Access Control In Relation To Risk
SHARATH KUMAR REDDY KUCHUR
Professor: Denise Blanson
Course: ISOL 534 Application Security
Access control in relation to risk, threat and vulnerability:
What is Risk?
Risk is a function of threats finding and exploiting vulnerabilities to gain access to, damage or destroy assets. It is usually expressed as the likelihood that such an event occurs combined with the impact it would have.
What is Vulnerability?
A vulnerability is a gap or weakness in a security program, system, application or process that a threat can exploit to gain unauthorized access. Attackers look for such weaknesses in an organization's systems to reach content they are not authorized to see or change.
What is Threat?
A threat is anything, internal or external, intentional or accidental, that may exploit a weakness to damage an asset or defeat the security of a system.
Access control and its relation to the factors defined above:
Access control helps an organization minimize risk by limiting the ways in which a vulnerability can be reached and exploited.
Because risk is a function of threats exploiting vulnerabilities to damage assets, threats may exist, but if there are few exploitable vulnerabilities the risk is low. In the same way, a vulnerability that no threat is likely to exploit carries little or no risk. Access control works on both sides of this relationship: it reduces the exposure of vulnerabilities and it denies threats the access they need.
Access control reduces exposure to vulnerabilities by:
Keeping sensitive identifiers and data out of URLs, and encrypting data in transit (HTTPS) so that it cannot be read or altered on the way
Maintaining session timeouts, so that an idle or stolen session cannot be used indefinitely
Encrypting sensitive data at rest in the database, so that a SQL injection or a stolen backup yields ciphertext rather than readable records; this limits the impact of an injection, while parameterized queries are what remove the injection vulnerability itself
Access control counters threats by:
Verifying digital signatures (for example the certificate a server presents over TLS, or signed tokens) so that users and clients can trust that a page or response comes from the legitimate source
Checking the session token on every HTTPS request, so that the server re-verifies which previously authenticated user is making the request instead of trusting the client
Using the IP address or geographic location of the person attempting to authenticate as a risk signal, for example by requiring additional verification for a login from an unexpected place
The Relation between Access control and its Impact on CIA:
Confidentiality, integrity and availability (the CIA triad) are the foundation of any organization's security program.
Relation with confidentiality:
Confidentiality means protecting the secrecy of credentials and other private data held on servers or in the cloud. It must be addressed wherever the data is: at rest in storage, in use, and in transit, whether in the cloud or in the organization's own data center. Data kept in the cloud or data center should be encrypted, and access control determines who may use the keys and reach the decrypted data, so that only authorized users ever see it. In this way access control is the means by which an organization maintains confidentiality.
Relation with Availability:
Availability means the application is reachable whenever an intended user needs to access their data.
Access control lets authorized users authenticate from anywhere at any time while still limiting what each user can reach, including the organization's confidential data. Cyber-attacks can threaten availability; to keep the application online, DDoS protection (an appliance or a service) that filters application-layer (layer 7) attacks should be placed in front of it.
Relation with Integrity:
Integrity promises that the application works as intended and that its data is changed only by authorized users in authorized ways. The development and operations teams need to secure all application data and control the change process, so that unintended or unauthorized changes cannot affect the application or its data.
Access control and its level of importance within information security:
Access controls are security features that govern how people interact with, and are authorized to use, the system resources of an organization. The main objective of access control is to protect an application from being used by unauthorized parties. There are two main types, physical and logical: the former restricts access to campuses, buildings and IT assets, and the latter limits connections to computer networks, system files and data. To secure a facility, an organization should implement access control that relies on user credentials, card readers and restricted areas such as data centers. Access control systems perform identification, authentication and authorization of users by requiring login credentials such as passwords, PINs, security tokens and other authentication factors. Multi-factor authentication, in which two or more factors are required, is widely used to add a layer of defense to access control systems.
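The multi-factor check described above, as an added example written for this page (it is not code from the essay or from any product): a login that requires something the user knows (a password, stored as a PBKDF2 hash) and something the user has (a TOTP code per RFC 6238, generated by an authenticator app). The account record, the TOTP secret and the replay rule (never accept a time step at or below one already used) are assumptions made here for the illustration.

```python
"""Two-factor login: password (PBKDF2) plus a TOTP code (RFC 6238).

Added example for this page, not the essay's code. The account record and the
TOTP secret are constructed; the replay guard (never accept a time step at or
below one already used) is a design choice made here.
"""
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional


def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(key, int(at // step), digits)


class Account:
    def __init__(self, username: str, password: str, totp_secret: bytes) -> None:
        self.username = username
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hash_password(password, self.salt)
        self.totp_secret = totp_secret
        self.last_counter = -1   # highest time step already accepted (replay guard)


def login(account: Account, password: str, code: str,
          now: Optional[float] = None, window: int = 1) -> bool:
    """Both factors are always evaluated, so the response does not reveal which one failed."""
    now = time.time() if now is None else now
    # Factor 1, something you know: compare derived hashes in constant time.
    pw_ok = hmac.compare_digest(account.pw_hash, hash_password(password, account.salt))
    # Factor 2, something you have: accept the current step and +/- window steps
    # for clock skew, but never a step at or below one that was already used.
    counter = int(now // 30)
    used = None
    for c in range(counter - window, counter + window + 1):
        if c > account.last_counter and hmac.compare_digest(hotp(account.totp_secret, c), code):
            used = c   # no break: loop length does not depend on which step matched
    if pw_ok and used is not None:
        account.last_counter = used
        return True
    return False
```

The second factor is only worth having if the first cannot be bypassed: the code evaluates both factors on every attempt and returns a single yes/no, and a code that was already accepted is refused even though it is still within the time window.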
Need for organizations to implement access controls in relation to maintaining CIA:
There is no doubt that implementing access control is the primary method by which an organization maintains the fundamentals of information security: confidentiality, integrity and availability.
Access to information must be restricted to those who are authorized to access it. Data can be classified into categories based on the damage that would result from its falling into unauthorized hands, and protective measures should be implemented according to those categories. Ultimately, protecting confidentiality is a must.
Integrity assures that sensitive data is trustworthy and accurate; its consistency, trustworthiness and accuracy should be maintained over its whole lifetime. Sensitive data must not be manipulated or altered in transit, and security measures such as file permissions and user access rights must be configured so that unauthorized users cannot modify the content.
Availability is the guarantee of constant and reliable access to data by the users authorized to use it. Hence the organization needs to prevent server downtime caused by DDoS attacks. Strict access control is therefore needed to maintain all three factors of information security in an organization.
It is a risky practice to store customer information for repeated visits if session management is not properly implemented: sessions must expire after a certain amount of time, and after a period of inactivity, after which the user is asked to re-authenticate.
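As an added illustration of the session controls listed earlier (timeouts, re-verifying the logged-in user on every request, the client address as a risk signal) and of the expiry requirement just stated, the following Python sketch is example code written for this page, not code from the essay or from any product. The token format, the two timeouts, storing only a hash of the token, and the policy of revoking a session whose client IP changes are assumptions chosen for the illustration; the Session and SessionStore names are hypothetical.

```python
"""Server-side session validation with idle and absolute timeouts.

Added example for this page (not the essay's code). Assumptions: a session is
identified by a random bearer token; only a hash of the token is stored; a
session whose client IP changes is treated as stolen and revoked.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity after which re-authentication is required
ABSOLUTE_TIMEOUT = 8 * 3600   # hard lifetime, regardless of activity


@dataclass
class Session:
    user: str
    client_ip: str
    created: float
    last_seen: float


def _key(token: str) -> str:
    # Store only a digest: a leaked session table must not yield usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, client_ip: str, now: Optional[float] = None) -> str:
        """Issue a fresh token after the user has authenticated."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # 256 bits of entropy; unguessable
        self._sessions[_key(token)] = Session(user, client_ip, now, now)
        return token

    def validate(self, token: str, client_ip: str, now: Optional[float] = None) -> Optional[str]:
        """Re-verify the session on every request.

        Returns the user bound to the token, or None when the request must go
        back through authentication (unknown token, expired, or IP mismatch).
        """
        now = time.time() if now is None else now
        key = _key(token)
        sess = self._sessions.get(key)
        if sess is None:
            return None
        too_old = now - sess.created > ABSOLUTE_TIMEOUT
        idle = now - sess.last_seen > IDLE_TIMEOUT
        if too_old or idle or sess.client_ip != client_ip:
            # Revoke server-side so the same token cannot be retried.
            del self._sessions[key]
            return None
        sess.last_seen = now   # activity extends the idle window, never the absolute one
        return sess.user

    def logout(self, token: str) -> None:
        self._sessions.pop(_key(token), None)


def handle_request(store: SessionStore, token: str, client_ip: str,
                   now: Optional[float] = None) -> str:
    """Simulated request handler: the session check runs before any data is served."""
    user = store.validate(token, client_ip, now)
    if user is None:
        return "401 re-authenticate"
    return f"200 account data for {user}"
```

The point of the absolute timeout is that activity alone never keeps a session alive forever; the idle timeout handles an abandoned browser, and binding the session to the client address (a stricter choice than many sites make, since mobile users change networks) turns a stolen token replayed from elsewhere into a forced re-login rather than a silent takeover.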
Necessary components within an organization's access control metric:
Organizations planning to implement access control should consider the following components.
Access control policies
Access control policies are high-level requirements that specify how access is managed and who may access which information under what circumstances. For example, policies may govern resource usage within or across organizational units.
At a high level, access control policies are enforced through a mechanism that translates a user's access request into the terms of a structure the system provides. An access control list (ACL) is a familiar example.
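The policy-to-mechanism translation just described, together with the data categories mentioned under confidentiality above, as an added example written for this page (not code from the essay): high-level rules say which role may do what, whether only within the resource's own organizational unit, and up to which classification; a function compiles those rules into the ACL attached to one resource; and an enforcement point evaluates a request against that ACL, denying by default. The roles, units, classification levels and rules are all constructed for the illustration.

```python
"""Policy -> access control list -> enforcement decision.

Added example for this page, not the essay's code. The roles, organizational
units, classification levels and rules are constructed for the illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

LEVELS = {"public": 0, "internal": 1, "confidential": 2}   # assumed data categories


@dataclass(frozen=True)
class Principal:
    name: str
    roles: FrozenSet[str]
    org_unit: str


@dataclass(frozen=True)
class Resource:
    name: str
    owner_unit: str
    classification: str


@dataclass(frozen=True)
class Rule:
    """One policy statement: a role gets these actions, optionally only within
    the resource's own unit, and only up to a classification level."""
    role: str
    actions: FrozenSet[str]
    same_unit_only: bool = True
    max_classification: str = "internal"


# High-level policy, as the text describes: who may do what, under which conditions.
POLICY: List[Rule] = [
    Rule("employee", frozenset({"read"})),
    Rule("editor", frozenset({"read", "write"})),
    Rule("auditor", frozenset({"read"}), same_unit_only=False, max_classification="confidential"),
]

# An ACL entry is (role, required org unit or None for any unit, action).
AclEntry = Tuple[str, Optional[str], str]


def compile_acl(policy: List[Rule], resource: Resource) -> List[AclEntry]:
    """Mechanism: translate the policy into the ACL attached to one resource."""
    acl: List[AclEntry] = []
    for rule in policy:
        if LEVELS[resource.classification] > LEVELS[rule.max_classification]:
            continue   # this role never sees data of this category
        unit = resource.owner_unit if rule.same_unit_only else None
        for action in sorted(rule.actions):
            acl.append((rule.role, unit, action))
    return acl


def is_permitted(acl: List[AclEntry], principal: Principal, action: str) -> bool:
    """Enforcement point: deny by default, grant on the first matching entry."""
    for role, unit, allowed in acl:
        if allowed != action or role not in principal.roles:
            continue
        if unit is not None and unit != principal.org_unit:
            continue
        return True
    return False


def check(principal: Principal, resource: Resource, action: str) -> bool:
    """Full access request: compile the policy for the resource, then decide."""
    return is_permitted(compile_acl(POLICY, resource), principal, action)
```

Keeping the policy (rules) separate from the mechanism (the compiled ACL and the check) is what lets an organization change who may read confidential data without touching the enforcement code, and the deny-by-default check means a resource with no matching entries is simply unreachable.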