Page 55 - DCAP516_COMPUTER_SECURITY
Unit 5: Access Control Mechanism
Access control further evolved into the authentication, authorization and audit of a user for a
session. Access control authentication devices evolved to include user ID and password, digital
certificates, security tokens, smart cards and biometrics.
Access control authorization meanwhile evolved into Role Based Access Control (RBAC). RBAC is a
non-discretionary model: permissions are attached to roles, users are assigned to roles, and both
mappings are set centrally by the organization rather than by the application or information owner
(as they are under discretionary access control). In this respect RBAC resembles mandatory access
control (MAC), whose policies are likewise determined by the system and not the owner; MAC proper,
however, enforces system-wide labels such as clearances and classifications, and RBAC is usually
treated as a model in its own right.
RBAC is commonly found in government, military and other enterprises where the roles are well
defined, the pace of change is moderate and the supporting human resource processes are able to
keep up with changes to each identity's roles and privileges.
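The following is an added example, not code from the course text, showing the RBAC model described above in working form: permissions belong to roles, users are assigned to roles, and only the central administrator edits either mapping, so a resource owner cannot hand out access directly. It also records every decision for audit and shows that taking a role away from a user ("mover" or "leaver") removes all the access that came with it. The roles, users and resources (clerk, auditor, alice, bob, ledger, payroll) are constructed for illustration.

```python
"""Minimal RBAC model in which the policy is administered centrally.

Added example, not from the course text. The roles, users and resources
below (clerk, auditor, alice, bob, ledger, payroll) are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Permission:
    operation: str  # e.g. "read", "write"
    resource: str   # e.g. "ledger", "payroll"


@dataclass
class RbacPolicy:
    # role -> permissions and user -> roles are both set by the security
    # administrator; no resource owner can grant access directly, which is
    # what makes the model non-discretionary.
    role_perms: dict[str, set[Permission]] = field(default_factory=dict)
    user_roles: dict[str, set[str]] = field(default_factory=dict)
    # Every decision is recorded so that access can be audited per user.
    audit: list[tuple[str, str, str, bool]] = field(default_factory=list)

    def grant(self, role: str, operation: str, resource: str) -> None:
        """Administrator attaches a permission to a role."""
        self.role_perms.setdefault(role, set()).add(Permission(operation, resource))

    def assign(self, user: str, role: str) -> None:
        """Administrator assigns a user to an existing role."""
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role!r}; define it before assigning")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user: str, role: str) -> None:
        """Mover/leaver: removing the role removes every permission that came
        with it, with no per-resource clean-up."""
        self.user_roles.get(user, set()).discard(role)

    def check(self, user: str, operation: str, resource: str) -> bool:
        """Access decision. Default deny: unknown users or users with no
        roles get nothing. Each decision is appended to the audit log."""
        wanted = Permission(operation, resource)
        roles = self.user_roles.get(user, set())
        allowed = any(wanted in self.role_perms.get(r, set()) for r in roles)
        self.audit.append((user, operation, resource, allowed))
        return allowed


def build_policy() -> RbacPolicy:
    """Constructed sample policy: two roles, two users."""
    p = RbacPolicy()
    p.grant("clerk", "read", "ledger")
    p.grant("clerk", "write", "ledger")
    p.grant("auditor", "read", "ledger")
    p.grant("auditor", "read", "payroll")
    p.assign("alice", "clerk")
    p.assign("bob", "auditor")
    return p


if __name__ == "__main__":
    policy = build_policy()
    print(policy.check("alice", "write", "ledger"))  # True: clerks may write the ledger
    print(policy.check("bob", "write", "ledger"))    # False: auditors are read-only
    policy.revoke("alice", "clerk")                  # alice changes job
    print(policy.check("alice", "read", "ledger"))   # False: access left with the role
    for entry in policy.audit:
        print(entry)
```

Note that the only way for alice to regain ledger access is for the administrator to assign her a role that carries it; there is no code path by which the ledger's owner, or alice herself, can add a permission.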
Access control is the process by which users are identified and granted certain privileges to
information, systems, or resources. Understanding the basics of access control is fundamental to
understanding how to manage proper disclosure of information.
5.1 Access Control Overview
Access control is the ability to permit or deny the use of a particular resource by a particular
entity. Access control mechanisms can be used in managing physical resources (such as a movie
theater, to which only ticket holders should be admitted), logical resources (a bank account,
with a limited number of people authorized to make a withdrawal), or digital resources (for
example, a private text document on a computer, which only certain users should be able to
read).
Today, in the age of digitization, there is a convergence between physical access control and
computer access control. Modern access control systems (more commonly referred to in the industry
as "identity management systems") now provide an integrated set of tools to manage what a user
can access physically, electronically and virtually, as well as providing an audit trail for the
lifetime of the user and their interactions with the enterprise.
Modern access control systems rely upon:
- Integrated enterprise user and identity databases and Lightweight Directory Access Protocol (LDAP) directories.
- Strong business processes for the provisioning and de-provisioning of a user.
- Provisioning software integrated with the business provisioning and de-provisioning process.
- Site, building and room based access control systems that are LDAP enabled or able to be integrated into a virtual enterprise LDAP directory.
- A global enterprise id for each user, to integrate the user's identity across many applications and systems.
- A strong end-to-end audit of everywhere the physical person went as well as the systems, applications and information they accessed.
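As an added example (not from the course text) of how the items above fit together, the following script uses the global enterprise id as the join key between the authoritative HR roster and the directory accounts, and reports the de-provisioning gaps a practitioner checks for: accounts with no owner in HR (orphaned), leavers past their last day who are still enabled, and active staff with no account yet. A leaver whose end date is still in the future is deliberately left alone, and an account that is already disabled is not reported again. The roster, the LDAP-style distinguished names and the dates are all constructed.

```python
"""Reconcile an authoritative HR roster against directory accounts.

Added example, not from the course text. The join key is the global
enterprise id described in the text; the roster, the LDAP-style
distinguished names and the dates are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class HrRecord:
    enterprise_id: str
    status: str            # "active" or "terminated"
    end_date: date | None  # last working day for a leaver, None otherwise


@dataclass(frozen=True)
class DirectoryAccount:
    enterprise_id: str
    dn: str                # LDAP distinguished name of the account entry
    enabled: bool


@dataclass
class Findings:
    to_provision: list[str] = field(default_factory=list)  # enterprise ids
    to_disable: list[str] = field(default_factory=list)    # account DNs
    orphaned: list[str] = field(default_factory=list)      # account DNs


def reconcile(roster: list[HrRecord], accounts: list[DirectoryAccount],
              today: date) -> Findings:
    """Compare the directory with HR (the authoritative source) as of `today`."""
    hr = {r.enterprise_id: r for r in roster}
    findings = Findings()
    have_account: set[str] = set()
    for acct in accounts:
        have_account.add(acct.enterprise_id)
        rec = hr.get(acct.enterprise_id)
        if rec is None:
            # No owner in HR at all: the classic de-provisioning gap
            # (ex-contractors, forgotten service accounts).
            findings.orphaned.append(acct.dn)
        elif (rec.status == "terminated" and acct.enabled
              and (rec.end_date is None or rec.end_date <= today)):
            # Leaver past their last day but still enabled. A leaver whose
            # end date is still ahead keeps access until then.
            findings.to_disable.append(acct.dn)
    for rec in roster:
        if rec.status == "active" and rec.enterprise_id not in have_account:
            # Joiner present in HR but never provisioned.
            findings.to_provision.append(rec.enterprise_id)
    return findings


# Constructed sample data.
ROSTER = [
    HrRecord("e1001", "active", None),
    HrRecord("e1002", "terminated", date(2024, 5, 31)),   # left last month
    HrRecord("e1003", "active", None),                    # joiner, no account yet
    HrRecord("e1004", "terminated", date(2024, 7, 15)),   # leaving next month
    HrRecord("e1005", "terminated", date(2024, 1, 31)),   # left, already disabled
]
ACCOUNTS = [
    DirectoryAccount("e1001", "uid=alice,ou=people,dc=example,dc=com", True),
    DirectoryAccount("e1002", "uid=bob,ou=people,dc=example,dc=com", True),
    DirectoryAccount("e1004", "uid=dave,ou=people,dc=example,dc=com", True),
    DirectoryAccount("e1005", "uid=erin,ou=people,dc=example,dc=com", False),
    DirectoryAccount("e9999", "uid=svc-legacy,ou=service,dc=example,dc=com", True),
]
TODAY = date(2024, 6, 30)


def sample_findings() -> Findings:
    return reconcile(ROSTER, ACCOUNTS, TODAY)


if __name__ == "__main__":
    f = sample_findings()
    print("provision:", f.to_provision)  # ['e1003']
    print("disable:  ", f.to_disable)    # bob's DN only; dave's end date is in the future
    print("orphaned: ", f.orphaned)      # the svc-legacy DN, which has no HR record
```

In practice the roster comes from the HR system and the accounts from an LDAP search; the comparison logic is the same, and each finding should be written to the audit trail together with the action taken on it.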
With many portions of an enterprise now outsourced, the challenges to access control have
increased. Today, it is becoming common to have contractual agreements with the enterprise's
outsource partners that:
- Automatically provision and de-provision users
- Build trusted authentication and authorization mechanisms
LOVELY PROFESSIONAL UNIVERSITY 49