The first security barrier to an organization's IT infrastructure is the access control system. Here are some ways to improve or complement your access control mechanisms.
by Avinash Kadam
Security is synonymous with access control. Our first encounter with any information system is a screen prompt for user-ID and password, which is our authorization for accessing the system. Access control is the largest domain of BS 7799, and rightly so.
While providing access, one has to consider a number of questions, all beginning with Why, What, Who and How. These questions are framed around the following control objectives:
- Business requirement for access control
- User access management
- User responsibilities
- Network access control
- Operating system access control
- Application access control
- Monitoring system access and use
- Mobile computing and tele-working
Access control is about applying these controls to one's satisfaction.
BUSINESS REQUIREMENT FOR ACCESS CONTROL
You have to take a hard-nosed approach when establishing the policy and rules for access control.
Policy and business requirement
The policy should clearly state who should be allowed access to particular information. Apart from business needs for access control, we may also have legal and contractual obligations to meet. Information classification and the access control rules should be consistent.
Access control rules
Access control policies are implemented through access control rules. The system administrators frame the rules and machines are configured to implement them. For example, a firewall will implement the rules pertaining to network access control. These rules should be simple and clear enough to be comprehended.
USER ACCESS MANAGEMENT
Life would be much simpler if we had to deal only with machines. They would obey all rules without any questions. In reality, however, we are dealing with human beings, who are far more intelligent than the machines, but who can also be disobedient, rebellious or, in many cases, just malicious. Given this propensity of human nature, we have to take appropriate steps to manage user access to vital information.
User registration
Relevant information about every user should be documented. The process should raise the following questions: Why is the user granted the access? Has the data owner approved the access? Has the user accepted the responsibility? Documenting the answers to these and similar questions should be part of the registration process.
Equally important is the de-registration process. When a user no longer requires access rights, his/her rights should be promptly removed.
Privilege management
Access privileges should be in accordance with work requirements and responsibilities. For example, an operator will have direct access to operating system commands and will be provided higher access privileges than others. However, misuse of such privileges could endanger the organization's information security. Allocation of such privileges should be on a need-to-use basis: the minimum privileges required for performing the job function should be granted.
User password management
Passwords are usually the only screening point for access to systems. Allocation, storage, revocation and reissue of passwords are password management functions. A more important issue is educating users about the importance of passwords and making them responsible for their own password.
Review of user access rights
A user's need for accessing information changes with time. Periodic review of access rights will remove any anomalies between the user's current job profile and the privileges granted to them earlier.
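The registration, privilege management and review steps above can be partly automated. The following is an added example (not from the article) that compares the privileges each user currently holds against what their current job profile needs, and flags de-registered, unapproved and unregistered accounts; the roles, users and grants are constructed sample data.

```python
# Added example (not from the article): a periodic review of user access rights.
# The role definitions, user records and grants below are constructed sample data.

# Constructed: what each job profile legitimately needs (least privilege).
ROLE_PRIVILEGES = {
    "clerk": {"ledger:read"},
    "operator": {"ledger:read", "os:shell", "backup:run"},
    "auditor": {"ledger:read", "logs:read"},
}

# Constructed: registration records. A user with no current role has been
# de-registered and should hold no rights at all.
USERS = {
    "asha": {"role": "clerk", "approved_by": "data-owner"},
    "ravi": {"role": "operator", "approved_by": "data-owner"},
    "meera": {"role": None, "approved_by": "data-owner"},  # left the organization
    "john": {"role": "auditor", "approved_by": None},      # access never approved
}

# Constructed: privileges actually granted on the system today.
GRANTS = {
    "asha": {"ledger:read", "os:shell"},   # os:shell left over from an earlier job
    "ravi": {"ledger:read", "os:shell", "backup:run"},
    "meera": {"ledger:read"},              # should have been removed at de-registration
    "john": {"ledger:read", "logs:read"},
    "tmpuser": {"os:shell"},               # nobody registered this account
}

def review_access(users, grants, role_privileges):
    """Return (user, finding, privileges) anomalies for the reviewer to act on."""
    findings = []
    for user, record in users.items():
        granted = grants.get(user, set())
        role = record["role"]
        if role is None:
            if granted:
                findings.append((user, "de-registered user still holds rights", granted))
            continue
        if record["approved_by"] is None and granted:
            findings.append((user, "rights granted without data-owner approval", granted))
        excess = granted - role_privileges.get(role, set())
        if excess:
            findings.append((user, f"rights beyond the {role} role", excess))
    for user in sorted(grants.keys() - users.keys()):
        findings.append((user, "account not in the user register", grants[user]))
    return sorted(findings, key=lambda f: (f[0], f[1]))

if __name__ == "__main__":
    for user, finding, privs in review_access(USERS, GRANTS, ROLE_PRIVILEGES):
        print(f"{user}: {finding}: {sorted(privs)}")
```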
USER RESPONSIBILITIES
Maintaining information security is not management's responsibility alone. Users are equally responsible. The two major expectations from the user are as follows:
Password use
Users should choose strong passwords and maintain their confidentiality.
Unattended user equipment
Users should ensure that none of the equipment under their responsibility is ever left unprotected. They should also secure their PCs with a password and should not leave them accessible to others.
NETWORK ACCESS CONTROL
An Internet connection exposes every organization to the entire world. The organization should benefit from the connection to the outside world but should also be protected from harmful elements. This can be achieved through the following means:
Policy on use of network services
A policy based on business needs for using Internet services is the first step. Selection of appropriate services and approval to access them will be part of this policy.
Enforced path
Based on risk assessment, it may be necessary to specify the exact path or route connecting the networks, for example routing all accesses only through a firewall. Similarly, menus and submenus could be used when logging into a system to restrict the options available to the user.
User authentication for external connections
The Internet gives anonymity to users, but we definitely need to authenticate every person attempting to access our network through an external connection. The techniques used for user authentication may vary from a simple login process to the use of hardware tokens, challenge/response protocols or even digital certificates. Similarly, you may use callback procedures to verify telephone connections.
Node authentication
Besides users, remote computers could also be authenticated by appropriate technical means.
Remote diagnostic port authentication
Many types of equipment are provided with a diagnostic port for remote diagnosis and maintenance. This definitely saves an engineer's time. But if the same ports are left accessible, others could take advantage of them and gain access through such ports. Appropriate measures should be taken to prevent such misuse.
Segregation of networks
Some parts of a network may be handling more sensitive information than others, so networks should be segregated based on usage and protection needs. Such segregation will isolate any attempt to intrude into a network.
Network connection control
The traffic between networks should be restricted, based on the access policy. Access between the networks should be allowed only after authentication.
Network routing control
The traffic between networks should also be guided as per the access policy implemented by the routing rules. These will be based on identification of source and destination addresses.
Security of network services
The related security features must be understood before we subscribe to any network service. For example, if we use an Electronic Data Interchange (EDI) service, we should also understand the security provisions of that service.
OPERATING SYSTEM ACCESS CONTROL
The operating system provides the environment for an application to use the various resources of the computer and perform its specific business function. If an intruder is able to bypass the network perimeter security controls, the operating system is the last barrier to be conquered for unlimited access to all the resources. Hence, protecting operating system access is extremely crucial.
Automated terminal identification
This will help to ensure that a particular session can only be initiated from a particular location or computer terminal.
Terminal log-on procedures
The log-on procedure should not provide unnecessary help or information which could be misused by an intruder.
User identification and authentication
Users must be identified and authenticated in a foolproof manner. Depending on the risk assessment, more stringent methods like biometric authentication or cryptographic means like digital certificates should be employed.
Password management system
An operating system could enforce the selection of good passwords. Internal storage of passwords should use one-way encryption algorithms, and the password file should not be accessible to users.
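As an added example (not from the article), the following Python shows the points above in a small password management routine: a quality check before a new password is accepted, storage of only a salted one-way hash, and a record file readable by its owner alone. The length threshold, banned list, PBKDF2 work factor and record format are assumptions.

```python
# Added example (not from the article): enforcing good passwords and storing only
# a salted one-way hash. Standard library only; the policy thresholds, the banned
# list and the record format are assumptions.
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 600_000   # assumed work factor; raise it as hardware gets faster
MIN_LENGTH = 12           # assumed minimum length
# Constructed: a tiny banned list standing in for a real dictionary check.
BANNED = {"password", "welcome1", "letmein", "qwerty"}

def password_is_acceptable(password, user_id):
    """Enforce selection of good passwords before a new one is accepted."""
    p = password.lower()
    if len(password) < MIN_LENGTH:
        return False
    if p in BANNED or user_id.lower() in p:
        return False
    classes = [any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
    return sum(classes) >= 3

def make_record(password):
    """Produce the stored form: algorithm, rounds, salt and digest, never the plaintext."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"

def verify(record, password):
    """Recompute the hash from the stored salt and compare in constant time."""
    algo, rounds, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown record format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)

def save_record(path, user_id, record):
    """Append the record to a file created with mode 0600, unreadable by other users."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "a") as f:
        f.write(f"{user_id}:{record}\n")
```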
Use of system utilities
System utilities are the programs that help to manage critical functions of the operating system, for example addition or deletion of users. Obviously, such utilities should not be accessible to a general user. Use of and access to these utilities should be strictly controlled and logged.
Duress alarm to safeguard users
If users are forced to execute some instruction under threat, the system should provide a means to alert the authorities. An example could be forcing a person to withdraw money from an ATM. Many banks provide a secret code to alert the bank about such transactions.
Terminal time out
Log out the user if the terminal is inactive for a defined period. This will prevent misuse in the absence of the legitimate user.
Limitation of connection time
Define the available time slot and do not allow any transaction beyond this time period. For example, no computer access after 8.00 p.m. and before 8.00 a.m., or on a Saturday or Sunday.
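An added example (not from the article) that enforces the terminal time-out and the connection-time limitation together over a set of live sessions, using the article's 8.00 a.m. to 8.00 p.m. weekday window; the 15-minute idle limit and the session data are assumptions.

```python
# Added example (not from the article): enforcing the terminal time-out and the
# connection-time limitation together. Timestamps are ISO 8601 strings in local
# time; the idle limit, the window and the sample sessions are assumptions.
from datetime import datetime, timedelta

IDLE_LIMIT = timedelta(minutes=15)   # assumed inactivity threshold
WINDOW_START, WINDOW_END = 8, 20     # 8.00 a.m. to 8.00 p.m., as in the article
WORKING_DAYS = {0, 1, 2, 3, 4}       # Monday=0 .. Friday=4; no Saturday or Sunday

def within_connection_window(when):
    """True only on a working day from 08:00:00 up to (not including) 20:00:00."""
    t = datetime.fromisoformat(when)
    return t.weekday() in WORKING_DAYS and WINDOW_START <= t.hour < WINDOW_END

def session_decision(last_activity, now):
    """Decide for one session: 'allow', 'logout:idle' or 'logout:outside-hours'."""
    idle_for = datetime.fromisoformat(now) - datetime.fromisoformat(last_activity)
    if idle_for > IDLE_LIMIT:
        return "logout:idle"
    if not within_connection_window(now):
        return "logout:outside-hours"
    return "allow"

def sweep(sessions, now):
    """Evaluate every live session at time `now`; returns {session_id: decision}."""
    return {sid: session_decision(last, now) for sid, last in sessions.items()}

# Constructed sample: three terminals on Friday 14 June 2024, just before 8 p.m.
SESSIONS = {
    "tty1": "2024-06-14T19:55:00",   # active three minutes before the sweep
    "tty2": "2024-06-14T19:30:00",   # idle for 28 minutes
    "tty3": "2024-06-14T19:57:00",
}

if __name__ == "__main__":
    for sid, decision in sweep(SESSIONS, "2024-06-14T19:58:00").items():
        print(sid, decision)
```

The same `within_connection_window` check applies to a new log-on attempt, not only to sessions already open.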
APPLICATION ACCESS CONTROL
This is the last lock an intruder will have to break to get his hands on the information he is after.
Information access restriction
Prevent access to information by means of menus which limit access to system functions. A user should be allowed access only to those items he is authorized to access. Control the access rights of users, for example read, write, delete and execute. Make sure that sensitive output is sent only to authorized terminals and locations.
Sensitive system isolation
It may even be necessary to run a sensitive system in an isolated environment.
MONITORING SYSTEM ACCESS AND USE
This is a detective control, to find out whether the preventive controls discussed so far are working. If not, this control will detect any unauthorized activities.
Event logging
Computer systems can maintain extensive logs for all types of events. Ensure that logging is enabled and the logs are archived properly.
Monitor system use
Based on the risk assessment, you may have to constantly monitor use of some critical systems. Define the details of the types of accesses, operations, events and alerts that will be monitored. The extent of these details and the frequency of review will be based on the criticality of the operation and the risk factors. Similarly, the log files should also be reviewed periodically. Special attention should be given to any gaps in the logs.
Clock synchronization
Event logs are recorded as per the system clock. If different systems have different clock times, correlating an event will be impossible. All system clocks should be synchronized to some standard time.
MOBILE COMPUTING AND TELE-WORKING
Use of computers is not restricted to the data center alone. Easy availability of powerful desktops and portable computers provides an opportunity to work from home and also while traveling. This puts additional responsibility on users and organizations to maintain information security.
Mobile computing
Portable computers and devices have large disk capacities. Theft of such computers might be for the data carried on the disk drives rather than the value of the computer. All possible physical protection should be provided to such devices; they should not be left out of sight at any time. Information on these computers should be encrypted, so that even if the computer is stolen, the information will be protected.
Tele-working
A tele-worker has complete access to the information on the main computer. Keeping this fact in mind, appropriate steps should be taken for physical security of the equipment as well as access control. Use of this personal computer by other family members should be discouraged.