Nis Unit 5 Notes

Uploaded by 22416

UNIT 5

ACCESS CONTROL
User Identity and Access Management

Access control is the method by which systems determine whether and how to admit a
user into a trusted area of the organization—that is, information systems, restricted areas
such as computer rooms, and the entire physical location. Access control is achieved
through a combination of policies, programs, and technologies. To understand access
controls, you must first understand that they are focused on the permissions or privileges that
a subject (user or system) has on an object (resource), including if a subject may access
an object and how the subject may use that object.

● Access - The flow of information between subject and object.
● Subject - An active entity that requests access to an object or the data in an object.
● Object - A passive entity that contains information.
● Access control - The prevention of unauthorized use of a resource, i.e., this
service controls who can have access to a resource, under what conditions access
can occur, and what those accessing the resource are allowed to do.

Access controls can be non-discretionary or discretionary types.


Discretionary access controls (DACs) provide the ability to share resources in a
peer-to-peer configuration that allows users to control and possibly provide access to
information or resources at their disposal. The users can allow general, unrestricted
access, or they can allow specific people or groups of people to access these resources.
For example, a user might have a hard drive that contains information to be shared with
office coworkers. This user can elect to allow access to specific coworkers by providing
access by name in the share control function.

Non-discretionary access controls (NDACs) are managed by a central authority in the
organization. A form of non-discretionary access controls is called lattice-based access
control (LBAC), in which users are assigned a matrix of authorizations for particular
areas of access. The authorization may vary between levels, depending on the
classification of authorizations that users possess for each group of information or
resources. The lattice structure contains subjects and objects, and the boundaries
associated with each pair are demarcated. Lattice-based control specifies the level of
access each subject has to each object.

Role-based controls are associated with the duties a user performs in an organization,
such as a position or temporary assignment like project manager, while task-based
controls are tied to a particular chore or responsibility, such as a department’s printer
administrator. These controls make it easier to maintain the restrictions associated with a
particular role or task, especially if different people perform the role or task. Instead of
constantly assigning and revoking the privileges of employees who come and go, the
administrator simply assigns access rights to the role or task. Then, when users are
associated with that role or task, they automatically receive the corresponding access.
When their turns are over, they are removed from the role or task and access is revoked.
Roles tend to last for a longer term and be related to a position, whereas tasks are much
more granular and short-term. In some organizations the terms are used synonymously.

Mandatory access controls (MACs) are also a form of lattice-based, non-discretionary
access controls that use data classification schemes; they give users and data owners
limited control over access to information resources. In a data classification scheme, each
collection of information is rated, and all users are rated to specify the level of
information they may access. These ratings are often referred to as sensitivity levels, and
they indicate the level of confidentiality the information requires.
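As an added illustration (not from the original notes), the following Python toy reference monitor combines the three models just described: an owner shares a resource at their discretion (DAC), an administrator binds users to roles that can expire (role-based), and a sensitivity lattice is enforced as a mandatory check that overrides any discretionary grant (MAC); every decision is recorded so it can later be attributed to a subject. Object names, levels, rights and times are constructed sample values.

```python
import time

# Sensitivity lattice for mandatory access control (constructed sample levels).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


class AccessControl:
    """Toy reference monitor combining DAC, role-based and MAC decisions with an audit trail."""

    def __init__(self):
        self.owner = {}           # DAC: object -> owning subject
        self.acl = {}             # DAC: object -> {subject: set of rights}, filled in by the owner
        self.role_perms = {}      # RBAC: role -> set of (object, right)
        self.user_roles = {}      # RBAC: subject -> {role: expiry (epoch seconds) or None}
        self.clearance = {}       # MAC: subject -> sensitivity level
        self.classification = {}  # MAC: object -> sensitivity level
        self.audit = []           # accountability: every decision, attributed to a subject

    def dac_share(self, sharer, obj, grantee, rights):
        # Discretionary: only the owner decides who else may use the resource.
        if self.owner.get(obj) != sharer:
            raise PermissionError(f"{sharer} does not own {obj}")
        self.acl.setdefault(obj, {}).setdefault(grantee, set()).update(rights)

    def assign_role(self, subject, role, expires=None):
        # Non-discretionary: an administrator binds a subject to a role, optionally time-boxed.
        self.user_roles.setdefault(subject, {})[role] = expires

    def revoke_role(self, subject, role):
        # Leaving the role revokes every right that came with it.
        self.user_roles.get(subject, {}).pop(role, None)

    def check(self, subject, obj, right, now=None):
        now = time.time() if now is None else now
        subj_lvl = LEVELS[self.clearance.get(subject, "public")]
        obj_lvl = LEVELS[self.classification.get(obj, "public")]
        if subj_lvl < obj_lvl:
            # Mandatory: insufficient clearance denies regardless of any grant below.
            decision = False
        else:
            dac_ok = (self.owner.get(obj) == subject
                      or right in self.acl.get(obj, {}).get(subject, set()))
            rbac_ok = any((obj, right) in self.role_perms.get(role, set())
                          for role, exp in self.user_roles.get(subject, {}).items()
                          if exp is None or exp > now)
            decision = dac_ok or rbac_ok
        self.audit.append((now, subject, obj, right, decision))
        return decision
```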

Access Control Mechanisms

In general, all access control approaches rely on the following four mechanisms, which
represent the four fundamental functions of access control systems:
1. Identification: I am a user of the system.
2. Authentication: I can prove I’m a user of the system.
3. Authorization: Here’s what I can do with the system.
4. Accountability: You can verify my use of the system.

1. Identification: Identification is a mechanism whereby unverified entities, who seek
access to a resource, provide a label by which they are known to the system. This label is
called an identifier (ID), and it must be mapped to one and only one entity within the
security domain. Some organizations use composite identifiers by concatenating
elements—department codes, random numbers, or special characters—to make unique
identifiers within the security domain. Other organizations generate random IDs to
protect resources from potential attackers. Most organizations use a single piece of
unique information, such as a complete name or the user’s first initial and surname.

2. Authentication: Authentication is the process of validating a user’s purported identity.
There are three widely used authentication mechanisms, or authentication factors:
● Something you know
● Something you have
● Something you are

Knowledge factor (Something you know): This factor of authentication relies on what
the user knows and can recall—for example, a password, passphrase, or other unique
authentication code, such as a personal identification number (PIN).
Possession factor (Something you have): This authentication factor relies on something a
user has and can produce when necessary. One example is dumb cards, such as ID cards
or ATM cards with magnetic stripes that contain the digital (and often encrypted) user
PIN, which is compared against the number the user enters. Another common device is
the token—a card or key fob with a computer chip and a liquid crystal display that shows
a computer-generated number used to support remote login authentication.
Inherence factor (Something you are): This authentication factor relies on individual
characteristics, such as fingerprints, palm prints, hand topography, hand geometry, or
retina and iris scans, or something a user can produce on demand. Some of these
characteristics are known collectively as biometrics.
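Added example (not part of the notes) of two-factor verification in Python: the knowledge factor is a salted PBKDF2 password hash compared in constant time, and the possession factor is the RFC 4226 HOTP counter-based code that a hardware token displays, accepted once only and within a small look-ahead window. User names and the token secret are constructed sample values (the secret is the RFC 4226 test key, so the codes can be checked against that RFC).

```python
import hashlib
import hmac
import os
import struct


def hash_password(password, salt=None, rounds=200_000):
    # Knowledge factor: store a salted, deliberately slow hash, never the password itself.
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def hotp(secret, counter, digits=6):
    # Possession factor: RFC 4226 HOTP, the counter-based code a hardware token displays.
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                    # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


class Authenticator:
    """Requires both a remembered password and a one-time code from an enrolled token."""

    def __init__(self):
        self.users = {}  # user id -> {"salt", "hash", "secret", "counter"}

    def enroll(self, user_id, password, token_secret):
        salt, digest = hash_password(password)
        self.users[user_id] = {"salt": salt, "hash": digest,
                               "secret": token_secret, "counter": 0}

    def verify(self, user_id, password, otp, window=3):
        rec = self.users.get(user_id)
        if rec is None:
            return False
        # Factor 1: recompute the hash and compare in constant time.
        _, digest = hash_password(password, rec["salt"])
        know_ok = hmac.compare_digest(digest, rec["hash"])
        # Factor 2: accept one of the next `window` counter values to tolerate a token
        # that was pressed without logging in; a code is never accepted twice.
        matched = next((c for c in range(rec["counter"], rec["counter"] + window)
                        if hmac.compare_digest(hotp(rec["secret"], c), otp)), None)
        if not (know_ok and matched is not None):
            return False  # both factors are evaluated before any answer is given
        rec["counter"] = matched + 1  # move past the consumed code
        return True
```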

3. Authorization: Authorization is the matching of an authenticated entity to a list of
information assets and corresponding access levels.

4. Accountability: Accountability, also known as auditability, ensures that all actions on
a system—authorized or unauthorized—can be attributed to an authenticated identity.
Accountability is most often accomplished by means of system logs, database journals,
and the auditing of these records.

Account Authorization

A designated system administrator is responsible for creating and maintaining the
authorization database based on the security policy of the organization and the roles and
responsibilities of individual employees. The process of account authorization should
include the following:
● Assigning unique identifiers such as user id.
● Access rights granted to user id to access information system and services.
● Obtaining authorization may include separate approval of access rights when
assigning special privileges.
● Assigning individual access privileges for resources based on information security
level and classification of information.
● Specifying network and network services to be accessed like files and databases.
● Expiration of privileges.

Access and Privilege Management


With privileged access, privileged users gain access to privileged accounts, credentials,
systems, servers, databases, and more to carry out vital tasks, including managing and
modifying these accounts and resources. Privileged access management is the process of
governing and managing this access. Privileged access management involves continuous
monitoring of privileged users to ensure they do not misuse their access rights. This
requires regularly reviewing assigned privileges and revoking excess rights whenever a
user's role in the organization changes.

System and Network Access Control

Network access control (NAC) is an umbrella term for managing access to a network.
NAC authenticates users logging into the network and determines what data they can
access and actions they can perform. NAC also examines the health of the user’s
computer or mobile device (the endpoints).

Elements of a Network Access Control System


NAC systems deal with three categories of components:
1. Access requestor (AR): The AR is the node that is attempting to access the
network and may be any device that is managed by the NAC system, including
workstations, servers, printers, cameras, and other IP-enabled devices. ARs are
also referred to as supplicants, or simply, clients.
2. Policy server: Based on the AR’s posture and an enterprise’s defined policy, the
policy server determines what access should be granted. The policy server often
relies on backend systems, including antivirus, patch management, or a user
directory, to help determine the host’s condition.
3. Network access server (NAS): The NAS functions as an access control point for
users in remote locations connecting to an enterprise’s internal network. Also
called a media gateway, a remote access server (RAS), or a policy server, an NAS
may include its own authentication services or rely on a separate authentication
service from the policy server.
The figure above is a generic network access diagram. A variety of ARs seek access
to a network by applying to some type of NAS. The first step is to authenticate the AR.
Authentication may be performed by the NAS, or the NAS may mediate the authentication
process. In the latter case, authentication takes place between the supplicant and an
authentication server that is part of the policy server or that is accessed by the policy
server. Authentication verifies a supplicant’s claimed identity, which enables the policy
server to determine what access privileges, if any, the AR may have. The authentication
exchange may also result in the establishment of session keys to enable future secure
communications between the supplicant and resources on the enterprise network.
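Added example, not from the notes, modelling the three NAC components in Python: the AR answers a challenge with an HMAC over a shared secret, the NAS mediates by forwarding that proof to the policy server, and the policy server checks identity against a user directory and host condition against antivirus and patch-management backends before granting a network level and deriving a session key for the supplicant. All secrets, user and host names, network levels and backend data are constructed.

```python
import hashlib
import hmac
import os


class AccessRequestor:
    """AR / supplicant: the device asking for network access."""
    def __init__(self, user, host, secret):
        self.user, self.host, self.secret = user, host, secret
        self.session_key = None

    def respond(self, nonce):
        # Prove knowledge of the shared secret without sending it, and derive the
        # session key the policy server will derive if it grants access.
        self.session_key = hmac.new(self.secret, b"session" + nonce, hashlib.sha256).digest()
        return hmac.new(self.secret, nonce, hashlib.sha256).digest()


class PolicyServer:
    """Verifies identity and decides access from posture reported by backend systems."""
    def __init__(self, directory, antivirus, patching):
        self.directory = directory  # user directory backend: id -> {"secret": bytes, "roles": set}
        self.antivirus = antivirus  # antivirus backend: host -> True when signatures are current
        self.patching = patching    # patch management backend: host -> missing critical patches
        self.log = []

    def evaluate(self, user, proof, nonce, host):
        rec = self.directory.get(user)
        expected = hmac.new(rec["secret"], nonce, hashlib.sha256).digest() if rec else b""
        if rec is None or not hmac.compare_digest(expected, proof):
            decision = ("deny", None)
        elif not self.antivirus.get(host, False) or self.patching.get(host, 1) > 0:
            decision = ("quarantine", None)  # remediation network only, no session key
        else:
            level = "management" if "admin" in rec["roles"] else "corporate"
            key = hmac.new(rec["secret"], b"session" + nonce, hashlib.sha256).digest()
            decision = (level, key)
        self.log.append((user, host, decision[0]))
        return decision


class NetworkAccessServer:
    """NAS: the access control point that mediates between the AR and the policy server."""
    def __init__(self, policy_server):
        self.policy_server = policy_server

    def connect(self, ar):
        nonce = os.urandom(16)  # fresh challenge per connection attempt
        proof = ar.respond(nonce)
        return self.policy_server.evaluate(ar.user, proof, nonce, ar.host)
```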
