Information Security Assignment


Kashif Ullah

Class No 17
BS CS 6th Semester

Components of Access Control


Before looking at the components of access control, we first briefly define access control.
Access control is a security technique that regulates who or what can view or use resources in a
computing environment.
Put simply, it is the process of protecting a resource so that it is used only by those who are
allowed to access it.
The four steps (components) that complete access control management are identification,
authentication, authorization, and accountability. Many people confuse identification and
authentication or consider them the same, but all four are distinct concepts and each must be understood.
❖ Identification
❖ Authentication
❖ Authorization
❖ Accountability

Identification
Whenever you log in to most websites, you submit a username. When you create an
account, you are asked to choose a username that identifies you. The username you
provide during login is “identification”. It is simply a way of claiming your identity.
From an information security point of view, identification describes a method by which you claim
who you are.

Authentication
Now that you have entered your username, what do you enter next? The password. This is what
authentication is about: you prove that you are the person you are
claiming to be. Authentication can be done through various mechanisms.
There are commonly three ways of authenticating: something you know, something you have, and
something you are.
• Dual-factor Authentication / Multi-factor Authentication – If more than one factor of
authentication is used, it is called multi-factor authentication. Dual means 2, hence 2 factors
will be used. Example – PIN + access ID card (something you know + something you have)
is an example of dual-factor authentication.

Authorization
Many people confuse authentication with authorization. It seems simple:
if I am authenticated, I am authorized to do anything. In fact, once the subject provides its credentials
and is properly identified, the system it is trying to access needs to determine whether this subject has
been given the necessary rights and privileges to carry out the requested actions. Consider your mail, where
you log in and provide your credentials. You will be able to compose a mail, delete a mail, and make
certain changes which you are authorized to make. Can you make changes to the messaging server?
No, since you are not authorized to do so. Hence successful authentication does not guarantee
authorization. Successful authentication only proves that your credentials exist in the system and
that you have successfully proved the identity you were claiming. However, to make any changes, you
need authorization.

Accountability
The fourth component of access control is accountability. Imagine a user who has been given
certain privileges to work. What happens when he/she decides to misuse those privileges? If
audit logs are available, then you will be able to investigate and hold the subject who has misused
those privileges accountable on the basis of those logs. The subject needs to be held accountable
for the actions taken within a system or domain. The only way to ensure accountability is if the
subject is uniquely identified and the subject’s actions are recorded. Auditing capabilities ensure
users are accountable for their actions, verify that the security policies are enforced, and can be
used as investigation tools.

If all four components of access control work, then access control management is complete.
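The four components can be seen working together in a short sketch. This is an added example, not part of the original assignment; the user `alice`, the PIN and card values, the role names and the functions `request` and `audit` are all constructed for illustration. It follows the mail scenario above: a user with valid PIN and card can compose mail but is refused a change to the server, and every decision is written to an audit log.

```python
import hashlib
import hmac
from datetime import datetime, timezone

SALT = b"constructed-demo-salt"  # constructed; a real system uses a random per-user salt

def hash_pin(pin: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), SALT, 100_000)

# Constructed sample data (assumption): one mail user with a PIN (something you
# know) and an access card serial (something you have).
USERS = {"alice": {"pin": hash_pin("4821"), "card": "CARD-0017", "role": "mail_user"}}
PERMISSIONS = {
    "mail_user": {"compose_mail", "delete_mail"},
    "mail_admin": {"compose_mail", "delete_mail", "configure_server"},
}
AUDIT_LOG = []  # accountability: every decision is recorded against a unique identity

def audit(user: str, action: str, outcome: str) -> str:
    AUDIT_LOG.append({"time": datetime.now(timezone.utc).isoformat(),
                      "user": user, "action": action, "outcome": outcome})
    return outcome

def request(username: str, pin: str, card: str, action: str) -> str:
    # 1. Identification: the username is only a claim of identity.
    record = USERS.get(username)
    if record is None:
        return audit(username, action, "unknown_identity")
    # 2. Authentication: both factors must match to prove the claim.
    pin_ok = hmac.compare_digest(hash_pin(pin), record["pin"])
    card_ok = hmac.compare_digest(card.encode(), record["card"].encode())
    if not (pin_ok and card_ok):
        return audit(username, action, "authentication_failed")
    # 3. Authorization: a proven identity still needs the right for this action.
    if action not in PERMISSIONS[record["role"]]:
        return audit(username, action, "authorization_denied")
    # 4. Accountability: allowed actions are logged too, not only refusals.
    return audit(username, action, "allowed")

if __name__ == "__main__":
    request("alice", "4821", "CARD-0017", "compose_mail")
    request("alice", "4821", "CARD-0017", "configure_server")
    for entry in AUDIT_LOG:
        print(entry)
```

The second call in the demo authenticates successfully and is still refused, which is the distinction between authentication and authorization drawn above.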
