Effective security starts with understanding the principles involved. Simply going through the motions of applying some memorized set of procedures isn’t sufficient in a world where today’s “best practices” are tomorrow’s security failures. IT security is a fast-moving field, and knowing how to perform the actions necessary for accepted practices isn’t enough to ensure the best security possible for your systems.
Among the most basic of security concepts is access control. It’s so fundamental that it applies to security of any type — not just IT security. Everything from getting into your car to launching nuclear missiles is protected, at least in theory, by some form of access control. Because of its universal applicability to security, access control is one of the most important security concepts to understand.
The key to understanding access control security is to break it down. There are three core elements to access control. Of course, we’re talking in terms of IT security here, but the same concepts apply to other forms of access control.
Identification: For access control to be effective, it must provide some way to identify an individual. The weakest identification capabilities will simply identify someone as part of a vague, poorly defined group of users who should have access to the system. Your TechRepublic username, a PGP e-mail signature, or even the key to the server closet provides some form of identification.
Authentication: Identification requires authentication. This is the process of ensuring that the identity in use is authentic — that it’s being used by the right person. In its most common form in IT security, authentication involves validating a password linked to a username. Other forms of authentication also exist, such as fingerprints, smart cards, and encryption keys.
Authorization: The set of actions allowed to a particular identity makes up the meat of authorization. On a computer, authorization typically takes the form of read, write, and execution permissions tied to a username.
These three elements of access control combine to provide the protection you need — or at least they do when implemented so they cannot be circumvented. For the example of simple access to basic system utilities on a workstation or server, identification is necessary for accounting (i.e., tracking user behavior) and providing something to authenticate. Authentication is necessary to ensure the identity isn’t being used by the wrong person, and authorization limits an identified, authenticated user from engaging in prohibited behavior (such as deleting all your backups).
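The workstation example above, as an added illustration that is not part of the original article: a small Python model that keeps identification, authentication and authorization as three separate checks, runs them in order, and records each outcome for accounting. The usernames, passwords, resource paths and permissions are constructed sample data, and the salted-hash credential store is an assumption standing in for whatever a real system would use.

```python
"""Toy model of the three elements of access control (added example, not the
article's code): identification (who is claiming to act), authentication
(proof the claim is genuine) and authorization (what that identity may do),
plus an accounting log, which identification is what makes possible.
All users, passwords, paths and permissions below are constructed samples."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Set, Tuple


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so a leaked credential store does not reveal passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_credential(password: str) -> Tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _hash_password(password, salt)


# Identity -> (salt, hash). Constructed sample accounts; a real system would
# keep these in a credential store rather than building them at import time.
CREDENTIALS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": make_credential("correct horse battery staple"),
    "bob": make_credential("hunter2"),
}

# (identity, resource) -> allowed actions, in the spirit of the read/write/
# execute model the article mentions. Anything not listed is denied.
PERMISSIONS: Dict[Tuple[str, str], Set[str]] = {
    ("alice", "/srv/backups"): {"read", "write"},
    ("bob", "/srv/backups"): {"read"},
    ("bob", "/usr/bin/disk-usage"): {"read", "execute"},
}

AUDIT_LOG: List[str] = []  # accounting: who attempted what, and the outcome


def identify(username: str) -> Optional[str]:
    """Identification: map a claimed username to a known identity, or None."""
    return username if username in CREDENTIALS else None


def authenticate(identity: str, password: str) -> bool:
    """Authentication: compare the offered password against the stored salted
    hash using a constant-time comparison."""
    salt, stored = CREDENTIALS[identity]
    return hmac.compare_digest(_hash_password(password, salt), stored)


def authorize(identity: str, resource: str, action: str) -> bool:
    """Authorization: default-deny lookup of the action for this identity."""
    return action in PERMISSIONS.get((identity, resource), set())


def access(username: str, password: str, resource: str, action: str) -> bool:
    """Run the three checks in order and log the result. Each check is a
    separate gate, so skipping any one of them would let the next be
    reached without the protection it depends on."""
    identity = identify(username)
    if identity is None:
        AUDIT_LOG.append(f"DENY unknown user {username!r} {action} {resource}")
        return False
    if not authenticate(identity, password):
        AUDIT_LOG.append(f"DENY {identity} bad credentials {action} {resource}")
        return False
    if not authorize(identity, resource, action):
        AUDIT_LOG.append(f"DENY {identity} not permitted {action} {resource}")
        return False
    AUDIT_LOG.append(f"ALLOW {identity} {action} {resource}")
    return True


if __name__ == "__main__":
    access("alice", "correct horse battery staple", "/srv/backups", "write")
    access("bob", "hunter2", "/srv/backups", "write")  # identified, authenticated, not authorized
    access("alice", "wrong password", "/srv/backups", "read")
    access("mallory", "anything", "/srv/backups", "read")
    print("\n".join(AUDIT_LOG))
```

Note that a valid identity and password still do not get bob write access to the backups: authorization is the gate that keeps an authenticated user from the "deleting all your backups" case, and the audit log shows exactly which of the three gates refused each request.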
Depending on the type of security you need, various levels of protection may be more or less important in a given case. Access to a meeting room may need only a key kept in an easily broken lock box in the receptionist’s area, but access to the servers probably requires a bit more care.