The table uses comparative terms (High, Medium and Low), descriptive terms (Active, Passive and Simple), and the standard Yes (Y) and No (N). The research then proposes solutions based on the problems identified in the access controls evaluated.
Table I: Evaluation of Access Control

| Criteria                                | TMAC   | SAC    | Matrix  | TBAC   | C-TMAC | RBAC    | Context-AW |
|-----------------------------------------|--------|--------|---------|--------|--------|---------|------------|
| Complexity                              | Medium | Low    | Low     | Medium | Medium | Medium  | High       |
| Understandability                       | Simple | Simple | Simple  | Simple | Simple | Simple  | Simple     |
| Ease of use                             | High   | Low    | Medium  | Medium | High   | High    | High       |
| Applicability                           | Medium | Low    | Medium  | Medium | High   | High    | High       |
| Groups of users / collaboration support | Y      | Y      | Low     | Y      | Y      | Y       | Y          |
| Policy specification                    | Y      | Y      | Low     | Low    | Y      | Y       | Y          |
| Policy enforcement                      | Y      | Low    | Low     | Low    | Y      | Y       | Y          |
| Fine-grained control                    | Y      | N      | N       | Low    | Y      | Low     | Y          |
| Active and passive                      | Active | Active | Passive | Active | Active | Passive | Active     |
| Contextual information                  | Medium | Medium | N       | Medium | Medium | Low     | Medium     |
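The rows "Active and passive", "Contextual information" and "Fine-grained control" are easiest to understand by comparing how a decision is actually computed under each kind of model. The following Python example is added here and is not part of the original paper: it contrasts a passive RBAC decision (permissions are static facts about roles), an active task-based decision in the style of TBAC (a permission is usable only while an authorization step is active and has uses left), and a context-aware decision that gates the RBAC answer on contextual predicates. The users, roles, permissions and context fields are constructed for the example.

```python
"""Passive (RBAC), active (task-based) and context-aware access decisions.
Added illustration with constructed data; not code from the paper or from
any of the models it cites."""
from dataclasses import dataclass, field


@dataclass
class Request:
    user: str
    action: str
    resource: str
    context: dict = field(default_factory=dict)  # e.g. {"hour": 10, "network": "corporate"}


# Constructed role assignments and role permissions.
ROLES = {"alice": {"clerk"}, "bob": {"auditor"}}
ROLE_PERMS = {
    "clerk": {("write", "ledger"), ("read", "ledger")},
    "auditor": {("read", "ledger")},
}


def rbac_decide(req: Request) -> bool:
    """Passive model: the permission exists whenever one of the user's roles grants it.
    Nothing about the state of the work or the environment is consulted."""
    return any((req.action, req.resource) in ROLE_PERMS.get(role, set())
               for role in ROLES.get(req.user, ()))


class TaskBasedPolicy:
    """Active model (TBAC-style): a permission is valid only while the task step
    that authorized it is active, and each activation carries a bounded number
    of uses. Once consumed, the same request is denied again."""

    def __init__(self):
        self.active = {}  # (user, action, resource) -> remaining uses

    def activate(self, user: str, action: str, resource: str, uses: int = 1) -> None:
        self.active[(user, action, resource)] = uses

    def decide(self, req: Request) -> bool:
        key = (req.user, req.action, req.resource)
        left = self.active.get(key, 0)
        if left <= 0:
            return False
        left -= 1
        if left == 0:
            del self.active[key]  # step exhausted: permission disappears
        else:
            self.active[key] = left
        return True


def context_aware_decide(req: Request) -> bool:
    """Context-aware model: the RBAC answer is additionally gated on contextual
    information. Missing context is treated as a denial rather than assumed safe."""
    hour = req.context.get("hour")
    network = req.context.get("network")
    if hour is None or network is None:
        return False
    in_business_hours = 8 <= hour < 18
    on_corporate_network = network == "corporate"
    return rbac_decide(req) and in_business_hours and on_corporate_network


def evaluate_all(req: Request, task_policy: TaskBasedPolicy) -> dict:
    """Run the same request through the three decision procedures."""
    return {
        "rbac": rbac_decide(req),
        "tbac": task_policy.decide(req),
        "context_aware": context_aware_decide(req),
    }


if __name__ == "__main__":
    policy = TaskBasedPolicy()
    policy.activate("alice", "write", "ledger", uses=1)
    late_night = Request("alice", "write", "ledger", {"hour": 22, "network": "corporate"})
    print(evaluate_all(late_night, policy))  # rbac True, tbac True, context_aware False
```

The same request is permitted by the passive model, permitted once by the active model, and refused by the context-aware model, which is the behaviour the "Contextual information" and "Active and passive" rows summarize.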
Solutions to Access Control Problems
To address these access control security problems, Gauthier and Merlo (2012) propose ACMA (Access Control Model Analyzer), an information security tool for detecting and repairing access control vulnerabilities. ACMA is anchored on model checking and inter-procedural analysis, which have been shown to be fast, scalable and precise. It serves as a model-checking tool for detecting access control vulnerabilities, including forced browsing and faulty access control, and achieves results comparable to earlier tools while running 890 times faster. Typically, ACMA is used to verify that access control checks are present on the hidden execution paths of a web application (Gauthier and Merlo, 2012). Despite the benefits of ACMA in addressing access control problems, the tool alone may not deter sophisticated attackers from perpetrating their illegal acts. Such attackers no longer rely on manual methods to reach information assets; they now use automated tools to get at a company's valuable and sensitive data.
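The forced-browsing problem ACMA targets is a handler that is reachable through a URL but never passes through an authorization check, often because the check lives in a helper several calls away and a reviewer cannot see that one route bypasses it. The Python example below is added here as an illustration of the inter-procedural idea; it is not the ACMA tool and does not analyse PHP. It models an application as a constructed call graph and route table, walks the graph from each privileged handler, and reports routes from which no check is reachable. The function names, routes and the `PRIVILEGED_PREFIX` convention are assumptions made for the example.

```python
"""Find privileged routes whose handler never reaches an access control check,
following calls inter-procedurally. Added illustration on a constructed call
graph; not the ACMA tool from Gauthier and Merlo (2012)."""
from collections import deque

# Constructed call graph: function name -> (performs_access_check, callees).
CALL_GRAPH = {
    "admin_dashboard": (False, ["require_admin", "render_stats"]),
    "require_admin":   (True,  []),                  # the only function that checks
    "render_stats":    (False, []),
    "export_users":    (False, ["render_csv"]),      # hidden path: nothing checks
    "render_csv":      (False, []),
    "delete_user":     (False, ["auth_gate", "db_delete"]),
    "auth_gate":       (False, ["require_admin"]),   # check sits two hops away
    "db_delete":       (False, []),
    "public_index":    (False, []),
}

# Constructed route table: URL path -> entry-point handler.
ROUTES = {
    "/": "public_index",
    "/admin": "admin_dashboard",
    "/admin/export": "export_users",
    "/admin/delete": "delete_user",
}

# Assumption for the example: everything under this prefix must be protected.
PRIVILEGED_PREFIX = "/admin"


def reaches_check(entry: str, graph: dict) -> bool:
    """Breadth-first walk over the call graph starting at `entry`.
    Returns True as soon as any reachable function performs a check.
    This is an existence test over the graph, not a path-sensitive one:
    a check that is only reached on some branches still counts, so a
    real analyser (as the paper describes) needs model checking to be precise."""
    seen, queue = set(), deque([entry])
    while queue:
        fn = queue.popleft()
        if fn in seen or fn not in graph:
            continue
        seen.add(fn)
        performs_check, callees = graph[fn]
        if performs_check:
            return True
        queue.extend(callees)
    return False


def find_unprotected_routes(routes: dict, graph: dict, privileged_prefix: str) -> list:
    """Sorted list of privileged routes whose handler never reaches a check."""
    return sorted(path for path, handler in routes.items()
                  if path.startswith(privileged_prefix)
                  and not reaches_check(handler, graph))


if __name__ == "__main__":
    for path in find_unprotected_routes(ROUTES, CALL_GRAPH, PRIVILEGED_PREFIX):
        print(f"missing access control on {path} -> {ROUTES[path]}")
```

On the constructed data only `/admin/export` is reported: `/admin/delete` is protected even though its check is two calls deep, which is exactly the case a purely intra-procedural review tends to get wrong in either direction.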
On the other hand, Bullock and Benford (1999) argue that an access control model is an effective security tool for managing a collaborative environment. The authors recommend the following access control requirements:
Access control must be enforced and applied at the distributed platform level.
The access control model should be configurable to meet the needs of a wide variety of enterprise models, and such models must provide efficient access rights.
Access control should offer greater scalability than the traditional single-user model.
Access control models should be able to protect a greater number of information resources within a shared environment.
The access control model must facilitate transparent access for authorized users and strong exclusion of unauthorized users.
However, the solutions these authors present are purely technical in nature; such a perspective neglects how control mechanisms are actually practised.
This paper proposes a model called Computer-Information Systems Supported Access Control (CSSAC) that does not follow the yes-or-no paradigm commonly used in practice. CSSAC is structured on a combination of human and technical protection tools, which include:
Awareness
Protection
Negotiation
Traceability
Restorability
Protection is the pattern by which organizations safeguard information resources by regulating access in order to determine the legitimacy of other actors. It is an access control tool for preventing unauthorized access to information resources, and legitimacy can be established by technical means. In this system, two separate control systems are used: one for protection and the other to grant access.
Negotiability is the technique by which the system is aware of an intended access and opens a channel of communication with whoever wants access, so that the access can be controlled through that channel.
Traceability is built into the system to evaluate illegitimate access to information resources, and the system is able to alert the information systems manager that an illegal access is about to happen. Technically, traceability serves as an alert protocol that safeguards information resources from penetrators before the access actually happens.
Restorability is the ability to undo an illegitimate access. Applying this security mechanism supports ex-post protection.
Discussability works in combination with traceability: it integrates a communication channel into the information system to guard against access to information resources where no technical control is implemented.
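The pillars above are easier to reason about when they are wired together in one small system. The following Python example is added here to show how protection (two separate control systems), negotiation (a pending-request channel), traceability (an audit trail plus alerts on illegitimate attempts) and restorability (an undo journal for ex-post protection) can interact; it is a constructed illustration, not the paper's own implementation of CSSAC. The `protection` and `grant` callables, the store, and the users and resources are all assumptions made for the example.

```python
"""Toy CSSAC-style store: protection, negotiation, traceability, restorability.
Added illustration with constructed data; not the authors' implementation."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# (user, action, resource) -> decision
Check = Callable[[str, str, str], bool]


@dataclass
class AccessEvent:
    user: str
    action: str
    resource: str
    outcome: str  # "blocked", "negotiating", "granted" or "restored"


class CSSACStore:
    def __init__(self, protection: Check, grant: Check):
        self.protection = protection  # control system 1: is the actor legitimate at all?
        self.grant = grant            # control system 2: is this particular access permitted?
        self.data: Dict[str, str] = {}
        self.trail: List[AccessEvent] = []                        # traceability
        self.alerts: List[str] = []                               # alert protocol
        self.journal: List[Tuple[str, Optional[str], str]] = []   # (resource, previous, writer)
        self.pending: Dict[Tuple[str, str, str], str] = {}        # negotiation channel

    def _log(self, user: str, action: str, resource: str, outcome: str) -> None:
        self.trail.append(AccessEvent(user, action, resource, outcome))

    def request(self, user: str, action: str, resource: str,
                value: Optional[str] = None, approved: bool = False) -> bool:
        """Protection first, then grant; a legitimate but unpermitted request is
        parked for negotiation instead of being answered with a flat no."""
        if not self.protection(user, action, resource):
            self.alerts.append(f"illegitimate {action} on {resource} by {user}")
            self._log(user, action, resource, "blocked")
            return False
        if not (self.grant(user, action, resource) or approved):
            self.pending[(user, action, resource)] = "awaiting approval"
            self._log(user, action, resource, "negotiating")
            return False
        self.pending.pop((user, action, resource), None)
        if action == "write":
            # Record the previous value so the write can be undone later.
            self.journal.append((resource, self.data.get(resource), user))
            self.data[resource] = value
        self._log(user, action, resource, "granted")
        return True

    def negotiate(self, user: str, action: str, resource: str,
                  approver_decision: bool, value: Optional[str] = None) -> bool:
        """Resolve a pending request through the communication channel."""
        key = (user, action, resource)
        if key not in self.pending:
            return False
        if not approver_decision:
            self.pending.pop(key)
            self._log(user, action, resource, "blocked")
            return False
        return self.request(user, action, resource, value, approved=True)

    def restore(self, user: str) -> int:
        """Undo every write made by `user`, newest first (ex-post protection).
        Toy assumption: writes by other users interleaved on the same resource
        are not reconciled; a production journal would version per resource."""
        undone = 0
        for resource, previous, writer in reversed(self.journal):
            if writer != user:
                continue
            if previous is None:
                self.data.pop(resource, None)
            else:
                self.data[resource] = previous
            self._log(user, "write", resource, "restored")
            undone += 1
        self.journal = [entry for entry in self.journal if entry[2] != user]
        return undone


if __name__ == "__main__":
    known = {"alice", "bob"}
    store = CSSACStore(protection=lambda u, a, r: u in known,
                       grant=lambda u, a, r: (u, a) in {("alice", "write"), ("bob", "read")})
    store.request("mallory", "read", "ledger")            # blocked, alert raised
    store.request("bob", "write", "ledger", "draft")      # parked for negotiation
    store.negotiate("bob", "write", "ledger", True, "draft")
    store.request("alice", "write", "ledger", "final")
    store.restore("alice")                                # ledger back to "draft"
    print(store.alerts, store.data, [e.outcome for e in store.trail])
```

The design point is the split the paper describes: the protection check answers "is this actor legitimate?" and raises an alert when the answer is no, while the grant check answers "is this access permitted?" and, when the answer is no, opens a negotiation rather than ending the interaction; the journal makes a later reversal possible once an access is judged illegitimate after the fact.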
Conclusion
Access control is technically a security mechanism built on authentication. While organizations rely on digital information for effective decision-making, many still face challenges in protecting their information assets from external intruders. Access controls continue to be used to safeguard information assets, yet despite their benefits, access control vulnerabilities are still on the increase. This paper explores various types of access controls and their shortcomings. All of the access controls identified have shortcomings, and through them penetrators can often gain access to organizational information resources. To address these problems, the research proposes the Computer-Information Systems Supported Access Control (CSSAC) model to alleviate the common problems identified in traditional access control systems. This study addresses the common challenges that organizations, governments and individuals face in protecting their information resources.
References
Ahn, G.J. & Sandhu, R. (2000). Role-based authorization constraints specification. ACM Transactions on Information and System Security, 3(4).
Bullock, A. & Benford, S. (1999). Framework of access control for multi-user collaborative environments. In ACM GROUP. Phoenix, AZ.
Gauthier, F. & Merlo, E. (2012). Fast detection of access control vulnerabilities in PHP applications. In 2012 19th Working Conference on Reverse Engineering.
Kang, M.H., Park, J.S. & Froscher, J.N. (2001). Access control mechanisms for inter-organizational workflow. In ACM Symposium on Access Control Models and Technologies. Chantilly, VA.
Layton, T.P. (2007). Information Security: Design, Implementation, Measurement, and Compliance. Boca Raton, FL: Auerbach Publications. ISBN 978-0-8493-7087-8.
Lee, M., Deok, N., Lee, K. et al. (2011). Design and implementation of an intranet security and access control systems in UBI-COM. Computing & Informatics.
Li, N. & Tripunitara, M.V. (2006). Security analysis in role-based access control. ACM Transactions on Information and System Security (TISSEC), 9(4): 391-420.
Stevens, G. & Wulf, V. (2009). Computer-supported access control. ACM Transactions on Computer-Human Interaction (TOCHI), 16(3): 12-26.
Stevens, G., Quaisser, G. & Klann, M. (2006). Breaking it up: An industrial case study of component-based tailorable software design. In End User Development, H. Lieberman et al., Eds. Springer, 269-294.
Tolone, W., Ahn, G., Pai, T. et al. (2005). Access control in collaborative systems. ACM Computing Surveys (CSUR), 37(1): 29-41.