So the very first measure we would normally take to secure an information system (IS) environment is to stop and verify a user's identity at the entry point of the network itself.
This may be the entry point to the company's facility, or a logon to a desktop computer on the network.
All of these checks together form part of Access Control.
The whole process, starting from a user entering his credentials to his being able to access the resource he wants, actually breaks down into 4 components.
(And you thought it was simple?)
So let's talk about them in brief:
1. Identification – the process by which a user makes himself known to the system, so that his actions can later be attributed to him (e.g. a username). Meaning, "May I know who I am talking to?"
2. Authentication – the process of verifying that a user is who he claims to be (e.g. a password). Meaning, "May I see your photo ID?" or "Prove that you are xyz."
3. Authorization – the process of checking and granting the right level of access to the user for the resource he needs to access (e.g. file permissions or access control lists). Meaning, "What do you want to do?" and "Let me check whether you are allowed to."
4. Accountability – the process of recording who did what, so that an incident can later be traced back to the user responsible (e.g. maintaining audit logs). Meaning, "Let's check who did this!"
Different mechanisms exist for identification and authentication, and they can be ordered by the assurance they give that a user is actually who he claims to be. There are four kinds of authentication factors, which can be used in isolation or in combination with one another (combining two or more different kinds is what is known as multi-factor authentication):
a. Where you are – granting access based on the physical location of the user, e.g. a Remote Access Service (RAS) that calls the user back on a pre-registered number.
b. What you know – based on something you remember, e.g. passwords.
c. What you have – based on a physical token you possess, e.g. a smart card.
d. Who you are – based on your unique physiological characteristics, e.g. biometrics.
I'll talk about "Biometric systems", the most trusted source of user identification, in my next blog!