Access control is a broad topic defined as the mechanisms that govern access to resources and the operations that may be performed on those resources. Resources may include physical resources, computer systems or information. The entities for which this access is managed may be users, software or other computer systems. Periodic review of access levels is no longer just best practice but has been incorporated in to current regulations, including Sarbanes-Oxley. It is considered to be part of the basic foundations to a solid IT security strategy.
Access control systems ordinarily include mechanisms that provide for identification, authentication, authorisation (and auditing).
Identification asserts a unique user or process identity and provides for accountability. It usually comes in the form of an assigned name which could be a User ID, PIN or Account number.
This is the process of verification that the identity presented to the access control system belongs to the party that has presented it. The three common factors in authentication are:
• Something you know
• Something you have
• Something you are
Examples of something you know are; a static password, PIN, passphrase or a pattern.
Examples of something you have are; Smart Cards, Dynamic passwords, Tokens or RFID device.
Something you are can be split between behavioural and physical biometrics. Examples of these are; Signature analysis, Voice Pattern Recognition, Keystroke Dynamics, Fingerprint verification technology, Hand geometry, facial recognitions and Iris or Retina Scan.
In two factor authentication we typically see the combination of something you know with something you have. This can be significantly improved upon by incorporating the third factor of something you are.
What a user can do once authenticated is most often controlled by a reference monitor. This is the service or program where access control information is stored and where access control decisions are made. Access control lists decide if access is to be granted and an authorisation matrix (or table) determines what the subject can do once access is granted.
An authorisation table is a matrix of objects (data, applications etc), subjects (users, applications etc) and their respective rights.
The most common way of managing and controlling authorisation is through a directory. The three main types are LDAP, X.500 and Microsoft Active Directory.
Identity management is the process for managing the entire lifecycle for digital identities (which include people, systems and services). The goal of identity management is to improve company-wide productivity and security, while lowering the costs associated with managing users, their identities, attributes and credentials.
Single Sign-On is the authentication mechanism that allows a single identity to be shared across multiple applications. It allows the user to authenticate once and gain access to multiple resources. With a well enforced policy for strong, complex passwords, this can strengthen security as there are no longer many easy to crack access points. However, this must be balanced against a now single entry point to multiple systems.
Kerberos has become a popular network identification protocol for third party authentication services. It is designed to strong authentication using secret key cryptography. It is an operational implementation of key distribution technology and affords a key distribution centre, authentication service and ticket granting service. Host applications all have to be Kerberos configured to be able to communicate with the user and ticket granting service.
Kerberos is based on a centralised architecture, thereby reducing administrative effort by managing all authentication from a single server.
Active Directory Federation Services (ADFS) is a software component developed by Microsoft that is now an integrated part of Windows Server. It provides users with single sign-on access to systems and applications located across organisational boundaries.
When a user requests access to a web application, that request is forwarded to an identity provider, or in this case the user’s ADFS server. Because the web app has a federation trust established with the identity provider, it’s able to verify the authentication response and authorise access to the web app.
When an organization uses ADFS to enable single sign-on to Office 365, ADFS is acting as an identity provider for the organization. Office 365 works with ADFS to authenticate users, and the user’s password information never leaves the corporate intranet. Using ADFS as an identity provider means that accounts don’t need to set up and managed in a partner’s system, greatly reducing administrative effort.
If you are using Federated Services it is clear that identity and access management within Active Directory is essential. Digital Pathways is able to assist with this by deploying technologies that seamlessly allows for permission analysis, give documentation and reporting, user provisioning, role and process optimisation and security monitoring.