Week 5 Essay Questions

School: University of Maryland, University College
Course: 425
Subject: Information Systems
Date: Jan 9, 2024
Pages: 3
Uploaded by mdshay

1. Access controls are security features that are usually considered the first line of defense in asset protection. They are used to dictate how subjects access objects, and their main goal is to protect the objects from unauthorized access. Access control models are frameworks that use access controls to enforce the rules and objectives of the model. In your essay response, compare the different Access Control Models and give an example of one that you have used in a work situation or, if that is not possible, one that you've read about in a scholarly article.

There are three basic access control models: Role-based Access Control (RBAC), Discretionary Access Control (DAC), and Mandatory Access Control (MAC). These models differ in how access is assigned and confirmed. RBAC defines the different roles that users have and then determines the access they need to carry out the responsibilities of those roles. Access to data is limited to the scope of those roles, since there is no need-to-know beyond them. DAC is maintained and directed by the owner of the information or systems being accessed. There is no specific method for how this is achieved: it can be exclusively at the discretion of the owner, or the owner can set up a system to determine access (Das, 2012). MAC separately classifies users and information or systems and grants access based on these classifications (Fundamentals, n.d.). For a user to have access to information or systems, the user has to have the same classification level.

In my experience, MAC is used in the way that access to government and military classified information is maintained. Employees are assigned clearance levels, and information and networks are assigned classification levels. One's access to classified material should never exceed their clearance level.

Sources:
Fundamentals of Information Systems Security/Access Control Systems. (n.d.). Retrieved from https://en.wikibooks.org/wiki/Fundamentals_of_Information_Systems_Security/Access_Control_Systems#Access_Control_Models
Das, S., Kant, K. & Zhang, N. (2012). Handbook on securing cyber-physical critical infrastructure: foundations and challenges. [Books24x7 version] Available from http://common.books24x7.com.ezproxy.umuc.edu/toc.aspx?bookid=47116

2. Relying on a password to secure access to a system does not provide enough security in today's complex world. The Office of Personnel Management learned this the hard way in 2015. Since OPM was hacked and it was learned that the attackers compromised its system administrator accounts, which were protected only with passwords, the Federal government has required the use of multifactor authentication for privileged accounts. Describe the three factors that can be used in authentication and give at least two examples for each.

Multifactor authentication is a best practice for preventing unauthorized access in many industries. There are typically three ways that this can be expressed: something you know, something you have, and something you are (Fundamentals, n.d.). Something you know represents knowledge that only you have, such as a password or a PIN (Gibson, 2011). This is probably the cheapest method of authentication. Something you have represents an item that should only be in your possession. One good example is a smart card, typically used in conjunction with a PIN. Another good example is a hardware token that produces new codes every 60 seconds. Something you are represents a person's physical characteristics, implemented in the form of biometrics. There are many kinds of biometrics; good examples are retinal scanners, fingerprint scanners, and hand geometry scanners (Fundamentals, n.d.).

I have personal experience with a few of these methods. I have had to use a hand geometry scanner as part of a man-trap setup to get into work. I've also had a system login that required a password, a PIN, and a hardware token that displayed a code. It just goes to show that there are some creative setups for multifactor authentication.

Sources:
Fundamentals of Information Systems Security/Access Control Systems. (n.d.). Retrieved from https://en.wikibooks.org/wiki/Fundamentals_of_Information_Systems_Security/Access_Control_Systems#Access_Control_Models
Gibson, D. (2011). Microsoft Windows security: essentials. [Books24x7 version] Available from http://common.books24x7.com.ezproxy.umuc.edu/toc.aspx?bookid=43253

3. There are two main methods of access control administration that an organization can choose between to achieve the level of protection they need to secure their assets and information: centralized and decentralized. Describe the RADIUS, TACACS, and DIAMETER forms of centralized access control administration. What are the advantages and disadvantages of decentralized administration?

Centralized access control means that a single entity is responsible for assigning and assuring access for an organization. RADIUS authorizes access by having remote access servers contact a central server that contains user profile data. RADIUS uses a client/server protocol that is intended to be agnostic with regard to the software it is used with (Tipton, 2007). It is also the better option for simpler authentication methods. TACACS+ is the current iteration of TACACS, and while they share similar client/server protocols, they vary in a few ways. TACACS+ uses TCP, a different transport protocol from RADIUS, and also encrypts the entire password request packet, as opposed to RADIUS, which encrypts only the password (Tipton, 2007). TACACS+ is also capable of supporting two-factor authentication and is a good choice for more complicated authentication methods (Fundamentals, n.d.).

Diameter was built similarly to RADIUS but was designed not to suffer the same drawbacks. It uses a peer-to-peer protocol instead of the client/server one, which allows for mutual communication between servers (Fundamentals, n.d.). Because it uses a base protocol to ensure uniform data transfer, other extensions can use it for authorization, authentication, and accounting (Tipton, 2007).

Decentralized administration means that access control is delegated to the managers who are closer to the resources. Some advantages are that administration is a little nimbler and can respond to local issues (Fundamentals, n.d.). It may, however, result in a departure from uniform implementation of security policy and in overlapping access issues. Password Authentication Protocol and Challenge Handshake Authentication Protocol are typically used in decentralized administration (Kim, 2014).

Sources:
Fundamentals of Information Systems Security/Access Control Systems. (n.d.). Retrieved from https://en.wikibooks.org/wiki/Fundamentals_of_Information_Systems_Security/Access_Control_Systems#Access_Control_Models
Kim, D. & Solomon, M. (2014). Fundamentals of information systems security, second edition. [Books24x7 version] Available from http://common.books24x7.com.ezproxy.umuc.edu/toc.aspx?bookid=69815
Tipton, H. & Krause, M. (2007). Information security management handbook, sixth edition, volume 1. [Books24x7 version] Available from http://common.books24x7.com.ezproxy.umuc.edu/toc.aspx?bookid=26438
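The three models compared in question 1, each reduced to a single access decision so the differences in who assigns access become concrete; this is an added example, not code from the essay or its sources, and the users, roles, clearance labels and rights are constructed assumptions.

```python
from dataclasses import dataclass, field

# Added example, not from the essay or its sources: the three models compared
# in question 1, each reduced to one access decision over constructed sample
# data. The users, roles, labels and rights below are assumptions.

# Mandatory Access Control: the system labels subjects (clearance) and objects
# (classification); a subject may read an object only when its clearance
# dominates the object's label, and neither party can change the labels.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

def mac_can_read(clearance: str, classification: str) -> bool:
    return LEVELS[clearance] >= LEVELS[classification]

# Role-Based Access Control: permissions attach to roles and users to roles;
# a user never holds a permission directly, so changing a role changes everyone in it.
ROLE_PERMS = {
    "analyst": {"read:report"},
    "admin": {"read:report", "write:report", "manage:users"},
}
USER_ROLES = {"alice": {"analyst"}, "bob": {"admin"}}

def rbac_can(user: str, perm: str) -> bool:
    return any(perm in ROLE_PERMS[r] for r in USER_ROLES.get(user, set()))

# Discretionary Access Control: the object's owner alone decides who gets which
# right, by editing the object's ACL at their discretion.
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)  # user -> set of rights

    def grant(self, actor: str, user: str, right: str) -> None:
        if actor != self.owner:
            raise PermissionError(f"{actor} does not own this object")
        self.acl.setdefault(user, set()).add(right)

    def can(self, user: str, right: str) -> bool:
        return user == self.owner or right in self.acl.get(user, set())

if __name__ == "__main__":
    print(mac_can_read("SECRET", "TOP SECRET"))  # False: clearance too low
    print(rbac_can("alice", "write:report"))     # False: analyst role lacks it
    doc = DacObject(owner="carol")
    doc.grant("carol", "dave", "read")
    print(doc.can("dave", "read"), doc.can("dave", "write"))  # True False
```

The contrast to notice is who can change the outcome: in MAC only the labelling authority, in RBAC only whoever edits the role tables, and in DAC the owner of each object.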
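For question 2, a login check that combines two of the factor categories (a stored password hash for something you know, and a 60-second-step code of the kind a hardware token shows for something you have, computed as in RFC 6238) and that counts a password and a PIN as one category rather than two; this is an added example, not code from the essay or its sources, and the user record, salt, seed and factor names are constructed assumptions.

```python
import hashlib
import hmac
import struct

# Added example, not from the essay or its sources: a login check built from
# the factor categories in question 2. The user record, secrets and factor
# names are constructed assumptions.

# Each presented factor belongs to one category; a password and a PIN are both
# knowledge, so presenting both still counts as a single factor.
FACTOR_CATEGORY = {"password": "know", "pin": "know",
                   "totp": "have", "smartcard": "have",
                   "fingerprint": "are", "hand_geometry": "are"}

def distinct_categories(factors) -> int:
    return len({FACTOR_CATEGORY[f] for f in factors})

# Something you know: store a salted, stretched hash, never the password.
def hash_password(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

def check_password(pw: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(hash_password(pw, salt), stored)

# Something you have: a token showing a fresh code every `step` seconds,
# computed as in RFC 6238 (HMAC-SHA1 over the time counter, dynamic truncation).
def totp(secret: bytes, now: int, step: int = 60, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def check_totp(secret: bytes, code: str, now: int, step: int = 60) -> bool:
    # Accept the current and the previous step to absorb small clock drift.
    return any(hmac.compare_digest(totp(secret, now - d * step, step), code)
               for d in (0, 1))

# Constructed user record: password hash plus the seed shared with the token.
SALT = b"constructed-salt"
USER = {"pw_hash": hash_password("correct horse", SALT),
        "seed": b"12345678901234567890"}
VERIFIERS = {"password": lambda v, now: check_password(v, SALT, USER["pw_hash"]),
             "totp": lambda v, now: check_totp(USER["seed"], v, now)}

def login(presented: dict, now: int) -> bool:
    """True only if the factors span two categories and every one verifies."""
    if distinct_categories(presented) < 2:
        return False
    return all(VERIFIERS[name](value, now) for name, value in presented.items())
```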
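To make concrete the point in question 3 that RADIUS protects only the password while TACACS+ encrypts the whole request, here is the User-Password hiding of a RADIUS Access-Request as specified in RFC 2865 section 5.2, with a minimal packet builder that shows the User-Name attribute travelling in the clear beside the hidden password; this is an added example, not code from the essay or its sources, and the shared secret, user name and password are constructed.

```python
import hashlib
import os

# Added example, not from the essay or its sources: the password hiding of a
# RADIUS Access-Request (RFC 2865 section 5.2), to make concrete the point in
# question 3 that RADIUS protects only the password while the User-Name and
# other attributes travel in the clear. Secret, user and password are constructed.

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad to 16-byte blocks, then XOR each block with MD5(secret + previous block)."""
    blocks = max(1, (len(password) + 15) // 16)
    padded = password.ljust(blocks * 16, b"\x00")
    out, prev = b"", authenticator  # the first block is keyed by the Request Authenticator
    for i in range(0, len(padded), 16):
        out += _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = out[-16:]
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: same keystream, chained on the received ciphertext blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")

def access_request(user: bytes, password: bytes, secret: bytes,
                   ident: int = 1, authenticator: bytes = b"") -> bytes:
    """Minimal Access-Request: Code 1, Identifier, Length, 16-byte Authenticator, attributes."""
    authenticator = authenticator or os.urandom(16)
    hidden = hide_password(password, secret, authenticator)
    attrs = bytes([1, 2 + len(user)]) + user          # type 1 User-Name, cleartext
    attrs += bytes([2, 2 + len(hidden)]) + hidden     # type 2 User-Password, hidden
    return bytes([1, ident]) + (20 + len(attrs)).to_bytes(2, "big") + authenticator + attrs

def attributes(pkt: bytes):
    """Yield (type, value) pairs from the attribute area after the 20-byte header."""
    i = 20
    while i < len(pkt):
        t, ln = pkt[i], pkt[i + 1]
        yield t, pkt[i + 2:i + ln]
        i += ln
```

Because the hiding is an MD5-derived keystream keyed by a static shared secret, and every other attribute is plaintext, RADIUS is normally carried over IPsec or RadSec (RADIUS over TLS, RFC 6614) rather than relied on bare.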