Skip to main content

Access Control and Information Security

If you are a movie lover and have watched any of those war movies where the villain is going to launch nuclear attack and he needs multiple secret codes for it and all of a sudden he finds that no single person have access to all of the codes, then you have already witnessed "Access Control" !

What is Access Control? 
Access control ensures that resources are only granted to those who are entitled to them. Basically  there are two entities , one is "Subject" and the other  is "Object". In a general scenario a subject wants to access an object and for that purpose different access control mechanism are there to apply.

There are different type of access controls:-
  • Technical :- Various Access control mechanism like passwords,smart cards, Biometrics,  etc
  • Physical :- Can be  Preventative like putting a door, a guard dog etc to control the access or it could be detective like installing a camera,motions sensors etc to detect access.
  • Administrative: Includes policies and procedures for overall strategies for security . Security awareness training,Asset Classification,Audit trail, Accounting log etc are amongst this category. 
Some other classifications that are used by information security stakeholders while discussing access control includes Deterrent, Preventative, Detective, Corrective and recovery controls. Deterrent controls doesn't let the attack even to begin, Preventative control stops an ongoing attack, Detective control only detects attack and often its result is fed to preventative controls . 

 A common problem faced by most of the firms while deploying access control is the inefficiency in anticipating the repercussions of inefficient access control deployment. Access control is one of the very few popular domain of information security which is entertained by most of the organization and needs continuous evaluation and monitoring.

Comments

Post a Comment

Popular posts from this blog

Did i miss to assetize Virtual Machines !

Auditee : Hi There ! Welcome, What would you like to have? Tea or Coffee? Auditor: Asset Register ! A comprehensive Asset Register is something which is quintessential for any risk management program. Everything that has to do with risk, follows from here. Information Security Risks are no different that any other type of risks. Having a few people (rarely security pro) building asset register will probably mess up any risk management at the very first stage. It has been seen that people generally miss to address technologically advanced assets (The ones they did not understand a few years ago)  to register in their asset inventory. The most obvious are the virtual machines.  Every day ,Virtual Machines (VM) are being created on the fly as per business requirement, many of them persist for years and many not so much. There are many questions  like: if that particular VM is of some value? Do I need to consider it as valuable at this point of time, whe...
Post a Comment
Read more

Hustle and Tussle of Vendor Risk Management

There is no doubt that we humans would have never reached this world of connected Cars, 3d printing and Space travel without trading on each other's resources . We traded what we had for the things we didn't! The world has never been as interdependent as it is right now. This is true for us as an individual and certainly for organizations across geographies. The word "outsourcing" started getting traction in around 90s, but even before that organizations were heavily using it to reduce cost and allow themselves to focus of their core business area. Family owned businesses initially outsourced a small part of their work within their circle of friend and family considering the trust factor, but as the corporation grew and the economy went global , organizations started delegating part of their work to people living on the other side of the globe. Slowly and steadily organizations have reached to a state where they don't even know who their supplier is! The trus...
Post a Comment
Read more

To hell with "compliance", If it's not bringing Security on the table !

When the world is about to wake up on handling security consciously, The C-Suite is unable to digest the Return On Investment. Every minute of every hour, Organizations are loosing their precious security employees just because someone somewhere is incapable to use Simple Math to give some numbers to their Bosses. The management is failing to understand or at-least ignoring the fact that security is important to their businesses directly. Gone are those days when repercussions were felt later in time, In contemporary culture the impact are too high and sudden. By the time organizations wake up, They have already had a visible dent on their businesses and values.  In the last couple of years, when everyone was working to bring security solutions on the table , C-Suite people made the wrong turn and brought "compliance" ! From that day till the next major incident, we are not expecting any turn from the current pathway . No one is sharing their part of energy to push this ...
Post a Comment
Read more