Skip to main content

Access Control and Information Security

If you are a movie lover and have watched any of those war movies where the villain is going to launch nuclear attack and he needs multiple secret codes for it and all of a sudden he finds that no single person have access to all of the codes, then you have already witnessed "Access Control" !

What is Access Control? 
Access control ensures that resources are only granted to those who are entitled to them. Basically  there are two entities , one is "Subject" and the other  is "Object". In a general scenario a subject wants to access an object and for that purpose different access control mechanism are there to apply.

There are different type of access controls:-
  • Technical :- Various Access control mechanism like passwords,smart cards, Biometrics,  etc
  • Physical :- Can be  Preventative like putting a door, a guard dog etc to control the access or it could be detective like installing a camera,motions sensors etc to detect access.
  • Administrative: Includes policies and procedures for overall strategies for security . Security awareness training,Asset Classification,Audit trail, Accounting log etc are amongst this category. 
Some other classifications that are used by information security stakeholders while discussing access control includes Deterrent, Preventative, Detective, Corrective and recovery controls. Deterrent controls doesn't let the attack even to begin, Preventative control stops an ongoing attack, Detective control only detects attack and often its result is fed to preventative controls . 

 A common problem faced by most of the firms while deploying access control is the inefficiency in anticipating the repercussions of inefficient access control deployment. Access control is one of the very few popular domain of information security which is entertained by most of the organization and needs continuous evaluation and monitoring.

Comments

Post a Comment

Popular posts from this blog

M.S in Cyber Law and Information Security(MS-CLIS) at IIIT Allahabad

The course provide an exhaustive blend of Technology and Legal requirement that are often sought after by the concerned industry. MS-CLIS students receives grounding in programming, security auditing, logic and cryptography, in addition to policy and legislative procedures. The education is at par with certifications like CISA, CISM and CISSP. “The knowledge that MS-CLIS students have at the end of the course is the same, as expected of a person holding all these certifications, and more,” says Dr. Abhishek Vaish , the faculty coordinator for placement at IIITA . Well, above is an objective view of the institute and the course, but this is my blog, and i possess the right to write my views and experiences with this course. I joined the course in july 2013 and within a fortnight after joining the course, I found out that i was quite naive before, my  understanding of information security was not holistic. It was a big surprise as i could never have had imagined the enormous d...
2 comments
Read more

Did i miss to assetize Virtual Machines !

Auditee : Hi There ! Welcome, What would you like to have? Tea or Coffee? Auditor: Asset Register ! A comprehensive Asset Register is something which is quintessential for any risk management program. Everything that has to do with risk, follows from here. Information Security Risks are no different that any other type of risks. Having a few people (rarely security pro) building asset register will probably mess up any risk management at the very first stage. It has been seen that people generally miss to address technologically advanced assets (The ones they did not understand a few years ago)  to register in their asset inventory. The most obvious are the virtual machines.  Every day ,Virtual Machines (VM) are being created on the fly as per business requirement, many of them persist for years and many not so much. There are many questions  like: if that particular VM is of some value? Do I need to consider it as valuable at this point of time, whe...
Post a Comment
Read more

Before "Security" becomes a cliché in your organization

With the proliferation of automated hacking toolkits and amusement that news channels create when some popular website gets hacked or defaced, every IT guy have heard of "security" at least as many times as it is sufficient to  make it sound boring.  Many researches held at universities across the globe shows good correlation between poor employee engagement with poor interest in efficiently fulfilling their jobs. Similarly there are some researches that emphasize on the phenomenon that effective security depends on employee engagement rather than hard compliance. With all of this taken into consideration it is not that difficult to say that talking about security more than required number of times can make situation worse. The problem that organizations are facing today can become daunting with more and more noise about  security. It is high time for CXOs to maintain a balance and keep providing filtered information about security at right time and amount. No o...
Post a Comment
Read more