Free Essay

Access Control Mechanism

In:

Submitted By anushri
Words 799
Pages 4
Access control through two-Factor Authentication
Access Maintaining data security has become more of a challenge, it is tough to anticipate attacks and prevent all the loopholes in software’s providing security. Verizon in their 2013 Data Breach Investigation Report stated that “Almost 80 percent of the attacks could have been prevented by using something other than single-factor username-password.”

Two –factor authentication (2FA) when applied is one the best ways to secure your accounts online. It is basically a system that implements multiple factors for a verification process. This authentication stems from the principle of “Something the user knows” this could be a username, phone number, password or a personal question and “Something the user has” this would include a one-time passcode, key generator or a smart card. The verification process is similar to the process you would experience at an airport ticket counter. Your ticket when presented at the security acts as your identification and your photo id like the state-id or a passport through your photo would verify that it is you.

Two-way authentication is a method of overcoming the problems associated with the single authentication process, when used efficiently it provides the following benefits. * Improved security: Since this authentication process is a 2 fold approach it ensures that even if a user’s password is compromised the hacker will be denied access until they provide the correct second element. * Reduction in data theft: Unauthorized access to system through phishing, network snooping, hashing the password, brute force attack can be mitigated. * Increased Flexibility: This authentication process can be used by companies to assure data protection by allowing its employee to work remotely * Compliance : 2FA falls in line with the compliance requirements of HIPPA,PCI and Data protection act

There are numerous mechanisms which many companies are implementing 2FA through, some of them are smart-cards one time password tokens, out of band authentication, phone based authentication, authentication verification sent via text. The points to consider while implementing a 2FA in any organization are * Understanding the corporate environment: It is essential to understand the business of the organization, get an idea about the technology the company uses on a day to day basis and what kind of IT security is already in place. * Find the audience you need to cater to: Identify whether the 2FA is needed for internal employees, external employees or for employee who access the systems via VPN. * * Implement in stages: If no target audience or scope is presented start implementation of 2FA in phases. Initially use it only to protect critical business information and then move on to the other sections. * Take Cost and complexity into consideration: Implementing 2FA is a complex and expensive procedure and it is best to identify the number of employees, number of offices and support available.

Some of the best know companies such as Google, Apple, Facebook, Twitter, Dropbox, Evernote, Paypal, Microsoft, Amazon and Linkedin have 2FA in place.

Even with all the security that 2FA offers it’s not an easy task to implement; Internet giants like Google a company that uses the best form of security has had trouble in the initial phases of adding a 2 way authentication. There are a couple of challenges while implementing this authorization method- Legacy systems and software need to be reworked upon extensively to implement 2FA. Usually companies do not use just one type of technology or system from one vendor so putting in a 2FA framework which is compatible across all the software’s is tedious and time consuming. Once implemented some of the companies require their employees to carry some form of tokens for verification purposes. These tokens can be easy misplaced and this adds to the overhead cost of implementing the authorization system.

2FA is not a full-proof method to combat against attacks and it isn’t the easiest to implement but, it is currently the only practicable means of protecting the user from identity theft. It is mandatory for companies to realize that conventional means of using just a static password and username can no longer provide adequate safety more sophisticated means are required to keep threat at bay and protect themselves from business and financial disruptions.

References: 1. Two-factor authentication option, use-cases and best practices,(January27,2014), ComputerWeekly.com, Retrieved from http://bitpipe.computerweekly.com/detail/RES/1389707740_280.html 2. Russell. Kay. "Authentication." Computerworld 34.13 (2000): 77. ProQuest. Web. 2 Feb. 2014. 3. White paper: Two factor authentication, (2005), Identrica, Retrieved from http://www.identrica.com/WhitePapers/Why2FA.pdf 4. Kemshall.A, Underwood.P, (July,2007) “Options for two factor authorization” Retrieved from http://www.securenvoy.com/whitepapers/white_paper_two_factor_authentication.pdf 5. Understanding two factor authentication, (2013), Conjungo, Retrieved from http://www.conjungo.com/technology/two-factor-authentication/benefits-of-two-factor-authentication

Similar Documents

Premium Essay

Information Security Policy in Malaysia.

...Introduction Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. The terms information security, computer security and information assurance are frequently used interchangeably. These fields are interrelated and share the common goals of protecting the confidentiality, integrity and availability of information; however, there are some subtle differences between them. These differences lie primarily in the approach to the subject, the methodologies used, and the areas of concentration. Information security is concerned with the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print, or other forms. Governments, military, financial institutions, hospitals, and private businesses amass a great deal of confidential information about their employees, customers, products, research, and financial status. Most of this information is now collected, processed and stored on electronic computers and transmitted across networks to other computers. Should confidential information about a businesses customers or finances or new product line fall into the hands of a competitor, such a breach of security could lead to lost business, law suits or even bankruptcy of the business. Protecting confidential information is a business requirement, and in many cases also an ethical and legal requirement. For the individual, information...

Words: 6195 - Pages: 25

Premium Essay

Directions for Web and E-Commerce Application Security

...This paper provides directions for web and e-commerce applications security. In particular, access control policies, workflow security, XML security and federated database security issues pertaining to the web and e-commerce applications are discussed. These security measures must be implemented so that they do not inhibit or dissuade the intended e-commerce operation. This paper will discuss pertinent network and computer security issues and will present some of the threats to e-commerce and customer privacy. These threats originate from both hackers as well as the e-commerce site itself. Another threat may originate at ostensibly friendly companies such as DoubleClick, MemberWorks and similar firms that collect customer information and route it to other firms. Much of this transaction information is able to be associated with a specific person making these seemingly friendly actions potential threats to consumer privacy. Many of the issues and countermeasure discussed here come from experiences derived with consulting with clients on how to maintain secure e-commerce facilities. These methods and techniques can be useful in a variety of client and server environments, also serving to alert e-commerce users of potential threats. 1. Introduction For the effective operation of the web and e-commerce applications, security is a key issue. The security threats include access control violations, integrity violations, sabotage, fraud, privacy violations, as well as denial of service...

Words: 3283 - Pages: 14

Premium Essay

Department of Defense (Dod) Ready

...this goal, a list of compliance laws must be compiled to make sure we me the standard. I will outline the controls placed on the computing devices that are being utilized by company employees. I will develop a plan for implementation of the new security policy. The task of creating a security policy to make my firm DoD complaint starts with knowing what laws to become complaint with. There an array of laws to adhere to, but I have listed the majors laws that the firm must comply with. The following is a list of laws that the firm must become complaint with Defense Federal Acquisition Regulation Supplement (DFARS). The DFARS contains requirements of law, DoD-wide policies, delegations of FAR authorities, deviations from FAR requirements, and policies/procedures that have a significant effect on the public (DPAP, 2014). The following is a list of standards for handling unclassified DoD information retrieved from Hogan Lovells website (2016). • prohibiting the posting of any DOD information on websites unless they are restricted to users that provide user ID/password, digital certificate, or similar credentials • using the “best level of security and privacy available” for transmissions of any DOD information transmitted via email, text messaging, and similar technologies; • transmitting any DOD information via telephone or fax only when reasonably assured that access is limited to authorized recipients; • protection of all DOD information by at least one physical (e.g...

Words: 2282 - Pages: 10

Premium Essay

Case Study - Securing the Network

...when planning for access. Normally, an internal LAN is considered a secure network. Due to its broadcast nature, wireless communications are not considered as secure. Such networks are vulnerable to eavesdropping, rogue access points, and other cracking methods. For remote access, VPN solutions such as dial-up, IPSec VPN, and SSL VPN are commonly used and any access to data center devices must be protected and secured. In the data center, access lists are used to prevent unauthorized access, and reverse-proxy servers use authentication mechanisms to provide a higher degree of security for applications. The need for security is constantly evolving. Maintaining individual security methods for each access scenario can be expensive. There are better alternatives for securing enterprise access. Some that is cost-effective, easy to manage and secure, while addressing performance and scalability requirements. Basic security requirements consist of: • Verification of user credentials and services to define user access. • Client integrity checks that consists of endpoint security verification and of redirecting users to predefined subnets to download compliant anti-virus software, firewalls, operating systems updates, and patches. • Firewall rules such as granular access control and packet filtering based on protocol, port, and destination. Very often, the same users access corporate resources from various locations. Therefore, security mechanisms and access policies should...

Words: 612 - Pages: 3

Premium Essay

Toward an Abstract Language on Top of Xacml for Web Services Security

...6th International Conference on Internet Technology and Secured Transactions, 11-14 December 2011, Abu Dhabi, United Arab Emirates Toward an Abstract Language on Top of XACML for Web Services Security aDepartment of Computer Science and Mathematics, Lebanese American University, Beirut, Lebanon b Department of Computer Engineering, Khalifa University of Science, Technology & Research, Abu Dhabi, UAE CDepartment of Computer Science, Kuwait University, Kuwait b Azzam Mourada, Hadi Otrok , Hamdi YahyaouiC and Lama Baajoura Abstract-We introduce in this paper an abstract language on top of XACML (eXtensible Access Control Markup Language) for web services security. It is based on the automatic generation of XACML security policies from abstract XACML profile(s). Our proposed approach allows first to specify the XACML profiles, which are then translated using our intended compiler into XACML security policies. The main contributions of our approach are: (1) Describing dynamic security policies using an abstract and user friendly profile language on top of XACML, (2) generating automatically the the XACML policies and (3) separating the business and security concerns of composite web services, and hence developing them separately. Our solution address the problems related to the complexity and difficulty of specifying security policies in XACML and other standard languages. We tested the feasibility of our approach by developing the library system (LB) that...

Words: 2085 - Pages: 9

Premium Essay

Project

...This essay is being submitted on 5/9/2013 for Earl Robinson intorduction to security class. Essay week 2 * The remote access control policy consists of * Group membership  * Type of connection  * Time of day  * Authentication methods  * Advanced conditions:  * Access server identity  * Access client phone number or MAC address  * Whether user account dial-in properties are ignored  * Whether unauthenticated access is allowed  After the connection is authorized, remote access policies can also be used to specify connection restrictions, including the following: * Idle timeout time  * Maximum session time  * Encryption strength  * IP packet filters  * Advanced restrictions:  * IP address for PPP connections  * Static routes  Additionally, you can vary connection restrictions based on the following settings: * Group membership  * Type of connection  * Time of day  * Authentication methods  * Identity of the access server  * Access client phone number or MAC address  * Whether unauthenticated access is allowed  On this network I recommend a WAN network . Because the wan network is great for going cities to cities or state to state plus there are more security features that can be recommended. The physical and logical access controls are as follows Authentication Identification is usually providing a public piece of information (username, account number) and...

Words: 348 - Pages: 2

Premium Essay

It302 Research #1

...investigating a wide range of computer security topics including operating system security. Recognizing the critical role of operating system security mechanisms in supporting security at higher levels, researchers from NSA's National Information Assurance Research Laboratory have been investigating an architecture that can provide the necessary security functionality in a manner that can meet the security needs of a wide range of computing environments. End systems must be able to enforce the separation of information based on confidentiality and integrity requirements to provide system security. Operating system security mechanisms are the foundation for ensuring such separation. Unfortunately, existing mainstream operating systems lack the critical security feature required for enforcing separation: mandatory access control. As a consequence, application security mechanisms are vulnerable to tampering and bypass, and malicious or flawed applications can easily cause failures in system security. The results of several previous research projects in this area have yielded a strong, flexible mandatory access control architecture called Flask. A reference implementation of this architecture was first integrated into a security-enhanced Linux® prototype system in order to demonstrate the value of flexible mandatory access controls and how such controls could be added to an operating system. The architecture has...

Words: 1295 - Pages: 6

Premium Essay

Iss Data Classification Standards.Docx

...informative. There are also three types of security policies; organizational, issue specific and system specific. Standards refer to mandatory activities, actions, rules, or regulations. Also standards can give a policy its support and reinforcement in direction. Standards could be internal, or externally mandated as well. Procedures are detailed step-by-step tasks that should be performed to achieve a certain goal such as procedures on how to install operating systems, configure security mechanisms, implement access control lists, set up new user accounts, assign computer privileges, etc… Procedures are considered the lowest level in the policy chain because they are closest to the computers and users If a policy states that all individuals who access confidential information must be properly authenticated, the supporting procedures will explain the steps for this to happen by defining the access criteria for authorization, how access control mechanisms are implemented and configured, and how access activities are audited as well. IT Infrastructure: IT infrastructure consists of the equipment, systems, software, and...

Words: 626 - Pages: 3

Free Essay

It302 Research Assignment 1

...contributors include Network Associates, Red Hat, Secure Computing Corporation, Tresys Technology, and Trusted Computer Solutions. Experimental ports of the FLASK/TE implementation have been made available via the TrustedBSD Project for the FreeBSD and Darwin operating systems. The reason NSA is involved in this project is because this organization is responsible for carrying out the research and advanced development of technologies needed to enable NSA to provide the solutions, products, and services to achieve Information Assurance for information infrastructures critical to U.S. National Security interests. Security-Enhanced Linux (SELinux) is an implementation of a mandatory access control mechanism in the Linux kernel, checking for allowed operations after standard discretionary access controls are checked. The...

Words: 900 - Pages: 4

Premium Essay

Information System Security

...operating system security mechanisms in supporting security at higher levels. End systems must be able to enforce confidentiality and integrity requirements to provide system security. Unfortunately, existing mainstream operating systems lack the critical security feature required for enforcing separation: mandatory access control. Application security mechanisms are vulnerable to tampering and bypass, and malicious or flawed applications can easily cause failures in system security. The results of several of these projects in this area have yielded a strong, flexible mandatory access control architecture called Flask. This has been mainstreamed into Linux and ported to several other systems, including the Solaris™ operating system, the FreeBSD® operating system, and the Darwin kernel. This provides a mechanism to enforce the separation of information based on confidentiality and integrity requirements and it allows threats of tampering and bypassing of application security mechanisms to be addressed while enabling the confinement of damage that can be caused by malicious or flawed applications. This is simply an example of how mandatory access controls that can confine the actions of any process, including an administrator process, can be added into a system. The focus of this work has not been on system assurance or other security features such as security auditing, although these elements are also important for a secure system. The security mechanisms implemented in the system...

Words: 1522 - Pages: 7

Premium Essay

Cryptography Methods

...Unit 3 Discussion 1: Access Control Models 1. Select an access control model that best prevents unauthorized access for each of the five scenarios given in the worksheet 2. Which types of logical access controls should be used in each scenario? Justify your recommendations. Scenario 1. - Discretionary access controls I s a small company consisting of 12 computers only DAC allows each user to control access to their own data and is typically the default access control mechanism for most desktop operating systems. Scenario 2.-Role-based access control Because RBAC is based on a user's job function within the organization to which the computer system belongs. Scenario 3.-Mandatory access controls Because how big is the company MAC takes a hierarchical approach to controlling access to resources. Under a MAC enforced environment access to all resource objects (such as data files) is controlled by settings defined by the system administrator. As such, all access to resource objects is strictly controlled by the operating system based on system administrator configured settings. Mandatory Access Control the operating system checks the user's classification and categories and compares them to the properties of the object's security label. Scenario 4.- Mandatory access control The design of MAC was defined, and is primarily used by the government. Scenario 5.- Mandatory access control Because all access to resource objects is strictly controlled by the operating...

Words: 452 - Pages: 2

Premium Essay

Access Control Models

...ACCESS CONTROL MODELS An access control model is a framework that dictates how subjects access objects. There are three main types of access control model mandatory access control, discretionary access control and role-based access control. Discretionary (DAC) The creator of a file is the ‘owner’ and can grant ownership to others. Access control is at the discretion of the owner. Most common implementation is through access control lists. Discretionary access control is required for the Orange Book “C” Level. Mandatory (MAC) Much more structured. Is based on security labels and classifications. Access decisions are based on clearance level of the data and clearance level of the user, and, classification of the object. Rules are made by management, configured by the administrators and enforced by the operating system. Mandatory access control is required for the Orange Book “B” Level. Role-Based (RBAC) Continually administered set of controls by role within organization. Access rights assigned to roles – not directly to users. Roles are tighter controlled than groups - a user can only have one role. Can use different types of RBAC Role-based Role within organization. Task-based Specific task assigned to the user. Lattice-based Upper and Lower bounds Access Control Techniques and Technologies Once a company decides on the access control model to use, the technologies and techniques to implement that model need to be determined Role-based Can be used with...

Words: 1719 - Pages: 7

Premium Essay

Sscp Study Notes

...SSCP Study Notes 1. Access Controls 2. Administration 3. Audit and Monitoring 4. Risk, Response, and Recovery 5. Cryptography 6. Data Communications 7. Malicious Code Modified version of original study guide by Vijayanand Banahatti (SSCP) Table of Content 1.0 ACCESS CONTROLS…………………………………………………………...... 03 2.0 ADMINISTRATION ……………………………………………………………... 07 3.0 AUDIT AND MONITORING…………………………………………………...... 13 4.0 RISK, RESPONSE, AND RECOVERY………………………………………....... 18 5.0 CRYPTOGRAPHY……………………………………………………………....... 21 6.0 DATA COMMUNICATIONS…………………………………………………...... 25 7.0 MALICIOUS CODE……………………………………………………………..... 31 REFERENCES………………………………………………………………………........ 33 1.0 ACCESS CONTROLS Access control objects: Any objects that need controlled access can be considered an access control object. Access control subjects: Any users, programs, and processes that request permission to objects are access control subjects. It is these access control subjects that must be identified, authenticated and authorized. Access control systems: Interface between access control objects and access control subjects. 1.1 Identification, Authentication, Authorization, Accounting 1.1.1 Identification and Authentication Techniques Identification works with authentication, and is defined as a process through which the identity of an object is ascertained. Identification takes place by using some form of authentication. Authentication Types Example Something you know...

Words: 17808 - Pages: 72

Premium Essay

Maximum Security in Database Management

...information is stored in data bases that are run by organizations, locally hosted on personal computers. Intruders can access this information if it is not properly secured. Therefore the purpose of this study is to inform about the current savvy technologies that can be applied to completely thwart intruders from accessing such delicate information within Rackspace. Part 1: Project Identification and Business Environment For this project to go on in a smooth and effective manner different individuals must carry on certain specified task. For Rackspace, this means that every person must hold on to a responsibility to properly and pursue it to the end. Some of the responsibilities are interdepended and other are depended. In case of an interdependent responsibility there will be a proper communicated channel of events that will ensure that information is traversed from one source to another to smoothen up events. Therefore, the following a list of responsible individuals who will implement the process of securing the database of an organization. Company Chief Executive Officer Responsible for overseeing the success of the entire project and making decisions regarding the financial needs and effects of the project to the organization. Information and Communication Technology Manager The responsibilities include making major decisions in the department that controls an organization’s database. Acts a liaison between the chief executive officer and the technical department. Chief...

Words: 3927 - Pages: 16

Premium Essay

Impotent Music

...endorsement. The articles, documents, publications, presentations, and white papers referenced and used to compile this manual are copyright protected by the original authors. Please give credit where it is due and obtain permission to use these. All material contained has been used with permission from the original author(s) or representing agent/organization. ii T eofContent abl 1.0 INTRODUCTION........................................................................................................................................................... 2 1.1 BASIC INTERNET TECHNICAL DETAILS ........................................................................................................................ 2 1.1.1 TCP/IP : Transmission Control Protocol/Internet Protocol ............................................................................ 2 1.1.2 UDP:User Datagram Protocol............................................................................................................................ 2 1.1.3 Internet Addressing ............................................................................................................................................. 3 1.1.4 Types of Connections...

Words: 134858 - Pages: 540