
Access Control Methods in Information Security - Coursework Example

Summary
This paper, 'Access Control Methods in Information Technology', explains that access control is one of the most sensitive aspects of computer and computer systems' security. It refers to any mechanism that controls a form of verification to guarantee information protection from inappropriate access…

Extract of sample "Access Control Methods in Information Security"

Access Control Methods in Information Technology

Introduction

Access control is one of the most sensitive aspects of computer and computer systems' security. Access control refers to any mechanism that controls or provides a form of verification to guarantee the protection of information from inappropriate access or unauthorized use. Collectively, access control methods serve two purposes: controlling modification and controlling the disclosure of information in the face of threats. In computer security, a threat is any agent that may breach the confidentiality or interfere with the integrity of information or information systems. Threats can take multiple forms, ranging from sabotage and deliberate espionage to leakage and information extortion. Given how widely information technology is now used to capture and store information, it is important that access control systems exist to protect information and information technology systems.

Problem statement

Today, most of the issues associated with information technology revolve around the loss or disclosure of sensitive data or computer systems. Hacking is one of the most prevalent problems facing the information technology sector. In organizations, a lack of access control methods exposes critical information to unauthorized parties. Additionally, access to these systems exposes them to theft, unskilled operation, or modification of hardware, software or data. As such, the need for methods of controlling access to information technology systems stands out. Threats to information technology systems differ in scope, but can generally be categorized into logical and physical threats, as discussed herein. The counter-systems to these threats are discussed in this study with regard to their operation and the benefits they offer to the information technology field.

Logical Access Control Models

Logical access control models are simply protocols (mostly electronic-based) meant to prevent any form of access to information technology systems. With these types of controls, access is granted according to one's allowed extent of exposure to information security systems. They are categorized as Mandatory Access Control, Discretionary Access Control, or Role-Based Access Control, depending on their level of access control and their applications.

Mandatory Access Control (MAC)

In this method of access control, one or more policies are made such that they enforce security policies independent of user operations. Put another way, this method grants only the custodial management and the owner the privileges of managing the access controls. The third party (end user) has no permissions or abilities to control the security settings of the system. This method is created from two security models: Bell-LaPadula and Biba. In Bell-LaPadula, information confidentiality is the key concern. In Biba, integrity is the bigger concern (Ausanka, 2009). This method is useful in securing information technology systems in that it is immune to Trojan attacks, as the end users are not able to declassify any information. Second, the combination of the Bell-LaPadula and Biba models enables this type of control system to operate in highly hostile environments such as financial institutions or web servers. It is therefore mostly used in intelligence and military applications (Ferrari, 2010).

Discretionary Access Control (DAC)

DAC, unlike MAC, is more widely used, as it supports more commercial applications. In this method, the pre-determined policies put in place by the custodian or system owner (as in MAC) are replaced by frameworks that grant access according to a user's rights on the objects that they own in the system(s). In this case, an end user has the permissions and abilities to control and set any controls on the subjects that they own, plus the associated programs.
As such, if one does not own subject X, then they can access neither it nor the functions or programs associated with it. The advantage of this method is that it allows a single system to be used by multiple end users without any of them interfering with the others' rights. This is termed fine-grained control, as it implements least-privilege access for individuals. Second, this model is invisible to users and is therefore best suited for small enterprises and home users, since it is highly cost-effective.

Role-Based Access Control (RBAC)

This access control method encompasses both the Mandatory Access Control and Discretionary Access Control methods. It is unique in that it allows customization on a per-application basis, owing to its neutral framework, which inclines to neither the MAC nor the DAC method. In the RBAC method, an individual's authorization to the information systems is determined by their rank in an organization. For instance, only the head of security can access the security profile. Additionally, they have no permissions to access other departments. This method is meant to simplify the role of the system administrator by distributing roles to specific departments (profiles). The RBAC access control system is beneficial in that it protects both the integrity and the confidentiality of information systems. This is enabled by its ability to control not just which subjects can be accessed, but also the manner in which they are accessed. In addition, it comes with the rights and applications found in MAC and DAC. Owing to its complexity, this access control system is most suited for large organizations with many users.

In other logical access control models, user rights and permissions are provided by account restrictions, passwords, group policies, and access control lists. The account restriction method works in two ways: either account expiration or day restrictions.
In this case, a user will only access some information or systems during a specified time of day. Account expiration, on the other hand, ensures that unused accounts are not vulnerable to threats. This method is significant in that, first, administrators can access and update the systems when the off-time for the users ends. In this way, interference or vulnerability is minimized. Second, hackers cannot take advantage of "idle" accounts (Vacca, 2013).

Passwords, as the most common type of logical access control, make use of keywords, numerals, patterns, or other characters. They are also called logical tokens. Passwords are applied according to the level of system control. They can be created by anyone from end users to owners and system administrators. It is recommended that they be longer to increase their security level. However, they are quite unreliable, since they are susceptible to brute-force attacks or leakage. They are nevertheless significant in that they are easy to use and can be applied in big or small systems. In addition, their combination of all keyboard characters enhances their level of protection.

Group policies as an access control method are mostly used in Windows systems through Active Directory, a Windows directory service. The method works by creating a network shared by multiple computers. The operation of the network is restricted to the administrator, meaning that only they can configure rights or settings. This access control method is significant in that the administrator does not have to go to each computer and operate on it. Rather, they can do this from the comfort of their administrator panel.

The final method of logical access control is the Access Control List (ACL). The rights and permissions granted by ACLs are centralized on an object, such as a spreadsheet file, with a list of who can, or who cannot, have particular privileges. As such, whoever is listed on the attached subject has access to a system.
Depending on the operating system, the ACL will utilize an access mask, a flag for operations, a set of flags to identify privileges that are inherited, or a security identifier (Delaney, 2011). This method is significant in that multiple persons can be allowed access to a system without requiring individual authorization.

Physical access control systems

Apart from logical access control systems, physical access control systems exist too. Unlike the logical systems, the physical ones protect the hardware part of information technology systems. These are primarily computers and related equipment. Physical access control is often looked down upon compared with electronic breaches of access, even though the systems can be wrongly operated, vandalized, or stolen in part or in whole. As such, physical access control methods are as important as logical access controls.

One way of controlling physical access to information systems is by disabling or removing some parts of the computers, such as DVD drives and USB ports. These are disabled to ensure that access to information and usage of the computer is controlled. This method is important in that if someone accesses a computer without permission, they cannot install malicious programs or transfer information.

The doors providing access to computers and related equipment should be fitted with proper access control measures. One common method is using hardware locks. To gain entry, one has to use a key to disengage the lock. After the door shuts, the lock automatically prevents the door from being reopened unless one has a key. The other method of securing doors is by using door access systems such as codes or authorized magnetic cards. The cipher lock is a common door access system. One has to key in a recognized sequence of characters to gain entry at specified times of the day. Other systems, such as fingerprint, iris, and voice scan systems, complete the list (Ciampa, 2011).
These access control systems are significant in that they are one-off installations that provide authorized access only. In so doing, they ensure that information systems remain intact, thus ensuring integrity and confidentiality in their operations.

Conclusion

In computer security, access control is one of the most critical elements in that it determines what can be accessed, how, and by whom. In its absence, information systems are vulnerable to attacks by threats such as hackers and viruses. Access control systems come in two flavors: logical and physical. The physical control systems secure the systems from physical breach, while the logical access controls are electronic-based. As the study reveals, these methods vary in efficiency, scale of use, complexity, and intended purpose. Evidently, if information security is to retain its ranking as the in-thing in the modern world, access control systems should be key factors to be considered.

References

Ausanka, R. (2009). "Methods for Access Control: Advances and Limitations". Harvey Mudd College. 1-5.
Ciampa, M. (2011). Security+ Guide to Network Security Fundamentals. Cengage Learning.
Clark, D., & Wilson, D. (1997). "A Comparison of Commercial and Military Security Policies". IEEE Symposium on Security and Privacy. 184-194.
Delaney, E. (2011). CompTIA Security+ Deluxe Study Guide: SY0-201. John Wiley & Sons.
Ferrari, E. (2010). Access Control in Data Management Systems. Morgan & Claypool Publishers.
Vacca, J. (2013). Managing Information Security. Elsevier.
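
The Mandatory Access Control section names Bell-LaPadula (confidentiality) and Biba (integrity) as the two models behind MAC. The following is an added example, not part of the original paper, of a reference monitor that applies both rule sets to every request. The level names, the `Label` class and the sample objects are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed level orderings; a higher number means more sensitive / more trusted.
SECRECY = {"public": 0, "confidential": 1, "secret": 2}
INTEGRITY = {"untrusted": 0, "user": 1, "system": 2}

@dataclass(frozen=True)
class Label:
    secrecy: str     # confidentiality level, checked by Bell-LaPadula
    integrity: str   # integrity level, checked by Biba

def blp_allows(subj: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula: no read up, no write down."""
    s, o = SECRECY[subj.secrecy], SECRECY[obj.secrecy]
    return s >= o if op == "read" else s <= o

def biba_allows(subj: Label, obj: Label, op: str) -> bool:
    """Biba: no read down, no write up."""
    s, o = INTEGRITY[subj.integrity], INTEGRITY[obj.integrity]
    return s <= o if op == "read" else s >= o

def mac_decision(subj: Label, obj: Label, op: str):
    """Return (allowed, violated_models); both models must agree to allow."""
    if op not in ("read", "write"):
        raise ValueError(f"unsupported operation: {op}")
    violated = []
    if not blp_allows(subj, obj, op):
        violated.append("bell-lapadula")
    if not biba_allows(subj, obj, op):
        violated.append("biba")
    return (not violated, violated)

# Constructed subject and objects. Labels are fixed by the policy owner;
# nothing here lets the subject relabel (declassify) an object.
ANALYST = Label("secret", "user")
OBJECTS = {
    "mission_brief": Label("secret", "user"),
    "press_release": Label("public", "user"),
    "downloaded_macro": Label("public", "untrusted"),
    "os_config": Label("secret", "system"),
}

if __name__ == "__main__":
    for name, label in OBJECTS.items():
        for op in ("read", "write"):
            print(name, op, mac_decision(ANALYST, label, op))
```

The refused write to `press_release` is the Trojan case the paper mentions: code running with the analyst's clearance cannot copy secret data into a public object, whatever the analyst's own wishes.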
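
The paper's account restrictions (expiration and time-of-day limits) and its access control lists (entries carrying a security identifier and an access mask) can be combined into one decision. This added example is not from the original paper; it uses a simplified ordered-entry evaluation, and all identifiers, mask bits and accounts in it are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, time

READ, WRITE, DELETE = 0x1, 0x2, 0x4   # constructed access-mask bits

@dataclass(frozen=True)
class Ace:
    allow: bool   # entry type: True grants the mask, False denies it
    sid: str      # security identifier of a user or group (constructed)
    mask: int     # rights covered by this entry

@dataclass(frozen=True)
class Account:
    sid: str
    groups: frozenset
    expires: datetime   # account expiration
    hours: tuple        # (start, end) time-of-day window for use

def account_usable(acct: Account, now: datetime) -> bool:
    """Account restrictions: refuse expired accounts and off-hours use."""
    start, end = acct.hours
    return now < acct.expires and start <= now.time() < end

def acl_allows(acl, acct: Account, wanted: int) -> bool:
    """Walk entries in order: a deny on a still-needed right refuses,
    allows accumulate, and anything never granted is refused."""
    sids = {acct.sid} | acct.groups
    remaining = wanted
    for ace in acl:
        if ace.sid not in sids:
            continue
        if not ace.allow and ace.mask & remaining:
            return False
        if ace.allow:
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return False

def check_access(acl, acct: Account, wanted: int, now: datetime) -> bool:
    return account_usable(acct, now) and acl_allows(acl, acct, wanted)

# Constructed sample: the list attached to one spreadsheet file.
OFFICE_HOURS = (time(8, 0), time(18, 0))
BUDGET_ACL = [
    Ace(False, "S-contractors", WRITE | DELETE),
    Ace(True, "S-finance", READ | WRITE),
    Ace(True, "S-alice", DELETE),
]
ALICE = Account("S-alice", frozenset({"S-finance"}), datetime(2030, 1, 1), OFFICE_HOURS)
BOB = Account("S-bob", frozenset({"S-finance", "S-contractors"}), datetime(2030, 1, 1), OFFICE_HOURS)
CAROL = Account("S-carol", frozenset({"S-finance"}), datetime(2020, 1, 1), OFFICE_HOURS)
```

The `S-finance` group entry shows the benefit the paper attributes to ACLs: every member gains access through one entry, while the deny entry placed first still blocks contractors from writing.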