|
In this article:
- What is access control
- Aspects of access control
What is Access Control
In relation with computer security, access control means the practice of restricting access to a computer system or a part of it by authorized persons and stopping unauthorized persons from accessing the system at all. The field of computer access control involves authentication, authorization and audit. Apart from this, additional measures to ensure security such as physical devices (eg., biometric scans, metal locks) or digital signatures and encryption etc. may also be included in computer system access control.
More specifically, access control is aimed at permitting or denying the use of an object by a person or subject.
Aspects of Access Control
Access control has certain aspects which form the basis of the services it provides. These are identification, authentication, authorization and accountability. Identification and authentication decide who is allowed to log on to the system while authorization determines what a person is allowed to do on the system. Finally, accountability denotes what a user did on a computer system. These aspects are explained below:
- Identification
Identification helps determine who the person trying to log on to the computer system is. This is usually done with the help of username or user ID. Identification helps to identify the user as being unique but it does not determine how the person is important, say to an organization (eg., president or CEO etc.). A common advice given in this regard is to keep oneself from using the common names for
accounts such as admin, sysadmin or root etc. which are easy prey for hackers and crackers.
- Authentication
Authentication is seen as the very next step after identification leading to their pairing as Identification and Authentication or I&A. By definition, it is a method that verifies the identity that a user claims to posses. This is typically done by the password entered by the user with the existing password stored on a computer corresponding to the given username. Authentication may involve the use of all or one of the following factors:
- First, authentication maybe done with the help of something you know. This is a common practice and is implemented with the help of a password or personal identification number or PIN. It is assumed by the authentication sub-system that such a password would only be known to the owner of the account or username.
- Second, authentication maybe implemented on the basis of something you have. This can be done with the help of physical devices such as smart cards and tokens. Again, this works on the assumption that such a card o token would only be possessed by the authorized owner of the account which is to be unlocked.
- Finally, authentication maybe implemented with by taking into consideration something you are. This makes use of ‘instruments’ such as fingerprint, voice, retina and other such physical characteristics of a person.
- Authorization
Authorization is the scope of work a particular user can do on a computer system. This determines what permissions and rights a user is given. A series of permissions maybe given to a single user. For example, a person maybe allowed to read certain files and directories but not allowed to modify them (called Read access). Another policy may allow a user to change file and directory contents including modifying a file, deleting files and directories and renaming them (called Write access). This type of authorization is common in modern operation systems such as Windows XP and the upcoming Windows Vista.
- Accountability
The last step in the access control process involves determining what all activities were performed by the user on the computer system. Most operating systems keep what are called as log files that record whatever changes have been made to files, directories and settings of the computer. If such a feature is not built into the operating system, one may make use of third party tool or software to achieve the same functionality. This way, a particular user can be held responsible for his or her activities on the computer system alongwith the requisite proof.
|
