Fundamentally, access refers to the ability of a subject and an object to interact. That interaction is the basis of everything we do, both in the information technology (IT) field and in life in general. Access can be defined in terms of social rules, physical barriers, or informational restrictions.

For example, consider a busy executive with an administrative assistant who serves as a gatekeeper, deciding who will be allowed to interact personally with the executive and who must leave a message with the administrative assistant. In this scenario, the visitor is the subject and the executive is the object. The administrative assistant is the access control system that decides who is authorized to access the executive.

Consider another scenario that is a bit closer to home. When you leave your house, you lock the doors. The locked door physically restricts access by anyone without a key to the assets stored inside your house—your TV, computer, and stereo system. When you come home, you unlock the door and replace the physical restriction of the locking mechanism with a human gatekeeper who decides whether or not to let someone enter the house.

What would happen if data were freely available? After all, open source software has certainly made a convincing case for open information. What if the data in question is your company's payroll file? If that file is unsecured, anyone could open the file and obtain sensitive information, including your Social Security number and annual salary. Think of the chaos that would ensue if a disgruntled employee decided you did not deserve the money you made, and reset your salary? Data is one of the most crucial assets in modern life, and it just makes sense to spend as much—if not more—time and energy securing data as you would locking your house at night.

What do executives, deadbolts, and payroll have to do with IT? They are physical counterparts to the technical access control systems that we use to protect digital and electronic resources—sensitive files, servers, and network resources. You might not have specific, documented rules for access when it comes to which visitors you allow into your home, but IT uses formalized systems to grant or restrict access to resources. Computers are not very good at making intuitive decisions, so you have to lay out specific rules for them to follow when deciding whether to grant or deny access.

Access control is the formalization of those rules for allowing or denying access. Access control defines exactly who can interact with what, and what the subject may do during that interaction. It is based on the granting of rights, or privileges, to a subject with respect to an object.

When discussing access control, a "right" is permission to perform a given action. In the preceding scenarios, the chief executive officer (CEO) of the company would have the right to interact directly with the executive, but the person who delivers the executive's mail would not. Your roommate or spouse would have the right to enter your house (as proven by ownership of a key to the door), while someone who lives down the street would not have permission to enter.

A well-defined access control system consists of three elements:

Organizations typically use procedures and tools together to enforce policies. For example, most companies have strict policies to determine who has access to personnel records. These records contain sensitive and confidential information that could be used to inflict serious harm on individual employees and the company as a whole if those records were compromised. The policy may state that only employees within the human resources department, with a specific need for the information contained within a given record, may have access to it.

To enforce this policy, the company has procedures that state that a record can only be given to employees with the proper credentials (the authentication process) who fill out a form stating their specific need for the information contained in the record they request. When the request is approved, the employees may be given a username and password to access the employee records intranet site (the authorization process). The intranet site, along with the username and password, are the tools required to grant access to personnel records.

The subject in an access control scenario is a person or another application requesting access to a resource such as the network, a file system, or a printer.

There are three types of subjects when it comes to access control for a specific resource:

The difference between an unknown person and an unauthorized one is timing. An unknown person is anonymous. They have not attempted to log in or access a restricted resource—yet. As soon as an unknown person attempts to access a restricted resource, they must fall into one of the other two categories: authorized or unauthorized.

Four broad categories of technologies can be subjects for the purposes of access control:

A technology subject does not have a username and password the way a human subject might, but it does have the same authorized, unauthorized, or unknown status.

There are three main categories of objects to be protected by access controls:

Information is the most common asset in terms of IT access controls. You put passwords on databases and applications to ensure that only authorized users can access them. Technology objects are just as important, because a malicious user can easily compromise the integrity of data by attacking the technology that stores and uses it. If an unauthorized user gains access to a file server, that user can easily steal, delete, or change the data stored on the file server.

Physical security is the process of ensuring that no one without the proper credentials can access physical resources, including hardware and physical locations. If all the servers require a password to log on, why bother restricting who can enter the server room? The answer is simple—if a malicious user's goal is to bring down a server, they don't need to log in. All they have to do is unplug it, steal it, or destroy it.

Most server and network systems have "backdoors" that are available to anyone with physical access to the machine. These backdoors allow system administrators to take control of a server that has been corrupted. A Cisco router, for example, gives anyone with the right communications device and the right codes full access to the router without the administrative password. Some locations, such as a server room, are controlled-access locations for the reasons just described. Others must have uncontrolled access in order to be useful.

The first step in any access control process is identification. The system must be able to apply labels to the two parts of the access equation: the subject and the object. In this case, a label is a purely logical description that is easy for the computer to understand. A human might easily recognize that "Beth" and "Elizabeth" are the same individual, but a computer cannot necessarily make that logical connection.

To make things simpler, you can assign a universal label to each subject and object. That label remains with that individual or resource throughout the life cycle of the privileged interaction with the object. The object also has a label to distinguish it from other resources. For example, a network might have six printers available, labeled "printer1," "printer2," and so on. A person's label might be a user ID, his or her e-mail address, employee ID, or some other unique identifier.

Figure 1-1. The access control process.

The key is that each label must be unique, because it also provides accountability. When combined with the authentication system (which correlates the identified subject with the resources they are allowed to use) and system logging facilities, unique labels correlate subjects with their actions. This becomes especially important when trying to track down the cause of a system failure. This correlation relies on the trust between the subject and the access control system. If you do not trust that a subject is who they say they are (and this trust is predicated on proof), the use of a uniquely identifying label is pointless.

Authentication takes identification one step further by requiring proof of identity. There are many ways to authenticate a subject. The most common ones are:

The key to both a password and a shared secret is secrecy. If the subject shares its password or shared secret information with someone else, the authentication system becomes less secure and the ability to correlate an action to a subject becomes less precise. Many companies regulate this problem with a policy that an employee is personally responsible for anything done under his or her credentials. If an employee shares his credentials with a friend, for example, he is personally responsible for anything the friend might do.

Most authentication systems only require a single-stage authentication, but those protecting highly sensitive assets might use multiple factors. The three most common factors are:

The last two factors are often used to provide or restrict physical access to secure buildings or rooms within buildings, although they can be used in access control systems protecting data as well. You will learn more about all three authentication factors later in the chapter.

Confidence in any authentication system can be measured by two components: the type of correlation and the number of authentication factors. A "retinal scan" (which is a biometric method) is inherently more secure than a simple password because it is much more difficult to copy or steal an eyeball than it is to guess or steal a password. Using more than one authentication factor increases the security of the system, because if one stage of the authentication system is compromised, the second can still restrict access to those who do not have the proper credentials. This is referred to as "two-factor authentication" and is covered in further detail in Chapter 10.

Once a subject has identified itself and the access control system verifies the subject's identity, the access control system must determine whether the subject is authorized to access the requested resources. Authorization is a set of rights defined for a subject and an object. They are based on the subject's identity. For example, a manager in the human resources department might be authorized to view personnel records but not authorized to edit the year-end financial report.

Authorization rules can be simple—anyone with a username and password on the system can access the information stored there. Authorization rules can also be complex, depending on the value of the resources being protected and the number of people needing access.

In a small organization with a high level of trust between the users and resources that are not sensitive, a simple authentication system is reasonable. An enterprise system with a mixture of highly sensitive data and open printers on the same network needs a more complex authorization system. In this case, you might design a system with multiple levels of authorization—a low-level employee might be given rights to the printers, while a manager would have rights to the printers and some areas of the file system. High-level executives might have all the rights of a manager, as well as rights to view sensitive information. How you define your authorization rules depends upon business needs and the sensitivity of the resources.

Logical access controls can be based on one or more criteria, including:

You should take each of these criteria into account when designing an authorization system.

In some cases it is not necessary to assign rights to individuals. This is especially true in large organizations. Rather than deciding and assigning rights to each individual within an enterprise, you cluster individuals into groups based on department, job title or role, or some other classification.

You can assign individuals to several groups. For example, every person within an enterprise may be a member of the Employees group, with read access to the company intranet and an account on the time card system. A manager might also be a member of the Managers group, and have write access to his or her department's page on the intranet as well as read access to each of his group's time card reports. Employees on the corporate retreat committee would have their normal levels of access as well as access to files related to the corporate retreat, regardless of their other job functions. A manager might not have access to those files, despite the fact that employees below him do.

Group access rights are a way of simplifying the management of the rules. When an employee changes roles within an organization, you merely have to change his or her group membership, rather than altering the employee's individual access rights. Similarly, when you create a new resource and want to grant access to a particular role, you can do that using the group mechanism and you don't need to list all of the individual employees.

So far you have focused primarily on subjects and access controls. Now you will examine how objects fit into access controls. Objects are defined by four factors:

The biggest difference between a subject and an object is passivity. A subject is active—it acts upon a passive object. An object must contain something of interest to the subject. This is usually information, but can be non-informational as well. Consider a printer. It is passive in that it is the target of a print request and does not generally initiate new contact with the subject after the print job is complete. It contains, or rather produces, something of value—a hard copy of digital information. Printers, however, do not usually have a high level of granularity. They receive a print request and process it. A server, however, can have many elements that must work together to supply the subject with the information they request.

You can define objects at many levels, depending on your business needs. Some examples of objects include:

Figure 1-2. An example of access rights in action.

In real-world applications, these levels may work together or separately to provide access rights to resources. A simple example is an application (in this case the application is the subject) that needs to work with data stored in the database (the object). It makes a request through an application programming interface (API), which handles the communication between the application and the database.

A more complex example is that of a user who needs to modify a data file stored on a file server across the network. In this case, the user (subject) logs into the operating system (object 1) and requests access to the file server across the network (object 2). The system layer on the file server (object 3) checks the user's credentials against its rules to determine if the user has no access, read-only, read/write, or administrative access to the particular data file requested.

A password is the most common authentication tool. Many people use passwords every day to check e-mail, log into online banking, and use the ATM. The biggest password challenge you will face is convincing users to use strong passwords. Users are concerned primarily with convenience. Ideally, you would prefer to have a simple, easy-to-remember password. However, simple passwords or ones based on your name or a dictionary word are also easy for malicious users to guess. An easily guessed password is almost as unsecure as no password at all.

To address this problem, you need to set password requirements on length and composition. For example, you could require that a password have at least eight characters, and that they must contain a combination of upper and lower case characters, as well as numeric or punctuation characters. This system ensures strong passwords, but you might have difficulty remembering them. Because users are primarily concerned with convenience, not with the security of the system, they often write down difficult passwords and post them in obvious locations. A malicious user with physical access to your work space can easily find the desired password.

Used alone, a physical token or device is generally used to provide physical security. Think of a smart card ID that you wave in front of a reader to gain access to specific floors of an office building. Tokens are also used in conjunction with passwords to provide logical access controls. Tokens can take a variety of forms such as the smart card or a time-variable token such as RSA's SecurID.

"Time-variable" tokens change users' passwords at regular intervals, usually every 30 to 60 seconds. Users have a physical device that tells them what their password is set to at the moment they need to log in. This two-stage authentication process ensures that passwords are not guessed or stolen—and if they are, damage is limited because the password is only valid for a brief period of time.

Possession of the physical device or token is the only way to retrieve the current password. Because the token could be lost or stolen, this type of authentication requires a two-stage login process. For example, a user activates the token to find her active password. She enters the password, along with her username and is granted access to a secondary login prompt. At this second prompt, she enters a conventional password that does not change. In this way, if the user's conventional password is guessed or stolen, a malicious user would not have the token and would not be able to access the secondary login prompt to enter the stolen password. If the token is lost or stolen, a malicious user is stopped at the secondary login prompt because he or she presumably does not also have the user's conventional password.

"Challenge-response tokens" are similar to time-variable tokens. An authentication system using this type of token will begin with a code (the "challenge"), which the user enters into the token device. The token provides another code (the "response"), which the user enters into the authentication system. Assuming that the response code is correct, the user will be granted access to the secondary login system where he or she enters a conventional username and password. The challenge and response codes are randomly generated to avoid the possibility of guesswork.

This is the most advanced, as well as the most time-tested of the three primary authentication factors. It relies upon either physical or behavioral characteristics. Humans have been using characteristics to authenticate each other for millennia. Consider an infant who recognizes its mother or other primary caregiver. The infant uses visual cues, scent, and the sound of the caregiver's voice to authenticate the caregiver's identity and determine whether to settle or scream.

Law enforcement agents also use this type of authentication when they observe an individual engaging in suspicious activity. A police officer may give only the most cursory glance to an individual walking openly down the street, but will investigate further (or call in reinforcements) if they see someone sneaking behind a building holding a gun. The police officer has used behavioral characteristics to decide whether the individual was a law-abiding citizen or a potential criminal.

Biometrics is the study of physical human characteristics. IT uses biometrics to accurately identify an individual. There are two primary types of biometric authentication systems: physical and behavioral. Physical biometrics read physical characteristics, such as fingerprints, retinal scans, hand geometry, and facial recognition. Physical biometrics are highly reliable because they measure characteristics that are unique to each individual. Even identical twins do not have the same fingerprints or retinal scans.

Behavioral characteristics may include tempo or speed of typing (or keystroke dynamics), writing rhythms, and voice recognition. Behavioral biometrics requires a significant "training period" for the system to "learn" a legitimate user's behavior patterns. They are also much more subject to error than physical characteristics.