=== Authorization ===
After a person, program or computer has successfully been identified and authenticated, it must be determined what informational resources they are permitted to access and what actions they will be allowed to perform (run, view, create, delete, or change).<ref>{{Cite book|last=Schumacher|first=Dietmar|title=International Conference and Exhibition, Barcelona, Spain, 3-6 April 2016 |chapter=Surface geochemical exploration after 85 years: What has been accomplished and what more must be done |date=2016-04-03|chapter-url=http://dx.doi.org/10.1190/ice2016-6522983.1|series=SEG Global Meeting Abstracts|pages=100|publisher=Society of Exploration Geophysicists and American Association of Petroleum Geologists|doi=10.1190/ice2016-6522983.1}}</ref> This is called [[authorization]]. Authorization to access information and other computing services begins with administrative policies and procedures.<ref>{{Citation|title=Authorization And Approval Program|date=2015-10-23|url=http://dx.doi.org/10.1002/9781119203964.ch10|work=Internal Controls Policies and Procedures|pages=69–72|place=Hoboken, NJ, US|publisher=John Wiley & Sons, Inc.|doi=10.1002/9781119203964.ch10|isbn=978-1-119-20396-4|access-date=2021-06-01}}</ref> The policies prescribe what information and computing services can be accessed, by whom, and under what conditions. The access control mechanisms are then configured to enforce these policies.<ref>{{Citation|title=What responses under what conditions?|date=2019-10-02|url=http://dx.doi.org/10.2307/j.ctvqc6hn1.12|work=Local Policies and the European Social Fund|pages=81–102|publisher=Policy Press|doi=10.2307/j.ctvqc6hn1.12|isbn=978-1-4473-4652-4|s2cid=241438707|access-date=2021-06-01}}</ref> Different computing systems are equipped with different kinds of access control mechanisms. Some may even offer a choice of different access control mechanisms.<ref>{{Cite book|last1=Cheng|first1=Liang|last2=Zhang|first2=Yang|last3=Han|first3=Zhihui|title=2013 IEEE 7th International Conference on Software Security and Reliability |chapter=Quantitatively Measure Access Control Mechanisms across Different Operating Systems |date=June 2013|chapter-url=http://dx.doi.org/10.1109/sere.2013.12|pages=50–59|publisher=IEEE|doi=10.1109/sere.2013.12|isbn=978-1-4799-0406-8|s2cid=13261344}}</ref> The access control mechanism a system offers will be based upon one of three approaches to access control, or it may be derived from a combination of the three approaches.<ref name="AndressTheBasics14" /> The non-discretionary approach consolidates all access control under a centralized administration.<ref name="discretionary access control">{{Citation|chapter=discretionary access control|doi=10.1007/1-4020-0613-6_5225 |title=Computer Science and Communications Dictionary |date=2000 |last1=Weik |first1=Martin H. |page=426 |isbn=978-0-7923-8425-0 }}</ref> Under this approach, access to information and other resources is usually based on the individual's function (role) in the organization or the tasks the individual must perform.<ref name=IS_1>{{cite journal| title=Individual Subunits of the Glutamate Transporter EAAC1 Homotrimer Function Independently of Each Other| author1=Grewer, C.| author2=Balani, P.| author3= Weidenfeller, C.| author4=Bartusel, T.| author5= Zhen Tao| author6=Rauen, T.| journal=[[Biochemistry]]| volume=44| issue=35| pages=11913–11923| date=10 August 2005| doi=10.1021/bi050987n| pmid=16128593| pmc=2459315}}</ref><ref>{{Cite book|first=Jeanne|last=Ellis Ormrod|title=Essentials of educational psychology: big ideas to guide effective teaching|date=2012|publisher=Pearson|isbn=978-0-13-136727-2|oclc=663953375}}</ref> The discretionary approach gives the creator or owner of the information resource the ability to control access to that resource.<ref name="discretionary access control"/> In the mandatory access control approach, access is granted or denied based on the security classification assigned to the information resource, compared against the clearance of the requester, rather than at the owner's discretion.<ref name="ACM Press"/> Examples of common access control mechanisms in use today include [[Role-Based Access Control|role-based access control]], available in many advanced database management systems; simple [[File system permissions|file permissions]] provided in the UNIX and Windows operating systems;<ref>{{Cite book|last1=Belim|first1=S. V.|last2=Bogachenko|first2=N. F.|last3=Kabanov|first3=A. N. |title=2018 Dynamics of Systems, Mechanisms and Machines (Dynamics) |chapter=Severity Level of Permissions in Role-Based Access Control |date=November 2018|chapter-url=http://dx.doi.org/10.1109/dynamics.2018.8601460|pages=1–5|publisher=IEEE|doi=10.1109/dynamics.2018.8601460|arxiv=1812.11404|isbn=978-1-5386-5941-0|s2cid=57189531}}</ref> [[Group Policy Object]]s provided in Windows network systems; [[Kerberos (protocol)|Kerberos]] (an authentication protocol whose tickets can carry authorization data); the [[RADIUS]] and [[TACACS]] protocols, which couple authentication with authorization and accounting; and the simple access lists used in many [[Firewall (networking)|firewalls]] and [[Router (computing)|routers]].<ref>{{Citation|title=Configuring TACACS and Extended TACACS|date=2002-05-15 |work=Securing and Controlling Cisco Routers |publisher=Auerbach Publications|doi=10.1201/9781420031454|url=https://www.taylorfrancis.com/chapters/mono/10.1201/9781420031454-18/con%EF%AC%81guring-tacacs-extended-tacacs-peter-davis |isbn=978-0-8493-1290-8 |last1=Davis |first1=Peter T. }}</ref>

To be effective, policies and other security controls must be enforceable and upheld. Effective policies ensure that people are held accountable for their actions.<ref>{{Citation|title=Developing Effective Security Policies|date=2009-12-18 |url=http://dx.doi.org/10.1201/9781420078718-18|work=Risk Analysis and Security Countermeasure Selection|pages=261–274 |publisher=CRC Press|doi=10.1201/9781420078718-18|isbn=978-0-429-24979-2|access-date=2021-06-01}}</ref> The [[United States Department of the Treasury|U.S. Treasury]]'s guidelines for systems processing sensitive or proprietary information, for example, state that all failed and successful authentication and access attempts must be logged, and that all access to information must leave some type of [[audit trail]].<ref>{{cite web|url=https://www.treasury.gov/tigta/auditreports/2004reports/200420131fr.html|title=The Use of Audit Trails to Monitor Key Networks and Systems Should Remain Part of the Computer Security Material Weakness |website=www.treasury.gov|access-date=2017-10-06}}</ref> Logging denied attempts as well as successful ones matters in practice: a burst of denials is often the first sign of a compromised account or a misconfigured policy.

The need-to-know principle also applies to access control. Under this principle, a person is granted only the access rights required to perform their job functions.<ref>{{Cite journal|title=fixing-canadas-access-to-medicines-regime-what-you-need-to-know-about-bill-c398|url=http://dx.doi.org/10.1163/2210-7975_hrd-9902-0152|access-date=2021-06-01|website=Human Rights Documents online|doi=10.1163/2210-7975_hrd-9902-0152}}</ref> The principle is used in government when dealing with different clearances.<ref>{{Cite journal|last=Salazar|first=Mary K.|date=January 2006|title=Dealing with Uncertain Risks–When to Apply the Precautionary Principle|url=http://dx.doi.org/10.1177/216507990605400102|journal=AAOHN Journal|volume=54|issue=1|pages=11–13|doi=10.1177/216507990605400102|s2cid=87769508|issn=0891-0162}}</ref> Even though two employees in different departments both hold a [[Classified information|top-secret clearance]], they must also have a need-to-know before information may be exchanged between them: clearance is necessary but not sufficient. Applying need-to-know, administrators grant each employee the least privilege necessary, which prevents employees from accessing more than they are supposed to.<ref>{{Cite journal|title=We Need to Know More About How the Government Censors Its Employees|url=http://dx.doi.org/10.1163/2210-7975_hrd-9970-2016117|access-date=2021-06-01|website=Human Rights Documents Online|doi=10.1163/2210-7975_hrd-9970-2016117}}</ref> Need-to-know supports the confidentiality–integrity–availability triad and bears most directly on its confidentiality component.<ref>{{Citation|last=Pournelle|first=Jerry|chapter=1001 Computer Words You Need to Know|date=2004-04-22|chapter-url=https://academic.oup.com/book/40772/chapter-abstract/348693201|title=1001 Computer Words You Need to Know: The Ultimate Guide To The Language Of Computers |publisher=Oxford University Press |series= Oxford Scholarship Online|language=en|doi=10.1093/oso/9780195167757.003.0007|isbn=978-0-19-516775-7|access-date=2021-07-30}}</ref>
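The following is an added worked example, not part of the article and not taken from any cited source. It implements the three approaches described above as a tiny policy engine in Python: a discretionary check (the owner controls an access list), a mandatory check (classification dominance plus need-to-know compartments) and a role-based check, combined so that the most restrictive answer wins, with every decision written to an audit trail as the Treasury guideline requires. The subjects, resources, roles, labels and the compartment names are all constructed for illustration; no real system uses exactly this policy.

```python
"""Added example (not the article's own material): a minimal policy engine that
combines discretionary, mandatory and role-based access control and records
every decision, allowed or denied, in an audit trail.
All subjects, resources, roles and labels below are constructed for illustration."""
from dataclasses import dataclass, field

# Ordered classification levels; a higher number dominates a lower one.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}


@dataclass
class Subject:
    name: str
    clearance: str = "unclassified"
    compartments: frozenset = frozenset()   # need-to-know compartments held
    roles: frozenset = frozenset()


@dataclass
class Resource:
    name: str
    owner: str
    classification: str = "unclassified"
    compartments: frozenset = frozenset()   # compartments required to access it
    acl: dict = field(default_factory=dict)  # DAC: user name -> set of actions


# RBAC: role -> permitted actions (hypothetical roles for this example).
ROLE_PERMISSIONS = {
    "analyst": {"view"},
    "editor": {"view", "change"},
    "admin": {"view", "change", "create", "delete", "run"},
}

AUDIT_LOG: list[dict] = []  # one entry per decision, successful or not


def dac_allows(subject, resource, action):
    """Discretionary: the owner has full control; others need an ACL entry."""
    if subject.name == resource.owner:
        return True
    return action in resource.acl.get(subject.name, set())


def mac_allows(subject, resource, action):
    """Mandatory: the subject's clearance must dominate the resource's
    classification (no read-up), and the subject must hold every compartment
    the resource is tagged with (need-to-know)."""
    if LEVELS[subject.clearance] < LEVELS[resource.classification]:
        return False
    return resource.compartments <= subject.compartments


def rbac_allows(subject, action):
    """Role-based: at least one of the subject's roles must grant the action."""
    return any(action in ROLE_PERMISSIONS.get(r, set()) for r in subject.roles)


def authorize(subject, resource, action):
    """Combined decision: all three mechanisms must agree, so the most
    restrictive one wins. Both allowed and denied attempts are logged."""
    checks = {
        "dac": dac_allows(subject, resource, action),
        "mac": mac_allows(subject, resource, action),
        "rbac": rbac_allows(subject, action),
    }
    decision = all(checks.values())
    AUDIT_LOG.append({"subject": subject.name, "resource": resource.name,
                      "action": action, "allowed": decision, "checks": checks})
    return decision


def demo():
    """Constructed scenario: several top-secret-cleared employees; only those
    holding the 'ops' compartment have a need-to-know for the ops plan."""
    plan = Resource("ops-plan.docx", owner="alice", classification="top-secret",
                    compartments=frozenset({"ops"}),
                    acl={"bob": {"view"}, "carol": {"view"}})
    alice = Subject("alice", "top-secret", frozenset({"ops"}), frozenset({"editor"}))
    bob = Subject("bob", "top-secret", frozenset({"ops"}), frozenset({"analyst"}))
    carol = Subject("carol", "top-secret", frozenset({"finance"}), frozenset({"analyst"}))
    dave = Subject("dave", "secret", frozenset({"ops"}), frozenset({"admin"}))
    return {
        "alice_change": authorize(alice, plan, "change"),  # owner, cleared, editor
        "bob_view": authorize(bob, plan, "view"),          # ACL + clearance + need-to-know
        "bob_change": authorize(bob, plan, "change"),      # analyst role lacks "change"
        "carol_view": authorize(carol, plan, "view"),      # cleared, but no need-to-know
        "dave_view": authorize(dave, plan, "view"),        # admin role, but read-up and no ACL
    }


if __name__ == "__main__":
    for key, allowed in demo().items():
        print(f"{key}: {'ALLOW' if allowed else 'DENY'}")
    for entry in AUDIT_LOG:
        print(entry)
```

Carol is the case the paragraph above describes: she holds the same top-secret clearance as Bob and even has an explicit ACL entry, yet the mandatory check denies her because she lacks the "ops" compartment. Dave shows that a powerful role does not override the mandatory label, and the audit log retains the denied attempts alongside the successful ones.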