ITS 4210 - Access Control, Authentication, and PKI

Chapter 1, Access Control Framework

This lesson presents some background material from chapter 1. Objectives important to this lesson:

  1. What is Access Control?
  2. Components of Access Control
  3. Three Stages of Access Control
  4. Logical Access Control
  5. Authentication Factors

Chapter 1

The chapter begins with a discussion of two terms. The first is access which the authors define formally as "the ability of a subject and an object to interact". (Chapple, et al, page 3) This use of those two nouns is like what you may have learned in an English class about diagramming sentences. The subject, in this case, is the person or thing in the sentence that is taking action. The object is the thing that the subject is acting upon. Typically, the subject is a user on a network, and the object is a file that needs to be edited, or a printer the user would like to use, or some other object for which the system controls access.

That takes us to the second term. The point is that there needs to be an access control that allows or denies access to resources. If there is no control, then anything is available to everyone, which is not desirable on most networks. On a network, access control means that rights (privileges) with respect to particular objects, are granted or denied to particular subjects.

That brings us to two sets of bullet points on page 4 which you might confuse. The first set is the components of an access control system:

  • Policies - rules that determine whether a subject has access to an object
  • Subjects - A subject may be a user, a network itself, a process running on a computer, or an application that requests access to a resource.
  • Objects - resources that a subject wants to use

The text calls the second set of bullet points elements of an access control system. That means that these are internal parts of the system itself:

  • Policies - this may mean the business requirements that determine who may access a resource; this may also mean a mechanism in a system (like Microsoft Active Directory) that applies such rules to subjects and objects
  • Procedures - methods used to enforce policies, typically carried out by people
  • Tools - methods used to enforce policies, typically used with or by devices on the network

The discussion on page makes little sense unless you understand the authors' use of the word subject. It is good that they define it again. The text says that there are three types of subjects. It may be clearer to say that there are three categories that a subject may fall under with regard to any particular resource (object).

  • Authorized - those who are known to the system, and are permitted access to the resource
  • Unauthorized - those who are known to the system, but are not permitted access to the resource
  • Unknown - those who are not known to the system; unknown users are typically allowed to authenticate, but not much else

The text states the definitions differently, but those definitions use a word that has not been defined yet. A user who has presented proper credentials to a system and been identified as a known person is a user who has been authenticated. Note that authenticated and authorized are two different things. This leads to the next set of bullet points:

  • Authentication - the process by which users prove their identities to a system
  • Authorization - This one doesn't feel right in the text. A better definition is the process of granting or denying permissions to authenticated users.
  • Accounting - The process by which a system maintains records of the actions of users.

The text expands its list of entities that could act as subjects by explaining that some resources can be subjects:

  • Networks - The text explains that a network is usually an object, but a network may be granted permissions, so that those permissions apply to all users logged in to that network. The example in the text tells us that a firewall rule may state that all addresses on a given network may access the Internet. This is done by granting that permission to the address of the network itself, which makes the network the subject, and the gateway to the Internet is the object.
  • Systems - The text gives an example of a PC that is given permission to use a printer. This would be best done by placing PCs in a group object, and granting permissions to that group. This would allow any user who happened to be using that computer the permission to use the associated printer.
  • Processes and Applications - A process may need access to a network drive when it needs to read or write material there. An application may need the same thing. The process of granting this access is not specified, so we will ignore it for now.

The text begins a new topic, discussing three types of objects that may be protected with access controls:

  • Information - all types of data
  • Technology - applications, systems, networks, and devices attached to them; the text points out that if a user has access to a file server, all files on it may be compromised by that user
  • Physical locations - buildings, rooms, doorways (entrances and exits)

Page 7 shows a classic view of an Access Control process. It has three steps which are once again confusing.

  1. Identification - A user identifies him/herself to the system. This is often done with a User ID and a Password, but it may be done many other ways.
  2. Authentication - The access control system confirms the provided information. The user is now authenticated. The confusing part is that the step above is often referred to as authentication.
  3. Authorization - Assuming the User ID that has been authenticated was previously assigned some right or privileges on the system in question, those rights are now applied to the user's current login session. The confusing part here is that the actual assignment of rights must have been done before this login. That is also called authorization. The authorization that is taking place in this step is the application of those rights to the current session on the network.
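The three stages above, and the three kinds of subject from earlier in the chapter, as an added example in Python (it is not code from the text by Chapple et al.). The user store, salts, passwords and the payroll.xlsx object are all constructed for the illustration:

```python
import hashlib
import hmac
from dataclasses import dataclass, field

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user store. The rights were assigned to each ID before any login;
# that earlier assignment is the first sense of "authorization" in the text.
_SALT_A, _SALT_B = b"constructed-salt-1", b"constructed-salt-2"
USERS = {
    "alice": {"salt": _SALT_A, "hash": _hash("correct horse", _SALT_A),
              "rights": {"payroll.xlsx": {"read", "write"}}},
    "bob":   {"salt": _SALT_B, "hash": _hash("hunter2", _SALT_B),
              "rights": {}},              # known to the system, assigned nothing
}

@dataclass
class Session:
    user_id: str
    authenticated: bool
    rights: dict = field(default_factory=dict)

def login(user_id: str, password: str) -> Session:
    """Stage 1 identification (claim an ID), stage 2 authentication (prove it),
    stage 3 authorization (apply the previously assigned rights to this session)."""
    record = USERS.get(user_id)
    if record is None:                          # unknown subject: nothing to prove against
        return Session(user_id, False)
    if not hmac.compare_digest(record["hash"], _hash(password, record["salt"])):
        return Session(user_id, False)          # known ID, but the proof failed
    return Session(user_id, True, {obj: set(r) for obj, r in record["rights"].items()})

def classify(user_id: str, obj: str) -> str:
    """The text's three kinds of subject, relative to one object."""
    record = USERS.get(user_id)
    if record is None:
        return "unknown"
    return "authorized" if obj in record["rights"] else "unauthorized"

def may(session: Session, action: str, obj: str) -> bool:
    """Authenticated and authorized are different things: both are needed to act."""
    return session.authenticated and action in session.rights.get(obj, set())
```

Bob logs in successfully yet can do nothing with the file, while Alice with a wrong password is an authorized subject who is not authenticated; neither gets access.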

[Image of a SecurID device]

Most security is based on one or more of three types of things: something you have (like a key or an ID card), something you know (like a PIN or a password), or something you are (like a fingerprint).

When a person logs in from a standard workstation in a normal environment, one level of protection, like an ID and password pair, may be secure enough.

For a situation that is more vulnerable, like logging in from a remote location through a public data network, two levels may be required, such as a user name and password pair along with a one-time password from a security device (that may require a Personal ID Number as well). You see the layers? My password (something I know) is no good unless I use the one-time key from the device (something I have), which is no good unless I know the PIN that proves I am allowed to use the device (something else I have to know). The one-time password shown in the image on the right, by the way, is only good for one minute. After that minute, a new six-numeral code will be generated. Sorry guys, the minute for that key passed by long ago. Any complaints should be addressed to the Paladin of the Lost Hour. The device in the photo is an example of a hard token. The functions of such a device can also be implemented in software as a soft token, but I consider that to be a less secure idea. Using a soft token lets the hacker strike another object off his "have to steal all of these" list.
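The layers described above, as an added Python example that is not from the text. The SecurID algorithm itself is proprietary, so this uses the open HOTP truncation (RFC 4226) driven by a 60-second clock step to stand in for it; the seed, PIN and password are constructed:

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed seed, shared between the token and the server at enrollment.
TOKEN_SEED = b"constructed-token-seed-not-a-real-one"
STEP_SECONDS = 60                   # a code is good for one minute, as in the photo
DEVICE_PIN = "4321"                 # PIN that unlocks this token (constructed)
STORED_PASSWORD = "correct horse"   # the user's password on the server (constructed)

def token_code(seed: bytes, now: int, digits: int = 6) -> str:
    """Six-numeral code for the one-minute window containing `now` (unix seconds)."""
    counter = now // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)

def read_from_device(pin_entered: str, now: int) -> Optional[str]:
    """Something you have: the token shows a code only after the right PIN is keyed in."""
    if not hmac.compare_digest(pin_entered, DEVICE_PIN):
        return None
    return token_code(TOKEN_SEED, now)

def server_verify(password: str, code: Optional[str], now: int) -> bool:
    """Something you know plus something you have: both must match for this minute."""
    if code is None:
        return False
    pw_ok = hmac.compare_digest(password, STORED_PASSWORD)
    code_ok = hmac.compare_digest(code, token_code(TOKEN_SEED, now))
    return pw_ok and code_ok
```

A code read from the device at one minute is rejected by the server in the next, which is why a photographed token is no use to anyone.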

As the text points out, the thing that makes secrets valuable is secrecy. If everyone can look up a password, as you can do for the default administrator passwords on most routers, there is not much value in using that password. Passwords usually expire, and you can usually change one any time you need to do so. They should all be changed from time to time. Any time you install something that uses a factory default password, you should change that password, and make a note of it in a secure place.

On page 9, the text discusses logical access controls. This is another way of looking at the rules you need to implement on your network. You need to remember these concepts. A good way is to memorize a line from Rudyard Kipling about six honest serving men:

I keep six honest serving-men
(They taught me all I knew);
Their names are What and Why and When
And How and Where and Who.

(The rest of the poem is not important in this context.)

  • Who are we granting the permissions to? Have we made certain of their identity with the level of security required to access this resource?
  • What kind of access is being granted? Is it the correct kind of access?
  • When is the subject allowed to access this resource? Is there a reason to restrict access by the hour of the day, day of the week, or by a term of service? The text cautions against the overuse of this kind of policy, because it can become an impediment to users instead of a mere restriction.
  • Where is the user, and does that matter? This can be done several ways. Using a logical location, we might restrict access based on an IP address (part of a known network), or a MAC address (from a known device). Using a geographic location may be harder. If access is granted only from devices known to be in a secure location, we are still using logical IDs to grant the access, but we are doing it for a different reason. The main reason to do something like this is to make sure there is no access across a public gateway. Why not allow that? If you are using a VPN, that may be fine, but if you are not, then your transmissions, wireless or not, may be monitored by someone we don't want seeing them.
  • Why is the access being granted? Is this reason compliant with security policies?
  • How will you grant this access? Will we grant access to the subject, to a group that includes the subject, or to a network the subject is using? How much permission will you give? The text tells us that most systems support at least four levels of access to files and folders:
    • Administrative access - all rights to all files in the container (read, write, update, delete)
    • Author access - read and write access, or all rights, but only to files you own in either case
    • Read only access - read access, but none of the other rights
    • No access - just like it sounds, no rights to any files in the container

On page 11, the text discusses granting access according to group membership. This is a much easier approach than applying rights to each individual, especially in an environment in which people frequently change jobs or duties. Since people can be assigned to multiple groups in most systems, their cumulative rights are the sum of those that they receive from each group.
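The six questions from the Kipling list, the four access levels, and the cumulative rights from group membership, worked through in one added Python example (not code from the text). The groups, hours, networks, users and the mapping of levels to rights are all constructed:

```python
import ipaddress

# The four access levels the text describes, as sets of rights (constructed mapping).
LEVELS = {
    "administrative": {"read", "write", "update", "delete"},
    "author": {"read", "write"},      # only on files the subject owns
    "read_only": {"read"},
    "no_access": set(),
}

# Constructed policy for one shared folder: per group, the level granted (How),
# the hours of the day it applies (When) and the networks it applies from (Where).
GROUPS = {
    "payroll-clerks": {"level": "author", "hours": (7, 19), "networks": ["10.20.0.0/16"]},
    "auditors": {"level": "read_only", "hours": (0, 24), "networks": ["10.20.0.0/16", "10.30.5.0/24"]},
    "it-admins": {"level": "administrative", "hours": (0, 24), "networks": ["10.20.0.0/16"]},
}
MEMBERSHIP = {"alice": ["payroll-clerks", "auditors"], "bob": ["auditors"], "carol": []}  # Who

def effective_rights(user: str, file_owner: str, hour: int, src_ip: str) -> set:
    """Cumulative rights: the union over every group whose When and Where rules are met."""
    rights = set()
    ip = ipaddress.ip_address(src_ip)
    for group in MEMBERSHIP.get(user, []):
        policy = GROUPS[group]
        start, end = policy["hours"]
        if not start <= hour < end:                                              # When
            continue
        if not any(ip in ipaddress.ip_network(net) for net in policy["networks"]):  # Where
            continue
        level = policy["level"]
        if level == "author" and file_owner != user:   # author rights stop at others' files
            continue
        rights |= LEVELS[level]
    return rights

def allowed(user: str, action: str, file_owner: str, hour: int, src_ip: str) -> bool:
    """What: is this particular kind of access within the subject's effective rights?"""
    return action in effective_rights(user, file_owner, hour, src_ip)
```

Alice gets read and write on her own file during the day from the office network, but only read after hours or from the auditors' network, because only one of her groups still applies.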

The text also discusses being very granular, and granting rights to specific resources, such as files, tables, and databases. It tells us that each of these things, in its own context, may be treated as an object.

The text ends the chapter with another discussion of the three elements of authentication: something you know, something you have, and something you are. It expands a bit on each one:

  • Something you know - The text recommends selecting passwords and personal ID numbers that are hard for someone to guess. Never write them down on a visible note, never use a number that means something other people know about you or can learn about you, and try the suggestion about using a pass phrase instead of a single word. Another suggestion would be to make an acronym from a longer pass phrase, like a line from a song. You should probably use a song you know well, and make sure you never tell anyone what song you are using.
  • Something you have - The text describes the kind of token I described above, and another that requires the user to ask for a challenge code, enter it in the device, read a response code from the device, then enter the response in the system they are trying to access. This is obviously a more secure system than the code that can be read from the token directly.
  • Something you are - The text discusses standard biometric measures, such as fingerprints, retinal scans, and hand or face geometry. These are all physical characteristics. The text also discusses the use of behavioral characteristics. Some smart devices offer this sort of security when they allow you to unlock the device with a specific sweep of your fingers. This category also includes a system learning the typing rhythm of a user, the way a user speaks, or the way the user writes a phrase on a scanning screen. These behaviors might all be copied, and so they should be considered less secure than the physical measures.

  1. Begin the reading assignments for the course, weeks 1, 2, and 3.
  2. Complete the assignment and class discussion made in this module.
  3. We will have a discussion about the planned exams in our first class.