Page 78 - DCAP309_INFORMATION_SECURITY_AND_PRIVACY
Information Security and Privacy
Introduction
A biometric is a measurement of a physical trait such as a fingerprint, iris pattern, retina image, face or
hand geometry, or of a behavioural trait such as voice, gait or signature. Biometric technology uses
these traits to recognize individuals automatically. Biometric systems are usually used in
combination with other authentication resources in environments requiring high security.
In this unit we will discuss access control, biometric techniques and key success factors.
6.1 Access Control
The meaning of access control has changed over the last several years. Originally, access control
usually referred to restricting physical access to a facility, building or room to authorized
persons. This used to be enforced mainly through a physical security guard. Then, with the
advent of electronic devices, access control evolved into the use of a wide variety of physical card
access systems, including biometrically activated devices.
As computers evolved, the meaning of access control began to change. Initially, “access control
lists” were developed, specifying user identities and the privileges granted to them in order to access
a network operating system or an application.
Access control further evolved into the authentication, authorization and audit of a user for a
session. Access control authentication devices evolved to include ID and password, digital
certificates, security tokens, smart cards and biometrics.
Access control authorization, meanwhile, evolved into Role-based Access Control (RBAC). This
normally involves “mandatory access control”.
RBAC is commonly found in government, military and other enterprises where the role
definitions are well defined, the pace of change is not that fast, and the supporting human
resource environment is capable of keeping up with changes to an identity's roles and
privileges.
Access control is the process by which users are identified and granted certain privileges to
information, systems, or resources. Understanding the basics of access control is fundamental to
understanding how to manage proper disclosure of information.
Access control is the ability to permit or deny the use of a particular resource by a particular
entity. Access control mechanisms can be used in managing physical resources (such as a movie
theater, to which only ticketholders should be admitted), logical resources (a bank account, with
a limited number of people authorized to make a withdrawal), or digital resources.
Example: Digital resources include a private text document on a computer, which only
certain users should be able to read.
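As an added illustration of the two authorization models described above (example code written for this page, not from the textbook), the snippet below contrasts a per-resource access control list with a role-based model. It assumes a constructed bank scenario in which tellers may read and withdraw from accounts and auditors may read accounts and the audit log; every decision is denied unless a role explicitly grants it, and every decision, including denials, is written to an audit trail.

```python
from dataclasses import dataclass, field

# Constructed sample ACL (not from the textbook): resource -> user -> actions.
ACL = {"private.txt": {"alice": {"read", "write"}, "bob": {"read"}}}

def acl_permits(acl: dict, user: str, resource: str, action: str) -> bool:
    """ACL check: a privilege exists only if this user is listed on this resource."""
    return action in acl.get(resource, {}).get(user, set())


@dataclass
class RBAC:
    """Users hold roles, roles grant (resource, action) privileges; deny by default."""
    user_roles: dict = field(default_factory=dict)       # user -> set of roles
    role_privileges: dict = field(default_factory=dict)  # role -> {(resource, action)}
    audit: list = field(default_factory=list)            # recorded decisions

    def grant_role(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def revoke_role(self, user: str, role: str) -> None:
        # Removing one role removes every privilege it carried at once,
        # without editing each resource's ACL entry for that user.
        self.user_roles.get(user, set()).discard(role)

    def is_permitted(self, user: str, resource: str, action: str) -> bool:
        roles = self.user_roles.get(user, set())
        allowed = any((resource, action) in self.role_privileges.get(r, set())
                      for r in roles)
        # Audit: log the outcome of every authorization decision.
        self.audit.append((user, resource, action, "PERMIT" if allowed else "DENY"))
        return allowed


def demo() -> list:
    """Constructed bank scenario; returns the list of permit/deny decisions."""
    rbac = RBAC(role_privileges={
        "teller": {("account", "read"), ("account", "withdraw")},
        "auditor": {("account", "read"), ("audit_log", "read")},
    })
    rbac.grant_role("alice", "teller")
    rbac.grant_role("bob", "auditor")
    decisions = [
        rbac.is_permitted("alice", "account", "withdraw"),  # teller: permitted
        rbac.is_permitted("bob", "account", "withdraw"),    # auditor: denied
        rbac.is_permitted("carol", "account", "read"),      # no role: denied
    ]
    rbac.revoke_role("alice", "teller")
    decisions.append(rbac.is_permitted("alice", "account", "withdraw"))  # denied
    return decisions
```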
Today, in the age of digitization, there is a convergence between physical access control and
computer access control. Modern access control (more commonly referred to in the industry as
“identity management systems”) now provides an integrated set of tools to manage what a user
can access physically, electronically and virtually, as well as providing an audit trail for the
lifetime of the user and their interactions with the enterprise.
Modern access control systems rely upon:
1. Integrated enterprise user and identity databases and Lightweight Directory Access Protocol
(LDAP) directories.
72 LOVELY PROFESSIONAL UNIVERSITY