When you plan to keep information secure, you naturally begin to consider limiting access to it. In fact, you can keep information perfectly secure by eliminating all access, but then the information system is non-functional. Instead, you need to give the right people the level of access their role or responsibilities require, and deny everyone else. Access controls are the security features that govern how users and systems communicate and interact. A fundamental subsystem of any secure system is an identity service. An identity service is usually described in terms of AAA: Authentication, Authorization, and Accounting (often expanded as Accountability). In practice, though, there are five critical elements in a good identity service subsystem: identification, authentication, authorization, auditing, and accountability.
Understanding these elements, and how each relates to the other four, is important to designing, implementing, and maintaining a secure information system.
Identification is what happens when a user claims an identity; it starts the process of authentication, authorization, and accountability for that user. A user may identify in a number of ways, including typing a username, swiping a card, or scanning a fingerprint. When a system issues identification values to users or subjects, each value must be unique, and usernames must never be shared between users, so that every action in the system can be attributed to exactly one person. A standard naming scheme should be followed, but the scheme should not describe the user's position or task (e.g. payrolluser): a name like that tells an attacker which accounts are worth targeting.
Authentication is making sure the claimed identity is valid. Is the user really who they claim to be? To check, the user claiming an identity must usually provide additional information that corresponds to the identity. For instance, a password or a personal identification number (PIN) known only to the user is commonly required. Sometimes other signals are considered as well, such as the physical location of the device the user is connecting from. There are three categories, or factors, of information used to authenticate:
- Something you know (e.g. password, PIN, etc.)
- Something you have (e.g. a one-time code from an authenticator app or hardware token, a smart card, keys, etc.)
- Something you are (fingerprint, voice recognition, etc.)
Many systems now implement multi-factor authentication, where at least two pieces of information from at least two different factor groups above are used to authenticate users. Two pieces from the same group (a password plus a PIN, for example) do not count as two factors. Employing a second factor adds a layer of protection in case a user's identification and password have been compromised.
Authorization refers to the established rules that determine whether an authenticated user has sufficient privileges to perform some action on a file, a data set, a report, and so on. For instance, Bob may have privileges to create, modify, read, and delete files in a certain directory, whereas Kathy may only have read privileges in that same directory. Authorization is harder to manage at scale than identification and authentication, because those two are binary: the user has a valid ID or does not; the user provides the correct password or does not. Authorization, by contrast, may mean that Bob and Kathy both have access to some of the same files but with different sets of privileges. Maintaining authorization rules becomes complicated in a sophisticated system with numerous roles that must be accounted for and managed, which is why rules should deny by default and grant only what a role explicitly needs.
Auditing is monitoring a user's activity in the system programmatically and recording that activity in an audit log. A system or application with good auditing built in allows a user to be either held accountable or exonerated should they be accused of violating company policies, procedures, or laws while using the system. Good auditing supports non-repudiation: this user did these actions at these times in the system, which is critical to proving responsibility legally. That only holds if the log itself is trustworthy, so audit records must be written to storage the audited users cannot modify, protected against deletion or alteration (append-only or tamper-evident), and stamped with synchronized, reliable time. Further, a good auditing system is vital for detecting unauthorized or abnormal use of a system, and can also serve to monitor the system's health and performance. When a breach or system failure has occurred, the audit logs are often the first thing to check to determine who did what and when, how they were able to do it, how extensive the intrusion was, and whether it is ongoing. The audit logs also hold the clues for how to mitigate or fix the system so that the breach or undesired activity cannot recur.
Security cannot be enforced unless accountability is maintained. Users must be held accountable for detrimental and unauthorized use of the system. In order to prove that a person did something with a system, you need a thorough audit log of activity: this user logged in at this date and time from this device at this IP address, then performed these actions, each with its own timestamp. You also need to be able to prove that nobody was impersonating that individual, which comes back to good authentication. Usernames and passwords can be compromised, but if your authentication requires multiple factors, it is much harder for a user to credibly claim that someone hacked their account and acted in their name.
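An authorization check that records every decision to a tamper-evident audit log, as an added example that is not part of the original page and serves the authorization, auditing, and accountability sections above. The permission table (Bob and Kathy's rights on a constructed directory path) and the source IP addresses are example data. Access is denied unless a rule explicitly grants it, denials are logged as well as grants (denied attempts are what abnormal-use detection keys on), and each log entry carries a SHA-256 hash that commits to the previous entry, so editing or deleting any record breaks the chain and is detectable.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed permission table for one directory. Deny by default: a user or
# action that is not listed gets nothing, and Bob's rights say nothing about Kathy's.
PERMISSIONS = {
    "/finance/reports": {
        "bob": {"create", "read", "modify", "delete"},
        "kathy": {"read"},
    }
}

GENESIS_HASH = "0" * 64


def _entry_hash(body: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


class AuditLog:
    """Append-only, hash-chained audit records. Each entry stores the hash of the
    entry before it, so removing or altering one record invalidates all later ones."""

    def __init__(self):
        self.entries = []
        self._last_hash = GENESIS_HASH

    def record(self, **fields) -> dict:
        body = {"seq": len(self.entries), "prev": self._last_hash, **fields}
        entry = dict(body, hash=_entry_hash(body))
        self.entries.append(entry)
        self._last_hash = entry["hash"]
        return entry

    def verify(self) -> bool:
        """Recompute the chain from the genesis hash; False means the log was tampered with."""
        prev = GENESIS_HASH
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or _entry_hash(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def authorize(log: AuditLog, user: str, action: str, resource: str, source_ip: str) -> bool:
    """Allow only if the rule for this resource explicitly grants the action to this user.
    Every decision, allowed or denied, is written to the audit log with who, what,
    where from, and when, which is the evidence accountability depends on."""
    allowed = action in PERMISSIONS.get(resource, {}).get(user, set())
    log.record(
        time=datetime.now(timezone.utc).isoformat(),
        user=user,
        action=action,
        resource=resource,
        source_ip=source_ip,
        decision="allow" if allowed else "deny",
    )
    return allowed


if __name__ == "__main__":
    log = AuditLog()
    authorize(log, "bob", "delete", "/finance/reports", "10.0.0.5")
    authorize(log, "kathy", "delete", "/finance/reports", "10.0.0.6")
    for entry in log.entries:
        print(entry["seq"], entry["user"], entry["action"], entry["decision"])
    print("chain intact:", log.verify())
```

The chain only detects tampering; it does not prevent it. In production the log still has to live somewhere the audited users cannot write (a separate log host or WORM storage), and the most recent hash should be periodically copied to an independent system so an attacker who can rewrite the whole file from the genesis entry is still caught.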
Each of the five critical elements of a secure access control system complements and depends on the others. If any one is weak or substandard, the investment made in the others can be wasted: a strong password policy means little if shared accounts make actions unattributable, and a detailed audit log proves nothing if anyone can edit it. It is vital that your organization review these components routinely and stay current with best practices and tools in identification, authentication, authorization, auditing, and accountability.