Page 195 - DCAP403_Operating System

5.   A global enterprise ID for each user to integrate the user’s identity between many
     applications and systems.
6.   A strong end-to-end audit of everywhere the physical person went, as well as the systems,
     applications and information systems they accessed.

With many portions of an enterprise now outsourced, the challenges to access control have
increased. Today it is becoming common to have contractual agreements with the enterprise’s
outsource partners that:
1.   Automatically provision and de-provision users
2.   Build trusted authentication and authorization mechanisms
3.   Provide end-to-end user session audit
4.   Integrate with the remote user’s physical access, e.g., to a call center operating on the
     enterprise’s behalf.

Controlling how network resources are accessed is paramount to protecting private and
confidential information from unauthorized users. The types of access control mechanisms
available for information technology initiatives today continue to increase at a breakneck pace.
Most access control methodologies are based on the same underlying principles. If you understand
the underlying concepts and principles, you can apply this understanding to new products
and technologies and shorten the learning curve so you can keep pace with new technology
initiatives.

Access control devices properly identify people and verify their identity through an authentication
process so they can be held accountable for their actions. Good access control systems record and
timestamp all communications and transactions so that access to systems and information can be
audited at later dates.

Reputable access control systems all provide authentication, authorization, and administration.
Authentication is a process in which users are challenged for identity credentials so that it is
possible to verify that they are who they say they are.

Once a user has been authenticated, authorization determines what resources a user is allowed
to access. A user can be authenticated to a network domain, but only be authorized to access one
system or file within that domain. Administration refers to the ability to add, delete, and modify
user accounts and user account privileges.
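
The three functions described above, together with the timestamped audit record, can be shown in a short Python sketch. This is an added example, not code from the original text; the class AccessControl, its method names, the user "alice" and the resource names are hypothetical, and the sample data is constructed.

```python
import hashlib, hmac, os, time

class AccessControl:
    def __init__(self):
        self.users = {}   # user -> (salt, password hash)
        self.acl = {}     # user -> set of resources the user may access
        self.audit = []   # (timestamp, user, event, allowed)

    def _log(self, user, event, allowed):
        # Record and timestamp every decision so it can be audited later.
        self.audit.append((time.time(), user, event, allowed))
        return allowed

    @staticmethod
    def _hash(password, salt):
        # Salted, slow hash: the stored value is never the password itself.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    # --- Administration: add, delete and modify accounts and privileges ---
    def add_user(self, user, password):
        salt = os.urandom(16)
        self.users[user] = (salt, self._hash(password, salt))
        self.acl[user] = set()

    def delete_user(self, user):
        self.users.pop(user, None)
        self.acl.pop(user, None)

    def grant(self, user, resource):
        self.acl[user].add(resource)

    # --- Authentication: challenge for credentials and verify identity ---
    def authenticate(self, user, password):
        # Unknown users get a dummy salt so both paths do the same work.
        salt, stored = self.users.get(user, (b"\0" * 16, b""))
        ok = hmac.compare_digest(self._hash(password, salt), stored)
        return self._log(user, "authenticate", ok)

    # --- Authorization: what may an authenticated user access? ---
    def authorize(self, user, resource):
        ok = resource in self.acl.get(user, set())
        return self._log(user, "access " + resource, ok)

if __name__ == "__main__":
    ac = AccessControl()
    ac.add_user("alice", "constructed-sample-passphrase")  # constructed data
    ac.grant("alice", "payroll.xls")
    print(ac.authenticate("alice", "constructed-sample-passphrase"))
    print(ac.authorize("alice", "payroll.xls"), ac.authorize("alice", "hr.db"))
    for entry in ac.audit:
        print(entry)
```

The demo authenticates one user who is then authorized for a single file only, and every decision, allowed or denied, lands in the audit list with its timestamp.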

10.5 Access Control Techniques

There are different types of access control technologies that can all be used to provide enterprise
access solutions. Tokens, smart cards, encrypted keys, and passwords are some of the more
popular access control technologies.

10.5.1 Passwords

Passwords are used for access control more than any other type of solution because they are
easy to implement and are extremely versatile. On information technology systems, passwords
can be used to write-protect documents, files, and directories, and to allow access to systems and
resources. The downside to using passwords is that they are among the weakest of the access
control technologies that can be implemented.

The security of a password scheme is dependent upon the ability to keep passwords secret.
Therefore, a discussion of increasing password security should begin with the task of choosing a
password. A password should be chosen such that it is easy to remember, yet difficult to guess.




          188                              LOVELY PROFESSIONAL UNIVERSITY