Authentication and Access Control
Dave Carlson - February 15, 2008
This paper discusses authentication methods to verify identity and access controls to ensure only authorized individuals are allowed to access computer systems. Authentication methods include knowledge (what a person knows), possession (what a person has), and biometrics (what a person is). It is important to put protection systems in place and to validate that those systems are functioning as expected. Strong passwords and user education are tools to help strengthen access control. In the physical world, the best lock is effective only if it is installed and works as intended. The same holds true in the virtual world of computer systems. The three-legged stool of computer security is supported by effective authentication methods, appropriate access controls, and accurate validation systems.
Authentication and Access Control
It is a known fact that terrorists are developing a keen set of technology skills to further their agendas…. In these times of increased security awareness, IT managers must examine very carefully their identification and authentication subsystems to prevent the disabling or bypassing of the system by an unauthorized party. (Janczewski & Colarik, 2005, p. 129)
This paper will discuss authentication methods to verify identity and access controls to ensure only authorized individuals are allowed to access computer systems and resources. Additionally, the author will describe how to strengthen authentication methods and access controls against possible attacks. The intent is to lead the reader to the conclusion that it is important to put effective protection systems in place and to validate that those protection systems are functioning as expected.
“Authentication is the process of positively identifying the person or program making a request” (Duthie & MacDonald, 2003, p. 191). Authentication gives the system a known identity before it grants access to that individual or entity. A system should require a user or other entity to provide proof of identity before allowing it to access and use the system. The three types of authentication methods are knowledge, possession, and biometrics.
Knowledge—What a User Knows
The most common method in use today to authenticate an identity is a password system. The most typical configuration is a login identification code (ID) plus a password. The system administrator usually sets up the ID and password and then shares them with a known user. Normally, the user is given the opportunity to change the password upon first login (Janczewski & Colarik, 2005). The premise of this authentication method is that the only person or entity who knows the password that corresponds to a specific ID is the authorized user.
Possession—What a User Has
A user can authenticate identity with an object, such as the magnetic stripe on the back of a credit card, a smart card, or an authentication dongle that must be plugged into the system to allow access (Janczewski & Colarik, 2005). Security is strengthened by combining something the user possesses with something the user knows. For example, to access a company Intranet, the author uses a small device that displays a new 6-digit code every sixty seconds. That code, entered together with a pre-determined registered code, forms a unique one-time password that is valid only for that sixty-second interval.
Biometrics—Who a User Is
The theory behind biometric authentication is that only the authorized user possesses specific physical characteristics. Some of the characteristics used in biometric authentication are: face, fingerprint, iris, speech, writing, gait, and ear shape (Li et al., 2005). Li et al. (2005) indicated there is continual progress toward making this a more reliable authentication process. However, Janczewski and Colarik (2005) recommended biometrics “not be utilized in regular business information systems” (p. 142). It is beyond the scope of this paper to discuss merits of biometrics. It is left up to the organization to make a decision about biometric authentication.
After authentication, effective system security must control access to specific resources. An authenticated entity must be associated with some form of access authorization to files or system resources. After association to resources, the system must allow an authenticated entity access to those resources (Janczewski & Colarik, 2005).
“Access rights must be governed by a set of strict rules based on business requirements” (Janczewski & Colarik, 2005, p. 144). The two extremes of access control policy are granting access only to the information required to perform a specific task (a default-deny, or least-privilege, policy) and granting access to everything except an explicit list of unique resources (a default-allow policy). An organization must determine where its access requirements fall between the two extremes (Janczewski & Colarik, 2005).
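The practical difference between the two extremes shows up when a resource is added that nobody thought to list. The following Python example, added here and not part of the paper, expresses both policies as role-based rules over the same bank-themed resources and enumerates what each one actually grants; the roles, resources and rules are illustrative assumptions.

```python
class Policy:
    """Role-based access check with an explicit default decision.

    default="deny":  only listed (role, resource, action) triples are permitted (least privilege).
    default="allow": every triple is permitted except the listed ones (a blacklist).
    """

    def __init__(self, default: str, rules: dict) -> None:
        if default not in ("deny", "allow"):
            raise ValueError("default must be 'deny' or 'allow'")
        self.default = default
        self.rules = rules  # role -> resource -> set of actions

    def _listed(self, role: str, resource: str, action: str) -> bool:
        return action in self.rules.get(role, {}).get(resource, set())

    def is_allowed(self, role: str, resource: str, action: str) -> bool:
        listed = self._listed(role, resource, action)
        return listed if self.default == "deny" else not listed


# Constructed example rules. Least-privilege form: a teller gets exactly what the job needs.
ALLOW_LIST = Policy("deny", {
    "teller": {"accounts": {"read", "update"}, "branch-schedule": {"read"}},
    "auditor": {"accounts": {"read"}, "audit-log": {"read"}},
})

# Blacklist form of the same intent: what the teller must not touch.
DENY_LIST = Policy("allow", {
    "teller": {"ledger": {"read", "update"}, "hr-records": {"read"}},
})


def granted(policy: Policy, roles, resources, actions) -> set:
    """Every permission the policy hands out; reviewing this set is how a new resource's exposure is found."""
    return {(r, res, a)
            for r in roles for res in resources for a in actions
            if policy.is_allowed(r, res, a)}


def demo() -> None:
    roles = ["teller", "auditor", "contractor"]          # "contractor" appears in no rule set
    resources = ["accounts", "branch-schedule", "ledger",
                 "hr-records", "audit-log", "wire-transfers"]  # "wire-transfers" was added after the rules
    actions = ["read", "update"]
    for name, policy in (("allow-list", ALLOW_LIST), ("deny-list", DENY_LIST)):
        print(name, sorted(granted(policy, roles, resources, actions)))


if __name__ == "__main__":
    demo()
```

Under the allow-list policy the new `wire-transfers` resource and the unlisted `contractor` role get nothing until someone deliberately grants access; under the deny-list policy both are fully exposed the moment they exist, which is the failure mode that makes default-allow configurations dangerous in practice.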
In February 2008, a 5-year-old boy pushed open the front door of a deserted bank the day after the bank was allegedly locked up for the weekend (Sun, 2008). Before he left Friday night, the bank manager had engaged the electronic lock that was designed to secure the door, but the lock mechanism failed. The manager had so much faith in the locking system that he did not try to open the door before he left. Fortunately, nothing from the bank was missing. But, things may have turned out differently had a bank robber tested the door.
A validation system is of little value if it does not work as expected. Two measures that increase the value of security validation systems are password rules and user education. Bradley (2007) advocated the use of strong passwords: passwords that use not only lower-case letters but a combination of lower- and upper-case letters together with numbers or special characters. Additionally, ensuring that users understand their rights and responsibilities is a positive step toward protecting systems (Janczewski & Colarik, 2005).
In the physical world, the best lock is effective only if it functions as intended. The same holds true in the virtual world of computer systems. The three-legged stool of computer security is supported by effective authentication methods, appropriate access controls, and accurate validation systems. If any one of these three legs is broken, the security system may fail.
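The following Python example, added here and not the paper's own code, ties together the password system described in the Knowledge section and Bradley's strength rule: an administrator provisions an ID with a temporary password, only a salted PBKDF2 hash is stored rather than the password itself, the user must change the password at first login, and weak replacements are rejected. The 12-character minimum, the iteration count, the salt length and the user ID are assumptions chosen for illustration.

```python
import hashlib
import hmac
import re
import secrets

# Strength rule after Bradley (2007): mixed case plus a digit or a special character.
# The 12-character minimum and the PBKDF2 parameters are this example's own assumptions.
MIN_LENGTH = 12
PBKDF2_ROUNDS = 100_000
SALT_BYTES = 16


def password_is_strong(password: str) -> bool:
    """Reject short passwords and passwords drawn from too few character classes."""
    if len(password) < MIN_LENGTH:
        return False
    has_lower = re.search(r"[a-z]", password) is not None
    has_upper = re.search(r"[A-Z]", password) is not None
    has_digit = re.search(r"[0-9]", password) is not None
    has_special = re.search(r"[^A-Za-z0-9]", password) is not None
    return has_lower and has_upper and (has_digit or has_special)


def _derive(password: str, salt: bytes) -> bytes:
    # Slow, salted hash: a stolen credential store cannot be reversed cheaply or with one precomputed table.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class CredentialStore:
    """ID plus password records; only the salt and the hash are kept, never the password."""

    def __init__(self) -> None:
        self._users = {}
        # Dummy salt so that checking an unknown ID costs the same as checking a real one.
        self._dummy_salt = secrets.token_bytes(SALT_BYTES)

    def create_user(self, user_id: str, initial_password: str) -> None:
        """Administrator provisions the ID and a temporary password that must be changed at first login."""
        if not password_is_strong(initial_password):
            raise ValueError("initial password does not meet the strength rule")
        salt = secrets.token_bytes(SALT_BYTES)
        self._users[user_id] = {"salt": salt, "hash": _derive(initial_password, salt), "must_change": True}

    def verify(self, user_id: str, password: str) -> str:
        """Return 'denied', 'change_required' (temporary password proven, change still pending) or 'ok'."""
        record = self._users.get(user_id)
        salt = record["salt"] if record else self._dummy_salt
        candidate = _derive(password, salt)  # always computed, so timing does not reveal valid IDs
        if record is None or not hmac.compare_digest(candidate, record["hash"]):
            return "denied"
        return "change_required" if record["must_change"] else "ok"

    def change_password(self, user_id: str, old_password: str, new_password: str) -> bool:
        """Password change at first login or later; the old password must still be proven."""
        if self.verify(user_id, old_password) == "denied":
            return False
        if new_password == old_password or not password_is_strong(new_password):
            return False
        salt = secrets.token_bytes(SALT_BYTES)  # fresh salt on every change
        self._users[user_id] = {"salt": salt, "hash": _derive(new_password, salt), "must_change": False}
        return True


if __name__ == "__main__":
    store = CredentialStore()
    store.create_user("dcarlson", "Temp-Passw0rd!")        # constructed example ID and temporary password
    print(store.verify("dcarlson", "Temp-Passw0rd!"))       # change_required
    print(store.change_password("dcarlson", "Temp-Passw0rd!", "My-Own-Secret-99"))
    print(store.verify("dcarlson", "My-Own-Secret-99"))     # ok
```

A caller that receives `change_required` should admit the user only to the password-change function, which is the one place the temporary password is still honoured; once changed, the old password is denied because the stored hash and salt have been replaced.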
Bradley, T. (2007). Essential computer security: Everyone’s guide to email, internet, and wireless security. Burlington, MA: Syngress.
Duthie, A. and MacDonald, M. (2003). ASP.NET in a nutshell. Cambridge, MA: O’Reilly.
Janczewski, L. and Colarik, A. (2005). Managerial guide for handling cyber-terrorism and information warfare. Hershey, PA: Idea Group Publishing.
Li, S. Z., Sun, Z., Tan, T., Pankanti, S., Chollet, G., and Zhang, D. (Eds.). (2005). Advances in biometric person authentication: International workshop on biometric recognition systems, IWBRS 2005, Beijing, China, October 2005, proceedings. Berlin, Germany: Springer.
Sun. (2008). Olly finds bank left unlocked. Retrieved February 14, 2008 from http://www.thesun.co.uk/sol/homepage/news/article771971.ece