Information Sheet 5.1-1: Control in the Security and Assurance of Information

Site: ias101csiicollege.gnomio.com
Course: Information Assurance and Security
Book: Information Sheet 5.1-1: Control in the Security and Assurance of Information
Printed by: Jess Deladia
Date: Thursday, 2 December 2021, 10:22 AM

Description

At the end of the lesson, students shall be able to:

1. Demonstrate understanding of access control concepts and technologies;
2. Analyze formal models of access control; and
3. Develop, manage, and maintain system access control.
Access Control

What is Access Control?

Access control is the process by which a system decides whether and how to admit a user (or a process acting for a user) into a trusted area of the organization, whether that area is an information system or a physical location. Access control is accomplished by a combination of policies, programs, and technologies. Access controls can be mandatory (the system enforces labels that users cannot override), nondiscretionary (permissions are assigned centrally, for example by role), or discretionary (the owner of a resource decides who may use it).

Four Components of Access Control

Every access control decision involves the same four components: Users (the subjects requesting access), Resources (the objects being protected), Actions (what a user wants to do with a resource, such as read, write, or execute), and Relationships (the permissions that state which users may perform which actions on which resources). Identification and authentication establish who the user is; authorization then evaluates the relationship between that user, the requested resource, and the requested action.
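The four components, and the three kinds of control the page lists (mandatory, nondiscretionary, discretionary), can be made concrete with one decision function per model. The following is an added example written for this sheet, not code from the course or from any real access control product; the users, roles, labels, resource names and the policy tables are constructed for illustration.

```python
"""Added example: users, resources, actions and relationships, with a
discretionary (owner-managed ACL), a nondiscretionary (role-based) and a
mandatory (clearance vs. classification) decision function.  All names,
roles, labels and policy entries are constructed; nothing here is drawn
from a real system."""
from dataclasses import dataclass, field

# Ordered sensitivity levels used by the mandatory (Bell-LaPadula style) check.
LEVELS = {"public": 0, "confidential": 1, "secret": 2}


@dataclass
class User:                      # the subject requesting access
    name: str
    roles: set = field(default_factory=set)
    clearance: str = "public"


@dataclass
class Resource:                  # the object being protected
    name: str
    owner: str
    classification: str = "public"
    acl: dict = field(default_factory=dict)   # user name -> set of actions (DAC relationships)


# Nondiscretionary relationships: role -> resource name -> permitted actions (constructed)
ROLE_PERMS = {
    "auditor": {"ledger": {"read"}},
    "clerk":   {"ledger": {"read", "write"}},
}


def dac_allowed(user, resource, action):
    """Discretionary: the owner may do anything; everyone else needs an ACL entry."""
    if user.name == resource.owner:
        return True
    return action in resource.acl.get(user.name, set())


def rbac_allowed(user, resource, action):
    """Nondiscretionary: permission flows from the user's roles, never from ownership."""
    return any(action in ROLE_PERMS.get(role, {}).get(resource.name, set())
               for role in user.roles)


def mac_allowed(user, resource, action):
    """Mandatory: no read up (clearance >= label) and no write down (clearance <= label)."""
    c, l = LEVELS[user.clearance], LEVELS[resource.classification]
    if action == "read":
        return c >= l
    if action == "write":
        return c <= l
    return False                 # unknown action: deny


def authorize(user, resource, action, model):
    """Single decision point that dispatches to the model in force.  Unknown model: deny."""
    check = {"dac": dac_allowed, "rbac": rbac_allowed, "mac": mac_allowed}.get(model)
    return bool(check and check(user, resource, action))


# Constructed sample policy: alice owns a confidential ledger and has granted bob read access.
ledger = Resource("ledger", owner="alice", classification="confidential", acl={"bob": {"read"}})
alice = User("alice", roles={"clerk"}, clearance="confidential")
bob = User("bob", roles={"auditor"}, clearance="public")
carol = User("carol", roles=set(), clearance="secret")

if __name__ == "__main__":
    for model in ("dac", "rbac", "mac"):
        for u in (alice, bob, carol):
            for act in ("read", "write"):
                verdict = "ALLOW" if authorize(u, ledger, act, model) else "DENY"
                print(f"{model}: {u.name} {act} {ledger.name} -> {verdict}")
```

Running the block prints the decision matrix for every user, action and model. Note how the same request gets different answers: bob, with public clearance, may write to the confidential ledger under the mandatory model (writing up never leaks data) but may not read it, while under the discretionary model the owner's ACL entry lets him read and nothing else.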

Logical Access Controls

Logical access controls are the tools and protocols that a computer information system uses for identification, authentication, authorization, and accountability. Logical access is often needed for remote access to hardware and is usually contrasted with "physical access".

Logical access controls enforce access to systems, programs, processes, and information. The controls may be built into operating systems, applications, add-on security products, or database and telecommunication management systems.

Solutions for Logical Access Control may include Biometrics, Tokens, Passwords, and Single Sign-on.

Biometric Access Controls

Biometric access control relies on some measurable human characteristic or trait to authenticate the identity of a proposed user (a supplicant) of a system. Fingerprint comparison, palm print comparison, hand geometry, facial recognition, and retinal print comparison are biometric authentication technologies in common use.

Minutiae are the unique points of reference in a person's biometric (in a fingerprint, for example, the ridge endings and bifurcations) that are stored as an encoded value, not as a raw image, to be verified when access is requested. Each attempt at access produces a fresh measurement that is compared to the stored value to decide whether the supplicant is who he or she claims to be. A concern with this approach is that biometric characteristics change as the body ages, so stored templates can drift out of date.

For authentication during a transaction, retail stores use signature capture: the customer signs a digital pad with a special pen that records the signature. The signature is then stored for future reference, or compared against a signature already on file for validation.

Voice recognition works in a similar manner: the user's initial voiceprint is recorded while reciting a phrase. Later, when the user tries to access the system, the authentication mechanism asks the user to speak the same phrase so that the algorithm can match the live voiceprint to the stored value.

Effectiveness of Biometrics

Biometric systems are assessed using three parameters: the false rejection rate (FRR), the percentage of supplicants who are in fact authorized users but are denied access (a Type I error); the false acceptance rate (FAR), the percentage of supplicants who are unauthorized but are allowed access (a Type II error); and the crossover error rate (CER), the point at which the false rejection rate equals the false acceptance rate. The CER is the usual figure for comparing biometric systems: the lower it is, the more accurate the system, and an operator then tunes the acceptance threshold away from the CER toward whichever error is cheaper to tolerate.
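The three rates can be computed directly from a matcher's similarity scores. The following is an added example written for this sheet, not output from any biometric product; the genuine and impostor score lists are constructed so that the calculation runs offline, and the threshold sweep is an assumption about how a vendor's matcher would be tuned.

```python
"""Added example: FRR, FAR and crossover error rate from matcher scores.
The score lists are constructed, not measurements from a real biometric
system: each value is the similarity the matcher reported for one attempt.
'Genuine' attempts come from enrolled users presenting their own biometric;
'impostor' attempts come from people claiming someone else's identity."""

# Constructed matcher outputs (higher score = closer match to the stored template).
GENUINE_SCORES = [0.95, 0.91, 0.88, 0.85, 0.80, 0.76, 0.72, 0.68, 0.60, 0.52]
IMPOSTOR_SCORES = [0.20, 0.28, 0.33, 0.40, 0.47, 0.55, 0.62, 0.70, 0.74, 0.79]


def accepted(score, threshold):
    """The matcher's decision rule: accept the supplicant if the score reaches the threshold."""
    return score >= threshold


def frr(genuine, threshold):
    """False rejection rate: fraction of genuine attempts the rule rejects (Type I error)."""
    return sum(1 for s in genuine if not accepted(s, threshold)) / len(genuine)


def far(impostor, threshold):
    """False acceptance rate: fraction of impostor attempts the rule accepts (Type II error)."""
    return sum(1 for s in impostor if accepted(s, threshold)) / len(impostor)


def crossover(genuine, impostor, steps=100):
    """Sweep the threshold over [0, 1] and return (threshold, rate) where FRR and FAR
    are closest to equal.  The rate at that point is the crossover error rate (CER);
    a lower CER means a better separated genuine/impostor population."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        r, a = frr(genuine, t), far(impostor, t)
        gap = abs(r - a)
        if best is None or gap < best[0]:
            best = (gap, t, (r + a) / 2)
    _, t, rate = best
    return t, rate


if __name__ == "__main__":
    t, cer = crossover(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"CER = {cer:.2f} at threshold {t:.2f}")
    for thr in (0.5, t, 0.9):
        print(f"threshold {thr:.2f}: FRR={frr(GENUINE_SCORES, thr):.2f} "
              f"FAR={far(IMPOSTOR_SCORES, thr):.2f}")
```

With the constructed scores the curves cross at a threshold of 0.69, where both error rates are 0.30. Raising the threshold to 0.90 drives the FAR to zero but rejects 80% of genuine users, which is the trade-off a data-centre door would make and a consumer phone would not.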

Authenticating with Kerberos and SESAME

Kerberos, named after the three-headed dog that guards the underworld in Greek mythology, uses symmetric-key encryption to validate an individual user to various network resources. Kerberos keeps a database containing the secret keys of all registered principals. Network services running on servers in the Kerberos realm are registered with it, as are the clients that use those services. Each secret key is known only to its principal and to the Kerberos server, which is what lets the server vouch for one network node (client or server) to another.

Kerberos is based on the following principles:

1. The Key Distribution Center (KDC) knows the secret keys of all clients and servers on the network. Using these secret keys, the KDC initially exchanges information with the client and with the server.
2. Kerberos authenticates a client to a requested service on a server through the Ticket Granting Service (TGS), by issuing temporary session keys for the communications between the client and the KDC, between the server and the KDC, and between the client and the server. Subsequent communications between the client and the server are protected with these temporary session keys.

Visit http://web.mit.edu/Kerberos/ to obtain the MIT Kerberos software.
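The two principles above describe a three-stage exchange (AS, TGS, AP). The following is an added simulation of that flow written for this sheet; it is not MIT Kerberos and not its wire format. The cipher is a toy HMAC-SHA256 keystream with an integrity tag, used only so the exchange runs offline with the standard library; the principal names, keys, lifetimes and the clock-skew window are constructed assumptions.

```python
"""Added example: the Kerberos message flow as three functions (KDC
authentication service, KDC ticket-granting service, application server)
plus a client that drives them.  Not MIT Kerberos: the cipher is a toy
HMAC-SHA256 keystream chosen so the example runs with the standard library.
Principal names, keys, lifetimes and the skew window are constructed."""
import hashlib
import hmac
import json
import os
import time


def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key, obj):
    """Toy authenticated encryption of a JSON-able dict under a 32-byte key."""
    nonce = os.urandom(16)
    pt = json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Inverse of seal; raises ValueError if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


# Principle 1: the KDC holds the secret key of every principal (constructed keys).
KDC_DB = {"alice@EXAMPLE": os.urandom(32),
          "krbtgt/EXAMPLE": os.urandom(32),   # key of the ticket-granting service itself
          "host/fileserver": os.urandom(32)}
TICKET_LIFETIME = 8 * 3600                   # seconds (assumed)
SKEW = 300                                   # clock skew the server tolerates (assumed)


def kdc_as_exchange(client):
    """AS-REQ/AS-REP: return (reply sealed under the client's key, TGT sealed under the TGS key)."""
    sk = os.urandom(32)                      # temporary client<->TGS session key
    tgt = seal(KDC_DB["krbtgt/EXAMPLE"], {"client": client, "key": sk.hex(),
                                          "expires": time.time() + TICKET_LIFETIME})
    return seal(KDC_DB[client], {"tgs_key": sk.hex()}), tgt


def kdc_tgs_exchange(tgt, authenticator, service):
    """TGS-REQ/TGS-REP: check the TGT and authenticator, issue a ticket for `service`."""
    t = unseal(KDC_DB["krbtgt/EXAMPLE"], tgt)
    if t["expires"] < time.time():
        raise PermissionError("TGT expired")
    auth = unseal(bytes.fromhex(t["key"]), authenticator)   # proves the client holds the session key
    if auth["client"] != t["client"]:
        raise PermissionError("authenticator does not match ticket")
    svc_key = os.urandom(32)                 # temporary client<->server session key
    ticket = seal(KDC_DB[service], {"client": t["client"], "key": svc_key.hex(),
                                    "expires": time.time() + TICKET_LIFETIME})
    return seal(bytes.fromhex(t["key"]), {"svc_key": svc_key.hex()}), ticket


def server_ap_exchange(service, ticket, authenticator):
    """AP-REQ: the server opens the ticket with its own key and checks the authenticator's age."""
    t = unseal(KDC_DB[service], ticket)
    auth = unseal(bytes.fromhex(t["key"]), authenticator)
    if auth["client"] != t["client"] or abs(time.time() - auth["ts"]) > SKEW:
        raise PermissionError("stale or mismatched authenticator (replay?)")
    return t["client"]


def client_login(client, service):
    """The full flow from the client's side; returns the principal name the server accepted."""
    enc, tgt = kdc_as_exchange(client)
    # A real client derives this key from the user's password; the constructed key is reused here.
    tgs_key = bytes.fromhex(unseal(KDC_DB[client], enc)["tgs_key"])
    enc2, ticket = kdc_tgs_exchange(tgt, seal(tgs_key, {"client": client, "ts": time.time()}), service)
    svc_key = bytes.fromhex(unseal(tgs_key, enc2)["svc_key"])
    return server_ap_exchange(service, ticket, seal(svc_key, {"client": client, "ts": time.time()}))


def rejects(step, *args):
    """True if a step refuses its input (wrong key, tampering, expiry, replay)."""
    try:
        step(*args)
        return False
    except (ValueError, PermissionError):
        return True


if __name__ == "__main__":
    print("server accepted:", client_login("alice@EXAMPLE", "host/fileserver"))
```

Two properties of the design are worth checking against the code: the client never sees the TGS or server keys (it can only open the replies sealed under keys it holds), and a captured authenticator is useless after the skew window because the server compares its timestamp with the current time.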

Secure European System for Applications in a Multivendor Environment (SESAME) is similar to Kerberos in that the user is first authenticated to an authentication server and receives a token. The token is then presented to a privilege attribute server (instead of a ticket-granting service as in Kerberos) as proof of identity to obtain a Privilege Attribute Certificate (PAC). The PAC is like the ticket in Kerberos; however, a PAC conforms to the standards of the European Computer Manufacturers Association (ECMA) and the International Organization for Standardization/International Telecommunication Union (ISO/ITU-T). The remaining differences lie in the security protocols and distribution methods used: SESAME uses public-key encryption to distribute secret keys. SESAME also builds on the Kerberos model by adding more sophisticated access control features, more scalable encryption systems, improved manageability, auditing features, and the option to delegate responsibility for access authorization.
