The three elements of access control

Effective security starts with understanding the principles involved. Simply going through the motions of applying some memory set of procedures isn't sufficient in a world where today's "best practices" are tomorrow's security failures. IT security is a fast-moving field, and knowing how to perform the actions necessary for accepted practices isn't enough to ensure the best security possible for your systems.

Among the most basic of security concepts is access control. It's so fundamental that it applies to security of any type — not just IT security. Everything from getting into your car to launching nuclear missiles is protected, at least in theory, by some form of access control. Because of its universal applicability to security, access control is one of the most important security concepts to understand.

The key to understanding access control security is to break it down. There are three core elements to access control. Of course, we're talking in terms of IT security here, but the same concepts apply to other forms of access control.

  1. Identification: For access control to be effective, it must provide some way to identify an individual. The weakest identification capabilities will simply identify someone as part of a vague, poorly defined group of users who should have access to the system. Your TechRepublic username, a PGP e-mail signature, or even the key to the server closet provides some form of identification.
  2. Authentication: Identification requires authentication. This is the process of ensuring that the identity in use is authentic — that it's being used by the right person. In its most common form in IT security, authentication involves validating a password linked to a username. Other forms of authentication also exist, such as fingerprints, smartcards, and encryption keys.
  3. Authorization: The set of actions allowed to a particular identity makes up the meat of authorization. On a computer, authorization typically takes the form of read, write, and execution permissions tied to a username.

These three elements of access control combine to provide the protection you need — or at least they do when implemented so they cannot be circumvented. For the example of simple access to basic system utilities on a workstation or server, identification is necessary for accounting (i.e., tracking user behavior) and providing something to authenticate. Authentication is necessary to ensure the identity isn't being used by the wrong person, and authorization limits an identified, authenticated user from engaging in prohibited behavior (such as deleting all your backups).

Depending on the type of security you need, various levels of protection may be more or less important in a given case. Access to a meeting room may need only a key kept in an easily broken lockbox in the receptionist's area, but access to the servers probably requires a bit more care.

Multi-factor authentication has recently been getting a lot of attention. Things are getting to the point where your average, run-of-the-mill IT professional right down to support technicians knows what "multi-factor authentication" means. Sadly, the same security awareness doesn't extend to the bulk of end users, who often think that passwords are "just another bureaucratic annoyance."

However, even many IT departments aren't as aware of the importance of access control as they would like to think. Sure, they may be using two-factor security to protect their laptops by combining standard password authentication with a fingerprint scanner. But if all you need to physically get to the servers is a key, and even the janitors have copies of the key, the fingerprint scanner on the laptop isn't going to mean much.

The same is true if you have important data on your laptops and there isn't any notable control on where the employees take them. There are ways around fingerprint scanners, including the ability to boot from a LiveCD operating system or even physically remove a hard drive and access it from a system that does not provide biometric access control. Some corporations and government agencies have learned the lessons of laptop control the hard way in recent months.

Remember that the fact you're working with high-tech systems doesn't rule out the need for protection from low-tech thieves. Understand the basics of access control, and apply them to every aspect of your security procedures. You shouldn't stop at access control, but it's a good place to start.

About Chad Perrin

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

Editor's Picks

Free Newsletters, In your Inbox