Developing A Plan For Implementing Access Control Models In An Enterprise

The elements of access control I would us in my plan are: Authentication, Authorization and Identification. I would use all the three elements, since they work together to enforce information security. Identification provides a form of uniquely identifying an individual in an organization. It ensures that somebody is truly who they claim to be. To ensure maximum security, an identification value should not have a description of the users’ position or task and ach value should be unique.

Authentication ensures that only the right people gain access. It is the process of verifying the identity of each individual who claims to have permission to use resources. Authentication may involve fingerprints, smartcards, encryption keys, among many other forms. Authorization involves giving certain permissions to a user. These permissions are read, write and execute, which are tied to a particular user account. For instance, a user might have permission to read, but doesn’t have permission to alter anything on a file. Some of the best practices concerning access control are:

• Biometrics – Uses an individual’s attribute or behavior for identification purposes. It’s the most accurate method for performing verification and the most expensive form of authentication. Biometric systems include finger print, palm scan, voice print, iris and retina scan, signature dynamics and keyboard dynamics.
• Passwords – It is the most commonly used form of identification and authentication. A password consists of a string of characters used to authenticate a user. Passwords should meet a required length, should contain a specific combination of characters and should be encrypted and hashed. Passwords should also expire after some time, prompting a user to set a new password. There should be a pre-set number of logon attempts to enhance security.
• Creation of role-based access – It ensures that employees are clearly defined by their roles and access is only granted based on their job type. For example, the resources a manager may access may be different from those an accountant an accountant can access. This ensures that employees only get access to the information that they have to use for business purposes.
• Running system audits – This can be carried out by the use of software reporting capabilities. They aid in helping the admin to monitor whether the system is functioning properly, the need fix issues, make changes or do an update. This information can be deduced by inspecting reports.
• Implementation of security layers – Several access options should be considered when setting up access control, to enable maximum security. When one layer fails, the other layer should cover up for its vulnerabilities. When two or more layers of security are established, the vulnerabilities can be reduced or completely eliminated. A combination of different types of security should be established, such as use of door locks, sensors and biometric authentication systems.
• Training Employees – A system may be put at a high risk within a short period of time due to human error or factors such as haste. All employees should be taken through regular comprehensive of the company’s security policy, so as to prevent the occurrence of disasters that would have been avoidable. With knowledge of how to safely use the system, the system could face minimal or no disasters caused by human error.
• Multi-factor authentication – It is a mechanism that requires more than one form of an authentication, in order to verify a user’s identity when requesting to login or perform a transaction.

For example, an employee logging in from an unknown device in an unknown network may be asked for multiple authentication factors to be granted access. Authentication methods include:

• Hardware tokens – A user may carry small physical devices that may help with authentication. They may entail: a USB device that will generate a one-time passcode, smartcards with a card reader.
• Soft Tokens – They are software based applications whose task is to generate one-time use passcodes. A notification is sent to the mobile application upon which the user can accept or decline.
• SMS/text message work in the same way as software and hardware tokens, whereby a one-time password is sent.
• Email – The user receives an email with a link that requires them to confirm the authentication request.
• Security questions- Involves asking a user questions they had already answered during account creation, so as to ensure maximum security.