Access Control
Fundamentals
LEGAL AND SECURITY ISSUES IN ICT
ICTJ 454
Outline
Access Control Fundamentals
I. Introduction to the Accountability Process
1. Subject and Object Definition
2. Accountability Process
3. Identification
4. Authentication
5. Authorization
6. Auditing
II. Authentication Types
1. Authentication by Knowledge
2. Authentication by Ownership
3. Authentication by Characteristic
III. Authentication Methods
1. Mechanisms for Authentication (Multifactor Authentication)
IV. Authorization & Auditing Methods
Access Control
Access control is a security technique that regulates who or what can view or
use resources in a computing environment.
It is the selective method by which systems specify who may use a particular
resource and how they may use it.
Access controls help us restrict who and what can access our information
resources.
It is a fundamental concept in security that minimizes risk to the business or
organization.
It is also the process of granting or denying specific requests. Deciding on a
request needs three inputs:
Who issued the request?
What is requested?
Which rules are applicable when deciding on the request?
Access Control
Access control approaches rely on four mechanisms, which represent the four
fundamental functions of access control systems:
● Identification: I am a user of the system.
● Authentication: I can prove I’m a user of the system.
● Authorization: Here’s what I can do with the system.
● Accountability: You can verify my use of the system.
Biometric Access Control
This is an access control approach based on the use of a measurable human characteristic
or trait to authenticate the identity of a proposed system user (a supplicant).
Biometric access control relies on comparisons such as:
● Fingerprint comparison of the supplicant’s actual fingerprint to a stored fingerprint
● Palm print comparison of the supplicant’s actual palm print to a stored palm print
● Hand geometry comparison of the supplicant’s actual hand to a stored measurement
● Facial recognition using a photographic ID card, in which a human security guard
compares the supplicant’s face to a photo
● Facial recognition using a digital camera, in which a supplicant’s face is compared to a
stored image
● Retinal print comparison of the supplicant’s actual retina to a stored image
● Iris pattern comparison of the supplicant’s actual iris to a stored image
Biometric Access Control
Among all possible biometrics, only three human
characteristics are usually considered truly unique:
● Fingerprints
● Retina of the eye (blood vessel pattern)
● Iris of the eye (random pattern of features found in
the iris, including freckles, pits, striations, vasculature,
coronas, and crypts)
Subject and Object
• A subject is an active entity that requests access to an object. A subject is
usually a human user or a running process acting on a user's behalf.
• An object is a passive entity that contains information or provides a
resource. It may exist anywhere a subject can reach it (in memory, on disk, in
the cloud, etc.).
• Subjects are active and objects are passive. Access decisions grant or deny a
subject's access to an object.
• Attribute: a characteristic of a subject (user or system) that can be used to
restrict access to an object. Also known as a subject attribute.
• Attribute-Based Access Control (ABAC): an access control approach in which
the organization specifies the permitted use of objects based on attributes of
the user or system.
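The following is an added example, not code from the slides, showing how an ABAC policy decision is evaluated. The subjects, objects and attribute names (role, department, clearance, classification, owner) are constructed for illustration. It goes slightly beyond the slide's definition in one standard way: the rules look at attributes of the object and of the environment (time of day) as well as attributes of the subject. The policy is deny-by-default: mandatory constraints must all hold, and then at least one permit rule must match.

```python
from typing import Callable

# Constructed sample directory: subject attributes (role, department, clearance).
SUBJECTS = {
    "alice": {"role": "analyst", "department": "finance", "clearance": 2},
    "bob": {"role": "contractor", "department": "finance", "clearance": 1},
    "carol": {"role": "analyst", "department": "hr", "clearance": 3},
}

# Constructed sample objects with their own attributes (owner, department, classification).
OBJECTS = {
    "finance/q3-report.xlsx": {"owner": "alice", "department": "finance", "classification": 2},
    "finance/memo.txt": {"owner": "bob", "department": "finance", "classification": 1},
    "hr/salaries.csv": {"owner": "carol", "department": "hr", "classification": 3},
}

# A rule sees the subject, the object, the requested action and the environment attributes.
Rule = Callable[[dict, dict, str, dict], bool]


# --- Constraints: every one must hold, otherwise the request is denied outright. ---
def clearance_dominates(subj: dict, obj: dict, action: str, env: dict) -> bool:
    return subj["clearance"] >= obj["classification"]


def during_business_hours(subj: dict, obj: dict, action: str, env: dict) -> bool:
    return 8 <= env["hour"] < 18


CONSTRAINTS: list[tuple[str, Rule]] = [
    ("clearance", clearance_dominates),
    ("business-hours", during_business_hours),
]


# --- Permit rules: at least one must match for the request to be allowed. ---
def same_department_read(subj: dict, obj: dict, action: str, env: dict) -> bool:
    return action == "read" and subj["department"] == obj["department"]


def owner_full_control(subj: dict, obj: dict, action: str, env: dict) -> bool:
    return obj.get("owner") == subj["id"]


PERMITS: list[tuple[str, Rule]] = [
    ("same-department-read", same_department_read),
    ("owner", owner_full_control),
]


def decide(subject_id: str, object_id: str, action: str, env: dict) -> tuple[bool, str]:
    """Evaluate one request. Default is deny; the reason string is what an audit log records."""
    subj = SUBJECTS.get(subject_id)
    obj = OBJECTS.get(object_id)
    if subj is None or obj is None:
        return False, "unknown subject or object"
    subj = {"id": subject_id, **subj}  # the identity itself is just another attribute
    for name, check in CONSTRAINTS:
        if not check(subj, obj, action, env):
            return False, f"constraint failed: {name}"
    for name, rule in PERMITS:
        if rule(subj, obj, action, env):
            return True, f"permitted by: {name}"
    return False, "no permit rule matched"


if __name__ == "__main__":
    for req in [("alice", "finance/q3-report.xlsx", "read"),
                ("bob", "finance/q3-report.xlsx", "read"),
                ("carol", "hr/salaries.csv", "read")]:
        print(req, decide(*req, {"hour": 10}))
```

Note that the reason string distinguishes a request blocked by a constraint (bob's clearance is too low for the report) from one that simply matched no permit rule (carol reading a finance memo); both are denials, but an auditor wants to know which.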
Accountability Process
Accountability has been defined as "the security goal that generates the
requirement for actions of an entity to be traced uniquely to that entity."
The accountability process involves identifying users, authenticating them,
authorizing their access, and auditing their activity.
Each step, from identity presentation through authentication and
authorization, is logged. Further, the object or some external resource logs
all activity between the subject and the object.
The logs are stored for audits, sent to a log management solution, and so on.
They provide insight into how well the access control process is working,
including whether subjects abuse their access.
Identification, Authentication, Authorization, Auditing
Identification is the process by which a user claims an identity when
requesting access to a resource, for example by presenting a username or
account ID. Identification alone proves nothing; verifying the claim is the job
of authentication.
Authentication is the process of verifying a claimed identity by validating
the user's credentials. Authentication in a narrow sense verifies the identity
of a user logging in, locally or remotely, and binds the corresponding user
identity to a subject. User authentication based on passwords is a common
method. Some applications have adopted biometric authentication as an
alternative.
Authorization is the process of granting or denying access to resources based
on the authenticated user's identity and permissions.
Auditing is the process of recording and monitoring user activity to ensure
compliance with security policies and regulations.
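The four mechanisms listed earlier (identification, authentication, authorization, accountability) and the accountability process described here, as one added example that is not code from the slides: each step of a request is logged, the process fails closed, and the caller receives the same "denied" answer whichever step failed so that the error itself does not leak which usernames exist. The user directory, salts, passwords and permissions are constructed for the example; passwords are stored only as PBKDF2-HMAC hashes and compared in constant time.

```python
import hashlib
import hmac
import time


def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; the stored credential is this hash, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user directory: salt, password hash and (object, action) permissions.
USERS = {
    "alice": {"salt": b"salt-alice-01",
              "pw_hash": _hash_password("correct horse", b"salt-alice-01"),
              "permissions": {("payroll.db", "read")}},
    "bob": {"salt": b"salt-bob-02",
            "pw_hash": _hash_password("battery staple", b"salt-bob-02"),
            "permissions": set()},
}

# The audit trail. In a real deployment this is an append-only store or a SIEM, not a list.
AUDIT_LOG: list[dict] = []


def audit(step: str, subject: str, outcome: str, **detail) -> dict:
    """Record one step of the process; every step is logged, success or failure."""
    entry = {"ts": time.time(), "step": step, "subject": subject, "outcome": outcome, **detail}
    AUDIT_LOG.append(entry)
    return entry


def identify(claimed: str) -> bool:
    """Identification: the caller presents an identity; we only check that it is known."""
    known = claimed in USERS
    audit("identification", claimed, "ok" if known else "deny")
    return known


def authenticate(name: str, password: str) -> bool:
    """Authentication: verify the credential in constant time. The password is never logged."""
    user = USERS[name]
    ok = hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"])
    audit("authentication", name, "ok" if ok else "deny", method="password")
    return ok


def authorize(name: str, obj: str, action: str) -> bool:
    """Authorization: check the authenticated subject's permissions on the object."""
    ok = (obj, action) in USERS[name]["permissions"]
    audit("authorization", name, "ok" if ok else "deny", object=obj, action=action)
    return ok


def access(claimed: str, password: str, obj: str, action: str) -> bool:
    """Run the whole process, failing closed. The caller learns only 'allowed' or 'denied'."""
    if not identify(claimed):
        _hash_password(password, b"dummy-salt")  # equalise timing so unknown names are not revealed
        return False
    if not authenticate(claimed, password):
        return False
    if not authorize(claimed, obj, action):
        return False
    audit("access", claimed, "ok", object=obj, action=action)  # the object-side activity record
    return True


def trail(subject: str) -> list[dict]:
    """Everything the audit log holds about one subject, in order."""
    return [e for e in AUDIT_LOG if e["subject"] == subject]


if __name__ == "__main__":
    print(access("alice", "correct horse", "payroll.db", "read"))
    print(access("bob", "battery staple", "payroll.db", "read"))
    for entry in AUDIT_LOG:
        print(entry)
```

Reading the trail answers the questions the slide lists: who issued the request (subject), what was requested (object and action), and at which step the rules denied it.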
Authentication Types
• Authentication by Knowledge: This type of authentication requires users to
provide something they know, such as a password or PIN
• Authentication by Ownership: This type of authentication requires users to
provide something they have, such as a smart card or token
• Authentication by Characteristic: This type of authentication requires users
to provide something they are, such as biometric data like fingerprints or
facial recognition
Authentication Methods (Multi-factor Authentication, MFA)
MFA combines several user authentication methods for increased security. It uses
at least two of three dimensions, or factors:
1. Something the subject knows (passwords and PINs).
2. Something the subject has (a smart card, a hardware token, or a certificate
issued by a trusted third party).
3. Something the subject is (fingerprints, facial features, vein patterns, etc.).
Requiring two different factors significantly increases the probability of
correct identity verification, because an attacker must compromise both. Two
credentials from the same factor (for example, a password and a PIN) do not
count as multi-factor.
• Two-factor Authentication (2FA) is MFA that requires exactly two factors.
Authorization & Auditing Methods