first security barrier to an organization's IT infrastructure
is the access control system. Here are some ways to
improve or complement your access control mechanisms.
by Avinash Kadam
Security is synonymous with
Access Control. Our first encounter with any information
system is a screen prompt for user-ID and password,
which is our authorization for accessing the system.
Access control is the largest domain of BS 7799, and
While providing access, one
has to consider a number of questions, all beginning
with Why, What, Who and How. These questions are framed
around the following control objectives.
- Business requirement for
- User access management
- User responsibilities
- Network access control
- Operating system access
- Application access control
- Monitoring system access
- Mobile computing and tele-working
Access Control is about applying
these controls to one's satisfaction.
REQUIREMENT FOR ACCESS CONTROL
You have to take a hard nose approach when establishing
the policy and rules for access control.
Policy and business requirement
The policy should clearly state who should be allowed
access to particular information. Apart from business
needs for access control, we may also have legal and
contractual obligations to meet. Information classification
and the access control rules should be consistent.
Access control rules
Access control policies are implemented through access
control rules. The system administrators frame the rules
and machines are configured to implement these rules.
For example, a firewall will implement the rules pertaining
to network access control. These rules should be simple
and clear enough to be comprehended.
Life would have been much simpler if we had to deal
only with machines. They would have obeyed all rules
without any questions. However, in reality, we are dealing
with human beings, who are far more intelligent than
the machines. But the problem here is that they can
also be disobedient, rebellious or in many cases, just
malicious. Given this propensity of human nature, we
have to take appropriate steps to manage user access
to vital information.
Relevant information about every user should be documented.
It should raise the following questions: Why is the
user granted the access? Has the data owner approved
the access? Has the user accepted the responsibility?
Documenting the answers to these and similar questions
should be part of the registration process.
Equally important is the de-registration
process. When a user no longer requires access rights,
his/her rights should be promptly removed.
Access privileges should be in accordance with work
requirements and responsibilities. For example, an operator
will have direct access to operating system commands.
He/she will be provided higher access privileges than
others. However, misuse of such privileges could endanger
the organization's information security. Allocation
of such privileges should be on a need-to-use basis.
Minimum privileges for performing the job function should
User password management
Passwords are usually the only screening point for access
to systems. Allocations, storage, revocation, and reissue
of password are password management functions. A more
important issue is educating users about importance
of passwords, and making them responsible for their
Review of user access rights
A user's need for accessing information changes with
time. Periodic review of access rights will remove any
anomalies in the user's current job profile, and the
privileges granted to them earlier.
Maintaining information security is not management's
responsibility alone. Users are equally responsible.
The two major expectations from the user are as follows:
Users should choose strong passwords and maintain confidentiality.
Unattended user equipment
Users should ensure that none of the equipment under
their responsibility is ever left unprotected. They
should also secure their PCs with a password, and should
not leave it accessible to others.
An Internet connection exposes every organization to
the entire world. The organization should benefit from
the connection to the outside world but should also
be protected from harmful elements. This can be achieved
through the following means:
Policy on use of network
A policy based on business needs for using the Internet
services is the first step. Selection of appropriate
services and approval to access them will be part of
Based on risk assessment, it may be necessary to specify
the exact path or route connecting the networks. For
example, routing all accesses only through a firewall.
Similarly, the menu and submenu could be used for logging
into a system restricting the options available to the
User authentication for
Internet gives anonymity to users, but we definitely
need to authenticate every person attempting to access
our network through an external connection. The techniques
used for user authentication may vary from a simple
login process to use of hardware tokens, challenge/
response protocol or even digital certificates. Similarly,
you may use callback procedures to verify telephone
Besides users, remote computers could also be authenticated
by appropriate technical means.
Remote diagnostic port authentication
Many types of equipment are provided with a diagnostic
port for remote diagnostic and maintenance. This definitely
saves an engineer's time. But, if the same ports are
left accessible, others could take disadvantage of it
and get access through such ports. Appropriate measures
should be taken to prevent such misuse.
Segregation of networks
Some parts of network may be handling more sensitive
information than the others. So networks should be segregated
based on usage and protection needs. Such segregation
will isolate any attempt to intrude in a network.
Network connection control
The traffic between networks should be restricted, based
on the access policy. Access between the networks should
be allowed only after authentication.
Network routing control
The traffic between networks should also be guided as
per the access policy implemented by the routing rules.
These will be based on identification of source and
Security of network services
The related security features must be understood before
we subscribe to any network service. For example, if
we use the Electronic Data Interchange (EDI) service,
we should also understand the security provisions of
such a service.
SYSTEM ACCESS CONTROL
Operating system provides the environment for an application
to use various resources of the computer and perform
the specific business function. If an intruder is able
to bypass the network perimeter security controls, the
operating system is the last barrier to be conquered
for unlimited access to all the resources. Hence, protecting
operating system access is extremely crucial.
Automated terminal identification
This will help to ensure that a particular session could
only be initiated from a particular location or computer
Terminal log-on procedures
The log-on procedure does not provide unnecessary help
or information, which could be misused by an intruder.
User identification and
The users must be identified and authenticated in a
foolproof manner. Depending on risk assessment, more
stringent methods like Biometric Authentication or Cryptographic
means like Digital Certificates should be employed.
Password management system
An operating system could enforce selection of good
passwords. Internal storage of password should use one-way
encryption algorithms and the password file should not
be accessible to users.
Use of system utilities
System utilities are the programs that help to manage
critical functions of the operating systemfor
example, addition or deletion of users. Obviously, this
utility should not be accessible to a general user.
Use and access to these utilities should be strictly
controlled and logged.
Duress alarm to safeguard
If users are forced to execute some instruction under
threat, the system should provide a means to alert the
authorities. An example could be forcing a person to
withdraw money from the ATM. Many banks provide a secret
code to alert the bank about such transactions.
Terminal time out
Log out the user if the terminal is inactive for a defined
period. This will prevent misuse in absence of the legitimate
Limitation of connection
Define the available time slot. Do not allow any transaction
beyond this time period. For example, no computer access
after 8.00 p.m. and before 8.00 a.m.or on a Saturday
This is the last lock an intruder will have to break
to get his hands on the desired information he is after.
Information access restriction
Prevent access to information by means of menus, which
limit access to system function. A user should be allowed
access only to those items he is authorized to access.
Control the access rights of users, For example, read,
write, delete, and execute. Make sure that sensitive
output is sent only to authorized terminals and locations.
Sensitive system isolation
It may even be necessary to run a sensitive system in
an isolated environment.
SYSTEM ACCESS AND USE
This is a detective control, to find whether the preventive
controls discussed so far are working. If not, this
control will detect any unauthorized activities.
Computer systems can maintain extensive logs for all
types of events. Ensure that the logging is enabled
and the logs are archived properly.
Monitor system use
Based on the risk assessment you may have to constantly
monitor use of some critical systems. Define the details
of types of accesses, operations, events and alerts
that will be monitored. Extent of these details and
the frequency of review will be based on criticality
of operation and risk factors. Similarly, the log files
should also be reviewed periodically. Special attention
should be given to any gaps in the logs.
The event logs are recorded as per the system time clock.
If different systems have different clock time, correlating
an event will be impossible. All the system clocks should
be synchronized as per some standard time.
COMPUTING AND TELE-WORKING
Use of computers is not restricted to the data center
alone. Easy availability of powerful desktops and portable
computers provide an opportunity to work from home and
also while traveling. This puts additional responsibility
on users and organizations to maintain information security.
Portable computers and devices have large disk capacities.
Theft of such computers might be for the data carried
on the disk drives rather than the value of the computer.
All possible physical protection should be provided
to such devices. These should not be kept out of sight
at any time. Information on these computers should be
encrypted. So, even if the computer is stolen, the information
will be protected.
A tele-worker has complete access to the information
on the main computer. Keeping this fact in mind, appropriate
steps should be taken for physical security of the equipment
as well as access control. Use of this personal computer
by other family members should be discouraged.