Network security is a relatively new requirement, and security incidents are rising at an alarming rate every year. As threats grow more complex, so do the measures needed to protect networks. To identify and apply information security industry standards as mechanisms of protection and prevention, information systems are decomposed into three main portions (hardware, software and communications) and protected at three levels or layers: physical, personal and organizational.
Overview of Access Control
Access control is generally a policy or procedure that allows, denies or restricts access to a system. It may also monitor and record all attempts made to access a system, and it may identify users attempting to access a system without authorization. It is one of the most important protection mechanisms in computer security. Access control approaches determine how users interact with data and other network resources, and access control measures ensure that data are protected from unauthorized disclosure or modification.
Access control is the traditional center of gravity of computer security. It is where security engineering meets computer science. Its function is to control which principals have access to which resources in the system—which files they can read, which programs they can execute, how they share data with other principals, and so on.
The purpose of access control is to ensure that only authorized individuals, or processes acting on their behalf, can access your digital systems. Companies need a formal, documented access control policy, which should address:
- Account Management – manage and document accounts (authorizing, establishing, activating, modifying, reviewing, disabling and removing them).
- Access Enforcement – enforce authorizations in accordance with documented policies.
- Information Flow – authorize the flow of information between interconnected systems and regulate where information can travel.
- Separation of Functions – divide responsibilities to prevent conflicts of interest, so that no one person has power over all activities.
- Login Attempts – lock out a user after a set number of failed login attempts within a certain period of time.
- System Use Notification – display a system use notification message before granting the user access to the system.
- Previous Logon Notification – upon logon, display the time and date of the user's last logon.
- Session Lock – initiate a session lock after a period of inactivity, requiring the user to log in again.
- Management Review – management reviews the activities of users.
- Emergency Actions – identify actions that may be taken in an emergency without identification or authentication.
- Wireless Access – restrict wireless access except through a boundary device.
- Rogue Connections – perform periodic checks to ensure there are no unauthorized connections.
- Access Control for Portable Devices – establish restrictions for the control of portable devices (phones, laptops, etc.).
- Access from External Systems / Remote Access – prohibit access from an external system unless it is made through a secure portal such as a Virtual Private Network (VPN).
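As an added example (not part of the original text), the following Python sketch enforces several of the policy items above in one place: account management (create and disable), lockout after too many failed login attempts within a window, the system use notification, the previous-logon notification, a session lock after inactivity, and an audit trail that management can review. The thresholds, user names and timestamps are assumptions constructed for the example; the actual credential check is assumed to be done by an external authenticator whose verdict is passed in.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Policy parameters: assumed values chosen for the example, not taken from the page.
MAX_FAILED_ATTEMPTS = 5                     # failures allowed inside FAILED_WINDOW
FAILED_WINDOW = timedelta(minutes=15)       # window in which failures are counted
LOCKOUT_DURATION = timedelta(minutes=30)    # how long a locked account stays locked
SESSION_IDLE_LIMIT = timedelta(minutes=10)  # inactivity before the session is locked
SYSTEM_USE_NOTICE = "Authorized use only. Activity on this system is monitored and recorded."


@dataclass
class Account:
    username: str
    enabled: bool = True
    failed_attempts: List[datetime] = field(default_factory=list)
    locked_until: Optional[datetime] = None
    last_logon: Optional[datetime] = None


@dataclass
class Session:
    username: str
    last_activity: datetime
    locked: bool = False


class AccessController:
    """Enforces account state, login-attempt lockout, notifications and session lock."""

    def __init__(self) -> None:
        self.accounts: dict = {}
        self.audit: list = []  # every attempt is recorded for management review

    def create_account(self, username: str) -> None:
        self.accounts[username] = Account(username)
        self.audit.append(("account_created", username))

    def disable_account(self, username: str) -> None:
        self.accounts[username].enabled = False
        self.audit.append(("account_disabled", username))

    def system_use_notification(self) -> str:
        return SYSTEM_USE_NOTICE

    def attempt_logon(self, username: str, credential_ok: bool,
                      now: datetime) -> Tuple[Optional[Session], str]:
        """credential_ok is the verdict of an external authenticator (assumed)."""
        acct = self.accounts.get(username)
        if acct is None or not acct.enabled:
            self.audit.append(("logon_denied", username, now))
            return None, "access denied"
        if acct.locked_until is not None and now < acct.locked_until:
            self.audit.append(("logon_denied_locked", username, now))
            return None, "account locked"
        # only failures inside the window count towards the lockout threshold
        acct.failed_attempts = [t for t in acct.failed_attempts if now - t <= FAILED_WINDOW]
        if not credential_ok:
            acct.failed_attempts.append(now)
            self.audit.append(("logon_failed", username, now))
            if len(acct.failed_attempts) >= MAX_FAILED_ATTEMPTS:
                acct.locked_until = now + LOCKOUT_DURATION
                acct.failed_attempts.clear()
                self.audit.append(("account_locked", username, now))
                return None, "account locked"
            return None, "access denied"
        previous = acct.last_logon  # shown to the user as the previous-logon notification
        acct.last_logon = now
        acct.failed_attempts.clear()
        acct.locked_until = None
        self.audit.append(("logon_ok", username, now))
        notice = f"Last logon: {previous.isoformat()}" if previous else "First logon"
        return Session(username, now), notice

    def touch_session(self, session: Session, now: datetime) -> bool:
        """Return True if the session may continue; lock it once idle too long."""
        if session.locked:
            return False
        if now - session.last_activity > SESSION_IDLE_LIMIT:
            session.locked = True
            self.audit.append(("session_locked", session.username, now))
            return False
        session.last_activity = now
        return True


def demo() -> dict:
    """Walk through the policy with constructed timestamps (not real data)."""
    ac = AccessController()
    ac.create_account("alice")
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    for i in range(MAX_FAILED_ATTEMPTS):  # five bad credentials within five minutes
        ac.attempt_logon("alice", False, t0 + timedelta(minutes=i))
    _, locked_msg = ac.attempt_logon("alice", True, t0 + timedelta(minutes=6))
    sess, first_msg = ac.attempt_logon("alice", True, t0 + timedelta(minutes=40))
    active = ac.touch_session(sess, t0 + timedelta(minutes=45))
    idle = ac.touch_session(sess, t0 + timedelta(minutes=60))
    _, second_msg = ac.attempt_logon("alice", True, t0 + timedelta(minutes=61))
    ac.disable_account("alice")
    _, disabled_msg = ac.attempt_logon("alice", True, t0 + timedelta(minutes=62))
    return {
        "notice": ac.system_use_notification(),
        "locked_message": locked_msg,
        "first_logon_message": first_msg,
        "active_after_5_min_idle": active,
        "active_after_15_min_idle": idle,
        "second_logon_message": second_msg,
        "disabled_message": disabled_msg,
        "audit_events": len(ac.audit),
    }
```

Running demo() shows the lockout engaging on the fifth failure, a correct credential still being refused while the lock is in force, the first successful logon reporting "First logon" and the next one reporting the previous timestamp, and the session being locked once it has been idle longer than the limit. Note that a correct credential presented during the lockout is refused without being counted, so an attacker cannot learn anything from the lockout response that they could not learn from "access denied".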
Access Control System Architecture
An access control system provides security by giving flexible control over who is allowed to enter your premises. Areas or organizations that require high security use different types of access control systems, such as biometric readers, RFID, door controllers and card readers. Each access point may be controlled individually according to the requirements of the company or organization where high security is necessary. Network security is also important, especially in a company that handles sensitive data.
Figure: Architecture of Access Control System
With such a system, card access control allows entry to the premises while keeping people on one side of the door until they are authorized. In some cases, physical access control systems are integrated with electronic ones, limiting which users may utilize the resources on a computer system.
Characteristics of Ideal Access Control
This section introduces the characteristics or properties of a good access control system for securing privacy and managing data access.
Data confidentiality: Data is encrypted before it is uploaded to the cloud, so an unauthorized user of the cloud cannot learn anything about the data stored there. Only authorized users, those who hold the decryption key, can access the data.
Fine-grained access control: Different users in the same group receive different access rights, so users belonging to the same group can access different data according to their individual rights.
Scalability: As the number of users of the system increases, performance could suffer; the system must be designed so that its performance is not affected by a growing number of authorized users.
Flexibility: The flexibility of the cloud allows companies to adjust to any problems that may occur during day-to-day operations. It also allows extra resources to be used at peak times to satisfy consumer demand.
Security: When login credentials such as passwords are updated, or when extra attributes are requested, we must ensure that only the valid user is performing those operations. The system must also provide protection against attacks such as session hijacking and session fixation.
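As an added example (not part of the original text), the following Python code demonstrates two of the characteristics just listed: fine-grained access control, where members of the same group end up with different rights because per-user grants and denies refine the group baseline and everything else is denied by default, and the security requirement that only the valid user can update their own credentials, enforced by requiring the current password before a new one is accepted. The user, group and resource names are assumptions constructed for the example; password hashing uses salted PBKDF2 from the standard library.

```python
import hashlib
import hmac
import os
from typing import Dict, Set, Tuple

Right = Tuple[str, str]  # (resource, action)


class FineGrainedPolicy:
    """Group membership grants a baseline; per-user grants and denies refine it,
    so two members of one group can hold different rights.
    Anything not explicitly granted is denied (deny by default)."""

    def __init__(self) -> None:
        self.group_members: Dict[str, Set[str]] = {}
        self.group_grants: Dict[str, Set[Right]] = {}
        self.user_grants: Dict[str, Set[Right]] = {}
        self.user_denies: Dict[str, Set[Right]] = {}

    def add_member(self, group: str, user: str) -> None:
        self.group_members.setdefault(group, set()).add(user)

    def grant_group(self, group: str, resource: str, action: str) -> None:
        self.group_grants.setdefault(group, set()).add((resource, action))

    def grant_user(self, user: str, resource: str, action: str) -> None:
        self.user_grants.setdefault(user, set()).add((resource, action))

    def deny_user(self, user: str, resource: str, action: str) -> None:
        self.user_denies.setdefault(user, set()).add((resource, action))

    def is_allowed(self, user: str, resource: str, action: str) -> bool:
        right = (resource, action)
        if right in self.user_denies.get(user, set()):
            return False  # an explicit per-user deny overrides every grant
        if right in self.user_grants.get(user, set()):
            return True
        return any(user in members and right in self.group_grants.get(group, set())
                   for group, members in self.group_members.items())


class CredentialStore:
    """Salted PBKDF2 password records. Replacing a password requires proving
    the current one, so only the legitimate holder can update the credential."""

    def __init__(self) -> None:
        self._records: Dict[str, Tuple[bytes, bytes]] = {}

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

    def set_password(self, user: str, password: str) -> None:
        salt = os.urandom(16)  # fresh salt on every change
        self._records[user] = (salt, self._digest(password, salt))

    def verify(self, user: str, password: str) -> bool:
        record = self._records.get(user)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, self._digest(password, salt))  # constant-time compare

    def change_password(self, user: str, current: str, new: str) -> bool:
        if not self.verify(user, current):  # re-authenticate before accepting the update
            return False
        self.set_password(user, new)
        return True


def demo() -> dict:
    """Constructed users, group and resource names (not from the page)."""
    policy = FineGrainedPolicy()
    for member in ("alice", "bob", "carol"):
        policy.add_member("analysts", member)
    policy.grant_group("analysts", "reports/q1", "read")  # baseline for the whole group
    policy.grant_user("alice", "reports/q1", "write")     # alice alone may write
    policy.deny_user("carol", "reports/q1", "read")       # carol loses read despite membership

    creds = CredentialStore()
    creds.set_password("alice", "correct horse")
    return {
        "alice_read": policy.is_allowed("alice", "reports/q1", "read"),
        "alice_write": policy.is_allowed("alice", "reports/q1", "write"),
        "bob_read": policy.is_allowed("bob", "reports/q1", "read"),
        "bob_write": policy.is_allowed("bob", "reports/q1", "write"),
        "carol_read": policy.is_allowed("carol", "reports/q1", "read"),
        "dave_read": policy.is_allowed("dave", "reports/q1", "read"),  # not a member
        "change_with_wrong_current": creds.change_password("alice", "guess", "battery staple"),
        "change_with_right_current": creds.change_password("alice", "correct horse", "battery staple"),
        "old_password_still_works": creds.verify("alice", "correct horse"),
        "new_password_works": creds.verify("alice", "battery staple"),
    }
```

The deny-by-default check in is_allowed is what makes the policy fine-grained in practice: a new resource is inaccessible to everyone until a grant is written, and a per-user deny lets an administrator carve one person out of a group without restructuring the groups. The change_password path is the re-authentication step the Security characteristic calls for; a real deployment would additionally invalidate existing sessions after a credential change so that a hijacked session does not outlive the password it was obtained under.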