Page 78 - DCAP309_INFORMATION_SECURITY_AND_PRIVACY

Information Security and Privacy




Introduction

A biometric is a measurement of a natural trait such as a fingerprint, iris pattern, retina image,
face or hand geometry, or of a behavioral trait such as voice, gait or signature. Biometric
technology uses these traits to recognize individuals automatically. Biometric systems are usually
used in combination with other authentication mechanisms in environments requiring high security.
In this unit we will discuss access control, biometrics techniques and key success factors.

6.1 Access Control

The meaning of access control has changed over the last several years. Originally, access control
usually referred to restricting physical access to a facility, building or room to authorized
persons. This used to be enforced mainly through a physical security guard. Then, with the
advent of electronic devices, access control evolved into the use of physical card access
systems of a wide variety, including biometric-activated devices.
As computers evolved, the meaning of access control began to change. Initially, “access control
lists” evolved, specifying the user identities and the privileges granted to them in order to access
a network operating system or an application.

Access control further evolved into the authentication, authorization and audit of a user for a
session. Access control authentication devices evolved to include ID and password, digital
certificates, security tokens, smart cards and biometrics.

Access control authorization meanwhile evolved into Role-Based Access Control (RBAC). This
normally involves “mandatory access control”.
RBAC is commonly found in government, military and other enterprises where the role
definitions are well defined, the pace of change is not that fast and the supporting human
resource environment is capable of keeping up with changes to an identity regarding its roles
and privileges.
Access control is the process by which users are identified and granted certain privileges to
information, systems, or resources. Understanding the basics of access control is fundamental to
understanding how to manage proper disclosure of information.
Access control is the ability to permit or deny the use of a particular resource by a particular
entity. Access control mechanisms can be used in managing physical resources (such as a movie
theater, to which only ticketholders should be admitted), logical resources (a bank account, with
a limited number of people authorized to make a withdrawal), or digital resources.

Example: Digital resources include a private text document on a computer, which only
certain users should be able to read.
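The authenticate, authorize and audit sequence described above, applied to the private text document with both an access control list and role-based rules, as an added example that is not part of the original unit. The user names, passwords, roles and the file name `notes.txt` are constructed for illustration.

```python
import hashlib, hmac, os
from datetime import datetime, timezone

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _user(password, roles):
    salt = os.urandom(16)  # per-user salt; only the derived hash is stored
    return salt, _hash(password, salt), set(roles)

# Constructed sample data (hypothetical users, roles and document).
USERS = {
    "alice": _user("correct horse", {"author"}),
    "bob": _user("battery staple", {"reviewer"}),
    "carol": _user("tr0ub4dor", set()),  # valid account, no role assigned
}
# RBAC: privileges attach to roles, and users acquire them through roles.
ROLE_PERMS = {
    "author": {("notes.txt", "read"), ("notes.txt", "write")},
    "reviewer": {("notes.txt", "read")},
}
# ACL: the resource lists each user identity and its privileges directly.
ACL = {"notes.txt": {"alice": {"read", "write"}, "bob": {"read"}}}
AUDIT = []  # audit trail: every decision is recorded, allowed or denied

def authenticate(user, password):
    rec = USERS.get(user)
    if rec is None:
        return False
    salt, stored, _roles = rec
    return hmac.compare_digest(stored, _hash(password, salt))  # constant-time

def authorize_rbac(user, resource, action):
    return any((resource, action) in ROLE_PERMS.get(role, set())
               for role in USERS[user][2])

def authorize_acl(user, resource, action):
    return action in ACL.get(resource, {}).get(user, set())

def access(user, password, resource, action, model=authorize_rbac):
    """Authenticate, then authorize, then audit. Anything not granted is denied."""
    if not authenticate(user, password):
        decision = "deny:authentication"
    elif not model(user, resource, action):
        decision = "deny:authorization"
    else:
        decision = "allow"
    stamp = datetime.now(timezone.utc).isoformat()
    AUDIT.append((stamp, user, resource, action, decision))
    return decision == "allow"
```

Denied requests are written to the audit trail as well as allowed ones, so the trail shows who attempted access and not only who obtained it.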
Today, in the age of digitization, there is a convergence between physical access control and
computer access control. Modern access control systems (more commonly referred to in the
industry as “identity management systems”) now provide an integrated set of tools to manage
what a user can access physically, electronically and virtually, and to provide an audit trail for
the lifetime of the user and their interactions with the enterprise.

Modern access control systems rely upon:
1. Integrated enterprise user and identity databases and Lightweight Directory Access Protocol
   (LDAP) directories.






LOVELY PROFESSIONAL UNIVERSITY