* Access control is the ability to permit or deny the privileges that users have when accessing resources on a network or computer. Access control involves three entities:
=> Objects are the data, applications, systems, networks, and physical space.
=> Subjects are the users, applications, or processes that need access to objects.
=> The access control system includes the policies, procedures, and technologies that are implemented to control a subject's access to an object.
======================================================
* Access control includes the following processes:
=> Identification identifies the subject. Examples include a username or a user ID number.
=> Authentication is the process of validating a subject's identity. It includes the identification process, the user providing input to prove identity, and the system accepting that input as valid.
=> Authorization is granting or denying a subject's access to an object, based on the permissions the subject holds or the actions it is allowed to perform on that object.
=> Auditing (also referred to as accounting) is maintaining a record of a subject's activity within the information system.
Note: Authentication, authorization, and auditing are known as the AAA of access control.
======================================================
* An access control policy defines the steps and measures that are taken to control access to objects by subjects. Access controls can be classified according to the function they perform:
=> Preventive access controls stop an intrusion or attack before it happens, for example, separation of duties or dual-custody processes.
=> Detective access controls discover that an attack is occurring or has occurred and gather details about the attack and the attacker, for example, intrusion detection systems.
=> Corrective access controls implement short-term repairs to restore basic functionality following an attack.
=> Deterrent access controls discourage an attacker from continuing or escalating an attack while it is in progress.
=> Recovery access controls restore the system to normal operations after the attack and short-term stabilization period.
=> Compensating access controls (also called compensative controls) are alternatives that substitute for a primary control when it cannot be implemented.
======================================================
* Access control measures can also be classified based on how they restrict or control access:
=> Administrative controls are policies that describe accepted practices. Examples are directive policies and employee awareness training.
=> Technical controls are computer mechanisms that restrict access. Examples are encryption, one-time passwords, access control lists, and firewall rules.
=> Physical controls restrict physical access. Examples are perimeter security, site location, networking cables, and employee segregation.
On a computer network, a directory service is an example of a technical access control system that you use to manage and enforce access control policies. Examples of directory services are:
=> Active Directory for Microsoft Windows networks.
=> Novell's eDirectory for NetWare, Linux, and Windows networks.
======================================================
* Within the directory service:
=> A user account is created for each subject. Identification is performed during logon by supplying a valid user account name.
=> Authentication is performed during logon by supplying the password or other requirements for proving identity.
=> Authorization to use network resources, such as files, printers, or computers, is controlled by the permissions assigned on each object and the rights granted to the subject for system-level actions.
=> Auditing is performed by the operating system as it tracks actions taken by subjects on objects.
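The four processes listed above (identification, authentication, authorization, auditing) and the directory-service logon walk-through are easier to see together in code. The following is an added example, not code from the original notes and not Active Directory or eDirectory code: a toy directory of accounts in Python. The account names (alice, bob, mallory), the object name \\fs01\payroll.xlsx, the group names, the PBKDF2 iteration count, and the "explicit deny wins, otherwise default deny" ACL evaluation rule are all assumptions made for the illustration.

```python
"""Toy access-control system showing the AAA processes on a directory of
accounts: identification, authentication, authorization and auditing.
Added example; all names and sample data below are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

PBKDF2_ITERATIONS = 100_000  # password-hashing work factor (assumed value)


@dataclass(frozen=True)
class Account:
    """Directory entry for one subject: identity plus stored credential."""
    name: str
    salt: bytes
    pw_hash: bytes
    groups: frozenset


@dataclass(frozen=True)
class Subject:
    """An authenticated subject: the account name and every principal it holds."""
    name: str
    principals: frozenset


@dataclass
class Directory:
    """The access control system: accounts, per-object ACLs, rights, audit trail."""
    accounts: dict = field(default_factory=dict)
    acls: dict = field(default_factory=dict)    # object -> [(principal, action, allow?)]
    rights: dict = field(default_factory=dict)  # right -> set of principals holding it
    audit_log: list = field(default_factory=list)

    def audit(self, who, action, obj, result):
        """Auditing: record who tried what on which object, and the outcome."""
        self.audit_log.append({"subject": who, "action": action,
                               "object": obj, "result": result})


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def create_account(d, name, password, groups=()):
    salt = os.urandom(16)
    d.accounts[name] = Account(name, salt, hash_password(password, salt), frozenset(groups))


def logon(d, name, password):
    """Identification (look the name up) then authentication (verify the credential).
    Returns a Subject on success, None on failure; every attempt is audited."""
    acct = d.accounts.get(name)
    if acct is None:
        # Hash anyway so an unknown name cannot be told apart by response time.
        hash_password(password, os.urandom(16))
        d.audit(name, "logon", "-", "failure: unknown account")
        return None
    if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
        d.audit(name, "logon", "-", "failure: bad password")
        return None
    d.audit(name, "logon", "-", "success")
    return Subject(name, frozenset({name}) | acct.groups)


def authorize(d, subject, obj, action):
    """Authorization against the object's ACL (permissions): an explicit deny for
    any of the subject's principals wins, otherwise any allow grants, else deny."""
    decisions = [allow for principal, act, allow in d.acls.get(obj, [])
                 if principal in subject.principals and act == action]
    granted = (False not in decisions) and (True in decisions)
    d.audit(subject.name, action, obj, "granted" if granted else "denied")
    return granted


def has_right(d, subject, right):
    """Rights are system-level privileges held by principals, as opposed to
    permissions, which are attached to individual objects."""
    granted = bool(d.rights.get(right, set()) & subject.principals)
    d.audit(subject.name, "right:" + right, "-", "granted" if granted else "denied")
    return granted


def build_sample_directory():
    """Constructed sample data, not taken from any real network."""
    d = Directory()
    create_account(d, "alice", "correct horse", groups={"staff", "admins"})
    create_account(d, "bob", "battery staple", groups={"staff", "contractors"})
    d.acls[r"\\fs01\payroll.xlsx"] = [
        ("staff", "read", True),         # everyone in staff may read ...
        ("contractors", "read", False),  # ... unless they are also a contractor
    ]
    d.rights["shutdown"] = {"admins"}
    return d


if __name__ == "__main__":
    d = build_sample_directory()
    alice = logon(d, "alice", "correct horse")
    bob = logon(d, "bob", "battery staple")
    logon(d, "mallory", "guess")  # unknown subject, audited as a failure
    print(authorize(d, alice, r"\\fs01\payroll.xlsx", "read"))   # True
    print(authorize(d, bob, r"\\fs01\payroll.xlsx", "read"))     # False: explicit deny
    print(authorize(d, alice, r"\\fs01\payroll.xlsx", "write"))  # False: default deny
    for record in d.audit_log:
        print(record)
```

Each call maps onto one of the four processes: the account lookup in logon() is identification, the salted-hash comparison is authentication, authorize() and has_right() are authorization by permissions and rights respectively, and every outcome, including failed logons for names that do not exist, lands in audit_log so the trail can be reviewed later.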