Access Control Jeff Wicklund Computer Security Fall 2013.

Access Control  Introduction  A firm must develop a security plan for each sensitive resource within the company  Part of this security plan has to focus on access control  Companies need to plan, implement, and respond when the controls fail to provide high security

Access Control  Definition of Access Control  Access control is the policy driven control of access to systems, data and dialogues  Many ways to control access  Physical barriers  Passwords  Biometrics  The use of cryptography protection is used sometimes in access control

Access Control  Policy  Policy is the key concept of security  All security begins with the development of security policies for different devices  Ex- Network devices, door controllers  Policies coordinate and guide the implementation of devices within the company

Access Control  Three Functions of Access Control  Authentication  Process of assessing the identity of each individual claiming to have permission to use a resource within the company  The person or process requesting access is the supplicant  The person or process providing admission is the verifier  The Supplicant authenticates to the verifier by sending the credential's to the device requiring access

Access Control  Three functions of Access Control cont.  Authorization  Specific permissions that a particular authenticated user should have in order to access a device or file  Ex – Bob may have permission to read a file but not edit that file or delete it but another user named carol may not even have permission to see the file on the network

Access Control  Three functions of Access Control cont.  Auditing  Consists of collecting information about the activates of each individual in log files to review immediately or later for analysis.  Without auditing, violations of authentication and authorizations policies are likely to be uncontrolled within the company

Access Control  Authentication  Authentication is the most complex part of the three types of access controls.  To be authenticated you must show a verifier credentials that are based on one of the following  What you know (a password or a private key)  What you have (a physical key or a smart card)  Who you are (your fingerprint), or  What you do (how you specifically pronounce a passphrase)

Access Control  Passwords  At one point simple passwords were sufficient for most authentication needs  Today companies need many types of authentication technologies like  Access Cards  Tokens  Biometric Authentication  Cryptographic Authentication  The different types allow a company to choose the strength of authentication needed for the device

Access Control  Two factor Authentication  Use of two different forms used for access  Better security defense than one form of access  Multifactor Authentication  Use of more than two different forms of access control  Provides higher security defense than one and two

Access Control  Individual and Role-Based Access Control  Firms use what your role in the company to determine their access to company resources  They create these groups to cut down on individualizing each user within the firm  This lessens the number of opportunities of errors in assigning access  Easier to move users from one group to another for promotions

Access Control  Physical Access and Security  Many attacks do happen over the network but attacks do happen physically  Physical access is very important in access control for a firm in order to protect the firm  Even within the building certain areas of the firm should not be accessed by regular employees and must be secured

Access Control  Risk Analysis  Firms must analyze the weak points and high risk points within the firm  They also must determine parts of the building that need to be more secure than others

Access Control  Physical Security Perimeter  Security professionals need to worry about physical security just as much as securing the network  They must control the buildings entry points with security  There should be only one single point of entry  The buildings walls should be strong with no gaps  Buildings will have emergency exits that must be alarmed when opened to alert others of an open door along with being monitored by video surveillance

Access Control  Physical Entry Controls  All physical access must be authorized and monitored  Access authorizations should be reviewed and updated frequently  Visitors entering and exiting the building should be logged and supervised at all times while in the building wearing visitor badges

Access Control  Public Access, Delivery and loading Area’s  Highly sensitive zones in a building  Internal people should have limited access to delivery and loading areas  Delivery and pick up personal should have no access to the internal part of the building  All incoming shipments should be inspected and logged

Access Control  Securing offices, rooms, and facilities  Certain areas of a building will be especially sensitive  These areas should be given extra security  These areas should have locks with keys, access cards or other limited entry mechanisms  Secure areas should be located away from public access

Access Control  Equipment Security  Sensitive equipment should be placed in secure areas to minimize access  These areas should not be subject to damage from smoke, water supply failure, vandalism or other threats  Equipment should be positioned so that unauthorized people cannot read information on screens

Access Control  Supporting Utilities  Quality HVAC systems should be in place for highly sensitive areas  Electrical supply should be sufficient along with a UPS in the case of loss of power during an outage.  UPS only supply a short time in which a electrical generator should be in place to back up the UPS in the event of an outage

Access Control  Cabling Security  Cables should be secured in walls, underground or in conduits and away from public areas  Wiring closets also should be locked and monitored on who has access to these areas  Security of equipment off premises  This equipment must be logged when taken off the property and never left unintended

Access Control  Monitoring Equipment  Remote sensors connected to the central security center that alerts the uniformed guards if the sensor is activated  CCTV  CCTV is also used to monitor the premises to allow the security staff to view the area remotely  High image resolution is necessary to view the personal and/or intruder for prosecution in the event of wrongdoing

Access Control  CCTV cont.  Video monitoring systems should be placed strategically within the firm to cover high risk areas  Access control to doors can be intergraded together in order to give real time video footage of the point of access  CCTV systems have come a long way with image resolution and storage capacity at a lower cost

Access Control  Access Cards and Tokens  Access cards are used to gain entry to a door or a computer system by placing the card into the reader  There are different types of cards  Magnetic stripe card  Smart cards  Tokens

Access Control  Proximity Access Tokens  Contain a radio frequency id to each token  Easier to maintain than physical keys  If lost or stolen the user can be deleted from the system without replacing locks  Access control systems can be networked together to maintain easier when assigning access to certain areas of the building with centralizing it on one system
