Access Control

Access control is the process by which users are identified and granted certain privileges to information, systems, or resources. Understanding the basics of access control is fundamental to understanding how to manage proper disclosure of information.

Access Control Overview:
Controlling how network resources are accessed is paramount to protecting private and confidential information from unauthorized users. The types of access control mechanisms available for information technology
initiatives today continues to increase at a breakneck pace.

Most access control methodologies are based on the same underlying principles. If you understand the underlying concepts and principles, you can apply this understanding to new products and technologies and shorten the learning curve so you can keep pace with new technology initiatives.

Access control devices properly identify people, and verify their identity through an authentication process so they can be held accountable for their actions. Good access control systems record and time stamp all communications and transactions so that access to systems and information can be audited at later dates.

Reputable access control systems all provide authentication, authorization, and administration. Authentication is a process in which users are challenged for identity credentials so that it is possible to verify that they are who they say they are. Once a user has been authenticated, authorization determines what resources a user is allowed to access. A user can be authenticated to a network domain, but only be authorized to access one system or file within that domain. Administration refers to the ability to add, delete, and modify user accounts and user account privileges.

Access Control Objectives
The primary objective of access control is to preserve and protect the confidentiality, integrity, and availability of information, systems, and resources. Many people confuse confidentiality with integrity.

Confidentiality refers to the assurance that only authorized individuals are able to view and access data and systems. Integrity refers to protecting the data from unauthorized modification. You can have confidentiality without integrity and vice versa. It’s important that only the right people have access to the data, but it’s also important that the data is the right data, and not data that has been modified either accidentally or on purpose.

Availability is certainly less confusing than confidentiality or integrity. While data and resources need to be secure, they also need to be accessible and available in a timely manner. If you have to open 10 locked safes to obtain a piece of data, the data is not very available in a timely fashion.

While availability may seem obvious, it is important to acknowledge that it is a goal so that security is not overdone to the point where the data is of no use to anyone.

Types of Access Control
Discretionary access control systems allow the owner of the information to decide who can read, write, and execute a particular file or service. When users create and modify files in their own home directories, their ability to do this is because they have been granted discretionary access control over the files that they own.

On end-user laptops and desktops, discretionary access control systems are prevalent.

Mandatory access control systems do not allow the creator of the information to govern who can access it or modify data. Administrators and overseeing authorities pre-determine who can access and modify data, systems, and resources.

Mandatory access control systems are commonly used in military installation, financial institutions, and because of the new HIPAA privacy laws in medical institutions as well.

Role-based access control systems allow users to access systems and information based on their role within the organization. Role-based access allows end-users access to information and resources based on their role within the organization.

Roles based access can be applied to groups of people or individuals. For example, you can allow everyone in a group named sysadmin access to privileged resources.

Rule-based access control systems allow users to access systems and information based on pre-determined and configured rules. Rules can be established that allow access to all end-users coming from a particular domain, host, network, or IP addresses. If an employee changes their role within the organization, their existing authentication credentials remain in effect and do not need to be re-configured. Using rules in conjunction with roles adds greater flexibility because rules can be applied to people, as well as devices.

Access Control Technologies
There are different types of access control technologies that can all be used to solve enterprise access solutions. Tokens, smart cards, encrypted keys, and passwords are some of the more popular access control technologies.
Biometric devices authenticate users to access control systems through some sort of personal identifier such as a fingerprint, voiceprint, iris scan, retina scan, facial scan, or signature dynamics.

The nice thing about using biometrics is that end-users do not lose or misplace their personal identifier. It’s hard to leave your fingers at home. However, biometrics have not caught on as fast as originally anticipated due to the false positives and false negatives that are common when using biometric technologies.

Smart Cards are plastic cards that have integrated circuits or storage receptacles embedded in them. Smart cards with integrated circuits that can execute transactions and are often referred to as “active” smart cards. Cards with memory receptacles that simply store information (such as your bank ATM card) are referred to as “passive.”

Whether or not a memory card is a type of smart card depends on who you ask and what marketing material you are reading. Used to authenticate users to domains, systems, and networks, smart cards offer two-factor authentication — something a user has, and something a user knows. The card is what the user has, and the personal identification number (PIN) is what the person knows.

A token is a handheld device that has a built-in challenge response scheme that authenticates with an enterprise server. Today’s leading tokens typically use time-based challenge and response algorithms that constantly change and expire after a certain length of time, e.g., one minute.

Like smart cards, tokens use two-factor authentication. However, unlike smart cards, the two-factor authentication is constantly changing based on timed intervals — therefore, when a password is entered, it cannot be reused, even if someone sniffing the wire detected it in transit.
Encrypted keys are mathematical algorithms that are used to secure confidential information and verify the authenticity of the people sending and receiving the information.

Standards for encrypted keys have been created to make sure that security requirements are taken into account, and to allow technologies made by different vendors to work together. The most widely used standard for encrypted keys is called X.509 digital certificates. Using digital certificates allows you to stipulate who can access and view the information you are encrypting with the key.

Passwords are used for access control more than any other type of solution because they are easy to implement and are extremely versatile. On information technology systems, passwords can be used to write-protect documents, files, directories, and to allow access to systems and resources. The downside to using passwords is that they are among the weakest of the access control technologies that can be implemented. There are numerous password-cracking utilities out on the Internet — some of which are freeware and some of which are licensed professional products.

If a hacker downloads an encrypted password file, or a write-protected document with password protection, they can run the password file or document through a password cracking utility, obtain the password, and then either enter the system using a legitimate user’s account or modify the write-protected document by inserting the correct password when prompted. By using a protocol analyzer, hackers can “sniff” the network traffic on the wire and obtain passwords in plaintext rather easily.
However, in spite of the risks in using passwords, they are still commonly used world over with the assumption that taking the trouble to violate password protections would not be worth the time and effort.

If passwords are used, it is recommended that mixed-case passwords with both numeric and alphabet characters are used, since these types of passwords are more difficult for password cracking tools to crack. Passwords with names and real words in them are easiest to crack. Good password choices look like this:
• 1bHkL0m8
• a9T4j7uU
• 7VbbsT10
• gL4lJT3m
• koO521qW

Poor password choices look like this:
• Billsmith
• Troutfishing
• Jessica
• NewYorkOffice
• Surfdude
While stronger access control systems are clearly available, password models are not going to go away anytime soon. Some organizations routinely run password crackers on end-user accounts to check if end-users are using easy to guess passwords, or more secure password choices. As long as passwords are being used, they should be managed through routine audits, and expired according to a pre-determined schedule.

A Word to the Wise
Understanding the basics of access controls is good preparation for a variety of information technology initiatives including:
• Shopping for new access control products
• Developing an information security budget
• Writing access control and authentication security policies
• Evaluating and deploying single sign-on technologies
• Configuring authentication services
• Architecting data classification schemes
• Preparing to perform an information technology audit
• Getting ready for certification and accreditation initiatives
All organizations should have their access control configurations and policies well documented and available for upper management review. Keep in mind that access control configurations and policies would by their very nature contain sensitive information, so the documentation should be stored securely, and its access should be monitored.

Reference Source: http://www.intranetjournal.com/articles/200311/ij_11_10_03a.html