Wednesday, March 30, 2011

Intro to Access Control

Access controls are, simply put, security features that control the flow of information between subjects (the requesting entities) and objects (the entities containing the information). When dealing with this subject it is imperative to look at the 3 main principles of transferring information: availability - the need for information to be available in a timely manner, integrity - the need for information to be accurate, complete, and protected from unauthorized modification, and confidentiality - protection of information from unauthorized personnel. One important thing to remember about confidentiality is that some information is more important than other information, and as such, not all information requires the same amount of protection. This is important to remember because IT security measures can sometimes be expensive and cumbersome.

With these three overarching principles in mind, the next step with access control is to look at the four steps of what I abbreviate to IAAA:
  • Identification - a method, such as a username or account number, of making sure that a subject is who they claim to be.
  • Authentication - a second identifier, such as a password or a PIN, used to confirm the identity of the subject.
    • three major factors are used
      • something a person knows: password, PIN, etc.
      • something a person has: key, swipe card, etc.
      • something a person is: retina scan, fingerprint, etc.
    • strong authentication refers to the use of at least two out of the three factors
  • Authorization - the step of checking the directory and security rules in place to validate that the subject is authorized to access the desired information.
  • Accountability - the final step in implementing access controls; it essentially ensures the auditability of the system.
In the next blog I'll talk about some of the identity management solutions for dealing with access control.