This article discusses the access control security features that control how users and systems communicate and interact with other systems and resources. They protect systems and resources from unauthorized access and can be components that participate in determining the level of authorization after authentication procedures have successfully completed. Although identification, authentication, authorization and accountability have close and complementary definitions, each has a distinct function that fulfills a specific requirement in the access control process, as described below.
Access control review: The following is a review of the basic concepts in access control:
1) Identification - The subject supplies identification information such as a username, user ID or account number.
2) Authentication - Verifying the claimed identity using something such as a passphrase, PIN value, biometric, one-time password or password.
3) Authorization - Using criteria to determine which operations subjects can carry out on objects: "I know who you are, now what am I going to allow you to do?"
4) Accountability - Audit logs and monitoring to track user activity.
Identity management solutions and products available in the marketplace include directories, web access management, password management, legacy single sign-on, account management and profile update. Day-to-day authentication methods used for accessing applications include biometrics, passwords, token devices, cryptographic keys, passphrases, memory cards and smart cards. After a person is authenticated, they go through the authorization process to access the various resources. Single sign-on is the concept where a user only has to remember one username and password to access multiple resources, as depicted in the image below.
Federation: Extending the single sign-on concept, federation is a method of accessing websites and applications belonging to different companies using one set of credentials.
Access Control Models: An access control model dictates how subjects access objects. The three main types are discretionary, mandatory and nondiscretionary (role-based access control).
DAC - The owner of the resource specifies which subjects can access specific resources.
MAC - The operating system makes the final decision and can override the user's wishes.
RBAC - Access to resources is based on the role the user holds in the company.
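The three models differ in who makes the decision: the owner (DAC), the system comparing labels (MAC), or a role table (RBAC). The following Python is an added example, not code from the article or its author; the subjects, objects, sensitivity levels and role table are constructed, and the MAC policy is assumed to be the Bell-LaPadula "no read up / no write down" rules, which the article does not specify.

```python
# Added example (not from the original article): the three access control
# models as decision functions over constructed subjects and objects.
from dataclasses import dataclass, field

# Ordered sensitivity levels used by the MAC model (constructed for this example).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass
class Subject:
    name: str
    clearance: str = "public"            # used by MAC
    roles: frozenset = frozenset()       # used by RBAC


@dataclass
class Obj:
    name: str
    owner: str
    label: str = "public"                # MAC sensitivity label set by the system
    dac_perms: dict = field(default_factory=dict)   # subject name -> set of ops


# DAC: the resource owner decides who may do what; only the owner can grant.
def dac_grant(obj, grantor, subject, ops):
    if grantor != obj.owner:
        raise PermissionError(f"{grantor} is not the owner of {obj.name}")
    obj.dac_perms.setdefault(subject, set()).update(ops)


def dac_allows(obj, subject, op):
    return subject == obj.owner or op in obj.dac_perms.get(subject, set())


# MAC: the system compares the subject's clearance with the object's label; the
# owner's wishes do not enter into it. "No read up" and "no write down" (the
# Bell-LaPadula rules) are assumed here as the concrete policy.
def mac_allows(subject, obj, op):
    clearance, label = LEVELS[subject.clearance], LEVELS[obj.label]
    if op == "read":
        return clearance >= label
    if op == "write":
        return clearance <= label
    return False


# RBAC: permissions are attached to roles, and subjects receive them through
# the roles they hold (constructed role table).
ROLE_PERMS = {
    "clerk": {("ledger", "read")},
    "accountant": {("ledger", "read"), ("ledger", "write")},
    "auditor": {("ledger", "read"), ("audit_log", "read")},
}


def rbac_allows(subject, obj_name, op):
    return any((obj_name, op) in ROLE_PERMS.get(role, set()) for role in subject.roles)


def demo():
    """Run each model over the same constructed subjects and return the decisions."""
    report = Obj("report.docx", owner="alice", label="confidential")
    alice = Subject("alice", clearance="secret", roles=frozenset({"accountant"}))
    bob = Subject("bob", clearance="internal", roles=frozenset({"clerk"}))

    results = {"dac_before_grant": dac_allows(report, "bob", "read")}
    dac_grant(report, "alice", "bob", {"read"})          # owner grants bob read
    results["dac_after_grant"] = dac_allows(report, "bob", "read")
    results["mac_bob_read"] = mac_allows(bob, report, "read")        # read up: denied
    results["mac_alice_write"] = mac_allows(alice, report, "write")  # write down: denied
    results["rbac_alice_write_ledger"] = rbac_allows(alice, "ledger", "write")
    results["rbac_bob_write_ledger"] = rbac_allows(bob, "ledger", "write")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that in the DAC branch alice's grant is honoured immediately, whereas in the MAC branch bob's read of the same confidential object is refused regardless of what alice wants; that contrast is the practical meaning of "the operating system can override the user's wishes".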
Access Control techniques and technology: This section describes the different access control techniques and technologies available to support the access control models: rule-based access control, constrained user interfaces, the access control matrix, capability tables, access control lists, content-dependent access control and context-dependent access control.
- Access control matrix: A table of subjects and objects that outlines their access relationships.
- ACL: Bound to an object and indicates which subjects can access it.
- Capability table: Bound to a subject and indicates which objects that subject can access.
- Content-based access: Bases access decisions on the sensitivity of the data, not solely on subject identity.
- Context-based access: Bases access decisions on the state of the situation, not solely on identity or content sensitivity.
- Restricted interface: Limits the user's environment within the system, thus limiting access to objects.
- Rule-based access: Restricts subjects' access attempts by predefined rules.
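An ACL and a capability table are two views of the same access control matrix, and content-, context- and rule-based checks are layered on top of that identity-based decision. The following Python is an added example, not code from the article or its author; the matrix, the records with their sensitivity tags, the clearances and the two rules (corporate network only, business hours only) are all constructed for the illustration.

```python
# Added example (not from the original article): an access control matrix with
# its ACL and capability views, plus content-, context- and rule-based checks.
from datetime import time

# Access control matrix: rows are subjects, columns are objects, cells are the
# permitted operations (constructed data).
MATRIX = {
    "alice": {"payroll.db": {"read", "write"}, "memo.txt": {"read"}},
    "bob":   {"memo.txt": {"read", "write"}},
    "carol": {"payroll.db": {"read"}},
}


def acl_for(obj):
    """ACL view: bound to an object, lists which subjects may access it (one column)."""
    return {subject: ops[obj] for subject, ops in MATRIX.items() if obj in ops}


def capabilities_for(subject):
    """Capability view: bound to a subject, lists which objects it may access (one row)."""
    return dict(MATRIX.get(subject, {}))


def matrix_allows(subject, obj, op):
    return op in MATRIX.get(subject, {}).get(obj, set())


# Content-dependent access: the decision looks at the data itself, here a
# sensitivity tag on each record, not only at who is asking (constructed data).
RECORDS = {
    "payroll.db": [
        {"id": 1, "sensitivity": "internal", "salary": 50000},
        {"id": 2, "sensitivity": "executive", "salary": 250000},
    ]
}
CLEARANCE = {"alice": {"internal", "executive"}, "carol": {"internal"}}


def content_filter(subject, obj):
    """Return only the records whose sensitivity the subject is cleared for."""
    allowed = CLEARANCE.get(subject, set())
    return [r for r in RECORDS.get(obj, []) if r["sensitivity"] in allowed]


# Context-dependent access driven by predefined rules: the state of the
# situation (source network, time of day) decides, regardless of identity.
RULES = [
    lambda ctx: ctx["src_net"] == "corp",                   # corporate network only
    lambda ctx: time(8, 0) <= ctx["now"] <= time(18, 0),    # business hours only
]


def context_allows(ctx):
    return all(rule(ctx) for rule in RULES)


def decide(subject, obj, op, ctx):
    """Identity check (matrix) AND context rules; a read then gets content-filtered."""
    if not matrix_allows(subject, obj, op):
        return (False, "denied by matrix")
    if not context_allows(ctx):
        return (False, "denied by context rules")
    if op == "read" and obj in RECORDS:
        return (True, content_filter(subject, obj))
    return (True, "allowed")


if __name__ == "__main__":
    office = {"src_net": "corp", "now": time(10, 30)}
    print("ACL for payroll.db:", acl_for("payroll.db"))
    print("capabilities of bob:", capabilities_for("bob"))
    print("carol reads payroll.db:", decide("carol", "payroll.db", "read", office))
    print("alice at night:", decide("alice", "payroll.db", "read", {"src_net": "corp", "now": time(2, 0)}))
```

The order of checks in `decide` is deliberate: the cheap identity lookup runs first, the context rules can refuse even an authorized subject, and the content filter then narrows what an allowed read actually returns, so carol, who holds read on the whole file, still never sees the executive record.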
Access Control Administration: To achieve a further level of protection, the models must be administered, which comes in two flavors: centralized and decentralized.
- Centralized - One entity is responsible for overseeing access to all corporate resources.
- Decentralized - Control is given to the people who may better understand who should and should not have access to certain files, data and resources.
Accounting: Accounting tracks user, system and application activities through audit trails, so that alerts about suspicious activities can be raised and investigated at a later time.
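Accountability only pays off if the audit trail is actually reviewed. The following Python is an added example, not code from the article or its author: it records each access decision as a trail entry and runs two constructed reviews over it, one for repeated denials within a short window and one for allowed access outside business hours. The log entries, the five-minute window, the threshold of three denials and the 08:00 to 18:00 working day are all assumptions made for the illustration.

```python
# Added example (not from the original article): an audit trail of access
# decisions and two simple reviews over it that surface activity worth
# investigating later. The log entries below are constructed.
from collections import defaultdict
from datetime import datetime, timedelta


def record(trail, ts, subject, obj, op, allowed, reason):
    """Append one accountability entry: who did what, to which object, and the outcome."""
    trail.append({"ts": ts, "subject": subject, "object": obj,
                  "op": op, "allowed": allowed, "reason": reason})


def sample_trail():
    """Constructed trail: one morning of activity plus one late-night access."""
    trail = []
    t = datetime(2024, 3, 1, 9, 0)
    record(trail, t, "alice", "payroll.db", "read", True, "matrix")
    for minute in (1, 2, 3):  # three denials within three minutes
        record(trail, t + timedelta(minutes=minute), "mallory", "payroll.db", "read", False, "matrix")
    record(trail, t + timedelta(minutes=10), "bob", "memo.txt", "write", False, "context")
    record(trail, t + timedelta(minutes=30), "bob", "memo.txt", "write", False, "context")
    record(trail, datetime(2024, 3, 1, 23, 15), "carol", "payroll.db", "read", True, "matrix")
    return trail


def flag_repeated_denials(trail, threshold=3, window=timedelta(minutes=5)):
    """Subjects with at least `threshold` denials inside any sliding `window`."""
    denials = defaultdict(list)
    for entry in trail:
        if not entry["allowed"]:
            denials[entry["subject"]].append(entry["ts"])
    flagged = set()
    for subject, times in denials.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(subject)
                break
    return flagged


def flag_after_hours(trail, start_hour=8, end_hour=18):
    """Subjects whose *allowed* accesses fall outside business hours."""
    return sorted({e["subject"] for e in trail
                   if e["allowed"] and not (start_hour <= e["ts"].hour < end_hour)})


if __name__ == "__main__":
    trail = sample_trail()
    print("repeated denials:", flag_repeated_denials(trail))
    print("after-hours access:", flag_after_hours(trail))
```

Bob's two denials twenty minutes apart stay below the threshold, while mallory's three in three minutes are flagged; carol's access was permitted by the access control decision and is surfaced only because the trail, not the decision, records when it happened.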
Authored by Pratibha Gaur
TCS Enterprise Security and Risk Management