has not been
altered in an unauthorized way. One example is when a user sends a request to
her online bank account to pay her $24.56 water utility bill. This user needs
to be sure that the integrity of that transaction was not altered during
transmission, so the user does not end up paying the utility company $240.56
instead.
Security in the Solution
The solution outlined in this article makes use of a password
to authenticate the person opening and saving an InfoPath form. Since a
password by itself does not provide strong authentication, it is combined with
the person's user name to add a second layer of security. If someone else gains
knowledge of the password, that person would also have to impersonate the original
user before he can gain access to the protected data stored within the form.
The password is not explicitly saved within the form, or
anywhere else for that matter. The user is forced to remember and enter it to
both lock and unlock, i.e. encrypt and decrypt, sensitive form fields. Encryption
is used to ensure both privacy and integrity.