Authentication, Access Control and Security Policies
Authentication, access control and security policies: these three concepts define modern-day protection in the world of technology.
First, let's define each of them.

What is Authentication?

"The process of determining whether someone or something is, in fact, who or what it declares itself to be" (Rosencrance, 2018).

How authentication is used:
Authentication technology provides access control for systems by checking to see if a user's credentials match the credentials in a database of authorized users or in a data authentication server.
Generally, a user has to choose a username or user ID and provide a valid password to begin using a system. User authentication authorizes human-to-machine interactions in operating systems and applications, as well as both wired and wireless networks to enable access to networked and internet-connected systems, applications and resources.

Authentication factors:


  • Knowledge factor: "Something you know." Consists of information that the user possesses, including a personal identification number (PIN), a user name, a password or the answer to a secret question.
  • Possession factor: "Something you have." Based on items that the user can own and carry with them, including a security token or a mobile phone used to accept a text message or to run an authentication app that can generate a one-time password or PIN.
  • Inherence factor: "Something you are." Typically based on some form of biometric identification, including finger or thumb prints, facial recognition, retina scan or any other form of biometric data.
  • Location factor: "Where you are." Sometimes used as an adjunct to the other factors. Location can be determined to reasonable accuracy by devices equipped with GPS, or with less accuracy by checking network routes.
  • Time factor: "When you are authenticating." Like the location factor, the time factor is not sufficient on its own, but it can be a supplemental mechanism for weeding out attackers who attempt to access a resource at a time when that resource is not available to the authorized user.

Authentication methods:
  • Two-factor authentication adds an extra layer of protection to the process of authentication.
    • Requires that a user provide a second authentication factor in addition to the password.
    • Requires the user to enter a verification code received via text message on a preregistered mobile phone, or a code generated by an authentication application.
  • Multifactor authentication requires users to authenticate with more than one authentication factor, including a biometric factor like fingerprint or facial recognition, a possession factor like a security key fob, or a token generated by an authenticator app.
  • One-time password is an automatically generated numeric or alphanumeric string of characters that authenticates a user. This password is only valid for one login session or transaction, and is usually used for new users, or for users who lost their passwords and are given a one-time password to log in and change to a new password.
  • Three-factor authentication uses three authentication factors: a knowledge factor (password) combined with a possession factor (security token) and an inherence factor (biometric).
  • Biometrics are usually used as a second or third authentication factor. The more common types of biometric authentication available include fingerprint scans, facial or retina scans and voice recognition.
  • Mobile authentication is the process of verifying a user via their devices or verifying the devices themselves. This lets users log into secure locations and resources from anywhere. The mobile authentication process involves multifactor authentication that can include one-time passwords, biometric authentication or QR code validation.
  • Continuous authentication: instead of a user being either logged in or out, a company's application continually computes an "authentication score" that measures how sure it is that the account owner is the individual who's using the device.
  • API authentication -- The standard methods of managing API authentication are:
    • HTTP basic authentication: the server requests authentication information, i.e., a username and password, from a client. The client then passes the authentication information to the server in an Authorization header.
    • API keys and OAuth: a first-time user is assigned a unique generated value that indicates that the user is known. Then each time the user tries to enter the system again, this unique key is used to verify that they are the same user who entered the system previously.
  • Open Authorization (OAuth) is an open standard for token-based authentication and authorization on the internet.
    • OAuth allows a user's account information to be used by third-party services, such as Facebook, without exposing the user's password.
    • OAuth acts as an intermediary on behalf of the user, providing the service with an access token that authorizes specific account information to be shared.
Why is authentication so important?
Without the right security measures, user data, such as credit and debit card numbers, as well as Social Security numbers, could get into the hands of cybercriminals.


Access control is the fundamental concept in security that minimizes risk to the business or organization.


There are two types of access control:
  • Physical access control limits access to physical spaces such as buildings and physical IT assets.
  • Logical access control limits connections to computer networks, system files and data.
Access control and authentication work hand in hand, because access control systems perform identification, authentication and authorization of users and entities by evaluating required login credentials, which can include the authentication factors and methods explained earlier.

The main types of access control (Richard, 2018):


  • Mandatory access control (MAC): A security model in which access rights are regulated by a central authority based on multiple levels of security. Often used in government and military environments: classifications are assigned to system resources, and the operating system or security kernel grants or denies access to those resource objects based on the information security clearance of the user or device. For example, Security Enhanced Linux is an implementation of MAC on the Linux operating system.
  • Discretionary access control (DAC): An access control method in which owners or administrators of the protected system, data or resource set the policies defining who or what is authorized to access the resource. Many of these systems enable administrators to limit the propagation of access rights.
  • Role-based access control (RBAC): Restricts access to computer resources based on individuals or groups with defined business functions rather than the identities of individual users. The role-based security model relies on a complex structure of role assignments, role authorizations and role permissions developed using role engineering to regulate employee access to systems.
  • Rule-based access control: A security model in which the system administrator defines the rules that govern access to resource objects. These rules are based on conditions, such as time of day or location.
  • Attribute-based access control (ABAC): Manages access rights by evaluating a set of rules, policies and relationships using the attributes of users, systems and environmental conditions.
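The models above are not mutually exclusive; a single access decision often chains several of them. The following added example (not from the cited TechTarget article) evaluates a constructed policy in that order: a MAC-style clearance check, an RBAC role-to-permission lookup, a rule-based office-hours condition, and an ABAC department-match rule; DAC (owner-set permissions) is left out for brevity.

```python
from dataclasses import dataclass, field
from datetime import time
from typing import Set, Tuple


@dataclass
class Subject:
    user: str
    roles: Set[str] = field(default_factory=set)  # RBAC: business function, not identity
    clearance: int = 0                            # MAC-style level (0 = unclassified)
    department: str = ""                          # ABAC attribute


@dataclass
class Resource:
    name: str
    classification: int = 0                       # MAC-style label on the object
    owner_department: str = ""                    # ABAC attribute


# RBAC: role -> permitted actions (constructed policy)
ROLE_PERMISSIONS = {
    "analyst": {"read"},
    "editor": {"read", "write"},
}

# Rule-based: access only during office hours (constructed policy)
OFFICE_HOURS = (time(8, 0), time(18, 0))


def check_access(subject: Subject, resource: Resource, action: str, now: time) -> Tuple[bool, str]:
    """Evaluate MAC, RBAC, rule-based and ABAC checks in turn; the first failing check denies."""
    # MAC: the subject's clearance must dominate the resource's classification (no read-up).
    if subject.clearance < resource.classification:
        return False, "MAC: insufficient clearance"
    # RBAC: the action must be granted to at least one of the subject's roles.
    allowed = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in subject.roles))
    if action not in allowed:
        return False, f"RBAC: no role grants '{action}'"
    # Rule-based: a time-of-day condition set by the administrator.
    if not (OFFICE_HOURS[0] <= now < OFFICE_HOURS[1]):
        return False, "rule: outside office hours"
    # ABAC: writes are limited to the department that owns the resource.
    if action == "write" and subject.department != resource.owner_department:
        return False, "ABAC: department mismatch"
    return True, "allowed"
```

Because every check must pass, adding a new model (for example a location rule) only requires inserting one more early-return without touching the others.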


A security policy "identifies the rules and procedures for all individuals accessing and using an organization's IT assets and resources" (Cyberpedia, 2018). It's a document that states in writing how a company plans to protect the company's physical and information technology (IT) assets.

The IT Security Policy is a living document that is continually updated to adapt with evolving business and IT requirements.

The objective of an IT security policy is the preservation of confidentiality, integrity, and availability of the systems and information used by an organization's members.

These three principles make up the CIA triad:
  • Confidentiality involves the protection of assets from unauthorized entities.
  • Integrity ensures that modification of assets is handled in a specified and authorized manner.
  • Availability is a state of the system in which authorized users have continuous access to said assets.

References:
Cyberpedia. (2018). What is an IT security policy? Cyberpedia. Retrieved from: https://www.paloaltonetworks.com/cyberpedia/what-is-an-it-security-policy

Richars, K. (2018). Access control. TechTarget. Retrieved from: https://searchsecurity.techtarget.com/definition/access-control

Rosencrance, L. (2018). Authentication. TechTarget. Retrieved from: https://searchsecurity.techtarget.com/definition/authentication
