Discretionary Access Control
The discretionary access control (DAC) model allows individuals complete control over
any resources or objects they own, along with the programs associated with those objects.
DAC is the least restrictive model and is therefore weak in two areas:
First, users are allowed complete control over security levels for other users. This could
result in some users having higher permissions than they are supposed to have.
Second, since the permissions over objects are inherited by the programs a user runs, the user
can execute malicious software intentionally or unintentionally. Moreover, malware can
take advantage of those potentially high-level privileges to launch and kill user processes.
Rule-Based Access Controls
Rule-based access controls (RB-RBAC) dynamically assign roles to users based on criteria
defined by the system administrator. This model is ideal when a user must be allowed access to
certain files only during certain hours of the day. The catch is that the rules need to be
custom-specified in the network by the system administrator. An example use case is
a freelancer working for an organization during certain hours of the day.
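As an added illustration, not from the original text: a small hypothetical Python rule engine in which the administrator's rules grant a role to a user only while the rule's criteria (weekday and daily time window) hold, so the freelancer's file access is denied outside the permitted hours. Every user, role, file name and time below is a constructed sample; the midnight-crossing window is included because it is the edge case a naive time comparison gets wrong.

```python
from dataclasses import dataclass
from datetime import datetime, time
# Hypothetical rule-based access control engine: the administrator's rules assign a
# role to a user only while their criteria hold (here a weekday set and a daily
# time window). Role names, objects and users below are constructed samples.

@dataclass(frozen=True)
class Rule:
    user: str
    role: str
    weekdays: frozenset  # 0 = Monday ... 6 = Sunday
    start: time          # window start, inclusive
    end: time            # window end, exclusive
    def applies(self, user: str, now: datetime) -> bool:
        if user != self.user or now.weekday() not in self.weekdays:
            return False
        if self.start <= self.end:
            return self.start <= now.time() < self.end
        # Window that crosses midnight, e.g. 22:00-06:00.
        return now.time() >= self.start or now.time() < self.end

# Static role -> {(object, permission)} mapping; roles themselves are granted
# dynamically by the rules, so a user holds no permissions outside the window.
ROLE_PERMISSIONS = {
    "contractor": {("reports/q3.xlsx", "read"), ("reports/q3.xlsx", "write")},
    "auditor": {("reports/q3.xlsx", "read")},
}

# Constructed rules: freelancer 'dana' is a contractor Mon-Fri 09:00-17:00;
# 'omar' audits on Sat/Sun nights 22:00-06:00 (a window crossing midnight).
RULES = [
    Rule("dana", "contractor", frozenset(range(0, 5)), time(9, 0), time(17, 0)),
    Rule("omar", "auditor", frozenset({5, 6}), time(22, 0), time(6, 0)),
]

def active_roles(rules, user: str, now: datetime) -> set:
    """Roles the rules currently assign to `user`."""
    return {r.role for r in rules if r.applies(user, now)}

def decide(user: str, obj: str, perm: str, when: str) -> bool:
    """Default deny: allow only if an active role grants (obj, perm) at ISO time `when`."""
    now = datetime.fromisoformat(when)
    return any((obj, perm) in ROLE_PERMISSIONS.get(role, set())
               for role in active_roles(RULES, user, now))

if __name__ == "__main__":
    print(decide("dana", "reports/q3.xlsx", "write", "2024-03-05T10:30"))  # True
    print(decide("dana", "reports/q3.xlsx", "write", "2024-03-05T18:00"))  # False
```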
Multifactor Authentication
Multifactor authentication, also known as two-factor authentication, is an attempt to
maximize security and minimize unauthorized access. This is achieved by increasing the
number of items, or factors, required for successful authentication and access. The approach
requires the availability and presentation of at least two of the three authentication factors
described here:
Something only the user knows, such as a password, PIN, or pattern (token generators,
one-time pads, etc.)
Something only the user has, such as a smart access card or mobile phone
Something only the user is, such as a biometric characteristic like a fingerprint scan or
iris scan
Upon presentation, each factor is validated by the system for authentication to complete.
Single Sign-On
Single sign-on (SSO) is an access control method or property that allows a user access to all
linked systems without being prompted to log in or sign in at each one of them. Such a
scheme is typically accomplished by using directory services that share access rights and
privileges, such as the open-source and vendor-independent Lightweight Directory Access Protocol
(LDAP) or the proprietary Windows-based Active Directory. These SSO application
protocols share centralized authentication servers that all linked software applications and