In computer security, access control comprises authentication, authorization and accountability. In access control models, the human users or software that execute actions are defined as subjects, while the resources or other entities that are to be protected from unauthorized access are designated objects.
Authentication is the process of verifying that the provider of a credential is who he or she claims to be. Before a subject opens an account with an online retailer or a financial services firm, there is an initial step known as identity proofing: the subject must provide enough information to establish who they are. Currently there are three kinds of identity proofing, ranging from simple to complex, with security assurance increasing in the same order. They are as follows:
1. Classic knowledge-based authentication (KBA), such as ...
The credential used to identify the subject includes:
1. Something the subject knows, such as a Personal Identification Number (PIN)
2. Something the subject has, such as a smart card
3. Something the subject is, such as a fingerprint
4. The location of the subject, such as inside or outside a firewall
Authorization determines whether a subject has permission to manipulate the objects in the system. Generally there are three kinds of permissions.
Accountability is intended to keep a record, or log, of what happened in the system; at the same time it provides valuable information for maintenance and improvement. Rather than passively waiting for somebody to review the record, it sets up an active alarm based on predefined criteria or thresholds, known as clipping levels.
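The clipping-level idea above can be made concrete with a small detector run over authentication log lines. The following is an added example, not code from the original text: it assumes a constructed log format of `<ISO timestamp> <subject> <outcome>`, and raises an alarm the moment a subject's failed attempts within a five-minute window exceed a clipping level of three.

```python
"""Clipping-level alarm over an authentication log (added example, not from the page)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <subject> <outcome>".
SAMPLE_LOG = """\
2024-01-01T09:00:01 alice FAIL
2024-01-01T09:00:05 alice FAIL
2024-01-01T09:00:09 alice FAIL
2024-01-01T09:00:12 alice FAIL
2024-01-01T09:00:20 bob FAIL
2024-01-01T09:01:00 bob SUCCESS
2024-01-01T09:20:00 alice FAIL
2024-01-01T09:20:03 alice FAIL
2024-01-01T09:20:06 alice FAIL
2024-01-01T09:20:09 alice FAIL
"""

CLIPPING_LEVEL = 3            # assumed threshold: alarm on the 4th failure in a window
WINDOW = timedelta(minutes=5)  # assumed trailing window per subject


def parse_log(text):
    """Turn the constructed log text into (timestamp, subject, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, subject, outcome = line.split()
        events.append((datetime.fromisoformat(ts), subject, outcome))
    return events


def clipping_alarms(events, clipping_level=CLIPPING_LEVEL, window=WINDOW):
    """Return one (subject, timestamp) alarm each time a subject's failure count
    inside the trailing window crosses the clipping level.

    Successes are ignored; failures older than the window are pruned so a
    burst of failures long after an earlier burst is judged on its own."""
    recent = defaultdict(list)   # subject -> timestamps of failures still in window
    alarms = []
    for ts, subject, outcome in sorted(events):
        if outcome != "FAIL":
            continue
        in_window = [t for t in recent[subject] if ts - t <= window]
        in_window.append(ts)
        recent[subject] = in_window
        # Fire exactly on the crossing, not on every subsequent failure.
        if len(in_window) == clipping_level + 1:
            alarms.append((subject, ts))
    return alarms


if __name__ == "__main__":
    for subject, when in clipping_alarms(parse_log(SAMPLE_LOG)):
        print(f"ALARM: {subject} exceeded {CLIPPING_LEVEL} failures by {when.isoformat()}")
```

On the constructed log this fires twice for alice (once per burst) and never for bob, whose single failure stays below the level. A real deployment would feed the same function from the system's authentication log and tune the level and window to the expected legitimate failure rate.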
Access control technologies may be categorized into four main stream technologies.
1. Attribute-based Access Control, in which access is granted not on the basis of rights associated with a user after authentication, but on the basis of attributes of the user. For example, the claim could be "older than 18". In this kind of access control, users can be anonymous, since authentication and identification are not strictly required.
2. Discretionary Access Control, in which access is determined by the owner of the object. Two important concepts in DAC are ownership of the object, and access rights and permissions.
3. Mandatory Access Control, in which access is determined not by the owner of the object but by the system. This kind of access control is used for highly confidential systems holding sensitive data. In a MAC system there are two primary concerns: one is the sensitivity label used for data classification; the other is data import and export.
4. Role-based Access Control, in which access is determined by the system rather than the object owner.
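To show how the four models differ in who makes the decision, here is an added example (not code from the original text) with one small decision function per model. The object names, subjects, roles and the "older than 18" claim are constructed; for MAC it assumes the classic no-read-up / no-write-down rule over the sensitivity labels, which the text does not spell out.

```python
"""One decision function per access control model (added example, not from the page)."""
from dataclasses import dataclass, field

# ---- Discretionary: the object's owner decides who gets which rights -------
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)   # subject -> set of rights


def dac_grant(obj, granter, subject, right):
    """Only the owner may change the ACL; returns True if the grant was applied."""
    if granter != obj.owner:
        return False
    obj.acl.setdefault(subject, set()).add(right)
    return True


def dac_allows(obj, subject, right):
    # The owner keeps full rights; everyone else only what the owner granted.
    return subject == obj.owner or right in obj.acl.get(subject, set())


# ---- Mandatory: system-assigned sensitivity labels, the owner has no say ---
LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top_secret": 3}  # constructed


def mac_allows(subject_clearance, object_label, right):
    """Assumed rule: read only at or below clearance, write only at or above
    (no read up, no write down), so labelled data cannot leak downward."""
    s, o = LEVELS[subject_clearance], LEVELS[object_label]
    if right == "read":
        return s >= o
    if right == "write":
        return s <= o
    return False


# ---- Role-based: permissions attach to roles, roles attach to subjects -----
ROLE_PERMS = {                                   # constructed role definitions
    "auditor": {("ledger", "read")},
    "accountant": {("ledger", "read"), ("ledger", "write")},
}
SUBJECT_ROLES = {"carol": {"auditor"}, "dave": {"accountant"}}


def rbac_allows(subject, obj, right):
    # The system decides through role membership; the object owner is not consulted.
    return any((obj, right) in ROLE_PERMS.get(role, set())
               for role in SUBJECT_ROLES.get(subject, set()))


# ---- Attribute-based: decide on claims; the subject may stay anonymous -----
def abac_allows(claims, policy):
    """policy is a list of (attribute, predicate); every predicate must hold."""
    return all(pred(claims.get(attr)) for attr, pred in policy)


AGE_POLICY = [("age", lambda a: a is not None and a >= 18)]   # "older than 18"


if __name__ == "__main__":
    doc = DacObject(owner="alice")
    dac_grant(doc, "alice", "bob", "read")
    print("DAC  bob read :", dac_allows(doc, "bob", "read"))
    print("MAC  secret clearance reading top_secret:", mac_allows("secret", "top_secret", "read"))
    print("RBAC carol writing ledger:", rbac_allows("carol", "ledger", "write"))
    print("ABAC anonymous age 21:", abac_allows({"age": 21}, AGE_POLICY))
```

Note what each function takes as input: DAC needs the object's owner and ACL, MAC needs only labels the system assigned, RBAC needs the role tables, and ABAC needs nothing but the presented claims, which is why ABAC can serve an unauthenticated subject.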