Access control in relation to risk, threat and vulnerability:-
What is Risk?
Risk is defined as a function of threats finding vulnerabilities and methods, gaining access, and damaging or destroying assets.
What is Vulnerability?
A vulnerability is a gap or weakness in a security system that a threat can use to gain access to content it is not authorized to see. It can be used by attackers or other threats to reach unauthorized content in an organization's systems.
What is Threat?
A threat is anything, inside the system or external to it, acting intentionally or accidentally, that may compromise system security.
Access control and its relation to the above defined factors:-
Access control helps an organization minimize its potential risk by closing off the ways in which vulnerabilities in the system could be reached.
Risk is a function of threats exploiting vulnerabilities to damage assets. Threats may exist, but if there are few vulnerabilities there is very little risk; likewise, if a vulnerability exists but there is little or no threat, there is little or no risk.
Access control eliminates Vulnerabilities by the following ways:
• Encrypting URL content and data
• Creating and maintaining session timeouts
• Encrypting data in the database itself so that no one can fetch it using simple SQL injection queries
Access control eliminates threats by following methods:
• Verifying digital signatures on web pages
• Checking each HTTPS request to verify the previously logged-in user
• Using the IP address or location of the person who is trying to authenticate
The Relation between Access control and its Impact on CIA:
CIA describes the major foundation security elements of any organization.
Relation with confidentiality:
Confidentiality is keeping credentials and other secrets on the server or in the cloud private. Data confidentiality should be addressed whether the data is stored at rest or in transit, in the cloud or on the premises of a data center. Data kept in the cloud or data center should be fully encrypted to prevent unauthorized access. In this way access control helps an organization maintain this factor.
Relation with Availability:
This factor ensures that the application is always available for intended users to access their data.
Access control lets users authenticate from anywhere in the world at any time and gives them access to the organization's confidential data they are entitled to. Cyber-attacks may threaten the application's availability, so appliance-based protection should be implemented to defend against them.
Relation with Integrity:
Integrity promises that a particular application works as intended and that secret data is available only to intended users. The development operations team needs to secure all application data and control change management so that unintended changes do not affect this factor in any way.
Access control and its importance within info security:
Access controls are security features that govern how people interact with a system and who is authorized to use an organization's system resources. The main goal of access control is to protect applications from use by unauthorized parties. There are two main types of access control, physical and logical: the former restricts access to campuses, buildings and IT assets, and the latter limits access to computer networks and data. To secure a facility, an organization should implement access controls that rely on user credentials, card readers and restricted areas such as data centers. Access control systems perform identification and authentication of users by requiring login credentials such as passphrases, passwords, PINs, security tokens and other authentication factors. Multi-factor authentication, in which two or more authentication factors are required, is a well-known way of adding a multilayered defense through access control systems.
Need for organizations to implement access controls in relation to maintaining CIA:
There is no doubt in stating that implementing access control is the primary method for an organization to maintain the fundamentals of information security.
• Access to information must be restricted to those who are authorized to access the data. Data can be divided into categories based on the damage that would result from it falling into unauthorized hands, and protective measures implemented according to those categories. Ultimately, protecting confidentiality is a must.
• Integrity assures that sensitive data is trustworthy and accurate. Its consistency, trustworthiness and accuracy should be maintained over its lifetime. Sensitive data should not be manipulated or altered in transit, and security measures such as file permissions and user access controls should ensure that unauthorized users cannot modify the content.
• Availability is the guarantee of constant and reliable access to sensitive data by authorized users. Hence there is a need for the organization to prevent server downtime due to cyber-attacks. For these reasons, an organization needs strict access control to maintain the three factors of information security.
Yes, it is a risky practice to store customer information for repeated visits if session management is not properly implemented; that is, it must be ensured that the session expires after a certain amount of time and that the user is asked to re-authenticate.
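The session timeouts mentioned in the list of vulnerability controls above and the re-authentication requirement in the preceding answer can be implemented together. The following is an added example written for this page, not code from the original text: it keeps an in-memory session store with an idle timeout and an absolute lifetime, and any request arriving after either limit destroys the session so the user has to log in again. The timeout values, user names and the time-in-seconds interface are assumptions chosen for illustration.

```python
"""Session store with idle and absolute expiry (added example, not from the page)."""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

IDLE_TIMEOUT = 15 * 60        # seconds without activity before re-auth (assumed policy)
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on session lifetime (assumed policy)


@dataclass
class Session:
    user: str
    created_at: float   # when the user authenticated
    last_seen: float    # last request that used this session


class SessionStore:
    def __init__(self, idle: float = IDLE_TIMEOUT, absolute: float = ABSOLUTE_TIMEOUT):
        self.idle = idle
        self.absolute = absolute
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, now: float) -> str:
        # 32 random bytes give an unguessable token; the client holds only this token,
        # never the customer data itself, so nothing sensitive is stored client-side.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, now, now)
        return token

    def touch(self, token: str, now: float) -> Optional[str]:
        """Return the user for a valid session, or None if it is missing or expired.

        An expired session is deleted so a later request with the same token also
        fails; the caller must redirect the user to authenticate again.
        """
        s = self._sessions.get(token)
        if s is None:
            return None
        idle_exceeded = now - s.last_seen > self.idle
        lifetime_exceeded = now - s.created_at > self.absolute
        if idle_exceeded or lifetime_exceeded:
            del self._sessions[token]
            return None
        s.last_seen = now
        return s.user

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)

    def active_count(self) -> int:
        return len(self._sessions)


def demo() -> List[Optional[str]]:
    """Walk one session through activity, idle expiry, and reuse of a dead token."""
    store = SessionStore(idle=900, absolute=28800)
    tok = store.create("alice", now=0.0)           # constructed user name
    return [
        store.touch(tok, 600.0),    # 10 min later, within idle limit -> "alice"
        store.touch(tok, 1200.0),   # 10 min after that, idle clock was reset -> "alice"
        store.touch(tok, 2200.0),   # 1000 s idle > 900 s -> None, session destroyed
        store.touch(tok, 2300.0),   # token no longer exists -> None
    ]


if __name__ == "__main__":
    print(demo())
```

The absolute limit matters even for a user who is continuously active: it bounds how long a stolen token remains usable regardless of activity, which the idle timeout alone does not.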
Necessary components within an organization's access control metric:
Organizations planning to implement access control should consider the following three components.
• Access control policies
Access control policies are top-level requirements that specify how access is managed and who may access our information under what circumstances. For example, policies may govern the use of resources within or outside organizational units. At a high level, access control policies are enforced through a mechanism that converts a user's access request into a structure the system provides. An access control list is a familiar example.
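To show how a written policy becomes an enforceable structure, the following added example (not code from the original page) expresses a policy as per-resource access control list entries and evaluates each request against them, denying anything no entry explicitly permits. The users, groups, resource names and operations are constructed for illustration.

```python
"""Policy enforcement through an access control list (added example, not from the page)."""
from typing import Dict, FrozenSet, List, Tuple

# Directory data, constructed: user -> groups the user belongs to.
GROUPS: Dict[str, FrozenSet[str]] = {
    "alice": frozenset({"finance", "staff"}),
    "bob": frozenset({"staff"}),
    "eve": frozenset(),
}

# The ACL: resource -> entries of (principal, permitted operations).
# A principal is either a user name or "group:<name>". This encodes a policy such as
# "finance staff may read and write payroll; bob may additionally read it;
#  all staff may read the handbook".
ACL: Dict[str, List[Tuple[str, FrozenSet[str]]]] = {
    "payroll.db": [
        ("group:finance", frozenset({"read", "write"})),
        ("bob", frozenset({"read"})),
    ],
    "handbook.pdf": [
        ("group:staff", frozenset({"read"})),
    ],
}


def principals_for(user: str) -> FrozenSet[str]:
    """Expand a user into every principal name an ACL entry may match."""
    groups = GROUPS.get(user, frozenset())
    return frozenset({user}) | frozenset("group:" + g for g in groups)


def is_allowed(user: str, resource: str, op: str) -> bool:
    """Default deny: allow only when some entry names the user (or a group) and the op."""
    entries = ACL.get(resource)
    if entries is None:
        return False                      # unknown resource: nothing grants access
    who = principals_for(user)
    return any(principal in who and op in ops for principal, ops in entries)


def check(user: str, resource: str, op: str) -> str:
    """Produce an audit-style decision line for a request."""
    decision = "ALLOW" if is_allowed(user, resource, op) else "DENY"
    return f"{decision} {user} {op} {resource}"


if __name__ == "__main__":
    for req in [("alice", "payroll.db", "write"), ("bob", "payroll.db", "write"),
                ("eve", "handbook.pdf", "read"), ("bob", "handbook.pdf", "read")]:
        print(check(*req))
```

Keeping the decision function default-deny means a policy gap (a resource with no entries, or a user in no group) fails closed rather than open.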