Access control

Access control is the monitoring and control of access to specific resources. The purpose of access control is to ensure the integrity, confidentiality and availability of information.

One of the most important foundations of information security is how resources can be accessed and how those resources are protected by access mechanisms. Access control is therefore not only a matter of technical tools.

The division into the three areas of administrative, physical and technical access control is regarded as complementary. That is, the areas can be described by a layer model in which the individual layers complement one another.

Administrative access control

The administrative controls are at the top of the hierarchy. They describe how an organization wants to handle access to its information. Aspects of access control at this level are:

Security regulations and procedures

  • The security regulation can give guidance on access control, but it does not necessarily have to. To establish the security regulation, an organization must determine what information is worth protecting and what value, for example financial value, the respective resource has (for example trade secrets such as construction plans in the automotive sector, account data in the banking sector, etc.). Furthermore, the security regulation is also influenced by regulatory requirements (Data Protection Act, banking secrecy, standards to be met, etc.). Depending on the industry in which the organization operates, patent protection, intellectual property (IP) or similar considerations are added as well.

Access control for employees

  • Which roles must be separated (four-eyes principle, segregation of duties)
  • Which roles and persons have access to which information
  • Which characteristics these persons must meet to obtain access
  • How these characteristics can be verified on a regular basis
  • How a person's rights can be withdrawn

Control structure of an organization

  • Who checks which data for integrity
  • Which indicators can be used for control
  • Who is responsible for which actions in an organization

Testability of the access controls

  • How the specified controls can be verified (audit)

Physical access control

Physical access control comprises access controls that can be enforced by physical measures. This refers to access controls such as:

  • Design and architecture of buildings or enclosed areas with regard to entry or access control
  • Locks, Bluetooth (phone) or biometric access control for rooms (server rooms, safes)
  • Floodlights, alarm systems and video surveillance
  • Protection services, guard dogs, fences, etc.

The physical layout of a network can also be counted as physical access control, since the network is divided spatially and access to the network is thereby protected. If the backup of a system is kept in a fireproof safe, that is also a physical control, namely access protection against fire and theft.

Technical access control

Technical access control, sometimes called logical access control, is the restriction of access through software and hardware. These are components of operating systems, software applications, network devices or protocols.

This is done by means of authorization and the allocation of access rights. Control is usually achieved through passwords, the granting of privileges or the provision of attributes (see file attributes). Three questions have to be answered:

  • Granularity: What is the smallest protectable unit? A file or a set of files?
  • Operations: Which operations (read, write, delete, execute, etc.) can be distinguished when allocating rights?
  • Access: How is authorization performed? Common methods after successful authentication are assigning a user ID and assigning the user to a user class.

Technically, various access models have been implemented that can be used for organizational as well as physical access control.

Alternatives

The necessary access control information could be stored in an access matrix. However, access matrices are not suitable for implementation since they are very large and generally sparse. An alternative could be a triple list (German: Tripelliste), in which there is one entry for each right granted to a user on an object.
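
The following added example (not part of the original article) stores the same rights once as a full access matrix and once as a triple list, showing how sparse the matrix is and that both answer authorization queries identically with default deny. The user names, file paths and the four operations are constructed for illustration.

```python
# Added example: access matrix vs. triple list. All names are constructed.
from itertools import product

USERS = ["alice", "bob", "carol", "backup-svc"]
OBJECTS = [f"/srv/files/doc{i}.txt" for i in range(50)]  # granularity: one file
OPERATIONS = ("read", "write", "delete", "execute")

# Triple list: one entry per right actually granted (user, object, operation).
TRIPLES = {
    ("alice", "/srv/files/doc0.txt", "read"),
    ("alice", "/srv/files/doc0.txt", "write"),
    ("bob", "/srv/files/doc0.txt", "read"),
    ("backup-svc", "/srv/files/doc7.txt", "read"),
}

def build_matrix(triples):
    """Expand the triples into a full matrix: one cell per (user, object)."""
    matrix = {(u, o): set() for u, o in product(USERS, OBJECTS)}
    for user, obj, op in triples:
        matrix[(user, obj)].add(op)
    return matrix

def allowed_matrix(matrix, user, obj, op):
    # Unknown users or objects have no cell: deny by default.
    return op in matrix.get((user, obj), set())

def allowed_triples(triples, user, obj, op):
    # No entry means the right was never granted: deny by default.
    return (user, obj, op) in triples

def revoke(triples, user):
    """Withdraw all rights of one user; returns the new triple list."""
    return {t for t in triples if t[0] != user}

def storage_comparison(triples):
    """Count matrix cells, empty cells and triple entries for the same rights."""
    matrix = build_matrix(triples)
    empty = sum(1 for cell in matrix.values() if not cell)
    return {"matrix_cells": len(matrix), "empty_cells": empty,
            "triple_entries": len(triples)}

if __name__ == "__main__":
    print(storage_comparison(TRIPLES))
    print(allowed_triples(TRIPLES, "bob", "/srv/files/doc0.txt", "write"))
```
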

Examples

  • Sensor Media Access Control
  • Berkeley Media Access Control
  • Timeout Media Access Control
  • Zebra Media Access Control