Access Control Services

Access control systems provide three essential services:

- Authentication

- Authorization

- Accountability

We devote a subsection to each of these services.

Authentication

Authentication (who can log in) is actually a two-step process consisting of identification and authentication (I&A). Identification is the means by which a user (subject) presents a specific identity (such as a username) to a system (object). Authentication is the process of verifying that identity. For example, a username/password combination is one common technique (albeit a weak one) that demonstrates the concepts of identification (username) and authentication (password).

Authentication determines whether a subject can log in.

Authorization

Authorization (also referred to as establishment) defines the rights and permissions granted to a user account or process (what you can do). After a system authenticates a user, authorization determines what that user can do with a system or resource.

Authorization (or establishment) determines what a subject can do (as defined by assigned rights and permissions).

Accountability

Accountability is the capability to associate users and processes with their actions (what they did). Audit trails and system logs are components of accountability.

An important security concept that’s closely related to accountability is non-repudiation. Non-repudiation means that a user (username Madame X) can’t deny an action because her identity is positively associated with her actions. Non-repudiation is an important legal concept. If a system permits users to log in using a generic user account, or a user account that has a widely known password, or no user account at all, then you can’t absolutely associate any user with a given (malicious) action or (unauthorized) access on that system, which makes it extremely difficult to prosecute or otherwise discipline that user.

Accountability determines what a subject did.

Non-repudiation means that a user can’t deny an action because you can irrefutably associate him or her with that action.
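The three services above, and the non-repudiation gap a shared account opens, as an added example that is not from the book: a small Python access-control layer with constructed accounts (a personal account for Madame X and a generic guest account) and a salt value chosen for illustration; `authenticate` performs I&A, `authorize` checks assigned rights, `perform` writes the audit trail, and `attributable` shows why an entry logged under the shared account cannot be pinned on one person.

```python
import hashlib
import hmac

# Constructed sample data: salted password hashes (never plaintext) and the
# rights granted to each account. The salt is a placeholder for illustration.
SALT = b"constructed-salt"


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


ACCOUNTS = {
    "madame_x": {"hash": _hash("correct horse", SALT), "rights": {"read", "write"}},
    # A generic account with a widely known password: anyone can log in as it.
    "guest": {"hash": _hash("guest", SALT), "rights": {"read"}, "shared": True},
}

AUDIT_LOG: list[dict] = []  # the accountability record


def authenticate(username: str, password: str):
    """Identification (username) plus authentication (password); returns the verified subject or None."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        _hash(password, SALT)  # same cost for unknown users, so timing does not reveal valid usernames
        return None
    if not hmac.compare_digest(acct["hash"], _hash(password, SALT)):
        return None
    return username


def authorize(subject: str, action: str) -> bool:
    """Authorization: is this action among the rights assigned to the authenticated subject?"""
    return action in ACCOUNTS[subject]["rights"]


def perform(subject: str, action: str, resource: str) -> bool:
    """Apply the authorization decision and record it, allowed or not, against the subject."""
    allowed = authorize(subject, action)
    AUDIT_LOG.append({"subject": subject, "action": action, "resource": resource, "allowed": allowed})
    return allowed


def attributable(entry: dict) -> bool:
    """Non-repudiation check: an entry made under a shared or generic account cannot be tied to one person."""
    return not ACCOUNTS[entry["subject"]].get("shared", False)
```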
