Question

Info Information Security & Assurance question:

what is authentication&access control and why is it important?

Answer 1

`Hey,

Note: Brother in case of any queries, just comment in box I would be very happy to assist all your queries

Authentication

Modern computer systems provide services to multiple users and require the ability to accurately identify the user making request. In traditional systems, the user's identity is verified by checking a password typed during the login; the system record the identity and use it to determine what operations may be performed. The process of verifying the user's identity is called authentication. Password-based authentication is not suitable for use on computer networks. Password send across the networks can be intercepted and subsequently used by eavesdroppers to impersonate the user. In addition to the security concern, password based authentication is inconvenient; user does not want to enter password each time they access the network service. this has led to the use of the even weaker authentication on computer networks. To over come these problems we need a stronger authenticatin methods based on cryptography are required. When using authentication based on cryptography, an attacker listing to the network gain no information that would enable it to falsely claim another's identity. Kerberos is the most commonly used example of this type of authentication technology.

Authentication is critical for security of of computer systems. Without the knowledge of the identity of a principal requesting an operation, it is difficult to decide weather the operation should be allowed.

Access Control

The purpose of access control is to limit the actions or operations that a legitimate user of a computer system can perform. Access control constrains what a user can do directly, as well as what programs executing on behalf of the users are allowed to do. In this way access control seeks to prevent activity that could lead to a breach of security.

Access control relies on and coexists with other security services in a computer system. Access control is concerned with limiting the activity of legitimate users. It is enforced by a reference monitor which mediates every attempted access by a user ( or program executing on behalf of that user) to objects in the system. The reference monitor consults an authorization database in order to determine if the user attempting to do an operation is actually authorized to perform that operation. Authorizations in this database are administered and maintained by a security administrator. The administrator sets these authorizations on the basis of the security policy of the organisation. Users may also be able to modify some portion of the authorization database, for instance, to set permissions for their personal files. Auditing monitors and keeps a record of relevant activity in the system.

It is important to make a clear distinction between auhentication and access control. Correctly establishing the identity of the user is the responsibility of the athentication service. Access control assumes that the authentication of the user has been successfully verified prior to enforcement of access control via a reference monitor

Kindly revert for any queries

Thanks.