You shall not pass!

--Originally published at The Hitchhiker's Guide to information security… according to me!

Have you ever had that traumatic childhood experience where you wanted to play with the cool kids of the neighborhood and when you asked them “Can I play with you guys?” they would brutally say “No, because you’re not cool like us”? Kids are violent… Well, even though they were assholes, they were actually, and of course subconsciously, applying a security control so that only the right people could play with them. We call that an access control system. Damn you cool kids (*cries in a dark lonely corner).

Access Control is a technique used to restrict access to a physical place or to other non-physical resources, and by access we mean entering a facility or being able to view and manipulate data. So yeah, those kids didn’t want you to enter their secret group and to view and manipulate the secret cool data of their organization, but let’s assume for a moment, for a very hypothetical moment, that you’re a cool kid. How can this group of young delinquents distinguish between a cool kid and an average one? Well, the access control process consists of the following 3 steps.

Identification: the person that wants access to the system claims to be someone with authorization. This first step consists only of giving an assertion of who you are. For physical access, you may give your name to the guard; inside an information system you may provide an account name.

Authentication: After you gave your name to the guard or your user name to a system, you will need to prove that you really are who you claim to be, to the system’s satisfaction (there could be more than one authentication phase). For the name and the guard example, you may need to show your driver’s license in order to prove your identity.

Authorization: So now that they know that you are you, they need to know if you’re even authorized to go in. The guard will check a list and say “Mmmm, sorry Mr. Somebody, you’re not on the list” or the opposite.

These 3 steps are the basic process of access control. So the cool kid will say “Hey, let me in, I’m cool” (Identification), then the young delinquent will say “Prove it” and the kid does some cool stuff like stealing money or something (Authentication), and then the delinquent group will determine if the action was worth it or not (Authorization).

Important notes to oneself

Authentication factors

Within the authentication process there exist some factors that you may want to take into account in order to choose the best option, or a combination of them, in order to correctly authenticate a person within your system.

Something you know: This is commonly a password, something only you are supposed to know.

Something you are: This can refer to a biometric, like your iris color or your fingerprints.

Something you have: Like a physical token that allows you to access your bank account.

Somewhere you are: You can only access confidential data from a computer whose IP address comes only from within a certain building.

Something you do: The speed at which you type a certain pattern of characters may be a security control for this factor. It’s very prone to error though.
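To make the three steps above (identification, authentication, authorization) and the authentication factors concrete, here is an added example that is not part of the original post. It is a toy gate: the caller claims a username, proves it with three factors (something you know: a salted password hash; something you have: a simplified HMAC-based one-time code standing in for a token device; somewhere you are: the source IP must be inside the building network), and only then is the “list” consulted. Every user, secret, IP range and the static salt are constructed sample values.

```python
"""Added example (not part of the original post): the three access-control
steps with several authentication factors. All users, secrets and addresses
are constructed sample data; the one-time code is a simplified HMAC-based
version of what a hardware/app token produces, not a real integration."""
import hashlib
import hmac
import ipaddress
import struct
import time


def hash_password(password: str, salt: bytes) -> bytes:
    # "Something you know": store a salted PBKDF2 hash, never the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = b"constructed-static-salt"  # a real system draws a random salt per user

USERS = {
    # username -> record; every secret here is a constructed demo value.
    "cool_kid": {
        "pw_hash": hash_password("correct horse battery staple", _SALT),
        "token_seed": b"sample-token-seed-for-cool-kid",
        "on_the_list": True,
    },
    "average_kid": {
        "pw_hash": hash_password("hunter2", _SALT),
        "token_seed": b"sample-token-seed-for-average-kid",
        "on_the_list": False,
    },
}

# "Somewhere you are": only this (constructed) building network may log in.
BUILDING_NETWORK = ipaddress.ip_network("10.20.0.0/16")


def totp_code(seed: bytes, now: float, step: int = 30) -> str:
    """Time-based one-time code ("something you have"): HMAC over the current
    30-second window, truncated to 6 digits. Simplified from RFC 6238."""
    counter = struct.pack(">Q", int(now // step))
    digest = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % 1_000_000:06d}"


def identify(username: str):
    """Step 1: the caller merely *claims* an identity. Nothing is trusted yet."""
    return USERS.get(username)


def authenticate(record, password: str, code: str, src_ip: str, now: float) -> bool:
    """Step 2: prove the claim with three factors. All three checks always run
    and secrets are compared in constant time, so a failing factor is not
    revealed by how fast the answer comes back."""
    know = hmac.compare_digest(record["pw_hash"], hash_password(password, _SALT))
    have = hmac.compare_digest(totp_code(record["token_seed"], now), code)
    where = ipaddress.ip_address(src_ip) in BUILDING_NETWORK
    return know and have and where


def authorize(record) -> bool:
    """Step 3: identity is established; now, is this person on the list?"""
    return record["on_the_list"]


def request_access(username, password, code, src_ip, now=None) -> str:
    """Run the whole gate. Returns 'denied', 'not on list' or 'enter'."""
    now = time.time() if now is None else now
    record = identify(username)
    if record is None:
        # Unknown name gets the same answer as a bad password, so the response
        # cannot be used to find out which usernames exist.
        return "denied"
    if not authenticate(record, password, code, src_ip, now):
        return "denied"          # authentication failed
    if not authorize(record):
        return "not on list"     # authenticated, but not authorized
    return "enter"


if __name__ == "__main__":
    now = time.time()
    code = totp_code(USERS["cool_kid"]["token_seed"], now)
    print(request_access("cool_kid", "correct horse battery staple", code, "10.20.3.4", now))
```

Note the ordering: the list is never consulted until the identity has been proven, and an unknown name and a wrong password produce the same “denied”, which is the usual way to avoid leaking which accounts exist.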

Authorization

Now for the authorization part, here are some tips you may want to consider.

Least privilege principle: This principle states that the user needs to have the least privileges needed in order to accomplish its task. An employee doesn’t need to have authorization to nuke a country if he just wants to erase a file.

Separation of duties principle (involvement of 2 or more employees): this principle states that some really sensitive processes need to be the responsibility of more than one person, in order to avoid security breaches if one person decides to harm the organization. For example, if you want to create a customer and issue a check, these duties must be split, so that the same person can’t commit fraud by creating a non-existent person and making a check out to its name.
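The two tips above can be enforced in code rather than left to policy. The following added example (not from the original post) is a small authorization layer: least privilege is applied by giving each role only the permissions its task needs and denying everything else by default (a “nuke_country” permission exists but no role carries it), and separation of duties is applied by refusing to let whoever created a customer record issue a check to that same customer, even when that person holds both roles. Roles, users and the ledger are constructed sample data.

```python
"""Added example (not part of the original post): authorization with least
privilege and separation of duties. All roles, users and records are
constructed sample data."""
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    """Raised when a user attempts an action their privileges do not cover."""


# Least privilege: each role lists only what its task requires. The
# "nuke_country" permission is known to the system but assigned to nobody.
ALL_PERMISSIONS = {"create_customer", "erase_file", "issue_check", "nuke_country"}
ROLE_PERMISSIONS = {
    "clerk": {"create_customer", "erase_file"},
    "treasurer": {"issue_check"},
}

# Constructed users. "carol" holds both roles, which is exactly the case where
# separation of duties has to step in.
USER_ROLES = {
    "alice": {"clerk"},
    "bob": {"treasurer"},
    "carol": {"clerk", "treasurer"},
}


@dataclass
class Ledger:
    customers: dict = field(default_factory=dict)  # customer_id -> created_by
    checks: list = field(default_factory=list)     # (customer_id, issued_by, amount)


def permissions_of(user: str) -> set:
    """Union of the user's role permissions; unknown users get none (default deny)."""
    roles = USER_ROLES.get(user, set())
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))


def can(user: str, permission: str) -> bool:
    return permission in permissions_of(user)


def require(user: str, permission: str) -> None:
    if permission not in ALL_PERMISSIONS:
        raise ValueError(f"unknown permission {permission!r}")
    if not can(user, permission):
        raise AuthorizationError(f"{user} lacks {permission}")


def create_customer(ledger: Ledger, user: str, customer_id: str) -> str:
    require(user, "create_customer")
    if customer_id in ledger.customers:
        raise ValueError(f"customer {customer_id!r} already exists")
    ledger.customers[customer_id] = user  # remember who created it
    return customer_id


def issue_check(ledger: Ledger, user: str, customer_id: str, amount: int) -> int:
    require(user, "issue_check")
    creator = ledger.customers.get(customer_id)
    if creator is None:
        raise ValueError(f"no such customer {customer_id!r}")
    # Separation of duties: the person who created the customer record can
    # never be the one who pays it, so a single insider cannot invent a
    # customer and write themselves a check.
    if creator == user:
        raise AuthorizationError(
            f"separation of duties: {user} created {customer_id} and cannot pay it"
        )
    ledger.checks.append((customer_id, user, amount))
    return len(ledger.checks)


if __name__ == "__main__":
    ledger = Ledger()
    create_customer(ledger, "alice", "cust-1")
    print("checks issued:", issue_check(ledger, "bob", "cust-1", 100))
    try:
        issue_check(ledger, "alice", "cust-1", 100)
    except AuthorizationError as err:
        print("blocked:", err)
```

The creator is recorded on the customer record itself, so the separation check does not depend on the roles a user happens to hold at the time of the second action; that is what stops carol, who legitimately holds both roles, from paying a customer she created.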

Thank God we have information security to explain our childhood traumas. Next time you’re in therapy remember it’s not the cool kids’ fault, it’s the fault of our insecure information systems. See ya folks.