Access control is an important aspect of managing a computer system. Many conventional computer systems provide access control by authenticating the identity of a requesting client and then authorizing a request provided by the client based at least in part on the identity of the client. The identity of the requesting client can be authenticated in a variety of ways. In some systems, the identity of the requesting client is authenticated by validating a set of credentials that are provided with a request. Credentials used to authenticate a client can include a username and password, biometric information, or a cryptographic signature that is included with the request. Once the requesting client is identified and authenticated, an authorization process accesses a database of authorization policies and determines a set of access rights associated with the requester's identity. If the set of access rights is insufficient to complete the request, the request is denied. If the set of access rights is sufficient, then the request is granted.
If an attacker acquires the credentials of an authorized client, the attacker can impersonate the authorized client and may be able to perform any action for which the client has been granted sufficient rights. Because the authorization process in such a system acts only on the authenticated identity, it has no basis for distinguishing a request from the attacker holding the stolen credentials from a request made by the legitimate client. For example, if the authorized client has the right to delete an item from a database, the attacker can also delete an item, or even every item, from the database.
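The following is an added illustration of the two preceding paragraphs, not code from the original document: a minimal conventional access-control path in which a request carries a cryptographic signature as its credential, the signature is validated against a key store, a policy table is consulted for the authenticated identity, and the request is then granted or denied. The final scenario shows that a request signed with a stolen key is indistinguishable from a legitimate one, so an attacker holding a client's key with delete rights can empty the database. The HMAC signing scheme, key store, policy table and item database are constructed assumptions for the example only.

```python
import hashlib
import hmac
import json

# Constructed sample data (assumptions for this example, not from the document).
CLIENT_KEYS = {"alice": b"alice-secret-key", "bob": b"bob-secret-key"}  # credential store
POLICIES = {"alice": {"read", "delete"}, "bob": {"read"}}               # authorization database
DATABASE = {"item1": "a", "item2": "b", "item3": "c"}                     # protected resource


def sign_request(client_id, key, action, target):
    """Client side: build a request and attach an HMAC-SHA256 signature as the credential."""
    body = json.dumps({"client": client_id, "action": action, "target": target}, sort_keys=True)
    signature = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "signature": signature}


def authenticate(request):
    """Server side: validate the signature with the claimed client's key; return the identity or None."""
    body = json.loads(request["body"])
    key = CLIENT_KEYS.get(body.get("client"))
    if key is None:
        return None
    expected = hmac.new(key, request["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, request["signature"]):
        return None
    return body["client"]


def authorize(identity, action):
    """Look up the policy database for the identity and decide whether the action is permitted."""
    return action in POLICIES.get(identity, set())


def handle(request, db):
    """Authenticate, then authorize, then execute. The decision depends only on the identity."""
    identity = authenticate(request)
    if identity is None:
        return "denied: authentication failed"
    body = json.loads(request["body"])
    if not authorize(identity, body["action"]):
        return "denied: insufficient rights"
    if body["action"] == "delete":
        if body["target"] == "*":
            db.clear()            # the client's right to delete extends to every item
        else:
            db.pop(body["target"], None)
    return "granted"


def scenarios():
    """Run four requests against a fresh copy of the database and report the outcomes."""
    db = dict(DATABASE)
    results = {}

    # 1. Legitimate client with a read right.
    results["alice_read"] = handle(sign_request("alice", CLIENT_KEYS["alice"], "read", "item1"), db)

    # 2. Attacker who does not hold alice's key: the forged signature fails authentication.
    results["forged"] = handle(sign_request("alice", b"guessed-key", "delete", "*"), db)

    # 3. Authenticated client whose policy lacks the delete right.
    results["bob_delete"] = handle(sign_request("bob", CLIENT_KEYS["bob"], "delete", "item1"), db)
    results["items_after_denials"] = len(db)

    # 4. Attacker who has stolen alice's key: the request is indistinguishable from alice's own.
    stolen_key = CLIENT_KEYS["alice"]
    results["stolen_key_delete_all"] = handle(sign_request("alice", stolen_key, "delete", "*"), db)
    results["items_after_theft"] = len(db)
    return results


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome}")
```

The first three requests show the conventional mechanism working as intended; the fourth shows why possession of the credential alone is decisive in this design: the server never sees anything but a validly signed request attributed to an identity with sufficient rights.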