The goal of information security access control is to ensure that the information access is restricted to people who are authorized to access that information. To implement access control, it is important that you have security policies in place in your company and clear set of roles and responsibilities defined for people involved in security management.
There are number of access control models available that help you to ensure that only authorized people can access the information. The access control models help an organization to define its security policies. The access control models are based on following two principals:
- Implicit denies: In this principal, certain users are locked implicitly and then allow and deny permissions are configured for the users. For example the at.allow and at.deny files configured in UNIX allow/deny the service to users named in the files.
- Least privilege: In this principal, the users are given only the least permissions they need to do their work.
Different Access Control Models are:
- Bell-La-Padula Model (BLM): This is a multi-level model designed by Bell and LaPadula. It is especially created for government and military applications to implement access control. It is based on least privilege principal and prevents the users from accessing information that has higher security rating than they are authorized to do. A problem with this model is it does not deal with the integrity of data.
- Biba Model: This model was created to remove the drawbacks of Bell-LaPadula model. This model emphasizes on the integrity of data. It does not allow write up and read down. This means, that the users cannot corrupt data stored for a higher rank, or cannot get corrupted data by users from a lower rank. They can only create content at or below their own integrity level and can view content only at or above their own integrity level
- Clark-Wilson Model: This model focuses on programs instead of users. It prevents unauthorized modification of data or programs by users. It addresses all the three goals of integrity and also focuses on internal and external consistency of data.
- Information Flow Model: This model focus on flow of information in all the direction and not just up or down as done by Bell-LaPadula Model and Biba models. This model prevents an operation from occurring if it is illegal.
- Noninterference Model: This model ensures that the high level security functions do not interfere with the lower-level functions. This prevents the lower level user to get affected by the changes made to the higher level of a system.
Authentication and Authorization
An effective control mechanism must also be in place to safeguard company’s resources. The authorized individuals that include employees, vendors, contractors, customers, or visitors should be given appropriate permissions to access authorized network devices in accordance with the company’s policies.
It is important to check that the people and systems that try to access the resources of the company are actually the people and the systems that they claim to be. Authentication techniques allow you to identify and authenticate the people and the systems. Authentication works in conjunction with the identification. Once the identity of a person is established by the system, authorization enables a system to find whether the user is allowed to access the requested resource or not.
The authentication depends upon three major factors that include factors such as: something you know- for example the personal identification number (PIN) and password, something you have – for example the smart card, and something physically unique about you – for example your fingerprints or retinal patterns.
At times, multifactor authentication is also used in which two or more methods of authentication are used. For example, the use of smartcards and the passwords. Some common Authentication methods used these days are: Username/Password, Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), Certificates, Security Tokens, and Kerberos.
Wireless Security Measures
In Wireless systems air is used to transmit data instead of wires. The wireless systems are less secure than wired systems because the data can be intercepted in transit and can be misused. To protect data on wireless systems, the wireless controllers use Service Set Identifiers (SSID), WAP and WEP.
SSID are special ID numbers in the network cards to ensure security. WAP is for use with mobile devices such as PDAs and cell phones. It functions similar to TCP/IP and serves the same purpose for wireless communications. WEP is a privacy protocol specified in IEEE 802.11 to provide secure communication to wireless LAN users.