Access Controls
What are Access Controls? Access Controls govern whether an entity is allowed to use an object. For example, a locked door denies a person the ability to enter a house; the proper key unlocks the door and then allows the person to enter the house through it.
In Information Security, access controls fall into three groups. One is physical, like the example above. One is processes and procedures, such as password policies and background checks. The third is technical: technical controls are usually what enforce the policies and procedures within a computer system.
Access controls are based on three concepts: Authentication, Authorization, and Accountability. Authentication and Authorization are often confused. Authentication determines who can enter the system. Authorization deals with what a person can do in the system once they are authenticated. Accountability deals with identifying the actions of a person once they are in the system.
A traditional UNIX system login shows how this process works. First, a user presents his user name to the system. The system then prompts him to authenticate himself, and he types his password. He is now authenticated. This is one-factor authentication: the user presented something he knows, his password. Now that the user is in the system, he only has access to certain areas. Typically this would be full read, write, and execute permission in his home directory, some read and write access to the /tmp filesystem, and some read and execute permission on system binaries such as ls or more. He would not be able to get into other users’ home directories or system directories, or execute more sensitive system binaries. This takes care of Authentication and Authorization. Accountability comes into play from the system side: the system logs that the user logged in and, depending on its audit capability, may log everything the user does. Now the user can be tracked.
So, what was that one factor mentioned earlier? Factors of authentication fall into three categories: one, something you know; two, something you have; and three, something you are. Things that you know are usually passwords, PINs, mother’s maiden names, etc. Things that you have are ATM cards, credit cards, smart cards, real ID tokens, etc. Things that you are, are biometrics: retina scans, fingerprints, voice, palm layouts, etc. One-factor authentication uses one of the three, two-factor authentication uses two of the three, and three-factor authentication uses all of them. In movies you will see three-factor authentication quite a bit: someone swipes a card, punches a number into a keypad, and then has a retina scan. A common two-factor authentication happens at the ATM, where you supply your card (what you have) together with a PIN (what you know).
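The UNIX login above and the factors just listed can be put together in a small working model. The following Python program is an added example, not code from this article or its author: it authenticates a user with two factors (a salted password hash for what you know, and an RFC 6238 TOTP code for what you have), authorizes each request against UNIX-style owner/group/other mode bits, and records every decision in an audit list for accountability. The user "alice", her password, the TOTP secret (the RFC 6238 test-vector secret), and the file paths and modes are all constructed sample data.

```python
"""Toy model of authentication, authorization and accountability with
two-factor authentication. Added example, not the article author's code;
every user, password, secret, path and mode here is constructed sample data."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

# ---- Factor 1: something you know (the password is stored only as a salted hash)
SALT = b"constructed-salt-not-secret"  # a real system uses a random salt per user


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


# ---- Factor 2: something you have (a TOTP token, RFC 6238: HOTP over a 30 s counter)
def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", now // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


# Constructed user database; uid and groups are what authorization decisions use.
USERS = {
    "alice": {"uid": 1000, "groups": {"users"},
              "pw_hash": hash_password("correct horse battery staple"),
              "totp_secret": b"12345678901234567890"},  # RFC 6238 test-vector secret
}


@dataclass
class Entry:
    path: str
    owner_uid: int
    group: str
    mode: int  # UNIX permission bits, e.g. 0o755


# Constructed file system mirroring the article's UNIX example.
FS = {e.path: e for e in [
    Entry("/home/alice", 1000, "users", 0o700),
    Entry("/home/bob", 1001, "users", 0o700),
    Entry("/tmp", 0, "root", 0o777),
    Entry("/bin/ls", 0, "root", 0o755),
    Entry("/sbin/reboot", 0, "root", 0o700),
]}

AUDIT: list = []  # accountability: every login attempt and access decision lands here


def authenticate(username: str, password: str, code: str, now: int) -> bool:
    """Both factors must pass; compare_digest keeps the comparison constant-time."""
    user = USERS.get(username)
    if user is None:
        ok = False
    else:
        pw_ok = hmac.compare_digest(user["pw_hash"], hash_password(password))
        code_ok = hmac.compare_digest(totp(user["totp_secret"], now), code)
        ok = pw_ok and code_ok
    AUDIT.append(("login", username, "success" if ok else "failure"))
    return ok


def authorized(username: str, path: str, want: str) -> bool:
    """Classic owner/group/other check of one permission ('r', 'w' or 'x')."""
    user, entry = USERS[username], FS[path]
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if user["uid"] == entry.owner_uid:
        perm = (entry.mode >> 6) & 7
    elif entry.group in user["groups"]:
        perm = (entry.mode >> 3) & 7
    else:
        perm = entry.mode & 7
    ok = bool(perm & bit)
    AUDIT.append(("access", username, path, want, "allow" if ok else "deny"))
    return ok


def session(username, password, code, now, requests):
    """Authenticate, then decide each (path, permission) request.
    Returns {(path, permission): allowed}; an empty dict if login failed."""
    if not authenticate(username, password, code, now):
        return {}
    return {(p, w): authorized(username, p, w) for p, w in requests}


if __name__ == "__main__":
    t = 59  # RFC 6238 test time; the SHA-1 code for this secret at t=59 is 287082
    token = totp(USERS["alice"]["totp_secret"], t)
    decisions = session("alice", "correct horse battery staple", token, t,
                        [("/home/alice", "w"), ("/home/bob", "r"), ("/tmp", "w"),
                         ("/bin/ls", "x"), ("/sbin/reboot", "x")])
    for req, ok in decisions.items():
        print(req, "allow" if ok else "deny")
    for record in AUDIT:
        print(record)
```

Run as a script, alice is allowed to write her own home directory and /tmp and to execute /bin/ls, but is denied reading /home/bob (the group bits of 0o700 are empty even though both users share the "users" group) and executing /sbin/reboot; the audit list then shows the login and each allow/deny decision, which is the accountability half of the article's UNIX example.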
This article should give you a brief introduction to what Access Controls are and what they do. For more information please see: http://en.wikipedia.org/wiki/Access_control, ISC2, and CCCure.org.

Access Controls by Jeremy Finke, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.

[...] is an article I wrote regarding the basics of Access Controls. It deals mostly with AC in Information Assurance. [...]