Saturday, April 25, 2015

Importance of Access Control

Have you ever wondered why a colleague sees a different view of the same internal office website, with extra menus and tabs that you don’t have access to? Wouldn’t it be nicer to have access to every menu, tab and button on the site? It might be, but remember that greater power comes with greater responsibility. In information security, access control is the selective restriction of access to resources; login credentials are one mechanism of access control. Information security is the primary reason for having an access control system, although it can also be used to monitor users’ access to the system. Access control is maintained by means of a collection of policies, programs that carry out those policies, and technologies that enforce them. It enables organizations to restrict access to information and assets.

Authentication is used to identify a user and the host they are using. Whereas the first goal of user authentication is to verify that the user, whether a person or a system attempting to interact with the system, is allowed to do so, there is a second goal: to gather information about the way the user is accessing your system. For example, some companies that are strict about network security do not allow VPN connections if the staff member is using the internet from an unsecured network, such as free Wi-Fi in a coffee shop. Authorization is the act of determining the level of access that an authorized user has to behaviour and data. For example, an HR manager has more access to view and update employee information than the rest of the HR staff.

Access control based on user roles is designed to prevent unauthorized access to data. In many business organizations, user accounts are scattered across various applications, each of which may offer a few levels of privilege, but these are unlikely to reflect the complex combinations of privileges found in the hierarchy of employee roles. Without well-defined account privileges, the network is open on both sides, to attacks from external hackers and to internal data breaches. There are different types of access control. In Mandatory Access Control (MAC) the system, not the users, specifies which subjects can access specific data objects, which makes it better suited to places such as military institutions. Discretionary Access Control (DAC) is another type, in which a user has complete control over all the programs it owns and executes, and also determines the permissions other users have on those files and programs. As it allows admins to control access for users based on their job requirements, DAC can be beneficial to businesses and corporations.
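As an added illustration (not code from the original post), here is a small Python model of the three approaches described in the last two paragraphs: role-based permissions for the HR manager versus HR staff example, system-assigned labels for MAC, and an owner-managed access-control list for DAC. All user names, roles, permission strings, labels and file names are constructed for the example.

```python
"""Toy models of the three access-control styles discussed above.

Added illustration, not code from the original post. Every user name,
role, permission string, label and file name below is constructed.
"""
from dataclasses import dataclass, field
from enum import IntEnum

# ---------------- Role-based access control (RBAC) ----------------
# Permissions hang off roles and users are assigned roles, so "what may an
# HR manager do?" is answered once, in the role, not per account.
ROLE_PERMISSIONS = {
    "hr_staff": {"employee:view"},
    "hr_manager": {"employee:view", "employee:update"},
}
USER_ROLES = {
    "alice": {"hr_manager"},
    "bob": {"hr_staff"},
    "carol": set(),          # has an account but no role yet
}


def rbac_allowed(user: str, permission: str) -> bool:
    """Deny by default: unknown users and role-less users get nothing."""
    roles = USER_ROLES.get(user, set())
    return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in roles)


# ---------------- Mandatory access control (MAC) ----------------
# The system assigns clearances to subjects and classifications to objects;
# subjects cannot alter them. Only the "no read up" rule is modelled here:
# a subject may read an object labelled at or below its own clearance.
class Label(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2


SUBJECT_CLEARANCE = {"alice": Label.CONFIDENTIAL, "dave": Label.SECRET}
OBJECT_LABEL = {"budget.txt": Label.CONFIDENTIAL, "ops-plan.txt": Label.SECRET}


def mac_can_read(subject: str, obj: str) -> bool:
    """Fail closed: an unlabelled subject or object is never readable."""
    try:
        return SUBJECT_CLEARANCE[subject] >= OBJECT_LABEL[obj]
    except KeyError:
        return False


# ---------------- Discretionary access control (DAC) ----------------
# The object's owner decides who else may do what; nobody but the owner can
# change the access-control list (ACL).
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)   # user -> set of permissions

    def grant(self, actor: str, user: str, perm: str) -> bool:
        """Record the grant and return True; anyone but the owner is refused."""
        if actor != self.owner:
            return False
        self.acl.setdefault(user, set()).add(perm)
        return True

    def allowed(self, user: str, perm: str) -> bool:
        """The owner may do anything; others need an explicit ACL entry."""
        return user == self.owner or perm in self.acl.get(user, set())


if __name__ == "__main__":
    print("RBAC: bob may update employees:", rbac_allowed("bob", "employee:update"))
    print("MAC:  alice may read ops-plan.txt:", mac_can_read("alice", "ops-plan.txt"))
    doc = DacObject(owner="bob")
    doc.grant("bob", "alice", "read")
    print("DAC:  alice may read bob's document:", doc.allowed("alice", "read"))
```

The difference between the three styles is who is allowed to change the tables: in the RBAC part only an administrator edits `ROLE_PERMISSIONS` and `USER_ROLES`, in the MAC part the labels belong to the system and no subject can raise its own clearance, and in the DAC part each owner edits the ACL of its own object. All three functions deny by default, so a missing user, role or label never grants access by accident.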
