Access Control In Relation To Risk
SHARATH KUMAR REDDY KUCHUR
Professor: Denise Blanson
Course: ISOL 534 Application security
Access control in relation to risk, threat and vulnerability:-
Risk is the potential for a threat to exploit a weakness, gain access and damage assets.
A vulnerability is a gap or weakness in a system's security that lets unintended people obtain access. Cyber attackers can use it to reach the content and systems of an organization even though they are not authorized to do so.
A threat is anything, internal or external to the system, occurring deliberately or accidentally, that may damage the organization's security.
Access control and its relation to the above defined factors:-
Access control helps an organization reduce risk by preventing vulnerabilities from being exploited to attack the system.
Risk is the combination of a threat exploiting a vulnerability to harm assets. Threats may exist, but if the system is not very vulnerable the risk is low; similarly, if the system is vulnerable but there is little or no threat, the risk is also low.
Access control eliminates vulnerabilities in the following ways:
Encrypting URL content and data
Creating session timeouts
Encrypting stored data, so that data fetched through simple SQL injection queries is not readable
Access control eliminates threats by the following methods:
Verifying digital signatures on web pages
Validating each HTTPS request against the session of the previously logged-in user
Checking the IP address and network location of the person who is trying to authenticate
The relation between access control and its impact on CIA:
CIA (confidentiality, integrity and availability) describes the foundational security principles of any organization.
Relation with confidentiality:
Confidentiality means protecting the secrecy or privacy of credentials and data on the server or in the cloud. It must be addressed regardless of the format and location of the data, whether in the cloud or in an on-premises data center. Data stored in the cloud or data center should be fully encrypted. In this way, access control helps an organization maintain confidentiality.
Relation with Availability:
This factor ensures that the application is always available for intended users to access their personal data. Access control lets users authenticate from anywhere in the world at any time and gives them access to the organization's confidential data they are entitled to. Cyber-attacks may threaten the application's continuous availability, so appliance-level protection should be implemented to defend against them.
Relation with Integrity:
Integrity promises that an application works as intended and that secret data is available only to intended users. The development and operations teams need to secure all application data and control change management so that unintended changes cannot affect the application's integrity in any way.
Access control and its importance within info security:
Access controls are security features that govern how people and systems interact with, and are authorized to use, an organization's resources. The main goal of access control is to protect applications from use by unauthorized parties. There are two main types, physical and logical: the former restricts access to campuses, buildings and IT assets, and the latter restricts access to computer networks and data. To secure a facility, an organization should implement access control that relies on user credentials, card readers and biometrics. Access control systems perform identification, authentication and authorization of users by requiring login credentials such as passwords or passphrases, PINs and security tokens. Multi-factor authentication is widely used: two or more authentication factors are required, giving a multilayered defense.
Need for organizations to implement access controls in relation to maintaining CIA:
There is no doubt that implementing access control is the primary method for an organization to maintain the fundamentals of information security.
Access to information should be restricted to those who are supposed to access the data. Data is divided into categories based on the type of damage that could result if it were exposed, and protective measures are implemented according to these categories. Ultimately, protecting confidentiality is a must.
Integrity assures that sensitive data is trustworthy and accurate; its consistency, trustworthiness and accuracy must be maintained over its lifetime. Sensitive data should not be manipulated or changed in transit, and security measures such as system logins and user access controls should ensure that unauthorized users cannot modify the content.
Availability is the guarantee of constant and continuous access to sensitive data by intended users only. Hence the organization needs to prevent server downtime caused by cyber-attacks. Strict access control must therefore be implemented to maintain all three factors of security in an organization.
Yes, it is risky to store customer information for repeated visits if session management is not properly implemented, i.e. it must be ensured that a session expires after a certain amount of time and the user is asked to re-authenticate.
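As an added example that is not part of this essay, the session rule above (expire after a set time and require re-authentication), combined with the per-request verification and client IP check listed earlier, in Python. The timeout values and the in-memory store are assumptions for illustration.

```python
import secrets
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60       # seconds of inactivity before re-authentication (assumed value)
ABSOLUTE_TIMEOUT = 8 * 3600  # hard cap on session age regardless of activity (assumed value)


@dataclass
class Session:
    user: str
    client_ip: str   # address the session was issued to
    created: float   # login time (seconds)
    last_seen: float # time of the last validated request


class SessionStore:
    """In-memory store; a session expires on idle or absolute timeout and is bound to the client IP."""

    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def login(self, user: str, client_ip: str, now: float) -> str:
        # Session id is random and unpredictable, never derived from user data.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, client_ip, now, now)
        return sid

    def validate(self, sid: str, client_ip: str, now: float) -> tuple[bool, str]:
        """Run on every request. Returns (ok, user_or_reason); a failed session is destroyed."""
        s = self._sessions.get(sid)
        if s is None:
            return False, "unknown session: re-authenticate"
        if now - s.created > ABSOLUTE_TIMEOUT:
            self._sessions.pop(sid)
            return False, "absolute timeout: re-authenticate"
        if now - s.last_seen > IDLE_TIMEOUT:
            self._sessions.pop(sid)
            return False, "idle timeout: re-authenticate"
        if s.client_ip != client_ip:
            # Session presented from a different address than it was issued to.
            self._sessions.pop(sid)
            return False, "client address changed: re-authenticate"
        s.last_seen = now  # activity extends the idle window, never the absolute limit
        return True, s.user
```

The absolute timeout is what stops a long-lived "remember me" session from staying valid indefinitely just because it is used regularly.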
Necessary components within an organization's access control metric:
Organizations planning to implement access control should consider the following three components.
Access control policies
Access control policies are top-level requirements that specify how access is managed, who can access the information, and under what circumstances. For example, policies may cover the use of resources within or outside organizational units.