In general terms, providing security means “freedom from risk and danger”. In the context of information security, it is securing against:
• Access to information by unauthorized persons
• Modification to information by unauthorized persons
• Destruction of information by unauthorized persons
In short, every type of access to information needs to be protected. Whether the access is physical, such as access to CPUs and hard disks, or logical, as in accessing the system directly or remotely, it needs to be restricted so that the information is protected.
Access control is considered the most important aspect, and an important pillar, of information security. Access control can be implemented in various ways depending on the environment. This may entail locking your computer room or your system, restricting access to the system using logins and passwords, protecting your data using file protection or encryption, encrypting network communications, or checking a digital signature before accessing the data.
Access control has two components – authentication and authorization. Authentication is verifying the identity of a user or a host that is accessing the system or network resource. Authentication also aims to determine from where and how the resource is being accessed – whether the system is being accessed from a private computer or a public computer (internet café), or whether it is being accessed during normal working hours or after working hours.
Authorization is permitting or restricting access to the information based on the type of users and their roles – employee, contractor, administrator, or manager.
Examples of access control:
• Entering a server room or data center using a physical key or fingerprint authentication, or by keying in the access code
• User prompted to provide username and password when accessing computing resources
• Remote user prompted to provide username and password when accessing the network from outside of the organization
• User denied access while accessing confidential documents related to the company or a client
• User denied access while accessing personnel related details
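The two components described above can be combined into a single access decision. The following is an added example, not code from the original text; the role-to-document mapping, the working hours, the user names and the `decide` function are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Tuple

# Constructed policy (assumption): document classes each role may open.
ROLE_PERMISSIONS = {
    "employee": {"public", "internal"},
    "contractor": {"public"},
    "manager": {"public", "internal", "personnel"},
    "administrator": {"public", "internal", "client-confidential"},
}
WORK_START, WORK_END = time(8, 0), time(18, 0)  # assumed working hours


@dataclass
class Request:
    user: str
    authenticated: bool   # outcome of the username/password check
    role: str             # employee, contractor, administrator, manager
    device: str           # "private" or "public" (e.g. internet cafe)
    when: datetime
    resource_class: str


def decide(req: Request) -> Tuple[bool, str]:
    """Authentication first, then access context, then role authorization."""
    if not req.authenticated:
        return False, "authentication failed"
    sensitive = req.resource_class != "public"
    if sensitive and req.device == "public":
        return False, "sensitive data is not served to a public computer"
    in_hours = WORK_START <= req.when.time() < WORK_END
    if sensitive and not in_hours:
        return False, "outside normal working hours"
    if req.resource_class not in ROLE_PERMISSIONS.get(req.role, set()):
        return False, f"role {req.role!r} is not authorized for {req.resource_class}"
    return True, "permitted"


if __name__ == "__main__":
    day = datetime(2024, 3, 4, 10, 30)    # constructed timestamps
    night = datetime(2024, 3, 4, 22, 15)
    for r in [
        Request("alice", True, "manager", "private", day, "personnel"),
        Request("alice", True, "manager", "public", day, "personnel"),
        Request("alice", True, "manager", "private", night, "personnel"),
        Request("bob", True, "contractor", "private", day, "client-confidential"),
        Request("eve", False, "employee", "private", day, "internal"),
    ]:
        print(r.user, r.role, r.resource_class, "->", decide(r))
```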
Confidentiality and Data Integrity
Different information or data in the organization has different sensitivities as far as confidentiality is concerned. Some data may be accessed by everyone as there is no security risk, even if it is known to the entire world. Other information may be highly confidential and may have to be shared only with a few individuals or be restricted to only a few individuals. Various levels of data sensitivity can be ensured only by controlling appropriate access through proper authentication and authorization.
Similarly, the integrity of the information/data is another important property that is protected through access controls. The importance of data integrity can be illustrated by a simple example. Imagine that you have made an online purchase of $100. By accident or deliberate intervention, your data has been modified and you receive a bill for $1000 – who will take the loss? In another example, your prescription drug dosage of 10 milligrams (mg) has been modified to 100 mg – imagine the consequences. Hence, one of the most important aspects of information security is the integrity of data: whether or not your data can be modified by all users. Any data should be modifiable only by authorized users.
Unauthorized modification or destruction of information leads to loss of integrity. Integrity concerns the origin of the information, and the correctness and completeness of the information. Data integrity protection can be provided by preventive mechanisms that govern who can access the system (appropriate access controls), by detective mechanisms that record who is trying to modify or destroy the data, and by preventive controls such as locking the system down after a pre-specified number of unauthorized attempts. This leads to an important element of the overall guidance for information access at any organization – an Access Control Policy.
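The preventive and detective mechanisms described above can sit in front of every write to a record. The following is an added example, not code from the original text; the `ModificationGuard` class, the threshold of three attempts, the user names and the record identifier are assumptions, and the scenario is constructed from the dosage example.

```python
from datetime import datetime, timezone

MAX_DENIED_ATTEMPTS = 3  # the "pre-specified number"; the value is assumed


class ModificationGuard:
    """Gate writes to a record store, log every attempt, lock repeat offenders."""

    def __init__(self, authorized_editors):
        self.authorized = set(authorized_editors)
        self.denied = {}      # user -> number of denied attempts so far
        self.locked = set()   # users locked out by the preventive control
        self.audit_log = []   # detective record: who tried what, and when

    def _log(self, user, record_id, outcome):
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit_log.append((stamp, user, record_id, outcome))

    def modify(self, user, store, record_id, new_value):
        if user in self.locked:
            self._log(user, record_id, "rejected: account locked")
            return False
        if user not in self.authorized:
            self.denied[user] = self.denied.get(user, 0) + 1
            self._log(user, record_id, "denied: not authorized")
            if self.denied[user] >= MAX_DENIED_ATTEMPTS:
                self.locked.add(user)
                self._log(user, record_id, "locked out")
            return False
        store[record_id] = new_value
        self._log(user, record_id, "modified")
        return True


def run_demo():
    """Constructed scenario based on the dosage example in the text."""
    store = {"rx-001": "10 mg"}
    guard = ModificationGuard(authorized_editors={"dr_lee"})
    results = [guard.modify("temp_clerk", store, "rx-001", "100 mg") for _ in range(4)]
    results.append(guard.modify("dr_lee", store, "rx-001", "5 mg"))
    return store, guard, results


if __name__ == "__main__":
    store, guard, results = run_demo()
    print(results, store, sorted(guard.locked))
    for entry in guard.audit_log:
        print(entry)
```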
Who Can Access the Data?
Data is accessed by different types of users within an organization – the data owner, database administrator, data architect, and vendors. Each of them has a different role and function to perform on the data. For the database and its administrators, “data integrity” means ensuring that the data being entered in the database is accurate and consistent. The database designer/database administrator designs appropriate table structures, relations, and views and sets certain rules on them to ensure proper access to, and integrity of, data. For a data owner, “data integrity” means ensuring that the appropriate business rules defined on the data are intact and that the data is being accessed as per the defined rules. For a vendor, “data integrity” means accuracy and consistency of the stored data. Between any two transactions and updates, data should not have been altered, and there should be proper error checking and validation routines. There is no doubt that there are more definitions and meanings for “data integrity,” but they all mean the same thing – how or who accesses the information/data, and how information/data access can be protected and monitored.
There are different methods for protecting data integrity, such as generating checksums, file integrity software, and encryption. A checksum is a value computed over the whole of the digital data. This checksum is verified at both ends of the transmission. If there is no data integrity loss, then the checksum should be the same at both ends – before and after the transmission. There are several algorithms available for calculating the checksum. Most sites today offer either an MD5 or SHA-1 checksum to users. File integrity software tracks by whom, how, and when files have been accessed. It monitors the access of individual documents/files. You can set alerts for when an unauthorized user tries to access any file or data. Encryption ensures both the integrity and confidentiality of data.
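The checksum comparison at both ends of a transmission looks like this in practice. This is an added example, not code from the original text, and it goes one step beyond the passage by also showing a keyed checksum (HMAC), because a plain checksum stops detecting changes once the checksum itself can be rewritten in transit. The messages, the key, the function names and the choice of SHA-256 are assumptions.

```python
import hashlib
import hmac


def checksum(data: bytes, algorithm: str = "sha256") -> str:
    """Unkeyed digest; also accepts the "md5" and "sha1" names."""
    return hashlib.new(algorithm, data).hexdigest()


def keyed_tag(data: bytes, key: bytes) -> str:
    """HMAC-SHA256: a checksum that cannot be recomputed without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def accepts_checksum(data: bytes, received: str, algorithm: str = "sha256") -> bool:
    return hmac.compare_digest(checksum(data, algorithm), received)


def accepts_tag(data: bytes, received: str, key: bytes) -> bool:
    return hmac.compare_digest(keyed_tag(data, key), received)


# Constructed messages based on the $100 / $1000 bill example in the text.
ORIGINAL = b"order=4711;amount=100.00;currency=USD"
ALTERED = b"order=4711;amount=1000.00;currency=USD"
SHARED_KEY = b"constructed-demo-key"  # placeholder, known only to both ends


def scenarios() -> dict:
    sent_sum = checksum(ORIGINAL)
    sent_tag = keyed_tag(ORIGINAL, SHARED_KEY)
    return {
        # Nothing changed in transit: both ends compute the same value.
        "intact": accepts_checksum(ORIGINAL, sent_sum),
        # Data changed, checksum left alone: the mismatch is detected.
        "data_altered": accepts_checksum(ALTERED, sent_sum),
        # Data and checksum both rewritten in transit: a plain checksum
        # matches again, because anyone can recompute it.
        "both_rewritten_checksum": accepts_checksum(ALTERED, checksum(ALTERED)),
        # The same rewrite without the key cannot produce a valid tag.
        "both_rewritten_tag": accepts_tag(ALTERED, checksum(ALTERED), SHARED_KEY),
        "intact_tag": accepts_tag(ORIGINAL, sent_tag, SHARED_KEY),
    }


if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name:26} accepted={accepted}")
```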