The goal of access control is to ensure that access to information is restricted to people who have permission to access it. To implement access control, your company needs security policies in place and a clearly defined set of roles and responsibilities for those involved in security management.
A number of access control models are available to help you ensure that only authorized people can access information. These models help a company define its security policies and are based on two main principles:
- Implicit permissions: Certain users are implicitly blocked when no explicit permission or denial is configured for them. For example, the at.allow and at.deny files configured on UNIX allow or deny the service to the users named in those files.
- Minimum privilege: Users are assigned only the permissions they need to do their jobs.
The different access control models are:
- Bell-LaPadula model (BLM): This is a multi-level model developed by Bell and LaPadula. It was created specifically for government and military applications to implement access control. It is based on the principle of least privilege and prevents users from accessing information with a higher security classification than they are allowed. One problem with this model is that it cannot handle data integrity.
- Biba model: This model was created to address the shortcomings of the Bell-LaPadula model. It emphasizes data integrity and restricts both the writing and the reading of data. That is, users cannot corrupt data stored at a higher level, nor be corrupted by data from lower-level users. They can only create content at or below their own integrity level and can only view content at or above their own integrity level.
- Clark-Wilson model: This model focuses on information flow in all directions, not just upward or downward as the Bell-LaPadula and Biba models do. The Clark-Wilson model prevents an operation from occurring if it is illegal.
- “Non-interference” model: This model ensures that high-level security features do not interfere with lower-level security features. This prevents lower-level users from being affected by changes made at the highest level of a system.
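The read and write rules of the Bell-LaPadula and Biba models described above, written as two checks (an added example, not part of the original article). The `Level` names and function names are constructed for illustration, and the Bell-LaPadula write rule (no writing down) is that model's standard rule rather than something stated on this page. The example goes one step further and shows that enforcing both models with a single shared label leaves only same-level access.

```python
from enum import IntEnum
from itertools import product


class Level(IntEnum):
    """Constructed four-step ordering, used as a classification or integrity level."""
    PUBLIC = 0
    INTERNAL = 1
    SECRET = 2
    TOP_SECRET = 3


OPS = ("read", "write")


def blp_allows(subject, obj, op):
    """Bell-LaPadula: protects confidentiality."""
    if op == "read":
        return subject >= obj   # no reading above your own classification
    if op == "write":
        return subject <= obj   # standard rule (assumption, not on the page): no writing down
    return False                # unknown operation: implicit deny


def biba_allows(subject, obj, op):
    """Biba: protects integrity; the rules mirror Bell-LaPadula."""
    if op == "read":
        return subject <= obj   # view only at or above your own integrity level
    if op == "write":
        return subject >= obj   # create only at or below your own integrity level
    return False                # unknown operation: implicit deny


def allowed_set(*policies):
    """Every (subject, object, op) triple that all of the given policies permit."""
    return {
        (s, o, op)
        for s, o, op in product(Level, Level, OPS)
        if all(policy(s, o, op) for policy in policies)
    }


if __name__ == "__main__":
    # With one label serving as both classification and integrity level,
    # the two models together permit access only within the same level.
    for s, o, op in sorted(allowed_set(blp_allows, biba_allows)):
        print(f"{s.name:<10} may {op:<5} {o.name}")
```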
Authorization & Authentication
An effective control mechanism must also be implemented to protect the company’s resources. Authorized individuals including employees, suppliers, contractors, customers or visitors should receive appropriate permissions to access authorized network devices in accordance with company policies.
It is important to ascertain whether the people and systems that try to access the company’s resources are indeed the people or systems they claim to be. Authentication techniques are used to identify and authenticate people and systems. Authentication works in conjunction with identification. Once a person’s identity is established by the system, authorization lets the system determine whether the user is allowed to access the requested resource or not.
Authentication depends on three major factors: something you know, for example a personal identification number (PIN) or a password; something you have, for example a smart card; and something physically unique about you, for example your fingerprints or retinal patterns.
Sometimes multifactor authentication is used, in which two or more authentication methods are combined, for example a smart card together with a password. Some common authentication methods in use today are: username/password, Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), certificates, security tokens and Kerberos.