Asset:
Access Control:
Ensure that an asset controlled by, or contained in, a computer system
- is accessed only by those with the proper authorization (confidentiality);
- can only be modified by those with the proper authorization (integrity);
- is accessible to those with the proper authorization at appropriate times (availability).
Access control overview
Given a subject, which objects can it access and how?
Given an object, which subjects can access it and how?
Access control is a way of limiting access to a
system or to physical or virtual resources. In computing, access control is a
process by which users are granted access and certain privileges to systems,
resources or information.
In access control systems, users must present
credentials before they can be granted access. In physical systems, these
credentials may come in many forms, but credentials that can't be transferred
provide the most security.
For example, a key card may act as an access control and grant the bearer access to a classified area. Because the card can be lent, transferred or stolen, the reader only ever verifies possession of the card, not the identity of the person holding it, so on its own it is a weak way of handling access control.
A more secure method for access control involves two-factor authentication. The person who desires access must present credentials and a second factor to corroborate identity. The second factor could be an access code, a PIN or a biometric reading. The two factors should come from different categories of the three listed below: a password plus a "security question" are both something the user knows, so a single phishing page captures both at once.
There are three factors that can be used for
authentication:
- Something only known to the user, such as a password or PIN
- Something that is part of the user, such as a fingerprint, retina scan or another biometric measurement
- Something that belongs to the user, such as a card or a key
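As an added example (not code from the original post), the check below combines two of the factors listed above in Python: a password as the "something known" factor, stored as a salted PBKDF2 hash, and a time-based one-time code (RFC 6238 TOTP) standing in for the "access code" second factor, which the user derives from a secret held on a device in their possession. The user record, the password and the TOTP secret (the RFC 6238 test-vector secret, so the codes can be checked against the RFC) are constructed for this example and are not from the page.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed, in-memory user record for the example; a real system would keep
# this in a directory or database and never store the password itself.
def make_user(password: str, totp_secret: bytes) -> dict:
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000),
        "totp_secret": totp_secret,
    }


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated
    (RFC 4226 section 5.3) and reduced to `digits` decimal digits."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def check_password(user: dict, password: str) -> bool:
    """Factor 1 (something known): recompute the hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 200_000)
    return hmac.compare_digest(candidate, user["pw_hash"])


def check_totp(user: dict, code: str, timestamp: int, window: int = 1) -> bool:
    """Factor 2 (code from something possessed): accept the current step and
    +/- `window` neighbouring steps to absorb clock skew between device and server."""
    return any(
        hmac.compare_digest(totp(user["totp_secret"], timestamp + k * 30), code)
        for k in range(-window, window + 1)
    )


def authenticate(user: dict, password: str, code: str, timestamp: int) -> bool:
    """Both factors must pass. Both are evaluated even if the first fails, so a
    failed login does not reveal which factor was wrong."""
    pw_ok = check_password(user, password)
    otp_ok = check_totp(user, code, timestamp)
    return pw_ok and otp_ok


if __name__ == "__main__":
    # Constructed credentials; the secret is the RFC 6238 test-vector secret.
    user = make_user("correct horse battery staple", b"12345678901234567890")
    now = int(time.time())
    code_from_device = totp(user["totp_secret"], now)
    print("password + current code:", authenticate(user, "correct horse battery staple", code_from_device, now))
    print("wrong password + current code:", authenticate(user, "hunter2", code_from_device, now))
    print("password + stale code:", authenticate(user, "correct horse battery staple", "000000", now))
```

With the RFC 6238 test secret, `totp(secret, 59)` yields "287082", the 6-digit form of the RFC's published value 94287082 for T=59; a code from one step earlier is still accepted because of the skew window, but a password alone or a code alone never is.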
For computer security, access control includes the authentication, authorization and audit of the entity trying to gain access: establish who the requester is, decide what it may do, and record what it did. Access control models have a subject and an object. The subject - a user, or a process running on the user's behalf - is the one trying to gain access to the object - the resource being protected, such as a file, a database record, a device or a program.
In computer systems, an access control list (ACL) is attached to an object and lists, for each subject, the permissions that subject holds on it. The system consults the list on every access and refuses anything the list does not grant, so a given piece of data can be viewed by some users and not by others. This allows an administrator to secure information and set privileges as to what information can be accessed, who can access it and at what time it can be accessed.
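The following is an added example, not code from the original post, showing an access control list in Python that answers both questions posed at the top of the page (given a subject, which objects and how; given an object, which subjects and how) and enforces the "at what time" restriction the paragraph above mentions. The policy, the subject names (alice, bob, carol), the object names and the business-hours window are constructed for the example; the design choice worth noting is that every request not explicitly listed is denied.

```python
from dataclasses import dataclass
from datetime import datetime, time as dtime
from typing import Dict, FrozenSet, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Entry:
    """One ACL entry: the rights a subject holds on an object, optionally
    restricted to a time-of-day window [start, end)."""
    rights: FrozenSet[str]
    start: Optional[dtime] = None
    end: Optional[dtime] = None


class AccessControlList:
    """Maps (subject, object) to an Entry. Anything not listed is denied."""

    def __init__(self) -> None:
        self._entries: Dict[Tuple[str, str], Entry] = {}

    def grant(self, subject: str, obj: str, rights: Iterable[str],
              start: Optional[dtime] = None, end: Optional[dtime] = None) -> None:
        self._entries[(subject, obj)] = Entry(frozenset(rights), start, end)

    def check(self, subject: str, obj: str, right: str, when: datetime) -> bool:
        """Default deny: True only if an entry exists, carries the requested
        right, and the request time falls inside the entry's window."""
        entry = self._entries.get((subject, obj))
        if entry is None or right not in entry.rights:
            return False
        if entry.start is not None and when.time() < entry.start:
            return False
        if entry.end is not None and when.time() >= entry.end:
            return False
        return True

    def subjects_for(self, obj: str) -> Dict[str, FrozenSet[str]]:
        """Object-centred view (the ACL proper): who can access this object, and how."""
        return {s: e.rights for (s, o), e in self._entries.items() if o == obj}

    def objects_for(self, subject: str) -> Dict[str, FrozenSet[str]]:
        """Subject-centred view (a capability list): what this subject can reach, and how."""
        return {o: e.rights for (s, o), e in self._entries.items() if s == subject}


def build_example_policy() -> AccessControlList:
    """Constructed sample policy; names are illustrative, not from the page."""
    acl = AccessControlList()
    acl.grant("alice", "payroll.db", {"read", "write"})
    # bob may read payroll only during business hours, 09:00-17:00
    acl.grant("bob", "payroll.db", {"read"}, start=dtime(9, 0), end=dtime(17, 0))
    acl.grant("bob", "handbook.pdf", {"read"})
    return acl


def at(hour: int, minute: int = 0) -> datetime:
    """Request time on a fixed, constructed date (only the time of day matters here)."""
    return datetime(2024, 1, 8, hour, minute)


if __name__ == "__main__":
    acl = build_example_policy()
    requests = [
        ("alice", "payroll.db", "write", at(3, 0)),    # no window: allowed any time
        ("bob", "payroll.db", "read", at(10, 30)),     # inside business hours
        ("bob", "payroll.db", "read", at(22, 0)),      # outside business hours
        ("bob", "payroll.db", "write", at(10, 30)),    # right not granted
        ("carol", "payroll.db", "read", at(10, 30)),   # no entry at all
    ]
    for subject, obj, right, when in requests:
        decision = "allow" if acl.check(subject, obj, right, when) else "deny"
        print(f"{subject:6} {right:5} {obj:12} at {when.time()} -> {decision}")
    print("who can access payroll.db:", acl.subjects_for("payroll.db"))
    print("what bob can access:", acl.objects_for("bob"))
```

The same table of (subject, object, rights) serves both views: reading it by object gives the ACL, reading it by subject gives a capability list. Only the check itself looks at the time window, so listing who holds a right does not tell you whether they can exercise it right now.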
CIA:
The CIA (Confidentiality, Integrity, and Availability) triad of information security is a benchmark model used to evaluate the information security of an organization. It organizes security around three key properties of an information system: confidentiality, integrity and availability.
The CIA triad was created to provide a baseline standard for evaluating and implementing information security regardless of the underlying system and/or organization. The three core goals have distinct requirements and processes, but they interact: a control chosen for one goal (such as encrypting data to protect confidentiality) can affect another (the data becomes unavailable if the key is lost).
- Confidentiality: Ensures that data or an information system is accessed only by authorized persons. User IDs and passwords, access control lists (ACLs) and policy-based security are some of the methods through which confidentiality is achieved.
The term is closely related to privacy. Confidentiality means that access to confidential information must be restricted to authorized people only.
For example, keeping a client's information only between you and the client and not disclosing it to other employees is confidentiality.