Page 81 - DCAP309_INFORMATION_SECURITY_AND_PRIVACY

Unit 6: Biometric Controls for Security




If you have information on your web site that is sensitive, or intended for only a small group of people, the techniques in this tutorial will help you make sure that the people who see those pages are the people you wanted to see them.

Determining whether a user is authorized to use an IT system includes the distinct steps of identification and authentication. Identification concerns the manner in which a user provides his unique identity to the IT system. The identity may be a name (e.g., first or last) or a number (e.g., account number). The identity must be unique so that the system can distinguish among different users. Depending on operational requirements, one "identity" may actually describe one individual, more than one individual, or one (or more) individuals only part of the time.


Example: An identity could be "system security officer," which could denote any of several individuals, but only when those individuals are performing security officer duties and not using the system as an ordinary user. The identity should also be non-forgeable so that one person cannot impersonate another.
Additional characteristics, such as the role a user is assuming (for example, the role of database administrator), may also be specified along with an identity. Authentication is the process of associating an individual with his unique identity, that is, the manner in which the individual establishes the validity of his claimed identity. There are three basic authentication means by which an individual may authenticate his identity.

1. Something an individual KNOWS (e.g., a password, Personal ID Number (PIN), the combination to a lock, a set of facts from a person's background).
2. Something an individual POSSESSES (e.g., a token or card, a physical key to a lock).
3. Something an individual IS (e.g., personal characteristics or "biometrics" such as a fingerprint or voice pattern).

These basic methods may be employed individually, but many user login systems employ various combinations of the basic authentication methods.
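The following Python sketch is an added example (not from the textbook) that separates the two steps just described: identification resolves a public identity to a record, and authentication then checks two of the three factors, a salted password verifier (something the user KNOWS) and an RFC 4226 HOTP code from a token (something the user POSSESSES), before returning the roles used for access control. The user record, salt and token secret are constructed for the example.

```python
import hashlib
import hmac
import struct

def hash_password(password: str, salt: bytes) -> bytes:
    """Verifier for the KNOWS factor; only this derived value is stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the code a POSSESSES-factor token displays for a given counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

# Constructed directory (assumption): the identity "alice" is public; the stored
# verifier and the token secret are the authentication information kept secret.
SALT = b"constructed-salt"
TOKEN_SECRET = b"constructed-token-secret"
USERS = {
    "alice": {
        "verifier": hash_password("correct horse battery", SALT),
        "salt": SALT,
        "token_secret": TOKEN_SECRET,
        "counter": 0,  # next HOTP counter the server expects
        "roles": {"user", "database administrator"},  # characteristics tied to the identity
    }
}

def identify(claimed_identity: str):
    """Identification: resolve the claimed (public) identity to its record, or None."""
    return USERS.get(claimed_identity)

def authenticate(claimed_identity: str, password: str, otp: str):
    """Authentication with two factors (KNOWS + POSSESSES); returns the roles
    for access control on success, None otherwise. Unknown identity and wrong
    secret fail identically, so the answer does not reveal which identities exist."""
    record = identify(claimed_identity)
    if record is None:
        return None
    knows = hmac.compare_digest(hash_password(password, record["salt"]), record["verifier"])
    # Small look-ahead window: a token pressed without submitting should still work.
    matched = next((i for i in range(3)
                    if hmac.compare_digest(hotp(record["token_secret"], record["counter"] + i), otp)),
                   None)
    if not knows or matched is None:
        return None
    record["counter"] += matched + 1  # an accepted code is single-use; replay fails
    return record["roles"]
```

Adding the IS factor would follow the same pattern, with a biometric template in the record and a matcher in place of `compare_digest`.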





Notes: An important distinction between identification and authentication is that identities are public whereas authentication information is kept secret and thus becomes the means by which an individual proves that he actually is who he claims to be. In addition, identification and authentication provide the basis for future access control.

Self Assessment

Fill in the blanks:

4. ......................... is finding out if the person, once identified, is permitted to have the resource.
5. ......................... concerns the manner in which a user provides his unique identity to the IT system.
6. ......................... is the process of associating an individual with his unique identity, that is, the manner in which the individual establishes the validity of his claimed identity.







                                           LOVELY PROFESSIONAL UNIVERSITY                                   75