Page 56 - DCAP516_COMPUTER_SECURITY

Computer Security
Provide end-to-end user session audit
Integrate with the remote user’s physical access, e.g. to a call center operating on the enterprise’s behalf.

Controlling how network resources are accessed is paramount to protecting private and confidential information from unauthorized users. The types of access control mechanisms available for information technology initiatives today continue to increase at a breakneck pace.

Most access control methodologies are based on the same underlying principles. If you understand the underlying concepts and principles, you can apply this understanding to new products and technologies and shorten the learning curve, so you can keep pace with new technology initiatives.

Access control devices properly identify people, and verify their identity through an authentication process so they can be held accountable for their actions. Good access control systems record and timestamp all communications and transactions so that access to systems and information can be audited at later dates.

Reputable access control systems all provide authentication, authorization, and administration. Authentication is a process in which users are challenged for identity credentials so that it is possible to verify that they are who they say they are.

Once a user has been authenticated, authorization determines what resources a user is allowed to access. A user can be authenticated to a network domain, but only be authorized to access one system or file within that domain. Administration refers to the ability to add, delete, and modify user accounts and user account privileges.
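The three functions just described, plus the timestamped audit record, can be seen side by side in the following small example. It is added here for illustration and is not part of the original text; the user name, password, and resource names (alice, payroll.xlsx, hr.db) are made-up sample values.

```python
import hashlib, hmac, secrets
from datetime import datetime, timezone

class AccessControl:
    def __init__(self):
        self._users = {}   # username -> (salt, salted password hash)
        self._acl = {}     # resource -> set of usernames authorized to access it
        self.audit = []    # timestamped record of every decision taken

    def _log(self, event, user, detail, ok):
        self.audit.append((datetime.now(timezone.utc).isoformat(), event, user, detail, ok))

    # --- administration: add accounts and modify their privileges ---
    def add_user(self, user, password):
        salt = secrets.token_bytes(16)   # per-user salt; never store the raw password
        self._users[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))
        self._log("add_user", user, "", True)

    def grant(self, user, resource):
        self._acl.setdefault(resource, set()).add(user)
        self._log("grant", user, resource, True)

    # --- authentication: challenge for credentials, verify the claimed identity ---
    def authenticate(self, user, password):
        record = self._users.get(user)
        ok = record is not None and hmac.compare_digest(
            record[1], hashlib.pbkdf2_hmac("sha256", password.encode(), record[0], 100_000))
        self._log("authenticate", user, "", ok)
        return ok

    # --- authorization: decide what an authenticated user may access ---
    def authorize(self, user, resource):
        ok = user in self._users and user in self._acl.get(resource, set())
        self._log("authorize", user, resource, ok)
        return ok

def demo():
    # Sample scenario (constructed): alice can log in to the domain, but is
    # authorized for only one file within it, exactly as the text describes.
    ac = AccessControl()
    ac.add_user("alice", "correct horse")
    ac.grant("alice", "payroll.xlsx")
    return {
        "login": ac.authenticate("alice", "correct horse"),   # True
        "bad_login": ac.authenticate("alice", "wrong"),       # False
        "payroll": ac.authorize("alice", "payroll.xlsx"),     # True
        "hr_db": ac.authorize("alice", "hr.db"),              # False: authenticated, not authorized
        "audit_entries": len(ac.audit),                       # 6: every action was recorded
    }
```

Each entry in `audit` carries a UTC timestamp, so a later review can reconstruct who was verified, what they were granted, and which access attempts were refused.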

5.2 Access Control Objectives

The primary objective of access control is to preserve and protect the confidentiality, integrity, and availability of information, systems, and resources. Many people confuse confidentiality with integrity. Confidentiality refers to the assurance that only authorized individuals are able to view and access data and systems.

Integrity refers to protecting the data from unauthorized modification. You can have confidentiality without integrity and vice versa. It’s important that only the right people have access to the data, but it’s also important that the data is the right data, and not data that has been modified either accidentally or on purpose.

Availability is certainly less confusing than confidentiality or integrity. While data and resources need to be secure, they also need to be accessible and available in a timely manner. If you have to open 10 locked safes to obtain a piece of data, the data is not very available in a timely fashion. While availability may seem obvious, it is important to acknowledge that it is a goal so that security is not overdone to the point where the data is of no use to anyone.

Self Assessment

Fill in the blanks:
1. ………………… refers to the assurance that only authorized individuals are able to view and access data and systems.
2. ………………………. refers to protecting the data from unauthorized modification.
3. ……………………… is a process in which users are challenged for identity credentials so that it is possible to verify that they are who they say they are.

          50                                LOVELY PROFESSIONAL UNIVERSITY