Jul 16 2009 8:31PM GMT
Posted by: Robert E. Davis
Tags: Authentication, Biometrics, Crackers, Hackers, Identification, Access Controls, Information Security, Information Assets Protection, Information Security Infrastructure Management, IAP, ISIM
Access decisions are made through the identification or authentication process. Typically, biometric identification supports physical access controls, while biometric authentication supports logical access controls. When relying on biometrics for asset protection, security managers must accept that human features are dynamic, yet reproducible. Consequently, it is difficult to find a single perfect access security system employing physical and/or behavioral traits.
Voices change over time or under abnormal conditions and can be modulated. Handprints can be altered — by a cut or bruise — as well as replicated. Even eyes and ears can undergo biological transformation from one day to the next. Furthermore, behaviors can be affected by emotional or fatigue states. Thus, biometric systems developed for identifying and/or authenticating authorized users that eliminate all potential errors can be prohibitively time-consuming and expensive, especially in high-traffic areas.
“View Part I of the Biometric Technology series here”
Jul 13 2009 6:25PM GMT
Posted by: Robert E. Davis
Tags: Authentication, Biometrics, Crackers, Hackers, Identification, Access Controls, Information Security, Information Assets Protection, Information Security Infrastructure Management, IAP, ISIM
Most information security practitioners accept biometrics as the science of using distinctive human attributes to determine whether a claimed access right is valid. Specifically, following the Information Systems Audit and Control Association’s definition, biometrics is the process for identifying or authenticating a living person’s identity based on physiological or behavioral characteristics. In detail, biometric identification usually involves a one-to-many search of individual characteristics across linked data repositories, whereas biometric authentication entails establishing a one-to-one relationship that verifies an individual’s claim to an identity.
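The one-to-one versus one-to-many distinction above, together with the point from the later post in this series that traits drift from day to day, sketched as an added example that is not part of the original posts. The toy feature vectors, the Euclidean-distance matcher, the threshold values and the false-reject/false-accept rate terms are assumptions made for illustration.

```python
import math

# Constructed enrollment database: user id -> enrolled template (toy feature vector).
ENROLLED = {
    "alice": (0.10, 0.80, 0.30, 0.55),
    "bob":   (0.70, 0.20, 0.90, 0.15),
    "carol": (0.15, 0.75, 0.35, 0.60),  # deliberately similar to alice
}

# Constructed fresh captures. A trait changes between enrollment and use.
ALICE_NORMAL  = (0.12, 0.78, 0.31, 0.56)   # ordinary day-to-day variation
ALICE_INJURED = (0.02, 0.88, 0.22, 0.47)   # e.g. a cut or bruise shifts the reading
BOB_NORMAL    = (0.68, 0.22, 0.88, 0.17)
CAROL_NORMAL  = (0.16, 0.74, 0.36, 0.61)

def authenticate(claimed_id, sample, threshold):
    """One-to-one: compare the sample only with the claimed identity's template."""
    template = ENROLLED.get(claimed_id)
    return template is not None and math.dist(template, sample) <= threshold

def identify(sample, threshold):
    """One-to-many: search every template; return matching ids, nearest first."""
    scored = sorted((math.dist(t, sample), uid) for uid, t in ENROLLED.items())
    return [uid for d, uid in scored if d <= threshold]

# Labelled trials as (claimed_id, sample) pairs.
GENUINE = [("alice", ALICE_NORMAL), ("alice", ALICE_INJURED),
           ("bob", BOB_NORMAL), ("carol", CAROL_NORMAL)]
IMPOSTOR = [("alice", CAROL_NORMAL), ("alice", BOB_NORMAL),
            ("bob", ALICE_NORMAL), ("carol", BOB_NORMAL)]

def error_rates(threshold):
    """Return (false reject rate, false accept rate) at a given threshold."""
    frr = sum(not authenticate(u, s, threshold) for u, s in GENUINE) / len(GENUINE)
    far = sum(authenticate(u, s, threshold) for u, s in IMPOSTOR) / len(IMPOSTOR)
    return frr, far

if __name__ == "__main__":
    for threshold in (0.05, 0.20):
        frr, far = error_rates(threshold)
        print(f"threshold={threshold:.2f}  FRR={frr:.2f}  FAR={far:.2f}  "
              f"identify(alice, normal)={identify(ALICE_NORMAL, threshold)}")
```

A strict threshold rejects the legitimate user whose trait has changed, while a loose one accepts a similar-looking impostor and makes the one-to-many search return more than one candidate; no single setting removes both errors.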
Jul 9 2009 8:20PM GMT
Posted by: Robert E. Davis
Tags: Biometrics, Crackers, Hackers, Access Controls, Information Security, Information Assets Protection, Information Security Infrastructure Management, IAP, ISIM
As technology becomes increasingly embedded in routine human endeavors, few security professionals doubt the need for parallel and proportional advances in information asset protection mechanisms to defend against threats from individuals or groups seeking notoriety. Those engaged in nefarious IT activities pursue that notoriety by orchestrating information security attacks that render the barriers to obtaining or affecting a targeted object ineffective. When an information asset is deemed valuable, authorization through a single access scheme appears woefully inadequate compared to the estimated number of ‘hackers’ or ‘crackers’ probing IT operational defenses. Considering published organizational information security incidents, two or more authentication factors will inevitably become the security deployment norm, with one authentication factor in the architecture relying on a biometrically based process, unless superior alternative access control remedies are devised.
Feb 5 2009 9:38PM GMT
Posted by: Robert E. Davis
Tags: Distributed Platforms, Physical Security, Logical Security, Access Controls, Information Asset Protection, Identification, Authentication, Authorization, Accountability, Infrastructure
Integrated policies improving access control are needed to increase safeguarding capabilities. Furthermore, due to technological and operational diversity, it is critical to have standard processes to control access that will permit economies of scale. Potential candidates for access control convergence include Tokens, Biometrics, Smart Cards and Tracking Systems. When physical and logical penetration protection mechanisms are converged under a unified access control policy, the resulting combination can operate as a baseline, customized to redress entity-centric needs for effective threat countermeasures. Beneficially, regarding operational complexity, access control convergence can simplify security administration. To enable organizational coexistence with technological convergences, an entity’s security function should assume responsibility for implementing and sustaining blended physical and logical controls.
Physical information security is a critical aspect of adequate perimeter and interior controls. Yet, physical controls alone cannot ensure that information assets are protected. For this reason, it is important to establish logical security controls that rebuff threats to information confidentiality, integrity, and availability. Both control types should have appropriate asset protection as their primary objective, particularly for information in electronic form. Consequently, where feasible, entities should deploy cost-effective processes for protecting the network infrastructure through converged physical and logical security controls.
Feb 2 2009 7:38PM GMT
Posted by: Robert E. Davis
Tags: Distributed Platforms, Physical Security, Logical Security, Access Controls, Information Asset Protection, Identification, Authentication, Authorization, Accountability, Infrastructure
Computer technology continues to advance toward a tiered, decentralized world of distributed platforms for entering, processing, and retrieving information. Technological implementations are diverse and complex; however, all IT deployments should be protected from unauthorized usage through suitable information asset access controls. Given IT interconnectivity, entities should also protect information assets from unauthorized manipulation to safeguard investments from risks associated with resource misuse. Consequently, information asset access control is typically viewed from two abstraction perspectives: physical and logical security.
Physical security protects tangible assets whether an item is at rest or in transit. As a subcategory, information physical security involves reducing technological vulnerabilities, usually by limiting access to the buildings and rooms where information assets are housed, or by installing mechanical locks on devices. However, physical access controls should address not only the area containing hardware, but also the wiring locations used to connect system elements, supporting services, backup media, and other items required for IT operational effectiveness.
Distinctively, logical security focuses on safeguarding intangible assets whether data is at rest or in transit. Logical access controls are the manual and electronic policies, procedures, and organizational structures deployed to safeguard symbolic objects. Essential elements for adequate logical access control are identification, authentication, authorization, and accountability.