Access control is an approach used to secure access and use of resources in a computer environment. Encryption is a technique in which data or plain text is converted from its current form to an encoded version that is only decoded by another computer with a decryption key. Access control and encryption are some of the most important techniques used to provide network and data security. Access control includes physical that restricts access to buildings and IT assets and logical access control which is concerned with limiting access to system files, computer networks and data (Pfleeger & Pfleeger, 2006). Facilities can be secured using electronic access control systems that use credentials from the users auditing, reports and access card readers to track access to priority areas and other restricted locations. It can include access control panels and alarms that restrict entry to an installation. Similarly, lockdown capabilities can be added to limit unauthorised access. Access control and encryption are critical security measures in a computing environment that ensures the confidentiality, integrity and availability of information.
Access control and encryption are critical in ensuring the confidentiality and integrity of information. The two provides that only authorised persons can read and alter the data. Access control authenticates and authorises entry to a computer system. Authentication ensures that the identity of a user is legitimate. The user can use a password or biometric and smart carts to authenticate (Ferraiolo, Chandramouli & Kuhn, 2007). The user, therefore, must know something about the system, they must hold something, for example, a smart card or a key and must possess some physical characteristics that distinguish one person from another. A combination of two factors makes authentication stronger and enhance the security of a system. The authorisation is concerned with what an individual s allowed to do or the access granted. Permit heavily relies on proper authentication.
Delegate your assignment to our experts and they will do the rest.
Appropriate security measures identify the sites or locations to be secure by identifying the type of access required and the number of pieces of equipment to be secured. Similarly, it looks at the reasons for ensuring the system and when such security should be provided. Additionally, it considers the number of people involved including departments and sections. Lastly, it looks at the process of achieving the desired goal (Ciampa, 2015). Access control and encryption ensure that physical and logical access is guaranteed throughout the computing environment.
Types of Access Control
Different types of access control can be used in a computer environment. Some of the highly preferred techniques include role-based access control which restricts access to an environment based on a group or individual with an assigned function. For example, access can be granted the people at the executive level, middle management or supervisors. Role base heavily relies on the assigned roles, permission and authorisation and the aim is to check employee access to a computer system.
Mandatory access control is another type of access control where access is regulated by a single authority that has multiple levels of security (Pfleeger, Pfleeger & Pfleeger, 2007). Discretionary access control is an approach where the administrator establishes policies that dictate who can access the computer system. The administrator can limit access rights depend on the perceived security level.
Security Methods for Access control
Different techniques can be used in access control. Some of the most common are authentication, strong password policies, encryption, access control, inactivation of accounts and security system audits. Strong password policies ensure that no unauthorised access is allowed into the computer system. The passwords authenticate and authorise an individual to access the computer system and manipulate data. A weak password policy can be manipulated to allow entry by unauthorised people who can manipulate the data or even affect the integrity of the data.
Access control uses physical and logical controls to ensure that unauthorised persons are not allowed into the computer system. Different types of access control can be used to protect the computer environment of a company. Some of the conventional techniques include mandatory access control that involves a central authority and multiple security levels. Discretionary access control can also be used and consists of the use of policies established by owners or administrators of the system. Role-based access control is another technique that restricts access to a specific group.
Inactivation of accounts is another technique that can be used to enhance access control in a computing environment. Dormant accounts can pose severe threats to a computer system if adversaries access the account. A dissatisfied employee, for example, can use such an account to manipulate the data or to launch an attack (Pfleeger & Pfleeger, 2006). Dormant account for employees who left an organisation should be deactivated as soon as possible to ensure that the employees or their colleagues do not access the account and make any changes that are likely to affect the availability or integrity of the information.
Security system audits are performed by an organisation to understand the current vulnerabilities and how to address such issues before they can cause any significant loss. Some of the techniques involved include security vulnerability scans, interviewing the employees, reviewing access control in applications and operating systems in addition to analysing physical access (Pfleeger & Pfleeger, 2006). An organisation can also conduct an automated assessment with the aim of generating audit reports and monitoring and reporting any changes in the computer system and files.
Encryption
Encryption is a technique of changing the data from a readable format to one that can only be read by an individual with a decrypting key. The process uses algorithms to change information to unreadable format to unauthorised people and therefore protects sensitive data by transforming the data into unreadable ciphertext that can only be decrypted with a key. Encryption ensures that confidential information can safely be transferred from one point to another.
Encryption is a tool that is commonly used to enhance the security of data especially documents and files. It ensures that any confidential information is not accessed by the unauthorised person who might access the data in transit or at the databases. Encryption can be done in two ways; symmetric and asymmetric. Symmetric keys employ two secret keys that are identical to each other and shared by computers that are involved in the sharing of the message. The key is self-encrypted implying that unauthorised access cannot compromise the data in transit (Dixit & Ravindranath, 2017). An algorithm cab uses data encryption standards that have a 56-bit key or an advanced encryption standard with 128 or 192 or 256 bits. Crucial asymmetric encryption employs a public and private key. The public keys are sent to computers that are trying to create a connection. The key handles encryption making sure that information cannot be deciphered while in transit. The user computer retains the private matching key and decrypts the message.
Encryption enhances the safety of data in communication networks. However, it is advisable to perform hashing to determine whether there is any form of tempering (Dixit & Ravindranath, 2017). An organisation can also enhance the security of its data and information by using a combination of hashing, symmetric key cryptography, data compression and public data key.
Access Control Structures
They are approaches taken by an organisation to implement access policies. Some of the key elements include access control matrix a basic control structure that allows one to understand the roles that each employee is supposed to perform. The system, for example, can allow one person to execute, read and while denying another the same privileges. Another element is capability which is a subject centred description of all access rights granted to employees in an organisation. It identifies the functions performed by all employees and their privileges. Access control list is another control structure element (Laskov, n.d.). It is a description of access rights granted to all employees allowing them access items quickly and reducing the challenges faced in the computing environment.
Intermediate controls are another factor and include groups roles, protection rings and permission. Groups are a collection of items that share unique attributes. Protection rings are the levels of access rights including the operating system kernel, the operating system, services, and user processes (Dixit & Ravindranath, 2017). Negative permissions involve the revocation of access rights to unauthorised persons.
Access control structure forms the foundation of access control in a computer system. It ensures that the appropriate policies are implemented throughout an organisation thus realising the desired system security outlook throughout the computing environment (Laskov, n.d.). The success of such structures depends on their ability to express control policies of an organisation. Similarly, they must be verifiable, scalable and manageable throughout the organisation.
Levels of Access Control
Access should only be permitted to authorised persons only. Such access should be given to computer networks, files and servers. It is critical to determine who has access to what part of the computer system and the privileges granted to such individuals. Data manipulation and deletion should be done by an authorised person only, and such actions should be done at the appropriate place and time (Pfleeger, Pfleeger & Pfleeger, 2007). Access modes to a computer system can be file type either regular or directories depending on the privileges that an individual hold and the type of information held in the database.
Permission to manipulate, update or delete the data should be granted depending on the action that an individual is to perform in the computer system. Some of the permission can allow an individual to read, write or execute an operation. Similarly, a group accessing a computer system must be granted permission depending on their expected involvement and what they are supposed to do in the computer system (Dixit & Ravindranath, 2017). Any other agreements that are given to other users must, and access should be granted according to the agreement. Such actions must recognise the extent of allowing access to other users and the implications of such measures to the security of the computer system.
Security Needs Analysis
An organisation performs security needs analysis to determine access rights that should be granted to individuals who will access the computer system. A critical analysis should be performed to ensure that organisations understand the security threats that they are exposed to if the grant access to computer files and systems. Similarly, it will identify security needs in organisations and areas that need further improvements (Hu, Ferraiolo & Kuhn, 2006). A needs analysis is performed with the intention of ensuring that an organisation is secured from potential threats, therefore, ensuring the integrity and availability of the data and information. Similarly, a security needs analysis provides that an organisation obtains relevant information that can enhance security audits.
Designing Access Controls
Well-Designed access control can go a long way in enhancing the security of an organisation. It is imperative to understand that protection of a computer system is no longer a preserve of a few individuals in the IT department but an organisational-wide undertaking. The input of all employees and other stakeholders including security personnel, vendors, system programmers and customers should be considered.
Employees must understand their role in computer security and how they can enhance the availability, access and integrity of data held or transmitted by an organisation through its wireless networks. Care must be taken to ensure that all vulnerabilities are identified and dealt with at the initial stages (Dixit & Ravindranath, 2017). The design of access control must consider the physical and logical access requirement and the security needs of an organisation. Similarly, an inventory of all computer application and network systems and their vulnerabilities must be considered while designing access control.
An organisation should start by analysing system vulnerabilities and needs. This is the starting point of a successful process since it helps to identify the current weaknesses in the system and the needs of an organisation. Weak areas are identified, and the management can dedicate to strengthen such areas to reinforce the security of the computer system (Pfleeger, Pfleeger & Pfleeger, 2007). A thorough analysis can unearth some of the areas that an organisation should focus its efforts on and identifies potential approaches that can be used to address the identified needs.
An organisation should determine access criteria that must be adopted throughout the company. It is critical to decide on the requirements to be used like biometric identification, card identification, passwords or other techniques that are appropriate to the security needs identified in the analysis stage. Similarly, access levels that should be granted to all individuals must be determined at this stage. The privileges granted to all individuals who access the computer system must be clearly stated at this stage (Hu, Ferraiolo & Kuhn, 2006). Similarly, the information that can be seen by a customer or other third particles must be clearly stated and understood by all employees in the company. The security implications of such access to information by third parties should be determined to ensure that no confidential information is exposed to unauthorised persons.
Organisations should estimate the budgetary needs of access control depending on the needs identified at the analysis stage. The complexity of the con troll system will affect budgetary allocations depending on the pieces of equipment that are likely to be installed. The use of physical security features like automatic door locks, security personnel and strong rooms can require more resources to establish and maintain compared to a computer security system that manages the entire organisation (Hu, Ferraiolo & Kuhn, 2006). Adequate resources must be availed at the appropriate time to ensure that there are no delays that are going to affect the implementation of the project.
All the key stakeholders must be involved at all stages from initiation to completion of the project. Employees play a significant role in computer security and therefore engaging them at stages will not only guarantee the success of the project but can also go a long way in ensuring the security of the computing g environment. Employees must understand their roles towards computer security and should feel that they are part and parcel of the entire process. The management must ensure that the right tools and pieces of equipment are procured for access control (Hu, Ferraiolo & Kuhn, 2006: Milenkovic, 2008). Similarly, the whole process must show value for money, and therefore the organisation must perform a cost-benefit analysis to ensure that the tools and pieces of equipment are worth investing in. It is critical to note that the entire process depends on how well the planning process and analysis is conducted. Similarly, teamwork can go a long way in enhancing the success of the project.
References
Ciampa. (2014). Security Awareness: Applying Practical Security in Your World (4th ed.). Boston: Cengage Learning.
Ciampa, M. (2015). Security+ guide to network security fundamentals . Boston, MA: Course Technology, Cengage Learning.
Chapter 7 Access Control, Authentication, and Encryption. (2018). Retrieved from https://docs.oracle.com/cd/E19901-01/817-7607/aci.html
Dixit, R., & Ravindranath, K. (2017). Encryption techniques & access control models for data security: A survey. International Journal Of Engineering & Technology , 7 (1.5), 107. doi: 10.14419/ijet.v7i1.5.9130
Easttom, W. (2016). Computer security fundamentals (3rd ed.). Pearson Education Inc.
Ferraiolo, D., Chandramouli, R., & Kuhn, D. (2007). Role-based access control (2nd ed.). Boston: Artech House. Laskov, P. Introduction to Computer Security Access Control and Authorization. Retrieved from http://www.cse.psu.edu/~trj1/cse497b-s07/slides/cse497b-lecture-4-authorization.pdf
Hu, V., Ferraiolo, D., & Kuhn, D. (2006). Assessment of access control systems. Retrieved from https://nvlpubs.nist.gov/nistpubs/legacy/ir/nistir7316.pdf
Milenkovic, I. (2008). Adapting organisations for role-based access control measures. Computer Fraud & Security , 2008 (11), 14-18. doi: 10.1016/s1361-3723(08)70164-7
Pfleeger, C., Pfleeger, S., & Pfleeger, C. (2007). Instructor's manual for Security in computing, fourth edition . Upper Saddle River, N.J.: Prentice Hall.
Pfleeger, C., & Pfleeger, S. (2006). Security in computing (3rd ed.). Upper Saddle River N.J.: Prentice Hall.