Associate Level Material
Access Control Policy
Student Name: Charles Williams
University of Phoenix
IT/244 Intro to IT Security
Instructor’s Name: Tarik Lles
Date: December 4, 2011
Access Control Policy
Due in Week Seven: Outline the Access Control Policy. Describe how access control methodologies work to secure information systems
Access control is used to restrict the operations that authorized users can perform. Access control does exactly what its name says: it controls what access an authorized user can have. A reference monitor enforces access control by following the rules held in an authorization database. These authorizations are controlled and ...
Single sign-on, or SSO, refers to the ability of a user to be authenticated only once and then be granted authorization to multiple services. This authentication process permits a user to enter one name and password to access all applications he or she has been given rights to, and it eliminates further prompts when switching applications during a session. Biometrics is another modern form of authentication. Biometrics uses biological factors, such as retinal scans, fingerprints, photo-comparison technologies, etc., to authenticate someone. Biometric identification and authentication is considered the most secure. Multifactor authentication is exactly what it sounds like: it refers to using more than one factor to authenticate a user. This form of authentication is more secure than single-factor authentication in most cases, and it requires a user to be authenticated by at least two forms of authentication. This may include a password and a fingerprint, or a smart card and a retinal scan. Multifactor authentication usually combines biometrics with another form of authentication.
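The following is an added example, not part of the paper, showing the two-factor check described above in code. It assumes a password (something you know) as the first factor and a time-based one-time code from an authenticator app (TOTP, RFC 6238) as the second factor; the paper itself names fingerprints and smart cards, and the function names, the PBKDF2 round count and the sample secret are choices made for this example.

```python
"""Two-factor authentication: salted password hash plus TOTP.

Added example (not from the paper). Assumptions: PBKDF2-SHA256 for the
password store and RFC 6238 TOTP (6 digits, 30-second step) for the second factor.
"""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional, Tuple

PBKDF2_ROUNDS = 200_000   # iteration count chosen for this example
STEP = 30                 # TOTP time step in seconds (RFC 6238 default)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Factor 1 (something you know): store a salted hash, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def totp(secret: bytes, timestamp: int, digits: int = 6) -> str:
    """Factor 2 (something you have): HOTP (RFC 4226) over the time counter."""
    counter = struct.pack(">Q", timestamp // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, timestamp: int, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side to tolerate clock drift."""
    return any(hmac.compare_digest(totp(secret, timestamp + d * STEP), code)
               for d in range(-window, window + 1))


def enroll(password: str, totp_secret: bytes) -> dict:
    """Create the stored record for a user (constructed in-memory record)."""
    salt, digest = hash_password(password)
    return {"salt": salt, "digest": digest, "totp_secret": totp_secret}


def authenticate(record: dict, password: str, code: str,
                 timestamp: Optional[int] = None) -> bool:
    """Multifactor login: both factors are always evaluated and both must pass.

    Evaluating both (instead of short-circuiting) means a failed attempt does
    not reveal which factor was wrong.
    """
    ts = int(time.time()) if timestamp is None else timestamp
    pw_ok = verify_password(password, record["salt"], record["digest"])
    otp_ok = verify_totp(record["totp_secret"], code, ts)
    return pw_ok and otp_ok


if __name__ == "__main__":
    # Constructed sample user; the secret is the RFC 4226/6238 test-vector key.
    user = enroll("correct horse battery", b"12345678901234567890")
    now = int(time.time())
    print("both factors:", authenticate(user, "correct horse battery",
                                        totp(b"12345678901234567890", now), now))
    print("password only:", authenticate(user, "correct horse battery", "000000", now))
```

With the RFC test-vector key, `totp(secret, 59)` yields `287082`, so the code can be checked against the published vectors. The point for policy is that a stolen password alone no longer authenticates: `authenticate` returns False unless the one-time code for the current step also verifies.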
2 Access control strategy
1 Discretionary access control
Describe how and why discretionary access control will be used. Include an explanation of how the principle of least privilege applies to assure confidentiality. Explain who the information owner is that has the responsibility for the information and has the discretion to dictate access to that information.
Discretionary Access Control (DAC) allows each user to control access to his or her own data. Every resource object on a DAC-based system has an Access Control List (ACL) associated with it. The ACL lists the users and groups to whom the owner has granted access, along with the level of access for each user or group. As an example, user HY may grant read-only access on one of the files to user J, read and write access on the same file to user L, and full control to any user belonging to group two. Under DAC, a user can only set access permissions for resources he or she already owns, so user A cannot change the access control for a file owned by user F, but user A can set access permissions on a file that he or she owns. Under some operating systems it is also possible for the network or system administrator to dictate which permissions users are allowed to set in the ACLs of their resources. Discretionary Access Control provides a more flexible environment than Mandatory Access Control, but it also increases the risk that data will be made accessible to users who should not gain access. Understanding the permissions on file servers on the network will increase network security (Bushmiller, 2011).
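The following is an added example, not part of the paper, that models the DAC behaviour just described: each resource carries an ACL, an unlisted user gets no access (the default-deny that least privilege requires), and only the information owner may change the ACL. The class and function names, the permission levels, and the sample users, groups and file are constructed for this example.

```python
"""Toy discretionary access control (DAC) model.

Added example (not from the paper). Assumed design: ACL entries map a
principal (user or group name) to an ordered permission level; only the
resource owner may grant or revoke entries.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, Set


class Level(IntEnum):
    """Ordered permission levels: a higher level implies the lower ones."""
    NONE = 0          # no ACL entry: deny by default
    READ = 1
    READ_WRITE = 2
    FULL_CONTROL = 3  # read, write and delete


# Minimum level each operation requires (operation names chosen for this example)
REQUIRED = {"read": Level.READ, "write": Level.READ_WRITE, "delete": Level.FULL_CONTROL}


@dataclass
class Resource:
    name: str
    owner: str                                           # information owner
    acl: Dict[str, Level] = field(default_factory=dict)  # principal -> level


class DacSystem:
    def __init__(self, groups: Dict[str, Set[str]]):
        self.groups = groups                             # group name -> member users

    def principals_for(self, user: str) -> Set[str]:
        """The user plus every group they belong to; any of these may hold an ACL entry."""
        return {user} | {g for g, members in self.groups.items() if user in members}

    def effective_level(self, user: str, res: Resource) -> Level:
        if user == res.owner:
            return Level.FULL_CONTROL                    # the owner always keeps control
        return max((res.acl.get(p, Level.NONE) for p in self.principals_for(user)),
                   default=Level.NONE)

    def check(self, user: str, res: Resource, op: str) -> bool:
        """Reference-monitor style decision: allowed only if the ACL grants enough."""
        return self.effective_level(user, res) >= REQUIRED[op]

    def grant(self, actor: str, res: Resource, principal: str, level: Level) -> None:
        """The discretionary part: only the owner may edit the ACL."""
        if actor != res.owner:
            raise PermissionError(f"{actor} does not own {res.name}")
        res.acl[principal] = level

    def revoke(self, actor: str, res: Resource, principal: str) -> None:
        if actor != res.owner:
            raise PermissionError(f"{actor} does not own {res.name}")
        res.acl.pop(principal, None)


if __name__ == "__main__":
    # Constructed sample: the paper's HY / J / L / group two scenario
    system = DacSystem({"group_two": {"M", "N"}})
    report = Resource("report.txt", owner="HY")
    system.grant("HY", report, "J", Level.READ)
    system.grant("HY", report, "L", Level.READ_WRITE)
    system.grant("HY", report, "group_two", Level.FULL_CONTROL)
    for user, op in [("J", "read"), ("J", "write"), ("L", "write"), ("M", "delete"), ("Q", "read")]:
        print(f"{user} {op}: {'allowed' if system.check(user, report, op) else 'denied'}")
    try:
        system.grant("A", report, "A", Level.READ)      # A is not the owner
    except PermissionError as err:
        print("denied:", err)
```

The model also makes the paper's risk visible: nothing stops owner HY from granting FULL_CONTROL to anyone, which is why the administrator-imposed limits on permitted ACL entries mentioned above, and periodic review of who holds what, matter on a DAC system.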
2 Mandatory access control
Describe how and why mandatory access control will be used.
Mandatory Access Control (MAC) uses a hierarchical approach to control access to resources, such as data files. The system...