Access control is a broad topic defined as ‘the mechanisms that govern access to resources and the operations that may be performed on those resources.’ Resources may include physical resources, computer systems or information. The entities for which this access is managed may be users, software or other computer systems. Periodic review of access levels is no longer just best practice but has been incorporated into current regulations, including Sarbanes-Oxley. It is considered to be part of the basic foundations to a solid IT security strategy.
Access control systems ordinarily include mechanisms that provide for the identification, authentication, authorisation (and auditing).
Identification
Identification asserts a unique user or process identity and provides for accountability. It usually comes in the form of an assigned name which could be a User ID, PIN or Account number.
Authentication
This is the process of verification that the identity presented to the access control system belongs to the party that has presented it.
The three common factors in authentication are:
- Something you know
- Something you have
- Something you are
Examples of something you know are:
- A static password
- PIN
- passphrase or a pattern
Examples of something you have are:
- Smart Cards
- Dynamic passwords
- Tokens or RFID device
Something you are can be split between behavioural and physical biometrics.
Examples of these are:
- Signature analysis
- Voice Pattern Recognition
- Keystroke Dynamics
- Fingerprint verification technology
- Hand geometry
- facial recognition
- Iris or Retina Scan
In two factor authentication, we typically see the combination of something you know with something you have. This can be significantly improved upon by incorporating the third factor of something you are.
Authorisation
What a user can do once authenticated is most often controlled by a reference monitor. This is the service or program where access control information is stored and where access control decisions are made. Access control lists decide if access is to be granted and an authorisation matrix (or table) determines what the subject can do once access is granted.
An authorisation table is a matrix of objects (data, applications etc), subjects (users, applications etc) and their respective rights.
The most common way of managing and controlling authorisation is through a directory. The three main types are LDAP, X.500 and Microsoft Active Directory.
Identity management is the process for managing the entire lifecycle for digital identities (which include people, systems and services). The goal of identity management is to improve company-wide productivity and security while lowering the costs associated with managing users, their identities, attributes and credentials.
Single Sign-On is the authentication mechanism that allows a single identity to be shared across multiple applications. It allows the user to authenticate once and gain access to multiple resources. With a well-enforced policy for strong, complex passwords, this can strengthen security as there are no longer many easy to crack access points. However, this must be balanced against a now single entry point to multiple systems.
Kerberos has become a popular network identification protocol for third-party authentication services. It is designed for strong authentication using secret key cryptography. It is an operational implementation of key distribution technology and affords a key distribution centre, authentication service and ticket-granting service. Host applications all have to be Kerberos configured to be able to communicate with the user and ticket granting service.
Kerberos is based on a centralised architecture, thereby reducing administrative effort by managing all authentication from a single server.
Active Directory Federation Services (ADFS) is a software component developed by Microsoft that is now an integrated part of Windows Server. It provides users with single sign-on access to systems and applications located across organisational boundaries.
When a user requests access to a web application, that request is forwarded to an identity provider, or in this case the user’s ADFS server. Because the web app has a federation trust established with the identity provider, it’s able to verify the authentication response and authorise access to the web app.
When an organisation uses ADFS to enable single sign-on to Office 365, ADFS is acting as an identity provider for the organisation. Office 365 works with ADFS to authenticate users, and the user’s password information never leaves the corporate intranet. Using ADFS as an identity provider means that accounts don’t need to be set up and managed in a partner’s system, greatly reducing administrative effort.
If you are using Federated Services it is clear that identity and access management within Active Directory is essential. Digital Pathways is able to assist with this by deploying technologies that seamlessly allows for permission analysis, give documentation and reporting, user provisioning, role and process optimisation and security monitoring.
