Of all the concepts in Information Security, Access Control is by far the most widely known. It is the public face of Information Security: the lock for every key, the deadbolt for every door, and the login prompt for every operating system. In short, Access Control is the mechanism by which unauthorized users and resources are prevented from using a system while, at the same time, authorized users and resources are let through.
In the beginning, there was physical security. This is the type of security most people were familiar with before the invention of the computer network. In those days being secure simply meant that only authorized people could get into specific locations. Padlocks and deadbolts were the order of the day, and no one could get in, or out, without a key. In this setup the key is the user's authorization and the lock is the access control. The problem is that keys are easy to copy, and to add authentication you would need guards asking for identification.
Today, with technologies like the Internet and wireless local area networks, things get a lot more complex. A lock on the datacenter door may not be enough to keep out some 16-year-old sitting in the parking lot with wireless sniffer or wardriving software on his or her laptop. Access must be controlled on every conduit through which information is exchanged.
Information must remain secure when it leaves a secure location, whether that means shredding printouts of patient data before they are thrown away, using a VPN over a public Internet connection, using leased lines between buildings, and definitely using security protocols like WPA, or LEAP or PEAP over WEP, on wireless networks connected to the corporate LAN.
At the same time, access through these security measures must be limited to authorized personnel or resources. Two examples of how access is granted to a user are Access Control Lists and Role-Based Access.
Access Control Lists (ACLs) have commonly been used in the past; they are simple to implement but notoriously hard to maintain. An ACL is as simple as its name implies: for any resource there is a list of the users or resources authorized to use it. When a user wishes to print a document, the user simply presents the printer with their authentication credentials; if the printer finds that user on its ACL it prints, otherwise it refuses. Easy, right? The problem comes when you have to keep the lists up to date. When someone leaves, you must remove their credentials from every resource. Another problem arises when a new user is added to the system and is to be given the same access as an existing user: an administrator must then look through every resource to find which ones have the original user in their ACL, and for each one that does, add the new user. Now imagine hundreds, if not thousands, of users and you can see what a maintenance nightmare this becomes.
Newer Information Security systems use Role-Based Access for its maintenance simplicity. In Role-Based systems it is not a user, or another resource, that is granted access to a resource, but a role, which may contain users or, for that matter, other roles. You would not grant “Nurse Doe” access to the computer on the front desk nursing station; you would grant the role “Clinic Nurses” access to it, and then add “Nurse Doe” to the role “Clinic Nurses”. You could also add the role “Clinic Nurses” to the role “3rd Floor Personnel”, which has been granted rights to the 3rd Floor Lounge Computer. This way, if for some reason “Nurse Doe” moves to another hospital, no administrator needs to dig through every resource “Nurse Doe” has been granted access to in order to remove it; they simply remove him or her from the role “Clinic Nurses”. And when anyone else needs to be set up with the same access as “Nurse Doe”, they simply add that person to the “Clinic Nurses” role as well.
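To make the maintenance difference concrete, here is an added example (not code from the original article) that models both approaches side by side: a per-resource ACL, and a role-based system in which roles can contain other roles, as in the “Clinic Nurses” inside “3rd Floor Personnel” arrangement described above. The resource names and the “Nurse Doe” principal are taken from the text; the class and method names are assumptions made for this illustration. The role model also refuses to nest a role inside its own descendant, a cycle that would otherwise make membership resolution loop forever.

```python
"""Minimal ACL versus role-based access-control models (added illustration)."""
from collections import defaultdict


class AclSystem:
    """Access Control Lists: every resource carries its own list of principals."""

    def __init__(self):
        self.acls = defaultdict(set)  # resource -> set of user names

    def grant(self, resource, user):
        self.acls[resource].add(user)

    def is_allowed(self, user, resource):
        # The decision is local to the resource: is the user on its list?
        return user in self.acls.get(resource, set())

    def offboard(self, user):
        # The maintenance problem: every resource's list must be visited.
        touched = [r for r, users in self.acls.items() if user in users]
        for r in touched:
            self.acls[r].discard(user)
        return touched

    def clone_access(self, existing_user, new_user):
        # "Give the new hire the same access as X" costs the same full scan.
        touched = [r for r, users in self.acls.items() if existing_user in users]
        for r in touched:
            self.acls[r].add(new_user)
        return touched


class RoleSystem:
    """Role-Based Access: resources are granted to roles; roles nest in roles."""

    def __init__(self):
        self.members = defaultdict(set)  # role -> set of users
        self.parents = defaultdict(set)  # role -> roles it is a member of
        self.grants = defaultdict(set)   # resource -> set of roles

    def add_user_to_role(self, user, role):
        self.members[role].add(user)

    def add_role_to_role(self, child, parent):
        # Refuse cycles: if child is already an ancestor of parent, nesting
        # parent above child would make the role graph circular.
        if child == parent or child in self.ancestors_of_role(parent):
            raise ValueError(f"nesting {child!r} in {parent!r} creates a cycle")
        self.parents[child].add(parent)

    def grant(self, resource, role):
        self.grants[resource].add(role)

    def ancestors_of_role(self, role):
        # Transitive closure over parent roles (iterative, cycle-safe).
        seen, stack = set(), [role]
        while stack:
            for p in self.parents.get(stack.pop(), set()):
                if p not in seen:
                    seen.add(p)
                    stack.append(p)
        return seen

    def roles_of(self, user):
        # Direct memberships plus everything inherited through nesting.
        direct = {r for r, users in self.members.items() if user in users}
        effective = set(direct)
        for r in direct:
            effective |= self.ancestors_of_role(r)
        return effective

    def is_allowed(self, user, resource):
        return bool(self.roles_of(user) & self.grants.get(resource, set()))

    def offboard(self, user):
        # Only the user's direct role memberships need touching.
        touched = [r for r, users in self.members.items() if user in users]
        for r in touched:
            self.members[r].discard(user)
        return touched


def demo():
    """Walk through the article's hospital scenario and report what each model had to touch."""
    front_desk = "Front Desk Nursing Station Computer"
    lounge = "3rd Floor Lounge Computer"

    acl = AclSystem()
    acl.grant(front_desk, "Nurse Doe")
    acl.grant(lounge, "Nurse Doe")
    acl_touched = acl.offboard("Nurse Doe")  # two resources had to be edited

    rbac = RoleSystem()
    rbac.grant(front_desk, "Clinic Nurses")
    rbac.grant(lounge, "3rd Floor Personnel")
    rbac.add_role_to_role("Clinic Nurses", "3rd Floor Personnel")
    rbac.add_user_to_role("Nurse Doe", "Clinic Nurses")
    before = rbac.is_allowed("Nurse Doe", lounge)  # inherited via nesting
    rbac_touched = rbac.offboard("Nurse Doe")      # one role membership
    after = rbac.is_allowed("Nurse Doe", lounge)
    return {"acl_touched": acl_touched, "rbac_touched": rbac_touched,
            "lounge_before": before, "lounge_after": after}


if __name__ == "__main__":
    print(demo())
```

The point the numbers make is the one the article makes: offboarding under ACLs scales with the number of resources the person could reach, whereas under roles it scales with the number of roles they were directly placed in. The cycle check matters in practice, because a role graph is usually edited by many administrators over years, and an accidental loop is the kind of bug that only surfaces when an access check hangs.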