Chapter 1: Topics
This chapter covers the following topics and concepts:
Chapter 1 Goals
resources. Access control systems, when properly designed, implement business rules, often direct implementations of policy,
in such a manner that individuals have access to the information and resources needed to perform their responsibilities but no
more.
The consequences of weak or nonexistent access controls range from inconvenient to downright disastrous, depending on
For the average user, it may be annoying and inconvenient to have someone else reading your e-mail. On the other end of
the scale, without strong access controls, companies could lose billions of dollars when disgruntled employees bring down
mission-critical systems. Identity theft is a major concern in modern life, because so much of our private information is stored
in accessible databases.
The only way that information can be both useful and safe is through strong access controls.
Fundamental concepts
What Is Access?
• Access refers to the ability of a subject to interact with an object. That interaction is the basis of everything
we do, both in the information technology (IT) field and in life in general.
• Access can be defined in terms of social rules, physical barriers, or informational restrictions.
For example, consider a busy executive (HoD) with an administrative assistant who serves as a gatekeeper,
deciding who will be allowed to interact personally with the executive and who must leave a message
with the administrative assistant.
In this scenario, the visitor is the subject and the busy executive (HoD) is the object.
The administrative assistant serves as the access control system, restricting which individuals (subjects) may
access the executive (object).
Scenario
When you leave your house, you lock the doors. The locked door physically restricts
access by anyone without a key to the assets stored inside your house - your TV,
computer, and stereo system. When you come home, you unlock the door and replace
the physical restriction of the locking mechanism with a human gatekeeper who
decides whether or not to let someone enter the house.
What Is Access Control?
Access controls define the allowable interactions between subjects and objects.
• Policies — The rules that govern who gets access to which resources
• Objects — The resource to which the subject desires access (e.g., files, databases, printers)
• Any time you have to decide whether to allow or deny access by a subject to a resource, you have
entered the access control problem domain.
Access Control Systems - elements
For example,
Most companies have strict policies to determine who has access to personnel records. These
records contain sensitive and confidential information; if those records were compromised, that
information could be used to inflict serious harm on individual employees and the whole company.
The policy may state that only employees within the human resources department, with a specific
need for the information contained within a given record, may have access to it.
To enforce this policy, the company has procedures that state that a record can be given only to
employees with the proper credentials (the authentication process) who fill out a form stating
their specific need for the information contained in the record they request.
When the request is approved, the employees may be given a username and password to
access the employee records intranet site (the authorization process).
The intranet site, along with the username and password, is the tool required to grant access to
personnel records.
There are three types of subjects when it comes to access control for a specific resource:
• Authorized—Those who have presented authenticated credentials and have been approved for access to the
resource
• Unauthorized—Those who have presented authenticated credentials but are not approved for access to the
resource
AAA
Every individual who initially approaches an access control system is unknown until he or she attempts to
authenticate. For example, someone might be asked to provide a username and password.
1) If the user’s password is correct, the system knows with certainty who the user is and now it must check, if the
1a) Someone allowed to access the resource moves to the “authorized” state.
1b) Otherwise, the user is still known, but now moves to the “unauthorized” state.
2) If the user does not provide the correct password, the system still does not know who the user is and he or she
This process is known as AAA (or “triple A”) security and involves three components:
• Authorization—Ensuring that an
authenticated user is allowed to
perform the requested action
• Accounting—Maintaining records of
the actions performed by authorized
users
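The flow described above, from unknown subject to authorized or unauthorized, with an accounting record for each decision, as an added example that is not part of the original slides. The user IDs, passwords, and policy table are constructed for illustration, and recording every decision (not only actions by authorized users) is a choice made in this example.

```python
import hashlib
import hmac
import os
from enum import Enum

class State(Enum):
    UNKNOWN = "unknown"            # credentials not verified
    AUTHORIZED = "authorized"      # verified and approved for the object
    UNAUTHORIZED = "unauthorized"  # verified but not approved

def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so stored credentials are not plain passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _enroll(password: str):
    salt = os.urandom(16)
    return salt, _hash(password, salt)

# Constructed sample data: subject labels are unique user IDs.
USERS = {"u1001": _enroll("correct horse"), "u2002": _enroll("battery staple")}
# Policy: which subject labels may access which object label.
POLICY = {"personnel_records": {"u1001"}}
AUDIT_LOG = []  # accounting: (claimed_id, object, resulting state)

def authenticate(user_id: str, password: str) -> bool:
    record = USERS.get(user_id)
    if record is None:
        _hash(password, b"\x00" * 16)  # keep work similar for unknown IDs
        return False
    salt, stored = record
    return hmac.compare_digest(stored, _hash(password, salt))

def request_access(user_id: str, password: str, obj: str) -> State:
    if not authenticate(user_id, password):
        state = State.UNKNOWN          # the system still does not know the subject
    elif user_id in POLICY.get(obj, set()):
        state = State.AUTHORIZED
    else:
        state = State.UNAUTHORIZED     # known, but not approved for this object
    AUDIT_LOG.append((user_id, obj, state.value))
    return state

if __name__ == "__main__":
    for uid, pw in [("u1001", "correct horse"), ("u2002", "battery staple"),
                    ("u1001", "wrong guess")]:
        print(uid, request_access(uid, pw, "personnel_records").value)
```
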
Users are not the only subjects in access control systems.
Technological Resources may also serve as subjects in access control systems.
Access control - process
Identification
The first step in any access control process is identification.
• The system must be able to apply labels to the two parts of the access equation: the subject and the object.
In this case, a label is a purely logical description that is easy for the computer to understand. A human
might easily recognize that “Beth” and “Elizabeth” are the same individual, but a computer cannot
necessarily make that logical connection.
• To make things simpler, you can assign a universal label to each subject and object. That label remains with
that individual or resource throughout the life cycle of the privileged interaction with the object. The object
also has a label to distinguish it from other resources. For example, a network might have six printers
available, labeled “printer1,” “printer2,” and so on. A person’s label might be a user ID, his or her e-mail
address, his or her employee ID, or some other unique identifier.
References
• Chapple, M., Ballad, B., Ballad, T., Banks, E. (2013), Access Control, Authentication, and Public
Key Infrastructure, Jones & Bartlett Learning. ISBN: 9781284031607