Page 80 - DCAP309_INFORMATION_SECURITY_AND_PRIVACY
P. 80
Information Security and Privacy
Notes 6.1.1 Access Control Objectives
The primary objective of access control is to preserve and protect the confidentiality, integrity,
and availability of information, systems, and resources. Many people confuse confidentiality
with integrity. Confidentiality refers to the assurance that only authorized individuals are able
to view and access data and systems.
Integrity refers to protecting the data from unauthorized modification. You can have
confidentiality without integrity and vice versa. It’s important that only the right people have
access to the data, but it’s also important that the data is the right data, and not data that have
been modified either accidentally or on purpose.
Availability is certainly less confusing than confidentiality or integrity. While data and resources
need to be secure, they also need to be accessible and available in a timely manner. If you have
to open 10 locked safes to obtain a piece of data, the data is not very available in a timely fashion.
While availability may seem obvious, it is important to acknowledge that it is a goal so that
security is not overdone to the point where the data is of no use to anyone.
Self Assessment
Fill in the blanks:
1. ......................... is the process by which users are identified and granted certain privileges
to information, systems, or resources.
2. ......................... refers to protecting the data from unauthorized modification.
3. ......................... refers to the assurance that only authorized individuals are able to view
and access data and systems.
6.2 User Identification and Authentication
Authentication is any process by which you verify that someone is who they claim they are. This
usually involves a username and a password, but can include any other method of demonstrating
identity, such as a smart card, retina scan, voice recognition, or fingerprints. Authentication is
equivalent to showing your drivers license at the ticket counter at the airport.
Authorization is finding out if the person, once identified, is permitted to have the resource.
This is usually determined by finding out if that person is a part of a particular group, if that
person has paid admission, or has a particular level of security clearance. Authorization is
equivalent to checking the guest list at an exclusive party, or checking for your ticket when you
go to the opera.
Finally, access control is a much more general way of talking about controlling access to a web
resource. Access can be granted or denied based on a wide variety of criteria, such as the network
address of the client, the time of day, the phase of the moon, or the browser which the visitor is
using.
Access control is analogous to locking the gate at closing time, or only letting people onto the
ride who are more than 48 inches tall - its controlling entrance by some arbitrary condition
which may or may not have anything to do with the attributes of the particular visitor.
Because these three techniques are so closely related in most real applications, it is difficult to
talk about them separate from one another. In particular, authentication and authorization are,
in most actual implementations, inextricable.
74 LOVELY PROFESSIONAL UNIVERSITY
