Granting or denying approval to use specific resources.
Information system's mechanism to allow or restrict access to data or devices.
Four standard models.
Specific practices used to enforce access control.
Subject provides identification info - unique to the subject.
Username, User ID, Account #
Verifying the identification info.
Password/Phrase, PIN, Fingerprint, Smart Card
What the subject is allowed to see or do.
Determining the operations a subject may perform on an object.
Auditing / Accounting
Record of events.
Review of credentials.
Delivery person shows employee badge.
User enters username.
Validate credentials as genuine.
Mia reads badge to determine it is real.
User provides password.
Permission granted for admittance.
Mia opens door to allow delivery person in.
User allowed to access only specific data.
Ex: File or hardware device.
User or process functioning on behalf of a user.
Ex: Computer user.
Action taken by the subject over an object.
Ex: Deleting a file.
Person responsible for the information.
Determines the level of security needed for the data and delegates security duties as required.
Determines that the file secret.txt can be read only by department managers.
Individual to whom day-to-day actions have been assigned by the owner.
Periodically reviews security settings and maintains records of access by end users.
Sets and reviews security settings on secret.txt.
User who accesses information in the course of routine job responsibilities.
Follows organization's security guidelines and does not attempt to circumvent security.
Something you know, such as a password or PIN.
Something you have, such as a smartcard, token, or identification device.
Something you are, such as your fingerprints or retinal pattern (biometrics).
Something you do, such as an action you must take to complete authentication.
Somewhere you are (geolocation).
Single Factor (SFA)
Traditionally a password.
Multi-Factor Authentication (MFA)
Uses two or more access methods.
Factors should not be in the same category.
Mutual Authentication - each party validates the other's identity.
Type III - Something you are.
Metrics related to human characteristics or body measurements.
Retina Scan - examines the unique pattern of blood vessels at the back of an individual's eye via a beam projected into the eye to capture the pattern.
Iris Scan - uses mathematical pattern-recognition techniques on photos taken of an individual's eye.
False Acceptance Rate (FAR)
When the system accepts an intruder who should be rejected.
False Rejection Rate (FRR)
When the system rejects an authorized user.
Cross-Over Error Rate (CER)
Metric for comparing biometric systems.
The point where FAR and FRR are equal.
The means of linking a person's electronic identity and attributes, stored across multiple distinct identity management systems.
Means of linking a user's ID with their privileges in a manner that can be used across business boundaries.
Allows a user to have a single ID that they can use across different businesses.
Examples: Google, FB, Microsoft
Allows a user to authenticate one time and then access resources in the environment without needing to re-authenticate.
Different from password synchronization.
Vulnerability - if an attacker uncovers a user's credentials, they will have access to all that user's resources.
May also be a single point of failure.
What you know.
User logging into a system.
Asked to identify themselves:
Asked to authenticate:
Passwords are the most common type of authentication today.
Passwords only provide weak protection.
What you have.
What you are.