Access Control
Contents
Abstract
Access Control
  Common Practices for Access Control Methods
  Common Control Types for Access Control
Biometric Authentication
  Biometric Behavior Associations and Behavior Measures
  Biometric Controls & Psychological Analysis
  Physiological Biometric Controls
    i. Fingerprint Recognition
    ii. Retinal Scan
    iii. Iris Scan
  Keystroke & Control Dynamics Analysis
Risks of Biometric Authentication
Use of Tokens
  One-Time Password (OTP)
  Importance
  Drawbacks of OTPs
  Time-Based One-Time Password (TOTP)
  OTP/TOTP Token Considerations
Multi-Factor Authentication
  Importance
  MFA Authentication Considerations
Single Sign-On
  Considerations for SSO
  Potential Risks
Public Key Infrastructure
  Risks of PKI
Strategic Planning
References
Abstract
The digital age has seen a growing use of passwords everywhere, from social media
websites to accounts on personal computers; passwords protect our documents and our
dealings with financial institutions. All this makes the growth and adaptation of security
controls vital to an organization's ability to grow, adapt and remain effective. Organizations
should adopt suitable controls based on their needs and strategies, as each control greatly
affects the organization's strategy, safety and security.
Access Control
Access control includes identification, authentication, authorization, and accountability
(Kung et al., 2017) and is defined as the process that either denies or grants resources and
services to a user in a network.
Common Practices for Access Control Methods
Some of the best practices for access control over the years include the following:
Access should be based on defined roles and responsibilities
The principle of least privilege should be followed
Access rights should be reviewed at regular intervals and audited
Access-related information should be logged
Common Control Types for Access Control
These methods can broadly be divided into the three following categories:
Technical Controls:
These include the use of biometrics, access control cards, usernames and passwords,
protocols for remote access authentication, access control lists (ACLs), account restrictions,
encryption, policy enforcement, etc. (Dimov & Tistarelli, 2015)
Administrative Controls:
These include security awareness training, procedures, supervisory structures, personnel
controls and testing.
Physical Controls:
Biometric Authentication
This method verifies users by identifying and measuring an individual's unique
behavioral and physiological features (Dimov et al., 2015). Biometric authentication provides
stronger access control than PINs and passwords, as a biometric cannot be forgotten, lost or shared.
Biometric measures maximize between-individual variance while simultaneously
minimizing within-individual variability.
The different types of biometric authentication include:
Face recognition
Fingerprint scanning
Iris/retinal scanning
Hand geometry
Vein infrared thermogram
Palm print and gait
Another authentication method is voice identification, which must be measured in an
ambient setting. Obstacles like auditory eavesdropping and/or manipulation have resulted in it not
being used for certain multi-factor systems (Kung et al., 2017). But it has been of great use in
meeting the needs of the disabled. For example, visually impaired people have problems with
authentication processes like CAPTCHA (Dimov et al., 2015), being unable to see and
input the character sequences. Voice authentication can be used here to interact in an auditory
fashion. Good biometric systems have low false rejection and false acceptance rates; high
rates result in a bad user experience. Achieving 100% accuracy has been the biggest
barrier to the commercialization of this technology (Kung et al., 2017).
Biometric Behavior Associations and Behavior Measures
Biometric techniques have proved to be more complex and costly as compared to other
methods. They require uniqueness of eyes and fingers for validation. The accepted standards for
biometric authentication include a speed of not more than five seconds, an enrolment time of not
more than 2 minutes, and a throughput of 6 to 10 per min (Dimov et al., 2015).
Biometric Controls & Psychological Analysis
False Reject Rate (FRR) – Authorized individuals are erroneously denied access, meaning there
is a possibility of the system denying access to an individual who does match the enrolled
template.
False Accept Rate (FAR) – Unauthorized individuals, who have no matching template, are erroneously
allowed access.
Crossover Error Rate (CER) – The point at which FRR and FAR are equal. It allows users to compare
systems against each other; the system with the lowest CER is the most accurate (Dimov et al., 2015).
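As an added worked example (not from the paper or its cited sources), the following Python computes FRR and FAR over a grid of decision thresholds from constructed matcher scores and locates the crossover point. The scores, the 0..100 score scale and the threshold grid are assumptions made for illustration.

```python
"""Added example: false reject rate (FRR), false accept rate (FAR) and the
crossover error rate (CER) from matcher scores. The scores below are
constructed for illustration, not taken from any real system."""
from typing import Dict, Sequence, Tuple

# Similarity scores (0..100) from a hypothetical matcher.
# Genuine: a user compared against their own enrolled template.
# Impostor: a user compared against someone else's template.
GENUINE_SCORES = [92, 88, 85, 79, 75, 70, 66, 60, 55, 48]
IMPOSTOR_SCORES = [20, 25, 31, 38, 42, 47, 52, 58, 63, 71]
THRESHOLDS = range(0, 101, 5)


def false_reject_rate(genuine: Sequence[int], threshold: int) -> float:
    """Share of genuine attempts scored below the threshold (wrongly denied)."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def false_accept_rate(impostor: Sequence[int], threshold: int) -> float:
    """Share of impostor attempts scored at or above the threshold (wrongly admitted)."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_curve(genuine: Sequence[int], impostor: Sequence[int],
                thresholds: Sequence[int]) -> Dict[int, Tuple[float, float]]:
    """FRR and FAR at every candidate threshold. Raising the threshold lowers
    FAR and raises FRR; that trade-off is what an operator tunes."""
    return {t: (false_reject_rate(genuine, t), false_accept_rate(impostor, t))
            for t in thresholds}


def crossover_error_rate(genuine: Sequence[int], impostor: Sequence[int],
                         thresholds: Sequence[int]) -> Tuple[int, float]:
    """Threshold at which FRR and FAR are closest, and the error rate there.
    A lower CER means a more accurate matcher, which is how systems are compared."""
    best = None  # (gap, threshold, rate)
    for t, (frr, far) in error_curve(genuine, impostor, thresholds).items():
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, (frr + far) / 2)
    return best[1], best[2]


if __name__ == "__main__":
    for t, (frr, far) in error_curve(GENUINE_SCORES, IMPOSTOR_SCORES, THRESHOLDS).items():
        print(f"threshold {t:3d}: FRR={frr:.2f} FAR={far:.2f}")
    print("CER (threshold, rate):", crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES, THRESHOLDS))
```

Running the block prints the full FRR/FAR curve; with the constructed scores the two rates cross at threshold 60, where both are 0.2. A deployment that must keep impostors out would pick a threshold above the crossover and accept the higher FRR that comes with it.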
Physiological Biometric Controls
i. Fingerprint Recognition
This cheap, non-intrusive method develops images of the ridges, whorls and minutiae of a
fingerprint. It can be both static and dynamic (Kung et al., 2017). But it has the disadvantages that
the sensor wears out, that it is affected by swelling and injuries, and that it is prone to deception
(Dimov et al., 2015).
ii. Retinal Scan
This involves recording unique features of the blood vessels of the retina and identifying
patterns at the back of the eyeball. But it has the disadvantages that the laser may damage the
eyeball and that retinal patterns may change as a result of heart disease or diabetes. The subject
must remain still and the scanning unit must be directly in front of the eyes. It has the advantage of
great accuracy.
iii. Iris Scan
Considered the most accurate of all biometric authentication methods, as iris patterns remain
constant throughout adulthood and differ even between the two eyes of one individual (Kung et al., 2017).
Keystroke & Control Dynamics Analysis
This involves analyzing and recognizing an individual’s unique typing rhythm. It uses
flight time and dwell time.
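The two measures named above, as an added example that is not from the paper or its sources: dwell time is how long a key stays pressed, flight time is the gap between releasing one key and pressing the next. The Python below extracts both from constructed key-event timings, builds an enrolled profile from repeated typings of a passphrase and scores a login attempt against it. The passphrase, the millisecond timings and the fixed 30 ms tolerance are assumptions for illustration; real systems use statistical models rather than a fixed tolerance.

```python
"""Added example: dwell and flight times for keystroke dynamics, with a
simple enrolled profile and match score. All timings are constructed."""
from typing import List, Sequence, Tuple

KeyEvent = Tuple[str, int, int]  # (key, key-down time in ms, key-up time in ms)


def dwell_times(events: Sequence[KeyEvent]) -> List[int]:
    """Dwell time: how long each key is held down."""
    return [up - down for _key, down, up in events]


def flight_times(events: Sequence[KeyEvent]) -> List[int]:
    """Flight time: gap between releasing one key and pressing the next."""
    return [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]


def feature_vector(events: Sequence[KeyEvent]) -> List[int]:
    return dwell_times(events) + flight_times(events)


def enroll(samples: Sequence[Sequence[KeyEvent]]) -> List[float]:
    """Average the feature vectors of several typings of the same passphrase."""
    vectors = [feature_vector(s) for s in samples]
    return [sum(col) / len(col) for col in zip(*vectors)]


def match_score(profile: Sequence[float], events: Sequence[KeyEvent],
                tolerance_ms: int = 30) -> float:
    """Fraction of timing features within tolerance of the enrolled profile."""
    vec = feature_vector(events)
    if len(vec) != len(profile):
        return 0.0  # different keystroke count: cannot be the same passphrase
    hits = sum(1 for p, v in zip(profile, vec) if abs(p - v) <= tolerance_ms)
    return hits / len(profile)


# Constructed enrolment samples: the passphrase "pass" typed twice by the user.
ENROLMENT = [
    [("p", 0, 90), ("a", 150, 230), ("s", 300, 390), ("s", 450, 540)],
    [("p", 0, 100), ("a", 160, 240), ("s", 310, 400), ("s", 470, 560)],
]
PROFILE = enroll(ENROLMENT)

# Constructed login attempts: one with the user's rhythm, one markedly slower.
GENUINE_ATTEMPT = [("p", 0, 95), ("a", 155, 235), ("s", 305, 395), ("s", 460, 550)]
IMPOSTOR_ATTEMPT = [("p", 0, 150), ("a", 400, 520), ("s", 700, 850), ("s", 1100, 1250)]

if __name__ == "__main__":
    print("profile (4 dwell + 3 flight):", PROFILE)
    print("genuine :", match_score(PROFILE, GENUINE_ATTEMPT))
    print("impostor:", match_score(PROFILE, IMPOSTOR_ATTEMPT))
```

The score is deliberately a second factor, not a replacement for the passphrase itself: a correct passphrase typed with the wrong rhythm scores low, which is the case the text describes for a different keyboard or an off hand, so the tolerance must be set with the FRR/FAR trade-off in mind.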
Signature Dynamic systems:
These use users' signatures for reference and recognition. They capture the way the pen is
held, the amount of pressure exerted and the signing speed. They have the advantage of being
non-intrusive, but wear and changes in signing speed can be a barrier.
Risks of Biometric authentication
Facial recognition accuracy can vary depending on camera sensitivity, lighting and angle.
Accessories like glasses or sunglasses can make the person look different. Temperature or any
problem with the finger can affect fingerprint scans. Apple's impressive Touch ID has been
bypassed by the use of latex and accurate sensors (Dimov et al., 2015).
Other systems use information like location. A problem with keystroke dynamics is that people
may type at a different pace on a keyboard with a different layout; also, right-handed
people type more slowly with their left hands and vice versa, and the index finger types faster due to its
consistent use and instinctive ability (Dimov et al., 2015).
Use of Tokens
One-Time Password (OTP)
This technology provides maximum security. Users are provided with a list of passwords
and use each password in sequence. Hackers could sniff the passwords from the network, but
since each password is valid only once that technique is generally ineffective. Users authenticate
themselves with a PIN or token (Alfred, 2016). The users do not have to memorize or choose
passwords; the token generates a unique one-time password for each process, allowing access to
protected resources (Roebuck, 2017).
Importance
They have been designed to replace session IDs, reducing server load, rationalizing
permission management, and offering appropriate tools to support a cloud-based or
distributed infrastructure. Tokens are generated when the user authenticates
(Roebuck, 2017). This process has the advantage of statelessness: the token generated by the
server need not be stored anywhere. All user metadata is encoded directly in the token, so any
user can be authenticated by any machine and no sessions are required. This also has the
advantage of scalability (Alfred, 2016). Using tokens for mobile application authentication
allows users to easily control which APIs can access their devices. They are easier than cookies
when deployed on Android or iOS and require no extra effort from the development team.
Drawbacks of OTPs
SMS OTPs involve sending the OTP to a phone number configured on the website. This
has the disadvantage of trust: users have to deal with malware delivered through SMS, and
encryption on cellular networks is weak (Alfred, 2016). OTPs can be inconvenient, as the user has
to copy the OTP from the device that received it into the login form (Roebuck, 2017). The copied
OTP has to be short and printable, which limits flexibility and reduces security (Alfred,
2016).
Time-Based One Time Password (TOTP)
This method generates a new password at every fixed time interval. The token
and the server both use the current time to produce the authentication numbers the user enters
during login, running the same algorithm on the user side and the server side. Each OTP the
server and token generate is valid only for its time interval.
OTP/TOTP Token Considerations
The following should be considered when implementing OTP tokens:
A token is required for every user, so more investment is needed.
Users need to carry the token with them at all times, as they will not be allowed
to access the system otherwise.
Users cannot use the system for any length of time without the token.
Connections can be vulnerable to sniffing, as once the original connection is
authenticated all subsequent connections are assumed to be authenticated (Alfred, 2016).
Users need to ensure the safety of their tokens.
Security tokens may not be compatible with all servers or applications.
Multi-Factor Authentication
MFA, also known as two-step authentication, combines a username and password with an
additional form of authentication such as personal information or a physical token. It guarantees that
users are who they claim to be (Stanislav, 2015). It requires users to identify themselves by presenting
at least two pieces of evidence drawn from three major categories. If one factor is compromised by a
hacker, its impact on the other steps is minimal, thus providing greater security (Sampson, 2015).
Users' choice of weak passwords makes it easier for hackers (Dasgupta, Roy & Nag, 2017); MFA
provides layers of protection to the user by preventing a ripple effect (Sampson, 2015). Some
recognized MFA methods include a pop-up notification or verification via text message on a mobile phone,
inserting a card, and typing in unique codes created by a physical token (Stanislav, 2015). Some
companies employ MFA for every user; together with SSO this makes the system very secure and
completely eliminates the need for passwords (Sampson, 2015).
Importance
MFA offers a good end-user experience together with robust security. For example, an organization
might need a higher level of assurance when a human resources application is accessed; banks
let clients log into their accounts with a username and password but require a second
authentication before any transaction; and retailers can require MFA when a vendor logs
into their portal from a new system, to ensure it is not a hacker attempting to gain access with a
password that has been stolen (Stanislav, 2015). This type of MFA is referred to as contextual,
risk-based, or adaptive MFA. It has the advantage of raising the system's security only when
needed (Dasgupta et al., 2017), thus balancing convenience and security. Because of the magnitude
of the loss in case of a violation, MFA requires additional proof. If contextual MFA is used, security
may be achieved without giving up usability (Sampson, 2015).
MFA Authentication Considerations
Users are locked out of their accounts after a single mistake.
Though MFA is used to keep hackers out, a hacker who gains control of an account can set up their own
two-step authentication on it and keep the legitimate user locked out.
Single Sign-On
Users identify themselves to the servers only once through this method (Miller, 2015).
Users can log in to multiple services with a single password, but the compromise of that single
authentication can compromise all available resources.
Considerations for SSO
The following should be considered when implementing SSO.
Since one authentication regulates access to all resources, this process must be secure.
Smart cards and tokens may be used to strengthen the authentication process.
Password policies need to be enforced, implementing a minimum password length,
password complexity, a minimum time before renewal, and a maximum frequency of
attempts.
Encryption should be used to protect against sniffing. Login records should be monitored to detect
suspicious login attempts.
Authentication servers must be used.
SSO protocols often share session information, but a central domain exists through which
authentication is executed, and sessions are shared with other domains in certain ways
(Dasgupta et al., 2017). For instance, a central domain can generate a signed JSON Web Token
that is encrypted with JWE. This token can be passed to the client and used by the
authentication domain. The token may be redirected and contains all the data necessary to
authenticate the user; since the tokens are signed, the client cannot modify them (Miller, 2015).
Users are redirected to the authentication domain every time authentication is required. Since the
users have already logged in, they can instantly be redirected back to the original domain with the
authentication token.
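The signed-token flow described above, as an added example that is not code from the paper or its sources: a central SSO domain issues a JWT signed with HMAC-SHA256 (HS256, the JWS layer), and a relying application verifies the signature before trusting any claim, which is what stops the client from modifying the token. The issuer URL, audience, secret, claim names and five-minute lifetime are assumptions of this example; the JWE encryption layer the text mentions is not shown.

```python
"""Added example: issuing and verifying a signed JSON Web Token (JWS, HS256)
for a central SSO domain, using only the standard library. The issuer,
audience, secret and lifetime are constructed values for illustration."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ISSUER = "https://sso.example.test"  # hypothetical central authentication domain


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, subject: str, audience: str,
                now: Optional[int] = None, ttl: int = 300) -> str:
    """Central-domain side: sign header.payload with HMAC-SHA256 over the shared secret."""
    if now is None:
        now = int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "sub": subject, "aud": audience, "iat": now, "exp": now + ttl}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_token(secret: bytes, token: str, expected_aud: str,
                 now: Optional[int] = None) -> Optional[dict]:
    """Relying-application side: returns the claims if the token is valid, else None.
    The algorithm is pinned and the signature checked before any claim is read."""
    if now is None:
        now = int(time.time())
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None                                  # refuses "none" and other algorithms
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None                                  # tampered payload or wrong key
        payload = json.loads(b64url_decode(payload_b64))
    except ValueError:                                   # malformed base64/JSON or wrong part count
        return None
    if not isinstance(payload, dict):
        return None
    if payload.get("iss") != ISSUER or payload.get("aud") != expected_aud:
        return None                                      # token meant for another domain
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None                                      # expired
    return payload


if __name__ == "__main__":
    demo_secret = b"constructed-demo-secret"             # illustration only
    tok = issue_token(demo_secret, "alice", "app.example.test")
    print(tok)
    print(verify_token(demo_secret, tok, "app.example.test"))
```

Checking the audience and issuer matters in an SSO setup because the same central domain issues tokens for many applications: without it, a token obtained for one application would be accepted by another.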
Potential Risks
Authentication and privacy keys are a security concern.
If the SSO server is unavailable, users cannot access any site.
SSO is not suitable for multi-user computers if users remain logged in at all times.
There is no backup and no stronger authentication.
If the password is weak it is easy to guess and hack the account, and once hacked all linked accounts
will be compromised.
Public Key Infrastructure
Kim (2016) defines PKI as a technology that uses mathematical processes and algorithms to
facilitate secure transactions through data integrity, data confidentiality, and authentication.
PKI uses certificates, issued by a trusted certificate authority (CA), to prove an individual's
identity. The certificate is signed with the certificate authority's private key, and the user is
authenticated by verifying that signature. This certificate can be used for authentication to many
applications that check the identity through the digital signature from the CA (Schmeh, 2016).
PKI is valuable for applications that require no pre-registration, such as online transactions;
users only require a certificate from the certificate authority (Kim, 2016).
Risks of PKI
There is no governing body to enforce the standards of PKI (Schmeh, 2016). CAs are
trusted third parties, but limitations in their security procedures over the years have resulted in less
trust in PKI, as any compromise of a CA can expose the entire PKI to risk (Kim, 2016).
Strategic Planning
Strategic operations define an organization’s strategy or direction and the decisions it
takes and the resources it allocates to pursue that strategy. Organizations need to keep in mind
the following:
What the organization is currently doing
Who they are doing it for
How will they excel going forward
Strategic decisions keep in view the next three to five years and consider any potential
mishaps. These mishaps may also include untapped opportunities. These decisions are affected
by factors that may be out of the organization’s control, e.g. wars, geopolitical shocks etc.
Organizations’ strategies should also address how they intend to sustain their operations and
provide quality products or services to their customers while including capabilities for future
innovations.
Strategic planning involves the following steps:
Clarifying mission and vision statements
This involves identifying and clarifying the company's mission, vision, corporate
values and culture, and most importantly why the company exists and what success looks like
to the company.
Identifying current and future market position
This involves gathering data on internal strengths, weaknesses, external threat and
external opportunities so the organization can develop an understanding of all the critical
issues and deal with them accordingly.
Prioritizing
Creating priorities that need to be addressed and form strategies in dealing with
those issues.
It is the culmination of proper security controls, the understanding of the need for an
organization’s assets to remain secure, and various strategic decisions that allow for an
organization to properly plan for their long-term success. It is part of the constant struggle to
create balance between security, accessibility, and strategic vision. Each of these acts as the
driving force to enable the next, sparking creativity and hopefully, long-term success.
References
Alfred, A. (2016). Node.js: Token-Based Authentication Part 3. Defining Routes and
Implementing Token-Based Authentication.
Dasgupta, D., Roy, A., & Nag, A. (2017). Multi-Factor Authentication: More secure
approach towards authenticating individuals.
Dimov, D., & Tistarelli, M. (Eds.). (2015). Biometric Authentication. Cham: Springer.
Kim, D. (2016). Access control, authentication, and public key infrastructure: Laboratory
manual to accompany.
Kung, S. Y., Mak, M.-W., & Lin, S.-H. (2017). Biometric authentication: A machine learning
approach. Upper Saddle River: Prentice Hall.
Miller, W. (2015). Foundations of iOS Security: Working with Single Sign-on Authentication.
Roebuck, K. (2017). Security Tokens: High-impact Strategies - What You Need to Know:
Definitions, Adoptions, Impact, Benefits, Maturity, Vendors. Dayboro: Emereo Pub.
Schmeh, K. (2016). Cryptography and Public Key Infrastructure on the Internet. New York,
NY: John Wiley & Sons.
Sampson, A. (2015). Architecting Microsoft Azure Solutions: Multi-factor Authentication
Overview.
Stanislav, M. (2015). Two-factor authentication. Ely, Cambridgeshire, United Kingdom: IT
Governance Publishing.