Lecture 5

Access Control is essential for information security, regulating access to data and systems to protect against unauthorized use. Key components include Identification, Authentication, Authorization, and Accountability, which work together to secure data, systems, networks, and physical assets. Access controls are implemented at multiple levels, including Physical, Technical, and Administrative controls, to ensure comprehensive protection.
Access Control

Farrukh Shabbir
What is Access Control?
Access Control is a critical component of information security that involves
regulating who or what is allowed to access and interact with information
resources, systems, and data within an organization. It ensures that only
authorized individuals have access to specific data or systems based on
predefined policies and roles, protecting the organization's data from
unauthorized access, misuse, or compromise. Access control is fundamental to
maintaining confidentiality, integrity, and availability of information systems.
Key Components of Access Control

01 Identification
02 Authentication
03 Authorization
04 Accountability (Auditing)
01 Identification

Definition: The process by which a user presents an identifier (a username,
account number or badge) to claim an identity within a system. Identification
is only a claim; nothing has been proved yet, so on its own it grants nothing.

Example: Entering a username or swiping an access card.
02 Authentication

Definition: The process of verifying the claimed identity of a user or system,
typically with something the user knows, has, or is. Combining factors from two
different categories is multi-factor authentication.

Example: Inputting a password, providing a fingerprint scan, or entering a
one-time code sent to a mobile device.
03 Authorization

Definition: Determining whether an authenticated user has permission to access
a resource or perform an action.

Example: A user with administrative privileges can install software, while a
standard user cannot.
04 Accountability (Auditing)

Definition: Tracking user activities and maintaining records to hold users
accountable for their actions.

Example: Logging access times, changes made to files, or failed login attempts.
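The four components above form one request path: resolve the claimed identity, prove it, check the policy, and record every step. The Python below is an added example and is not code from the lecture; the users, passwords, roles and the role-to-permission table are constructed. It also shows two details a practitioner would want: the password check runs the same hashing work for an unknown user as for a known one, and the caller receives the same message for "unknown user" and "wrong password", so that only the audit log distinguishes them.

```python
"""Added example: identification, authentication, authorization, accountability.

All users, passwords and roles are constructed sample data.
"""
import hashlib
import hmac
import os
from datetime import datetime, timezone

USERS = {}                   # username -> {"salt": bytes, "hash": bytes, "roles": set}
ROLE_PERMISSIONS = {         # authorization policy (constructed): role -> allowed actions
    "admin": {"install_software", "read_file"},
    "user": {"read_file"},
}
AUDIT_LOG = []               # accountability: one record per event
_DUMMY_SALT = os.urandom(16) # lets an unknown user cost the same as a known one
PBKDF2_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def _audit(user: str, event: str, outcome: str) -> None:
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user, "event": event, "outcome": outcome,
    })


def register(username: str, password: str, roles: set) -> None:
    """Store a salted PBKDF2 hash, never the password itself."""
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _hash_password(password, salt), "roles": set(roles)}


def identify(username: str):
    """Identification: resolve the claimed identifier to a record (or None)."""
    record = USERS.get(username)
    _audit(username, "identification", "known" if record else "unknown identity")
    return record


def authenticate(username: str, password: str) -> bool:
    """Authentication: prove the claim. Always hash, even for unknown users,
    so response time does not reveal whether the account exists."""
    record = USERS.get(username)
    salt = record["salt"] if record else _DUMMY_SALT
    candidate = _hash_password(password, salt)
    ok = record is not None and hmac.compare_digest(candidate, record["hash"])
    _audit(username, "authentication", "success" if ok else "failure")
    return ok


def authorize(username: str, action: str) -> bool:
    """Authorization: does any role of the user permit the action? Default deny."""
    roles = USERS[username]["roles"]
    ok = any(action in ROLE_PERMISSIONS.get(r, set()) for r in roles)
    _audit(username, f"authorize:{action}", "allowed" if ok else "denied")
    return ok


def request(username: str, password: str, action: str) -> str:
    """Run the full chain. Unknown user and wrong password give the caller the
    same answer; the audit log is where the two are told apart."""
    identify(username)
    if not authenticate(username, password):
        return "denied: authentication failed"
    if not authorize(username, action):
        return "denied: not authorized"
    return "allowed"


# Constructed sample directory
register("alice", "correct horse battery staple", {"admin"})
register("bob", "bobs-password-1", {"user"})

if __name__ == "__main__":
    print(request("alice", "correct horse battery staple", "install_software"))
    print(request("bob", "bobs-password-1", "install_software"))
    print(request("mallory", "anything", "read_file"))
    for entry in AUDIT_LOG:
        print(entry)
```

Running the block prints "allowed", "denied: not authorized" and "denied: authentication failed" in that order, followed by the audit records, which include an "unknown identity" entry for mallory that the caller never sees.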
What needs to be secured?

01 Data & Information
02 Systems & Applications
03 Network Resources
04 Physical Assets
01 Data & Information

Sensitive Data: Personally Identifiable Information (PII), financial records,
intellectual property, and proprietary business information.

Databases and Files: Structured and unstructured data stored in databases, file
systems, and cloud storage.
02 Systems & Applications

Servers and Workstations: Computers that host applications and store data.

Software Applications: Enterprise applications like CRM, ERP systems, and
custom software.

Cloud Services: SaaS, PaaS, and IaaS environments where applications and data
reside.
03 Network Resources

Network Devices: Routers, switches, firewalls, and access points.

Communication Channels: Internal networks, VPNs, and internet connections.
04 Physical Assets

Facilities: Data centers, server rooms, offices, and restricted areas.

Hardware Equipment: Laptops, mobile devices, storage media, and IoT devices.
How does it need to be secured?
Access controls are applied at multiple levels so that the failure or bypass of
one control does not by itself expose the asset (defence in depth). This is
called multi-level or layered access control, and the levels are called layers
of access controls.
Layers of Access Controls

Physical Access Controls

Technical Access Controls

Administrative Access Controls
01 Physical Access Controls

Controls that prevent unauthorized physical access to facilities, equipment,
and resources.
Physical Access Controls

Implementation

Locks and Keys: Traditional mechanical locks.

Access Cards and Badges: Electronic keycard like RFID/NFC cards and
smart cards.

Biometric Systems: Fingerprint scanners, facial recognition, retina/iris
scanners.

Security Personnel: Guards monitoring entrances and conducting
security checks.

Surveillance Systems: CCTV cameras, motion detectors, alarm systems.

Physical Barriers: Fences, mantraps, turnstiles, secure doors.
Physical Access Controls

Example
A company uses keycard access for entry
into the building and biometric scanners
to access sensitive areas like server
rooms.
02 Technical Access Controls

Technical access control, also known as logical access control, uses technology
to restrict access to data, systems, and networks. It involves hardware and
software solutions that manage who can access resources and what actions they
can perform.
Technical Access Controls

Implementation

Network Access Control: Firewalls, intrusion detection/prevention systems
(IDS/IPS), virtual private networks (VPNs), network segmentation, 802.1X
authentication.

System Access Control: OS security features (users, groups, permissions),
access control lists (ACLs).

Data Access Control: Encryption, data loss prevention (DLP) tooling.
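The system-level controls listed above (users, groups, permissions, ACLs) come down to one question: given a user, their group memberships and a resource's ACL, what may they do? The Python below is an added example, not code from the lecture, implementing the evaluation rule used by most ACL systems: collect every entry whose principal matches the user or one of their groups, let an explicit deny override any allow, and deny by default when nothing matches. The groups, resources and ACL entries are constructed; the "everyone" pseudo-group is an assumption of this example.

```python
"""Added example: evaluating a per-resource ACL with deny precedence.

Groups, resources and ACEs below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ACE:
    """One access control entry: who, allow/deny, which permissions."""
    principal: str            # "user:<name>" or "group:<name>"
    kind: str                 # "allow" or "deny"
    permissions: frozenset    # e.g. {"read", "write", "delete"}


GROUPS = {                    # constructed directory: group -> members
    "finance": {"alice", "bob"},
    "contractors": {"bob"},
    "admins": {"carol"},
}

ACLS = {                      # constructed resources and their ACLs
    "/srv/finance/payroll.xlsx": [
        ACE("group:finance", "allow", frozenset({"read", "write"})),
        ACE("group:contractors", "deny", frozenset({"write"})),
        ACE("group:admins", "allow", frozenset({"read", "write", "delete"})),
    ],
    "/srv/public/handbook.pdf": [
        ACE("group:everyone", "allow", frozenset({"read"})),
        ACE("user:dave", "deny", frozenset({"read"})),   # explicit user deny
    ],
}


def principals_for(user: str) -> set:
    """The user plus every group they belong to. 'everyone' is an assumed
    pseudo-group that matches any user."""
    names = {f"user:{user}", "group:everyone"}
    names.update(f"group:{g}" for g, members in GROUPS.items() if user in members)
    return names


def effective_permissions(user: str, resource: str) -> frozenset:
    """Allow entries are unioned, deny entries are unioned, and deny wins.
    A resource with no ACL, or no matching entry, yields nothing (default deny).
    Because the rule is set-based, the order of entries does not change the result."""
    mine = principals_for(user)
    allowed, denied = set(), set()
    for ace in ACLS.get(resource, []):
        if ace.principal not in mine:
            continue
        (denied if ace.kind == "deny" else allowed).update(ace.permissions)
    return frozenset(allowed - denied)


def check(user: str, resource: str, permission: str) -> bool:
    return permission in effective_permissions(user, resource)


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave"):
        for resource in ACLS:
            print(f"{user:6} {resource:28} {sorted(effective_permissions(user, resource))}")
```

In the sample, bob is in both finance and contractors, so the contractors' deny on write strips the write he would otherwise inherit from finance and leaves him with read only; dave matches "everyone" on the handbook but his explicit user deny wins, so he gets nothing.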
03 Administrative Access Controls

Policies and procedures that govern how access controls are implemented and
maintained.
Administrative Access Control

Implementation

Security Policies: Documented rules and guidelines for access control.

User Training and Awareness: Educating staff about security practices and
policies.

Regular Audits and Reviews: Periodically checking and updating access rights.

Change Management: Procedures for handling changes in access requirements.

Administrative Access Control

Example
Conducting quarterly reviews of user
access rights to ensure compliance with
the least privilege principle.
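A quarterly review is an administrative control, but the evidence for it comes from the technical layer: the grants on record and the audit trail (the accountability component). The Python below is an added example, not the lecture's code, of what such a review computes: for each account, the permissions it holds but has not used in the review window, privileged accounts with no activity at all, and activity from accounts that have no grant on record. The grants, the log lines, their key=value format and the review date are all constructed for the example.

```python
"""Added example: least-privilege access review over grants and an audit log.

GRANTS, SAMPLE_LOG and the log line format are constructed sample data.
"""
import re
from datetime import datetime, timedelta, timezone

GRANTS = {                     # constructed: account -> permissions on record
    "alice": {"read_file", "install_software", "manage_users"},
    "bob": {"read_file", "install_software"},
    "carol": {"read_file"},
    "svc-backup": {"read_file", "manage_users"},
}
PRIVILEGED = {"install_software", "manage_users"}

SAMPLE_LOG = """\
2024-06-01T08:15:02Z user=alice action=read_file outcome=allowed
2024-06-03T09:00:10Z user=alice action=install_software outcome=allowed
2024-06-04T17:42:55Z user=bob action=read_file outcome=allowed
2024-03-02T11:00:00Z user=bob action=install_software outcome=allowed
2024-06-10T10:10:10Z user=carol action=read_file outcome=allowed
2024-06-10T10:11:00Z user=carol action=install_software outcome=denied
2024-06-11T02:00:00Z user=mallory action=read_file outcome=allowed
this line is garbage and must not abort the review
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) outcome=(?P<outcome>\S+)$"
)


def parse_log(text: str) -> list:
    """Parse (timestamp, user, action, outcome) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["user"], m["action"], m["outcome"]))
    return events


def review(grants: dict, events: list, review_date: str, window_days: int = 90) -> dict:
    """Compare granted permissions with permissions actually exercised in the window.
    Only 'allowed' events count as use: a denied attempt is not evidence of need."""
    until = datetime.strptime(review_date, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    since = until - timedelta(days=window_days)
    used = {account: set() for account in grants}
    active, unknown_accounts = set(), set()
    for ts, user, action, outcome in events:
        if ts < since or ts > until:
            continue
        if user not in grants:
            unknown_accounts.add(user)       # activity with no grant on record
            continue
        active.add(user)
        if outcome == "allowed":
            used[user].add(action)
    return {
        # candidates for revocation: held but never exercised in the window
        "unused_grants": {a: sorted(grants[a] - used[a]) for a in grants if grants[a] - used[a]},
        # privileged accounts with no activity at all: disable or justify
        "dormant_privileged": sorted(a for a in grants if a not in active and grants[a] & PRIVILEGED),
        "unknown_accounts": sorted(unknown_accounts),
    }


if __name__ == "__main__":
    report = review(GRANTS, parse_log(SAMPLE_LOG), "2024-06-30")
    for key, value in report.items():
        print(f"{key}: {value}")
```

With a 90-day window ending 2024-06-30, bob's only use of install_software (2 March) falls outside the window and is flagged as unused; carol's denied attempt at install_software is ignored; svc-backup holds manage_users but never appears, so it is listed as dormant and privileged; mallory's activity with no grant on record is flagged separately, since that is a policy or directory inconsistency rather than an unused right.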
Questions???