
Authentication and Authorization

Authentication is the first step in granting a user access to resources. It is the process of identifying a user and verifying whether he/she is authorized to enter the organizational network and access its resources. This is very similar to a photo identification card check at the main entrance of a building. A user name and password are the most commonly used method of authenticating a user. A user name and password provide relatively weak security, as they can be stolen or guessed. Because of increasing threats to security, other methods have been introduced to complement the user name and password. Depending on the nature of the business, one can consider implementing the appropriate authentication and authorization technique.

Authentication and authorization technologies involve:

• Proving who you are (identity card, smartcard)

• Verifying who you are (password, finger prints, etc.)

Authentication and Access Control Layers

Access control limits who can access which resources and what he or she can do with them. The user needs to be identified before he or she can be given access to the organizational information. Access must first be granted by administrative policies, then by technical controls, and finally by physical access. There are various authentication techniques that organizations can implement; they are broadly classified under three layers – administrative, technical, and physical – as shown in Figure 4-1.

Figure 4-1. Access control layers

Administrative Access Controls (Layer)

These controls are administrative in nature and are required to prevent the risk of improper or inappropriate access, or to detect such access when it occurs. They are ensured through policies and processes, appropriate description of roles and responsibilities, and proper segregation of duties.

Access Control Policy

Each organization has to clearly specify its philosophy of access control, which becomes the basis for all access control activities. The policy provides absolute clarity as to the access control models the organization believes in, such as “discretionary,” “mandatory,” “non-discretionary,” or “hybrid.” One of the attributes of such a policy is clarity as to whether authorization provided can be further delegated or not. The policy may specify the ground rules for classification of information, which becomes the base for the access control. Even though the content and depth of the access control policy may differ from one organization to another, broadly speaking, all access control policies set the tone of the organization's intent and approach to access controls.

Personnel related – jobs, responsibilities, and authorities

Ideally, each job in the organization requires access to information for different purposes. Certain information need only be “read” by people, so that they are aware of it and/or can act on it. Others may need not only to “read” the information but also to “update” or “modify” it. Others may need to create new information, that is, to “write” it to organizational repositories. Some may require all of these permissions. Again, “individual” or “group” access can be defined based on jobs and responsibilities. Authorities may rely on certain persons to further delegate their access, or may clearly specify the contours of further delegation of access. Data owners are the ones who ideally decide who can access the data, what they can access, and when, depending upon business requirements and the jobs, responsibilities, and authorities they enable.

Segregation of duties

One of the important organizational requirements is to avoid fraud, whether fraud with a financial connotation or fraud arising from violation of organizational policies. For example, the purchase value of an item increased by $1,000 may be a fraud from the perspective of financial implication, whereas the recruitment of a person by changing his qualification and experience or by editing a background verification report may be a violation of organizational policy. Hence, it is necessary to have appropriate segregation of duties where policies have to be enforced and financial integrity has to be ensured: these responsibilities should lie with different individuals. Segregation of duties is traditionally one of the controls deployed by organizations and is important to consider even while access authorization is being provided.
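The three policy questions raised in the preceding sections (which access control model applies and whether grants may be delegated; read/update/write permissions held individually or through groups and decided by a data owner; and segregation of duties) can be made concrete in a small access-control engine. The code below is an added example, not from the book; the policy, users, groups, resource and role names are constructed sample data.

```python
"""Added example (not from the book): a toy access-control engine covering
read/update/write permissions, individual and group grants, data owners,
delegation that is allowed only where the policy permits it, and a
segregation-of-duties check applied when roles are assigned."""
from dataclasses import dataclass, field

READ, UPDATE, WRITE = "read", "update", "write"


@dataclass
class Policy:
    delegation_allowed: bool            # may a grantee pass on what they hold?
    # role pairs no single person may hold at once (segregation of duties)
    conflicting_roles: set = field(default_factory=set)


@dataclass
class Resource:
    name: str
    owner: str                          # the data owner decides who/what/when
    grants: dict = field(default_factory=dict)  # principal -> set of permissions


class AccessControl:
    def __init__(self, policy: Policy):
        self.policy = policy
        self.groups = {}      # group name -> set of users
        self.roles = {}       # user -> set of roles held
        self.resources = {}   # resource name -> Resource

    def add_resource(self, name: str, owner: str) -> None:
        self.resources[name] = Resource(name, owner)

    def add_to_group(self, group: str, user: str) -> None:
        self.groups.setdefault(group, set()).add(user)

    def principals_of(self, user: str) -> set:
        # a user acts as themselves plus every group they belong to
        return {user} | {g for g, members in self.groups.items() if user in members}

    def _perms(self, user: str, res: Resource) -> set:
        held = set()
        for principal in self.principals_of(user):
            held |= res.grants.get(principal, set())
        return held

    def grant(self, granter: str, resource: str, principal: str, perms: set) -> None:
        res = self.resources[resource]
        if granter == res.owner:
            pass                                   # the data owner may grant anything
        elif self.policy.delegation_allowed and perms <= self._perms(granter, res):
            pass                                   # delegation of what the granter already holds
        else:
            raise PermissionError(f"{granter} may not grant {sorted(perms)} on {resource}")
        res.grants.setdefault(principal, set()).update(perms)

    def check(self, user: str, resource: str, perm: str) -> bool:
        return perm in self._perms(user, self.resources[resource])

    def assign_role(self, user: str, role: str) -> None:
        held = self.roles.setdefault(user, set())
        for other in held:
            if frozenset({role, other}) in self.policy.conflicting_roles:
                raise ValueError(f"SoD violation: {user} would hold both {other} and {role}")
        held.add(role)


if __name__ == "__main__":
    # constructed sample data: raising and approving a purchase order must be separated
    ac = AccessControl(Policy(delegation_allowed=False,
                              conflicting_roles={frozenset({"raise_po", "approve_po"})}))
    ac.add_resource("ledger", owner="alice")
    ac.add_to_group("finance", "bob")
    ac.grant("alice", "ledger", "finance", {READ})   # group grant
    ac.grant("alice", "ledger", "bob", {UPDATE})     # individual grant
    print("bob can read:", ac.check("bob", "ledger", READ))
    print("bob can write:", ac.check("bob", "ledger", WRITE))
    ac.assign_role("dave", "raise_po")
    try:
        ac.assign_role("dave", "approve_po")
    except ValueError as e:
        print(e)
```

The `grant` method encodes the policy decision about delegation: with `delegation_allowed=False` only the data owner can grant, and even when it is allowed a grantee can pass on no more than they hold themselves. The `assign_role` check is where a toxic combination of duties is refused before any access is actually given.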

Supporting policies and procedure

The organization also needs to ensure complementary controls through other supporting policies like the following:

a) Hiring Policies, b) Disciplinary Policies, c) Employee Termination Policy, and d) User registration for computer access. These policies provide clear direction to the organizational personnel. For example, organizational hiring policies may clearly specify whom not to recruit, like those with criminal backgrounds and so on. Hiring policies may also specify the need for background clearance, such as address, criminal records, education, and earlier employment verification. Disciplinary policies may clearly specify which behaviors or acts of employees are not acceptable in the organization and what the possible consequences of such violations are. Similarly, an employee termination policy may specify when and for what reasons an employee's services may be terminated. The policy on user registration for computer access may clearly specify the reason for accessing the information, so that the access is provided only upon verification of that intent. Each such policy supports the organization in setting the discipline required for providing access to and use of information.

Control Over Information Access to Trade Restricted Persons

If you consider U.S. export laws, a few of the employees or contractors of these organizations may be from trade restricted countries or working in trade restricted countries. Some of the high-end technology and related technical documentation/information may not be shared with such personnel unless a specific license to share such information is obtained from the competent authorities. Proper administrative controls need to be put in place to identify, determine, and control access to such persons to ensure compliance and confidentiality.

Technical (Logical) Controls

Technical controls are usually implemented through technological products, tools, or utilities. They help the organization to prevent, detect, or contain inappropriate and improper access. Examples are passwords, smart cards, encryption, network access controls, and system access controls.


Traditionally, passwords were the only form of access control. However, passwords are easily guessed or cracked, either because of the ignorance of users or because of inappropriate implementation on networks, operating systems, or applications. Strong passwords are an absolute requirement in today's technologically advanced world, where a weak password can be cracked in a matter of seconds. Passwords can be “static,” “dynamic,” or a combination of both.

A static password is one which is the same for each login. A dynamic password is one which is generated newly each time a user has to enter a password (normally generated using a soft token, a hard token, or by using SMS based interfaces). Some systems use a combination of both.


Smart cards normally complement password controls. They provide an additional layer of security that must be passed to gain access. They may be implemented through various technologies like HID, RFID, or chip-based smart cards.


Data encryption protects information from loss of confidentiality and integrity because a key is required to decipher the encrypted information, and this key is available only to the intended recipient. Encryption provides sufficient security to information, whether stored or transmitted, unless the encryption algorithm is weak, the encryption key is weak, or the encryption key is not well protected. Encryption, if well implemented, can restrict access to only the authorized personnel.

Network Access

A network has many components like routers, switches, and cables. Network components are required to be hardened, and default passwords on them have to be changed. Strong authentication and handshake mechanisms have to be implemented in network equipment like firewalls and intrusion detection/prevention systems, so that only authorized users are allowed to establish connections and attempts by unauthorized users to penetrate are detected or declined. Network components have to ensure that they establish connections only to the authentic or valid systems for which the connection is intended. Access to ports has to be provided appropriately, and all unwanted/unused ports have to be closed.

System Access

There are various levels of access possible to operating systems as well as to applications. These need to be set up appropriately on a need-to-know and a need-to-do basis. Giving administrative privilege to all users for operating systems can lead to serious infections or violations. Similarly, giving unlimited access to applications should be avoided or it will lead to serious integrity issues.

Physical Access Controls

Physical access controls are again one of the important layers of either preventive or detective controls which supplement or complement other forms of control in mitigating the risk of inappropriate or improper access and modifications to the information.

Network Segregation

For ease of understanding, let us assume that you are an IT service provider organization and you work for two competing banks. It is necessary that the information pertaining to one bank is not accidentally or intentionally accessed by the personnel who work for the other bank. Physical segregation of the two networks can help ensure high confidence to the customers.

Perimeter Security

Clearly identifying the organizational boundaries and ensuring that the perimeter is secured restricts improper and inappropriate access to organizational resources. Some of the important controls in use are electric fences, microwave barriers, CCTV cameras, and sensor-based intrusion detection systems.

Security Guards

Security guards are the traditional sources of preventive and detective physical controls. Even today, security guards provide the assurance of physical access controls by ensuring that entry and exit controls are appropriately provided for and monitored. They are used for activities such as checking identification cards/badges; ensuring that nobody tailgates employees; ensuring that those without official badges are allowed access only after their identity has been duly verified and that visitors are allowed access only after due verification and, where required, only with an escort; and monitoring the movement of employees and visitors in secure areas. They can also ensure that unlocked and unattended information assets like laptops are secured and protected. Other areas where they are used are monitoring fire control panels and water leakages. However, for effective protection through security guards, proper background verification of the security guards themselves needs to be ensured.

Badge Systems

Badges/identification cards are the traditional mechanisms used to control access and are still the popular means of providing access. Special/secure areas may require special types of badges or other complementary authentication mechanisms like smart cards, passwords, or biometric controls.

Biometric Access Controls

Biometric access controls use physiological features of the human body to grant access to a person. The features used differ from person to person and include fingerprint scans, iris scans, retina scans, palm scans, facial scans, and voice. Some of these, like fingerprints and iris scans, are widely used.
