Access Control: Principle and Practice, Term Paper Example

Part I: Multiple Choice Questions Review

After taking the multiple choice self-test at the end of chapters 1 and 2, I noticed that I received all correct answers in chapter 1, but had some difficulty in answering the chapter 2 problems. For question 1, I initially picked choice D, identification, authorization, and assurance, although I now realize that choice B is the correct answer. I selected this option because I believed that it would be useful to have an access control verification method at the end of the process, although I now understand that identification, authorization, and authorization are the proper steps. I also received an incorrect answer to question number 5 because I am less familiar with MAC. I initially picked choice A, but then realized that ACL’s are used by DAC.

Part II: Exam Objectives Fast Track

Access Control Objectives

To examine the access control objective more closely, I selected an article entitled “Access control: principle and practice” for analysis. This article serves as a review for information already learned in class because it focuses on the relationship between access control systems and other security services such as authentication, auditing, and administration (Sandhu, 1994). It explains that regardless of the individual tasks required to achieve access control, the ultimate goal of this process is to ensure that there are no unwanted security breaches.

This article is particularly useful because it includes discussion of the specifics of access control, including a review of the access matrix model and is use in practical systems, followed by a list of the types of policies used in current systems. I believe that the access control matrix is useful in modeling access permissions, but it cannot be used to model the rules by which permissions can change. Rather than being thought of as a comprehensive security policy, it should be thought of as an abstract model of permissions.

Password Administration

The article, entitled “Effective information system security with password controls” explains that password protection systems serve as a first line of defense against attacks (Wood, 1983). This supports the information that we learned in class, and it is clear that password authentication is a widespread and useful security tactic. Specifically, this is categorized as the “something you know” authentication type (Jacobs et al., 2003). This article explores techniques related to password design.

As mentioned in both the article and the textbook, the major password types are cognitive, dynamic, one time, paraphrase, and static. It is difficult to achieve a password that is both easy to remember and maximally secure, therefore information technology personnel should provide employees with a basic guideline to ensure that their password of choice falls somewhere between these two categories. Although a password that has many different characters is maximally secure, the fact that the employee will regularly forget their password reduces the security that it offers. To ensure that the employee does not feel encouraged to write their password down or tell someone it in order to better remember it, it is essential that employee’s use cognitive data in password formation to ensure that it is more memorable.

It is essential to consider that the major password types each have their advantages and disadvantages. For example, a one-time password seems like an ideal authentication method, but it is necessary to consider the time that might be involved in generating this one time password or ensuring that the employee correctly received it after a log-in request. Ultimately, the level of password security used should reflect the sensitivity of the information that is being protected.

Access Control Methodologies

Although there are many access control methodologies available, “Scheduling methodology for connections with quality of service (QoS) constraints in a polling based media access control (MAC)” specifically discusses one useful method (Kumar et al., 2000). Generally, Media Access Control (MAC) Scheduling for Quality of Service (QoS) uses the bandwidth and delay requirements of a connection to calculate the polling interval, which is the maximum time that the scheduler can be away from the connection. This is a preventative method because it will prevent access when the user is away from the system.

The textbook discusses that there are two basic methods of operation: centralized and decentralized access. It is important to use both, depending on which situation calls for the relevance of either technique. Generally, central authentication systems forward authorization data back to the requesting system and is useful when all queries are being pointed towards a central point of authentication. This is applicable in situation where there is a need to decrease the administrative efforts and the cost related to setting up each computer to communicate with the central point is less relevant. Decentralized authentication is relevant in situations where it is not possible for or desirable to have a single reference point for all access control requests. Since in this method, more systems are responsible for access control requests for a small group of computer systems, it is easier to enforce security measures that prevent access to network information. Ideally, this unwanted access can be stopped at many points in the process.

References

Jacobs J, Clemmer L, Dalton M. (2003). SSCP Systems Study Guide and DVD Training System. Rockland MA: Syngress Publishing.

Kumar A, Ramachandran L. (2000). Scheduling methodology for connections with quality of service (QoS) constraints in a polling based media access control (MAC). Retrieved from http://www.google.com/patents/US6657987

Sandhu RS. (1994). Access control: principle and practice. Communications Magazine, IEEE. 32(9): 40-48.

Wood CC. (1983). Effective information system security with password controls. Computers & Security, 2(1): 5-10.