Access Control Principles
WHO - WHEN - WHERE
Keys are primitive, Secure Access Control NOW!
Effective security starts with understanding the principles involved. Simply going through the motions of applying some memorized set of procedures isn't sufficient in a world where today's "best practices" are tomorrow's security failures.
Among the most basic of security concepts is access control. Everything from catching a train to launching nuclear missiles is protected, at least in theory, by some form of access control. Because of its universal applicability to security, access control is one of the most important security concepts to understand.
The key to understanding access control security is to break it down. There are three core elements to access control.
- Identification: For access control to be effective, it must provide some way to identify an individual. The weakest identification capabilities will simply identify someone as part of a vague, poorly defined group of users who should have access to the system. Keys to the building are the lowest form of access, and should not be considered security for a premises, because they are simple and have weaknesses that can be exposed. Access credentials like a proximity card, however, allow far greater identification of a user.
- Authentication: Identification requires authentication. This is the process of ensuring that the identity in use is authentic — that it's being used by the right person. Pair a proximity credential with an access code, to be used at the entry point to a restricted area, and we can start to realise the potential.
- Authorization: The set of actions allowed to a particular identity makes up the meat of authorization. On an access-controlled door, authorization typically takes the form of read, authorize, and execution of the permissions tied to a username.
These three elements of access control combine to provide the protection you need — or at least they do when implemented so they cannot be circumvented. For the example of simple access to a basic area in a building, identification is necessary for history recording (i.e., tracking user behavior) and for providing something to authenticate. Authentication is necessary to ensure the identity isn't being used by the wrong person, and authorization limits an identified, authenticated user to only the areas they need to access. A question that we put to customers is 'Should Jim be allowed access to your server room at 3am on Sunday?' After a momentary pause to reflect, it's simple in its obviousness. If Jim is not allowed in the server room at 3am on Sunday, then DON'T let him have access.
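The WHO - WHEN - WHERE decision described above can be sketched as a door controller's check. This is an added example, not code from the original page or from any product; the card ID, access code, user, zone names and schedules are constructed assumptions.

```python
import hashlib
import hmac
from datetime import datetime, time

# All card IDs, PINs, users, zones and schedules below are constructed sample data.
SALT = b"constructed-demo-salt"

def pin_hash(pin: str) -> bytes:
    """Store and compare a slow salted hash of the access code, never the code itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), SALT, 100_000)

# Identification (WHO): the proximity card ID maps to exactly one named user.
CARDS = {"04A1B2": {"user": "jim", "pin": pin_hash("4821")}}

# Authorization (WHERE + WHEN): (user, zone) -> allowed (weekdays, start, end); Monday is 0.
SCHEDULE = {
    ("jim", "office"): [(range(0, 7), time(0, 0), time(23, 59, 59))],
    ("jim", "server_room"): [(range(0, 5), time(8, 0), time(18, 0))],
}

AUDIT = []  # history recording: every decision is logged, denials included

def decide(card_id: str, pin: str, zone: str, when: datetime) -> str:
    record = CARDS.get(card_id)
    user = record["user"] if record else None
    if record is None:
        result = "deny: unknown card"
    # Authentication: constant-time comparison of the presented code's hash.
    elif not hmac.compare_digest(record["pin"], pin_hash(pin)):
        result = "deny: bad access code"
    # Default deny: no schedule entry for this user and zone means no access.
    elif not any(when.weekday() in days and start <= when.time() <= end
                 for days, start, end in SCHEDULE.get((user, zone), [])):
        result = "deny: outside authorized zone or time"
    else:
        result = "grant"
    AUDIT.append((when.isoformat(), card_id, user, zone, result))
    return result

if __name__ == "__main__":
    sunday_3am = datetime(2024, 1, 7, 3, 0)    # a Sunday
    tuesday_10am = datetime(2024, 1, 9, 10, 0)
    print(decide("04A1B2", "4821", "server_room", sunday_3am))
    print(decide("04A1B2", "4821", "server_room", tuesday_10am))
    print(decide("04A1B2", "0000", "server_room", tuesday_10am))
    for entry in AUDIT:
        print(entry)
```

Jim's valid card and code still open the office on Sunday at 3am, but the server room is denied, and the denial is recorded against his identity rather than an anonymous key.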
Depending on the type of security you need, various levels of protection may be more or less important in a given case. Access to a meeting room may need only a key kept in an easily broken lockbox in the receptionist's area, but access to the servers probably requires a bit more care.
However, even many companies aren't as aware of the importance of access control as they would like to think. Sure, they may be using a master key setup. But if all you need to physically get to the servers is a key, and even the cleaners have copies of the key, then is it really control?
Remember that 90% of theft is from opportunity. It's your responsibility to reduce that opportunity, and it's Argon Security who will assist you to achieve control of your premises.