Research Paper: Access Control in Information Security

Pages: 8 (2594 words)  ·  Bibliography Sources: 10  ·  Level: College Senior  ·  Topic: Education - Computers

Access Control in Information Security

In the contemporary business environment, sensitive and confidential information has become an intangible asset that organizations use to achieve competitive advantage. Accurate information and data have become powerful tools that corporations use to improve decision making, which in turn helps an organization stay ahead of competitors and win larger market shares in a competitive market. While organizations rely on digital information more than ever before to make faster decisions and gain a competitive advantage, criminals seek the same information to achieve their own objectives. Information security is a critical tool that organizations can employ to safeguard their sensitive and confidential information against external intruders. When organizations fail to protect their sensitive information against external intruders, they can compromise their annual profits, their competitive market advantage and the well-being of their customers. Sensitive information that is not properly protected could land in the hands of competitors, jeopardizing the organization's market share.

Information security is a critical tool to guard against unauthorized access to company information. Typically, information security comprises the means and strategies that organizations employ to safeguard their highly valued information against unauthorized access, modification, disruption, use, inspection, disclosure, or destruction (Layton, 2007).

Despite the benefits that organizations could derive from integrating information security into their business processes, many of the security protocols currently implemented to deal with security threats are too broad, and many of them cannot deliver effective protection tailored to the firm's business objectives. Organizations need to focus on a specific security system that caters for their specific needs. Access control is an information security tool that small, medium and large organizations can employ to safeguard their data from unauthorized access.

"Traditionally, access control is understood as a purely technical mechanism which rejects or accepts access attempts automatically according to a specific preconfiguration. However, such a perspective neglects the practices of access control and the embeddedness of technical mechanisms within situated action." (Stevens & Wuff, 2009, p. 12).

The fundamental objective of this research is to investigate the role of access control in enhancing the information security of corporations, governments and private individuals.

Access Control in Information Security

Access control is an information security mechanism that verifies the authenticity of a user before granting access to sensitive and privileged information. Access control verifies whether a user has the privilege required to access an information resource. Controlling access to information resources is critical to information security, and organizations need to implement effective security procedures that control who may access company resources and information assets, in order to safeguard their highly valued information from unauthorized disclosure and modification. Access controls address three issues: integrity, confidentiality and availability.

Lee et al. (2011) argue that access control systems improve the security of intranet data using encryption and decryption techniques. In the contemporary business environment, the use of intranets is on the rise, and organizations use authentication techniques to allow only authorized users to access company data. A method to prevent erroneous or unauthorized access to data is access control authentication. This technique prevents information leakage and corruption by mistake. Stevens and Wuff (2009) support this argument by pointing out that the traditional access control protocol is an important security procedure that automatically accepts or rejects authorized or unauthorized access according to a specific configuration. The authors categorize access controls as authorization, authentication, and encryption. Encryption and authentication are important security tools for controlling access via public networks. While authentication and encryption are important aspects of information security, compared to authorization they are not access control tools per se. Authorization is the access control relevant to safeguarding information systems, especially within public network systems (Stevens, Quaisser, and Klann, 2006).

Tolone et al. (2005), for their part, point out that balancing collaboration and security is often challenging for many organizations. While the goal of collaboration is to build fruitful connections among people, the security systems are there to ensure the confidentiality, integrity and availability of those same elements. Collaborative systems and multi-user applications allow users to communicate without interference from an unauthorized intruder. Examples of such collaborative systems include video conferencing, workflow management systems, and collaborative document editing and sharing. All these information-sharing resources contain information of differing degrees of sensitivity, and security systems are needed to safeguard their confidentiality, availability, and integrity across the network.

Tolone et al. (2005) argue that access control is one of the important security systems that enhances proper authentication, which assists in managing which files may be transferred and received across the network. One example of an access control tool is RBAC (Role-Based Access Control). RBAC is an information security tool that allows authorized users to access information assets. Typically, RBAC is scalable and greatly reduces costs and administrative overheads (Tolone et al., 2005).

Despite the importance of access control in protecting company information assets, access control vulnerabilities are on the increase, posing serious security threats to web applications. Access control vulnerabilities feature among the "Top 10 Most Critical Web Application Security Risks" (Gauthier and Merlo, 2012, p. 247).

Shortcomings Identified with Access Control

The shortcomings identified in the application of access control contribute to the increase in access control vulnerabilities. Typically, unauthorized users capture information in order to modify, edit, or otherwise corrupt the data. A comparative analysis of access control with cross-site scripting flaws and SQL injection shows that access control vulnerabilities receive less attention than other web application vulnerabilities. While access controls are critical defense mechanisms, attackers who bypass them can often compromise the entire application and gain access to sensitive data.

Li and Tripunitara (2006) point out that managing large-scale access control is often a challenging problem. The difficulty often lies in the implementation of security analyses such as safety and availability, which are hard to manage. While the goal of security analysis is to enhance the protection of information systems, access control can only be preserved as long as there is cooperation among trusted users. One of the important shortcomings of traditional access control is its static roles. For example, traditional RBAC supports role activation, but it does not provide enough room for collaborative activities. More importantly, while RBAC allows contexts for the activation, deactivation and management of passive and active security systems, traditional RBAC lacks the ability to enforce fine-grained control over individual users. Moreover, the traditional RBAC model does not address the flexible constraints needed to support emerging web applications (Ahn and Sandhu, 2000).

Spatial access control is another information security tool that supports collaborative spatial environments; it explicitly hides the security mechanisms from end users. The model uses the notion of credentials to gain access to regions of the information system. The downside of this model is that it does not provide effective access control. Moreover, the model lacks the security complexity needed to provide a significant level of security (Bullock and Benford, 1999).

TBAC (Task-Based Access Control) is another information security mechanism that supports instance-, type-, and usage-based access. Moreover, TBAC supports authorizations that have strict validity, runtime usage, and expiration characteristics. TBAC is very effective for security modeling and enforcement from an application and enterprise point of view (Kang, Park, and Froscher, 2001). While TBAC incorporates contextual parameters into its security procedures, TBAC is not effective with respect to workflow, activities and task progress. Typically, TBAC is only effective in keeping track of the validity and usage of permissions. While TBAC allows activation and deactivation in a timely manner, the drawback of this system is that it introduces several constraints, such as race conditions across distributed workflows. More importantly, TBAC's specifications for revocation and delegation, and for complex policies and their management, are very primitive.

TMAC (Team-Based Access Control) grants access rights to groups of users rather than to individuals. TMAC often has an advantage over RBAC because it provides fine-grained control over individual users.

"As a further extension to this approach, Context-based TMAC (C-TMAC) integrates RBAC and TMAC by incorporating context as an entity in the architecture. C-TMAC seeks to include contextual information other than user and object contexts such as time, place, and so forth." (Tolone, Ahn, Pai, et al., 2005, pp. 36-37).

While TMAC and C-TMAC have special features to support dynamic and contextual information systems, their shortcoming is that the models are not fully developed and do not incorporate effective strategies for integrating both TMAC and C-TMAC concepts into the RBAC framework. Moreover, both TMAC and C-TMAC lack self-administration, and "the fine-grained administration of TMAC and C-TMAC entities and relations is necessary to demonstrate applicability and usability… [END OF PREVIEW]
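The static-role limitation of RBAC discussed above, and the team and context constraints that TMAC and C-TMAC add on top of it, can be seen side by side in a small policy engine. This is an added example, not code from the essay or from the cited papers; the roles, users, team and the encoding of context constraints as allowed hours and locations are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample policy: static RBAC as the essay describes it
ROLE_PERMISSIONS = {
    "clinician": {"read_record", "update_record"},
    "auditor": {"read_record"},
}
USER_ROLES = {"alice": {"clinician"}, "bob": {"auditor"}}

def rbac_allows(user: str, permission: str) -> bool:
    """Classic RBAC: a user holds a permission iff one of their roles grants it.
    The decision is static: it ignores which team or context the request is in."""
    return any(permission in ROLE_PERMISSIONS[r] for r in USER_ROLES.get(user, ()))

@dataclass(frozen=True)
class Context:
    """Contextual attributes C-TMAC adds beyond user and object: time and place."""
    hour: int
    location: str

@dataclass
class Team:
    """A TMAC team: members share access to the team's objects only while on it."""
    name: str
    members: set
    objects: set
    # Hypothetical encoding of C-TMAC context constraints: allowed hours and sites
    hours: range = field(default_factory=lambda: range(0, 24))
    locations: set = field(default_factory=lambda: {"any"})

def ctmac_allows(user: str, permission: str, obj: str, team: Team, ctx: Context) -> bool:
    """Grant only if RBAC grants the permission, the user is on the team that owns
    the object, and the request's context satisfies the team's constraints."""
    if not rbac_allows(user, permission):
        return False
    if user not in team.members or obj not in team.objects:
        return False
    in_hours = ctx.hour in team.hours
    at_site = "any" in team.locations or ctx.location in team.locations
    return in_hours and at_site

if __name__ == "__main__":
    ward = Team("ward-7", {"alice"}, {"patient-42"}, range(7, 19), {"ward-7"})
    # RBAC alone lets alice update any record at any time...
    print(rbac_allows("alice", "update_record"))
    # ...while C-TMAC also requires the team, the shift and the place to match.
    print(ctmac_allows("alice", "update_record", "patient-42", ward, Context(10, "ward-7")))
    print(ctmac_allows("alice", "update_record", "patient-42", ward, Context(23, "ward-7")))
```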


Cite This Research Paper:

APA Format

Access Control in Information Security.  (2012, December 29).  Retrieved November 15, 2019, from https://www.essaytown.com/subjects/paper/access-control-information-security/6330798
