|
Access control is the ability to permit or deny the use of something by someone.
Physical access Physical access of a person may be allowed depending on payment, authorization, etc. Also there may be one-way traffic of people. These can be enforced by personnel such as a border guard, a doorman, a ticket checker, etc., or with a device such as a turnstile. There may be fences to avoid circumventing this access control. An alternative of access control in the strict sense (physically controlling access itself) is a system of checking authorized presence, see e.g. Ticket controller (transportation). A variant is exit control, e.g. of a shop (checkout) or a country. Admission to an event or establishment may be subject to paying an entrance fee / buying a ticket. ...
Some countries, like Germany, show text on one-way signs A Swedish one-way sign used on T junctions No entry signs are often placed at the wrong ends of one-way streets A one-way street is a street on which vehicles can only move in one direction. ...
East German guards wait for the official opening of the Brandenburg Gate George W. Bush in a border patrol dune buggy Border Guard, Border Patrol, Border police, or Frontier police is a state security agency that performs border control, i. ...
A doorman (more commonly referred to as a bouncer) is a term for a person who deals with the general security of a bar, pub or nightclub. ...
Ticket (unseparated) of the Kurkino in Berchtesgaden CeBIT Home 1998 student day ticket with barcode A Parisians transport ticket A ticket to the 2003 Rugby World Cup sporting event. ...
Turnstiles at Alewife subway station in Cambridge, Massachusetts A turnstile, also called a baffle gate, is a form of gate which allows one person to pass at a time. ...
A fence in Westtown Township, Pennsylvania. ...
A ticket controller is a person who randomly checks tickets on public transport in systems where one can enter the vehicle without being checked. ...
POS must not be confused with EFT/POS and POS Terminal used in Electronic payment POS or PoS is an acronym for point-of-sale (or point of purchase). ...
In physical security, the term access control refers to the practice of restricting entrance to a property, a building, or a room to authorized persons. Physical access control can be achieved by a human (a guard, bouncer, or receptionist), through mechanical means such as locks and keys, or through technological means such as a card access system. Physical security describes measures that prevent or deter attackers from accessing a facility, resource, or information stored on physical media. ...
The process of deciding if device X is allowed to have access to service Y. This is where the concept of trusted exists. ...
Computer security In computer security, access control includes authentication, authorization and audit. It also includes measures such as physical devices, including biometric scans and metal locks, hidden paths, digital signatures, encryption, social barriers, and monitoring by humans and automated systems. This article describes how security can be achieved through design and engineering. ...
Authentication (from Greek αυθεντικός; real or genuine, from authentes; author) is the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the thing are true. ...
In security engineering and computer security, authorization, is a part of the operating system that protects computer resources by only allowing those resources to be used by resource consumers that have been granted authority to use them. ...
An audit trail or audit log is a chronological sequence of audit records, each of which contains evidence directly pertaining to and resulting from the execution of a business process or system function. ...
This article does not cite any references or sources. ...
In cryptography, a digital signature or digital signature scheme is a type of asymmetric cryptography used to simulate the security properties of a signature in digital, rather than written, form. ...
“Encrypt†redirects here. ...
In any access control model, the entities that can perform actions in the system are called subjects, and the entities representing resources to which access may need to be controlled are called objects (see also Access Control Matrix). Subjects and objects should both be considered as software entities, rather than as human users: any human user can only have an effect on the system via the software entities that they control. Although some systems equate subjects with user IDs, so that all processes started by a user by default have the same authority, this level of control is not fine-grained enough to satisfy the Principle of least privilege, and arguably is responsible for the prevalence of malware in such systems (see computer insecurity). Access Control Matrix or Access Matrix is an abstract, formal security model used in computer systems, that characterizes the rights of each subject with respect to every object in the system. ...
In computer science and other fields the principle of minimal privilege, also known as the principle of least privilege or just least privilege, requires that in a particular abstraction layer of a computing environment every module (such as a process, a user or a program on the basis of the...
It has been suggested that Grayware be merged into this article or section. ...
Many current computer systems have only limited security precautions in place. ...
In some models, for example the object-capability model, any software entity can potentially act as both a subject and object. It has been suggested that this article or section be merged with Capability-based security. ...
Access control models used by current systems tend to fall into one of two classes: those based on capabilities and those based on access control lists (ACLs). In a capability-based model, holding an unforgeable reference or capability to an object provides access to the object (roughly analogous to how possession of your house key grants you access to your house); access is conveyed to another party by transmitting such a capability over a secure channel. In an ACL-based model, a subject's access to an object depends on whether its identity is on a list associated with the object (roughly analogous to how a bouncer at a private party would check your ID to see if your name is on the guest list); access is conveyed by editing the list. (Different ACL systems have a variety of different conventions regarding who or what is responsible for editing the list and how it is edited.) Capability-based security is a concept in the design of secure computing systems. ...
The access control list (ACL) is a concept in computer security, used to enforce privilege separation. ...
Both capability-based and ACL-based models have mechanisms to allow access rights to be granted to all members of a group of subjects (often the group is itself modeled as a subject).
Access control systems provide the essential services of identification and authentication (I&A), authorization, and accountability where:
- identification and authentication determine who can log on to a system, and the association of users with the software subjects that they are able to control as a result of logging in;
- authorization determines what a subject can do;
- accountability identifies what a subject (or all subjects associated with a user) did.
Identification and authentication (I&A) Identification and authentication (I&A) is a two-step process that determines who can log on to a system. Identification is how a user tells a system who he or she is (for example, by using a username). The identification component of an access control system is normally a relatively simple mechanism based on either Username or User ID. In the case of a system or process, identification is usually based on: - Computer name
- Media Access Control (MAC) address
- Internet Protocol (IP) address
- Process ID (PID)
The only requirements for identification are that the identification: - Must uniquely identify the user.
- Shouldn't identify that user's position or relative importance in an organization (such as labels like president or CEO).
- Should avoid using common or shared user accounts, such as root, admin, and sysadmin. Such accounts provide no accountability and are juicy targets for hackers.
Authentication is the process of verifying a user's claimed identity (for example, by comparing an entered password to the password stored on a system for a given username).
Authentication is based on at least one of these four factors:
- Something you know, such as a password or a personal identification number (PIN). This assumes that only the owner of the account knows the password or PIN needed to access the account.
- Something you have, such as a smart card or token. This assumes that only the owner of the account has the necessary smart card or token needed to unlock the account.
- Something you are, such as fingerprint, voice, retina, or iris characteristics.
- Where you are, for example inside or outside a company firewall, or proximity of login location to a personal GPS device.
Authorization Authorization applies to subjects rather than to users (the association between a user and the subjects initially controlled by that user having been determined by I&A). Authorization determines what a subject can do on the system.
Most modern operating systems define sets of permissions that are variations or extensions of three basic types of access:
- Read (R): The subject can
- Read file contents
- List directory contents
- Write (W): The subject can change the contents of a file or directory with these tasks:
- Execute (X): If the file is a program, the subject can cause the program to be run. (In Unix systems, the 'execute' permission doubles as a 'traverse directory' permission when granted for a directory.)
These rights and permissions are implemented differently in systems based on discretionary access control (DAC) and mandatory access control (MAC).
Accountability Accountability uses such system components as audit trails (records) and logs to associate a subject with its actions. The information recorded should be sufficient to map the subject to a controlling user. Audit trails and logs are important for - Detecting security violations
- Re-creating security incidents
If no one is regularly reviewing your logs and they are not maintained in a secure and consistent manner, they may not be admissible as evidence.
Many systems can generate automated reports based on certain predefined criteria or thresholds, known as clipping levels. For example, a clipping level may be set to generate a report for the following:
- More than three failed logon attempts in a given period
- Any attempt to use a disabled user account
These reports help a system administrator or security administrator to more easily identify possible break-in attempts.
Access Control Techniques Access control techniques are sometimes categorized as either discretionary or mandatory.
Discretionary Access Control Discretionary access control (DAC) is an access policy determined by the owner of an object. The owner decides who is allowed access to the object and what privileges they have. Discretionary Access Control (DAC) defines basic access control policies to objects in a filesystem. ...
Two important concepts in DAC are
- File and data ownership: Every object in the system has an owner. In most DAC systems, each object's initial owner is the subject that caused it to be created. The access policy for an object is determined by its owner.
- Access rights and permissions: These are the controls that an owner can assign to other subjects for specific resources.
Access controls may be discretionary in ACL-based, capability-based, or Role-based access control systems. (In capability-based systems, there is usually no explicit concept of 'owner', but the creator of an object has a similar degree of control over its access policy.) In computer security, an access control list (ACL) is a list of permissions attached to an object. ...
Capability-based security is a concept in the design of secure computing systems. ...
In computer systems security, role-based access control (RBAC) is an approach to restricting system access to authorized users. ...
Mandatory Access Control Mandatory access control (MAC) is an access policy determined by the system, not the owner. MAC is used in multilevel systems that process highly sensitive data, such as classified government and military information. A multilevel system is a single computer system that handles multiple classification levels between subjects and objects. In computing, a mandatory access control (MAC) technique protects and contains computer processes, data, and system devices from misuse. ...
- Sensitivity labels: In a MAC-based system, all subjects and objects must have labels assigned to them. A subject's sensitivity label specifies its level of trust. An object's sensitivity label specifies the level of trust required for access. In order to access a given object, the subject must have a sensitivity level equal to or higher than the requested object.
- Data import and export: Controlling the import of information from other systems and export to other systems (including printers) is a critical function of MAC-based systems, which must ensure that sensitivity labels are properly maintained and implemented so that sensitive information is appropriately protected at all times.
Two methods are commonly used for applying mandatory access control: - Rule-based access controls: This type of control further defines specific conditions for access to a requested object. All MAC-based systems implement a simple form of rule-based access control to determine whether access should be granted or denied by matching:
- An object's sensitivity label
- A subject's sensitivity label
- Lattice-based access controls: These can be used for complex access control decisions involving multiple objects and/or subjects. A lattice model is a mathematical structure that defines greatest lower-bound and least upper-bound values for a pair of elements, such as a subject and an object.
Few systems implement MAC. XTS-400 is an example of one that does. The XTS-400 is a multi-level secure computer system. ...
Telecommunication In telecommunication, the term access control is defined in U.S. Federal Standard 1037C [1] with the following meanings: Copy of the original phone of Alexander Graham Bell at the Musée des Arts et Métiers in Paris Telecommunication is the transmission of signals over a distance for the purpose of communication. ...
Federal Standard 1037C, entitled Telecommunications: Glossary of Telecommunication Terms is a United States Federal Standard, issued by the General Services Administration pursuant to the Federal Property and Administrative Services Act of 1949, as amended. ...
- A service feature or technique used to permit or deny use of the components of a communication system.
- A technique used to define or restrict the rights of individuals or application programs to obtain data from, or place data onto, a storage device.
- The definition or restriction of the rights of individuals or application programs to obtain data from, or place data into, a storage device.
- The process of limiting access to the resources of an AIS to authorized users, programs, processes, or other systems.
- That function performed by the resource controller that allocates system resources to satisfy user requests.
Notice that this definition depends on several other technical terms from Federal Standard 1037C. A service feature is a capability added to a phone line in addition to the basic capability to make and receive telephone calls. ...
For other uses, see System (disambiguation). ...
For other uses, see Data (disambiguation). ...
Look up storage in Wiktionary, the free dictionary. ...
A storage device is a device used for storing something. ...
Look up access in Wiktionary, the free dictionary. ...
Public Policy In public policy, access control to restrict access to systems ("authorization") or to track or monitor behavior within systems ("accountability") is an implementation feature of using trusted systems for security or social control. Public policy is a course of action or inaction chosen by public authorities to address a problem. ...
In security engineering and computer security, authorization, is a part of the operating system that protects computer resources by only allowing those resources to be used by resource consumers that have been granted authority to use them. ...
Accountability is a concept in ethics with several meanings. ...
In security engineering, a trusted system is a system that you have no choice but to trust. ...
This article needs additional references or sources for verification. ...
Social control refers to social mechanisms that regulate individual and group behavior, in terms of greater sanctions and rewards. ...
See Also An access badge is the identification used to gain entry to the office or other places that have access controlled entry points. ...
Common Access Card issued to Contractor personnel The Common Access Card (CAC) is a United States Department of Defense (DoD) smartcard issued as standard identification for active duty military personnel, reserve personnel, civilian employees, and eligible contractor personnel. ...
This article does not cite any references or sources. ...
German identity document sample An identity document is a piece of documentation designed to prove the identity of the person carrying it. ...
A number of different keys A single key A key is a device which is used to open a lock. ...
A magnetic stripe card is a type of card capable of storing data by modifying the magnetism of tiny iron-based magnetic particles on a band of magnetic material on the card. ...
Physical security describes measures that prevent or deter attackers from accessing a facility, resource, or information stored on physical media. ...
Proximity card is a generic name for contactless integrated circuit devices used for security access or payment systems. ...
Smart card used for health insurance in France. ...
A swipe card is a (typically) credit card size badge incorporating a magnetic stripe, an RFID tag, a transponder device and/or a microchip mostly used for business premises access control or electronic payment. ...
References Federal Standard 1037C, entitled Telecommunications: Glossary of Telecommunication Terms is a United States Federal Standard, issued by the General Services Administration pursuant to the Federal Property and Administrative Services Act of 1949, as amended. ...
MIL-STD-188 is a series of U.S. military standards relating to telecommunications. ...
The National Information Systems Security Glossary, published by the National Security Telecommunications and Information Systems Security Committee of the United States federal government, is an unclassified glossary of Information Systems Security (INFOSEC) terms intended to provide a common vocabulary for discussing INFOSEC. External links Online copy in Adobe Acrobat format...
External links |
Feeds |
Contact