== Access control ==

Access to protected information must be restricted to people who are authorized to access the information.<ref name="ACM Press">{{Cite book |last1=Almehmadi |first1=Abdulaziz |last2=El-Khatib |first2=Khalil |title=Proceedings of the 6th International Conference on Security of Information and Networks |chapter=Authorized! Access denied, unauthorized! Access granted |date=2013 |chapter-url=http://dx.doi.org/10.1145/2523514.2523612 |series=Sin '13 |pages=363–367 |location=New York, New York, US |publisher=ACM Press |doi=10.1145/2523514.2523612 |isbn=978-1-4503-2498-4 |s2cid=17260474}}</ref> The computer programs, and in many cases the computers that process the information, must also be authorized.<ref name="Peiss 2020 16–39">{{Citation|last=Peiss|first=Kathy|title=The Country of the Mind Must Also Attack|work=Information Hunters |year=2020|pages=16–39 |publisher=Oxford University Press |url=http://dx.doi.org/10.1093/oso/9780190944612.003.0003 |doi=10.1093/oso/9780190944612.003.0003|isbn=978-0-19-094461-2|access-date=2021-06-01}}</ref> This requires that mechanisms be in place to control the access to protected information.<ref name="Peiss 2020 16–39"/> The sophistication of the access control mechanisms should be in parity with the value of the information being protected; the more sensitive or valuable the information, the stronger the control mechanisms need to be.<ref>{{Cite journal|last1=Fugini|first1=M.G. |last2=Martella|first2=G. |date=January 1988|title=A petri-net model of access control mechanisms |url=http://dx.doi.org/10.1016/0306-4379(88)90026-9 |journal=Information Systems|volume=13 |issue=1|pages=53–63|doi=10.1016/0306-4379(88)90026-9 |issn=0306-4379}}</ref> The foundation on which access control mechanisms are built starts with identification and [[authentication]].<ref>{{Citation|title=Information technology. Personal identification. ISO-compliant driving licence |url=http://dx.doi.org/10.3403/30170670u |publisher=BSI British Standards |doi=10.3403/30170670u |access-date=2021-06-01}}</ref> Access control is generally considered in three steps: identification, [[authentication]], and [[authorization]].<ref>{{Cite book |first=Omar|last=Santos|title=CCNA Security 210-260 Official Cert Guide|date=2015|publisher=Cisco Press|isbn=978-1-58720-566-8 |oclc=951897116}}</ref><ref name="AndressTheBasics14" />

=== Identification ===

Identification is an assertion of who someone is or what something is. If a person makes the statement "Hello, my name is [[John Doe]]", they are making a claim of who they are.<ref>{{Citation|url=http://dx.doi.org/10.4324/9780203169186_chapter_one|work=ASSERTION TRAINING|pages=1–7|place=Abingdon, UK|publisher=Taylor & Francis|doi=10.4324/9780203169186_chapter_one|isbn=978-0-203-28556-5|access-date=2021-06-01|title=What is Assertion?|year=1991}}</ref> However, their claim may or may not be true. Before John Doe can be granted access to protected information, it will be necessary to verify that the person claiming to be John Doe really is John Doe.<ref>{{Cite journal|last=Doe|first=John|date=1960|title=Field Season In Illinois Begins May 2|url=http://dx.doi.org/10.2136/sh1960.2.0010|journal=Soil Horizons|volume=1|issue=2|pages=10|doi=10.2136/sh1960.2.0010|doi-broken-date=January 29, 2025 |issn=2163-2812}}</ref> Typically the claim is in the form of a username. By entering that username you are claiming "I am the person the username belongs to".<ref>{{Cite web|last=Leech|first=M.|date=March 1996|title=Username/Password Authentication for SOCKS V5|doi=10.17487/rfc1929|url=https://www.rfc-editor.org/info/rfc1929|access-date=18 January 2022}}</ref>

=== Authentication ===

Authentication is the act of verifying a claim of identity. When John Doe goes into a bank to make a withdrawal, he tells the [[bank teller]] he is John Doe, a claim of identity.<ref>{{Citation|last1=Kirk|first1=John|title=Teller, Seller, Union Activist: Class Formation and Changing Bank Worker Identities|date=2011|url=http://dx.doi.org/10.1057/9780230305625_6|work=Work and Identity|pages=124–148|place=London|publisher=Palgrave Macmillan UK|isbn=978-1-349-36871-6|access-date=2021-06-01|last2=Wall|first2=Christine|doi=10.1057/9780230305625_6}}</ref> The bank teller asks to see a photo ID, so he hands the teller his [[driver's license]].<ref>{{Cite journal|last=Dewi|first=Mila Nurmala|title=Perbandingan Kinerja Teller Kriya Dan Teller Organik Pt. Bank Syariah Mandiri|date=2020-12-23|journal=Nisbah: Jurnal Perbankan Syariah|volume=6|issue=2|pages=75|doi=10.30997/jn.v6i2.1932|s2cid=234420571|issn=2528-6633|doi-access=free}}</ref> The bank teller checks the license to make sure it has John Doe printed on it and compares the photograph on the license against the person claiming to be John Doe.<ref>{{Citation|last=Vile|first=John|title=License Checks|url=http://dx.doi.org/10.4135/9781452234243.n462|encyclopedia=Encyclopedia of the Fourth Amendment|year=2013|place=Washington DC|publisher=CQ Press|doi=10.4135/9781452234243.n462|isbn=978-1-60426-589-7|access-date=2021-06-01}}</ref> If the photo and name match the person, then the teller has authenticated that John Doe is who he claimed to be.

Similarly, by entering the correct password, the user is providing evidence that he/she is the person the username belongs to.<ref>{{Citation|title=He Said/She Said|url=http://dx.doi.org/10.2307/j.ctv6wgjjv.6|work=My Ghost Has a Name|pages=17–32|publisher=University of South Carolina Press|doi=10.2307/j.ctv6wgjjv.6|isbn=978-1-61117-827-2|access-date=2021-05-29}}</ref> There are three different types of information that can be used for authentication:<ref>{{Cite journal |title=Supplemental Information 8: Methods used to monitor different types of contact |journal=PeerJ |date=26 October 2020 |volume=8 |pages=e10221 |doi=10.7717/peerj.10221/supp-8 |last1=Bacigalupo |first1=Sonny A. |last2=Dixon |first2=Linda K. |last3=Gubbins |first3=Simon |last4=Kucharski |first4=Adam J. |last5=Drewe |first5=Julian A. |doi-access=free }}</ref><ref>{{Cite book |last1=Igelnik |first1=Boris M. |last2=Zurada |first2=Jacek |title=Efficiency and scalability methods for computational intellect |year=2013 |publisher=Information Science Reference |isbn=978-1-4666-3942-3 |oclc=833130899}}</ref>
* Something you know: things such as a PIN, a [[password]], or your mother's [[maiden name]]<ref>{{Citation|title=The Insurance Superbill Must Have Your Name as the Provider |date=2005-01-01|url=http://dx.doi.org/10.4324/9780203020289-11|work=Before You See Your First Client|pages=37–38|publisher=Routledge|doi=10.4324/9780203020289-11|isbn=978-0-203-02028-9|access-date=2021-06-01}}</ref><ref>{{Cite book|first=Joe|last=Kissell|title=Take Control of Your Passwords|date=April 11, 2019 |publisher=alt concepts Incorporated |isbn=978-1-4920-6638-5|oclc=1029606129}}</ref>
* Something you have: a driver's license or a magnetic [[swipe card]]<ref>{{Cite journal|date=July 2009|title=New smart Queensland driver license announced|url=http://dx.doi.org/10.1016/s0965-2590(09)70126-4|journal=Card Technology Today|volume=21|issue=7 |pages=5|doi=10.1016/s0965-2590(09)70126-4|issn=0965-2590}}</ref><ref>{{Cite book|author=Lawrence Livermore National Laboratory. United States. Department of Energy. Office of Scientific and Technical Information|title=A human engineering and ergonomic evaluation of the security access panel interface.|date=1995|publisher=United States. Dept. of Energy|oclc=727181384}}</ref>
* Something you are: [[biometrics]], including [[palm print]]s, [[fingerprint]]s, [[Speaker recognition|voice prints]], and [[Retina scan|retina (eye) scans]]<ref>{{Cite journal|last=Lee|first=Paul|date=April 2017|title=Prints charming: how fingerprints are trailblazing mainstream biometrics|url=http://dx.doi.org/10.1016/s0969-4765(17)30074-7|journal=Biometric Technology Today|volume=2017|issue=4|pages=8–11|doi=10.1016/s0969-4765(17)30074-7|issn=0969-4765}}</ref>

Strong authentication requires providing more than one type of authentication information (two-factor authentication).<ref>{{Cite encyclopedia|chapter=Two-Factor Authentication|doi=10.1007/0-387-23483-7_443 |title=Encyclopedia of Cryptography and Security |date=2005 |last1=Landrock |first1=Peter |page=638 |isbn=978-0-387-23473-1 }}</ref> The [[username]] is the most common form of identification on computer systems today and the password is the most common form of authentication.<ref>{{Cite web|title=Figure 1.5. Marriage remains the most common form of partnership among couples, 2000-07|url=http://dx.doi.org/10.1787/888932392533|access-date=2021-06-01|doi=10.1787/888932392533}}</ref> Usernames and passwords have served their purpose, but they are increasingly inadequate.<ref>{{cite book|last1=Akpeninor|first1=James Ohwofasa|title=Modern Concepts of Security|date=2013|publisher=AuthorHouse|location=Bloomington, IN|isbn=978-1-4817-8232-6|page=135|url=https://books.google.com/books?isbn=1481782320|access-date=18 January 2018}}</ref> Usernames and passwords are slowly being replaced or supplemented with more sophisticated authentication mechanisms such as [[Time-based one-time password|time-based one-time password algorithms]].<ref>{{Cite web |last=Richards|first=G.|date=April 2012|title=One-Time Password (OTP) Pre-Authentication|doi=10.17487/rfc6560|url=http://dx.doi.org/10.17487/rfc6560}}</ref>

=== Authorization ===

After a person, program or computer has successfully been identified and authenticated, it must be determined what informational resources they are permitted to access and what actions they will be allowed to perform (run, view, create, delete, or change).<ref>{{Cite book|last=Schumacher|first=Dietmar|title=International Conference and Exhibition, Barcelona, Spain, 3-6 April 2016 |chapter=Surface geochemical exploration after 85 years: What has been accomplished and what more must be done |date=2016-04-03|chapter-url=http://dx.doi.org/10.1190/ice2016-6522983.1|series=SEG Global Meeting Abstracts|pages=100|publisher=Society of Exploration Geophysicists and American Association of Petroleum Geologists|doi=10.1190/ice2016-6522983.1}}</ref> This is called [[authorization]].
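
The identification and two-factor authentication steps described in the preceding sections, as an added worked example that is not part of the article: the username is the identification claim, a salted PBKDF2 hash checks the "something you know" factor, and an RFC 6238 time-based one-time password checks the "something you have" factor. The user directory, the password and the PBKDF2 iteration count are constructed assumptions; the TOTP secret is the test key from RFC 4226/6238 so the codes are checkable against the published vectors.

```python
"""Identification (username claim) followed by two-factor authentication.

Added illustration, not code from the article. "Something you know" is a
password verified against a salted PBKDF2-HMAC-SHA256 hash; "something you
have" is an RFC 6238 TOTP code (HMAC-SHA1, 30-second step, 6 digits).
"""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 600_000  # assumption: tune to the hardware budget


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn if none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: RFC 4226 HOTP over the time-step counter, HMAC-SHA1."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps to tolerate clock drift."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + drift * 30), code):
            return True
    return False


# Constructed user directory. The username is the identification claim; the
# salted hash and the TOTP secret are the evidence used to authenticate it.
# The secret is the RFC 4226/6238 test key, used here only so codes are checkable.
_SALT, _HASH = hash_password("correct horse battery staple")
USERS = {
    "jdoe": {"salt": _SALT, "hash": _HASH, "totp_secret": b"12345678901234567890"},
}


def authenticate(username: str, password: str, code: str,
                 unix_time: Optional[int] = None) -> Tuple[bool, str]:
    """Identification -> password factor -> TOTP factor. Returns (ok, reason).

    The reason is for the audit log; a user should only ever see a generic
    failure message so that valid usernames are not revealed.
    """
    unix_time = int(time.time()) if unix_time is None else unix_time
    user = USERS.get(username)
    if user is None:
        hash_password(password, _SALT)  # burn a hash so unknown names are not faster to reject
        return False, "unknown username"
    if not verify_password(password, user["salt"], user["hash"]):
        return False, "bad password"
    if not verify_totp(user["totp_secret"], code, unix_time):
        return False, "bad one-time code"
    return True, "authenticated"


if __name__ == "__main__":
    now = int(time.time())
    code = totp(USERS["jdoe"]["totp_secret"], now)
    print(authenticate("jdoe", "correct horse battery staple", code, now))
    print(authenticate("jdoe", "wrong password", code, now))
```

Both checks are ordered so that a failing password is reported before the one-time code is examined, and every failure reason is distinct for logging while the caller is expected to collapse them into one message for the user.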
Authorization to access information and other computing services begins with administrative policies and procedures.<ref>{{Citation|title=Authorization And Approval Program|date=2015-10-23|url=http://dx.doi.org/10.1002/9781119203964.ch10|work=Internal Controls Policies and Procedures|pages=69–72|place=Hoboken, NJ, US|publisher=John Wiley & Sons, Inc.|doi=10.1002/9781119203964.ch10|isbn=978-1-119-20396-4|access-date=2021-06-01}}</ref> The policies prescribe what information and computing services can be accessed, by whom, and under what conditions. The access control mechanisms are then configured to enforce these policies.<ref>{{Citation|title=What responses under what conditions?|date=2019-10-02|url=http://dx.doi.org/10.2307/j.ctvqc6hn1.12|work=Local Policies and the European Social Fund|pages=81–102|publisher=Policy Press|doi=10.2307/j.ctvqc6hn1.12|isbn=978-1-4473-4652-4|s2cid=241438707|access-date=2021-06-01}}</ref> Different computing systems are equipped with different kinds of access control mechanisms. Some may even offer a choice of different access control mechanisms.<ref>{{Cite book|last1=Cheng|first1=Liang|last2=Zhang|first2=Yang|last3=Han|first3=Zhihui|title=2013 IEEE 7th International Conference on Software Security and Reliability |chapter=Quantitatively Measure Access Control Mechanisms across Different Operating Systems |date=June 2013|chapter-url=http://dx.doi.org/10.1109/sere.2013.12|pages=50–59|publisher=IEEE|doi=10.1109/sere.2013.12|isbn=978-1-4799-0406-8|s2cid=13261344}}</ref> The access control mechanism a system offers will be based upon one of three approaches to access control, or it may be derived from a combination of the three approaches.<ref name="AndressTheBasics14" /> The non-discretionary approach consolidates all access control under a centralized administration.<ref name="discretionary access control">{{Citation|chapter=discretionary access control|doi=10.1007/1-4020-0613-6_5225 |title=Computer Science and Communications Dictionary |date=2000 |last1=Weik |first1=Martin H. |page=426 |isbn=978-0-7923-8425-0 }}</ref> The access to information and other resources is usually based on the individual's function (role) in the organization or the tasks the individual must perform.<ref name=IS_1>{{cite journal| title=Individual Subunits of the Glutamate Transporter EAAC1 Homotrimer Function Independently of Each Other| author1=Grewer, C.| author2=Balani, P.| author3= Weidenfeller, C.| author4=Bartusel, T.| author5= Zhen Tao| author6=Rauen, T.| journal=[[Biochemistry]]| volume=44| issue=35| pages=11913–11923| date=10 August 2005| doi=10.1021/bi050987n| pmid=16128593| pmc=2459315}}</ref><ref>{{Cite book|first=Jeanne|last=Ellis Ormrod|title=Essentials of educational psychology: big ideas to guide effective teaching|date=2012|publisher=Pearson|isbn=978-0-13-136727-2|oclc=663953375}}</ref> The discretionary approach gives the creator or owner of the information resource the ability to control access to those resources.<ref name="discretionary access control"/> In the mandatory access control approach, access is granted or denied based upon the security classification assigned to the information resource.<ref name="ACM Press"/>

Examples of common access control mechanisms in use today include [[Role-Based Access Control|role-based access control]], available in many advanced database management systems; simple [[File system permissions|file permissions]] provided in the UNIX and Windows operating systems;<ref>{{Cite book|last1=Belim|first1=S. V.|last2=Bogachenko|first2=N. F.|last3=Kabanov|first3=A. N. |title=2018 Dynamics of Systems, Mechanisms and Machines (Dynamics) |chapter=Severity Level of Permissions in Role-Based Access Control |date=November 2018|chapter-url=http://dx.doi.org/10.1109/dynamics.2018.8601460|pages=1–5|publisher=IEEE|doi=10.1109/dynamics.2018.8601460|arxiv=1812.11404|isbn=978-1-5386-5941-0|s2cid=57189531}}</ref> [[Group Policy Object]]s provided in Windows network systems; and [[Kerberos (protocol)|Kerberos]], [[RADIUS]], [[TACACS]], and the simple access lists used in many [[Firewall (networking)|firewalls]] and [[Router (computing)|routers]].<ref>{{Citation|title=Configuring TACACS and Extended TACACS|date=2002-05-15 |work=Securing and Controlling Cisco Routers |publisher=Auerbach Publications|doi=10.1201/9781420031454|url=https://www.taylorfrancis.com/chapters/mono/10.1201/9781420031454-18/con%EF%AC%81guring-tacacs-extended-tacacs-peter-davis |isbn=978-0-8493-1290-8 |last1=Davis |first1=Peter T. }}</ref>

To be effective, policies and other security controls must be enforceable and upheld. Effective policies ensure that people are held accountable for their actions.<ref>{{Citation|title=Developing Effective Security Policies|date=2009-12-18 |url=http://dx.doi.org/10.1201/9781420078718-18|work=Risk Analysis and Security Countermeasure Selection|pages=261–274 |publisher=CRC Press|doi=10.1201/9781420078718-18|isbn=978-0-429-24979-2|access-date=2021-06-01}}</ref> The [[United States Department of the Treasury|U.S. Treasury]]'s guidelines for systems processing sensitive or proprietary information, for example, state that all failed and successful authentication and access attempts must be logged, and all access to information must leave some type of [[audit trail]].<ref>{{cite web|url=https://www.treasury.gov/tigta/auditreports/2004reports/200420131fr.html|title=The Use of Audit Trails to Monitor Key Networks and Systems Should Remain Part of the Computer Security Material Weakness |website=www.treasury.gov|access-date=2017-10-06}}</ref>

Also, the need-to-know principle needs to be in effect when talking about access control. This principle gives access rights to a person to perform their job functions.<ref>{{Cite journal|title=fixing-canadas-access-to-medicines-regime-what-you-need-to-know-about-bill-c398|url=http://dx.doi.org/10.1163/2210-7975_hrd-9902-0152|access-date=2021-06-01|website=Human Rights Documents online|doi=10.1163/2210-7975_hrd-9902-0152}}</ref> This principle is used in the government when dealing with different clearances.<ref>{{Cite journal|last=Salazar|first=Mary K.|date=January 2006|title=Dealing with Uncertain Risks – When to Apply the Precautionary Principle|url=http://dx.doi.org/10.1177/216507990605400102|journal=AAOHN Journal|volume=54|issue=1|pages=11–13|doi=10.1177/216507990605400102|s2cid=87769508|issn=0891-0162}}</ref> Even though two employees in different departments have a [[Classified information|top-secret clearance]], they must have a need-to-know in order for information to be exchanged. Within the need-to-know principle, network administrators grant the employee the least amount of privilege to prevent employees from accessing more than what they are supposed to.<ref>{{Cite journal|title=We Need to Know More About How the Government Censors Its Employees|url=http://dx.doi.org/10.1163/2210-7975_hrd-9970-2016117|access-date=2021-06-01|website=Human Rights Documents Online|doi=10.1163/2210-7975_hrd-9970-2016117}}</ref> Need-to-know helps to enforce the confidentiality-integrity-availability triad. Need-to-know directly impacts the confidentiality area of the triad.<ref>{{Citation|last=Pournelle|first=Jerry|chapter=1001 Computer Words You Need to Know|date=2004-04-22|chapter-url=https://academic.oup.com/book/40772/chapter-abstract/348693201|title=1001 Computer Words You Need to Know: The Ultimate Guide To The Language Of Computers |publisher=Oxford University Press |series= Oxford Scholarship Online|language=en|doi=10.1093/oso/9780195167757.003.0007|isbn=978-0-19-516775-7|access-date=2021-07-30}}</ref>
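
The authorization step, the three access control approaches, and the audit trail requirement described above, as an added worked example that is not part of the article. It models mandatory access control as a classification check plus a need-to-know compartment check, non-discretionary control as a centrally administered role policy, and discretionary control as grants only the resource owner may add; every decision, allowed or denied, is appended to an audit trail. The roles, classification levels, principals and the `q3-budget` resource are constructed sample data, and the two top-secret employees with different need-to-know compartments mirror the article's example.

```python
"""Authorization and audit trail after a successful authentication.

Added illustration, not code from the article. Mandatory checks run first
and cannot be overridden; then the role policy; then owner-granted ACLs.
Roles, levels, principals and resources are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

ACTIONS = {"run", "view", "create", "delete", "change"}
# Ordered classifications: a clearance dominates every level at or below it.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}
# Role-based (non-discretionary) policy: role -> resource kind -> actions.
ROLE_POLICY = {
    "analyst": {"report": {"view"}},
    "editor": {"report": {"view", "create", "change"}},
    "admin": {"report": {"view", "create", "change", "delete"}, "job": {"run"}},
}


@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset
    clearance: str
    need_to_know: frozenset  # compartments the person's job actually requires


@dataclass
class Resource:
    name: str
    kind: str
    classification: str
    compartments: frozenset
    owner: str
    acl: dict = field(default_factory=dict)  # discretionary: principal -> actions


@dataclass
class AuditTrail:
    """Successful and failed decisions are both recorded, never only failures."""
    entries: list = field(default_factory=list)

    def record(self, who, action, what, allowed, reason):
        self.entries.append({"time": datetime.now(timezone.utc).isoformat(), "who": who,
                             "action": action, "what": what, "allowed": allowed,
                             "reason": reason})

    def failures(self):
        return [e for e in self.entries if not e["allowed"]]


def grant(owner: Principal, r: Resource, grantee: str, actions: set, audit: AuditTrail) -> bool:
    """Discretionary control: only the resource owner may extend its ACL."""
    if owner.name != r.owner:
        audit.record(owner.name, "grant", r.name, False, "not the owner")
        return False
    r.acl.setdefault(grantee, set()).update(actions)
    audit.record(owner.name, "grant", r.name, True, f"granted {sorted(actions)} to {grantee}")
    return True


def authorize(p: Principal, action: str, r: Resource, audit: AuditTrail) -> bool:
    """Deny by default: mandatory checks, then role policy, then owner grants."""
    def decide(allowed: bool, reason: str) -> bool:
        audit.record(p.name, action, r.name, allowed, reason)
        return allowed

    if action not in ACTIONS:
        return decide(False, f"unknown action {action!r}")
    # Mandatory access control: neither roles nor owners can override these.
    if LEVELS[p.clearance] < LEVELS[r.classification]:
        return decide(False, f"clearance {p.clearance} below {r.classification}")
    missing = r.compartments - p.need_to_know
    if missing:
        return decide(False, "no need-to-know for " + ", ".join(sorted(missing)))
    # Role-based permissions from the central policy.
    for role in sorted(p.roles):
        if action in ROLE_POLICY.get(role, {}).get(r.kind, set()):
            return decide(True, f"role {role}")
    # Discretionary permissions the owner granted to this principal.
    if action in r.acl.get(p.name, set()):
        return decide(True, "owner grant")
    return decide(False, "no matching permission")


# Constructed sample principals; alice and bob are both top-secret cleared
# but only alice has a need-to-know for the finance compartment.
ALICE = Principal("alice", frozenset({"editor"}), "top-secret", frozenset({"finance"}))
BOB = Principal("bob", frozenset({"analyst"}), "top-secret", frozenset({"hr"}))
CAROL = Principal("carol", frozenset(), "secret", frozenset({"finance"}))


def sample_budget() -> Resource:
    """A constructed secret finance report owned by alice."""
    return Resource("q3-budget", "report", "secret", frozenset({"finance"}), owner="alice")


if __name__ == "__main__":
    trail, budget = AuditTrail(), sample_budget()
    authorize(ALICE, "change", budget, trail)  # editor role: allowed
    authorize(BOB, "view", budget, trail)      # no finance need-to-know: denied
    grant(ALICE, budget, "carol", {"view"}, trail)
    authorize(CAROL, "view", budget, trail)    # owner grant: allowed
    for entry in trail.entries:
        print(entry)
```

The ordering matters: a role or an owner grant is only consulted once the mandatory classification and need-to-know checks have passed, so an administrator mistake in the role policy cannot expose a resource to someone without the clearance or compartment for it.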