xlii Access Control
Access Control
According to the Information Systems Security Organization (ISSA) [23],
“access control is the collection of mechanisms for limiting, controlling,
and monitoring system access to certain items of information, or to certain
features based on a user’s identity and their membership in various pre-
defined groups.” In this section, we will explore the major building blocks
that comprise the field of Access Control as it applies to organizational enti-
ties and to the information systems these entities are trying to protect from
compromising situations.
Purpose of Access Control
You may be asking yourself, “What are some reasons why we should have
access control?” Access control is necessary for several good reasons. Infor-
mation proprietary to a business may need to be kept confidential, so the
confidentiality issue that provides a purpose for having access controls.
The information that an organization keeps confidential also needs to be
protected from tampering or misuse. The organization must ensure the
integrity of this data for it to be useful. Having internal data integrity also
provides a purpose for having access controls. When employees of the orga-
nization show up for work, it is important that they have access to the data
they need to perform their jobs. The data must be available to the employ-
ees for work to continue, or the organization becomes crippled and loses
money. It is essential that data availability be maintained. Access controls
provide yet another purpose in maintaining a reasonable level of assurance
the data is available and usable to the organization. Therefore, the answer to
the question above is that there are three very good reasons for having access
controls: confidentiality, data integrity, and data availability.
Access Control Entities
In any discussion of access control, there are some common elements that
need to be understood by all parties. These elements comprise a common
body of terminology to ensure that everyone working on security access
issues is talking about the same thing. For our purposes, there are four pri-
mary elements we will discuss: (1) the Subject, an active user or process that
requests access to a resource; (2) the Object, a resource that contains infor-
mation (can be interchanged with the word Resource); (3) the Domain, a set
of objects the Subject can access; and (4) Groups, collections of Subjects
and Objects that are categorized into groups based on their shared charac-
Access Control xliii
Introduction
teristics (e.g., membership in a company department, sharing a common
job title, and so on).
Fundamental Concepts of Access Control
There are three concepts basic to implementation of access control in any
organization. These concepts are establishment of a security policy,
accountability, and assurance. We discuss each of these concepts below.
Establishment of a Security Policy
Security policy for an organization consists of the development and mainte-
nance of a set of directives that publicly state the overall goals of an organi-
zation and recommend prescribed actions for various situations that an
organization’s information systems and personnel may encounter. Policy is
fundamental to enabling a continuity of operations. When something hap-
pens and the one person who knows the answer is on vacation, what is to be
done? When policies are in place, administrators know what to do.
Accountability
For any information systems that process sensitive data or maintain privacy
information, the organization must ensure that procedures are in place to
maintain individual accountability for user actions on that system and also
for the users’ use of that sensitive data. There have been cases in industry
where individuals who were employees of an organization committed crim-
inal acts, such as theft of credit card data, theft of personal information for
resale to mailing lists, theft of software or data for resale on eBay, and so
forth. The people who committed these criminal acts compromised the
integrity of the information system. Such criminal actions cause huge prob-
lems for organizations, ranging from embarrassment to legal action. When
these criminals have been caught, it has been because there were procedures
in place to ensure the accountability of their actions on the data. These pro-
cedures could be in the form of log files, audit trails for actions taken within
an application, or even keystroke monitoring in some instances.
Assurance
As discussed previously, information systems must be able to guarantee cor-
rect and accurate interpretation of security policy. For example, if sensitive
data exists on a user’s machine, and that machine has been reviewed,
inspected, and cleared for processing data of that particular level of sensitiv-
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.