You can make a strong argument that the entire field of cybersecurity rests almost completely on identity verification and access control. Without those two functions, almost no other security technique matters. Every other element of security depends on the system identifying the user and validating their permissions to various objects.
Access control topologies in information technology span the digital and the physical realms. It’s as important to secure a server room door with a lock as it is to secure the server itself with a password.
And there is considerable crossover between digital and physical security in modern access control systems, where entryways are often secured by RFID (Radio-frequency Identification), keypad, or biometric readers that rely on electronic databases for identity verification and authorization. In such cases, the controls are only as strong as the weakest link—a door can be jimmied or a database hacked.
Identity management and access control are never far from the minds of cybersecurity teams. Nonetheless, even major agencies with large information security teams occasionally fumble the implementation of access control schemes. In 2016, a Government Accountability Office report found that four government agencies, including NASA and the Department of Homeland Security had failed to put in place adequate access control schemes for sensitive information.
How Do I Know You Are Who You Say You Are?
In most information systems, identity verification is extraordinarily rudimentary: as far as a computer is concerned, you are a username and a password, and anyone with that username and password is you. No access control mechanism in the world is sufficient to protect information if the person wishing to view it is believed (by the system controlling the data, at least) to be the rightful owner.
As long as the combination of username and password is, in fact, a uniquely identifying signature, this is no problem at all. But the relative weakness of most user-originated passwords and a long history of successful cryptographic attacks on password mechanisms have raised concerns about how much we can rely on the old user name/password combination.
Two Factor Schemes Rely on Tokens in Combination with Passwords
An alternative verification mechanism to the password is the key fob token. Tokens are small devices that generate a time-based key code that acts as an authentication mechanism. Unlike password controls, a fob can only be in the physical possession of a single person at a time (this ignores the problem of duplication, a concern dealt with by adequate cryptographic controls).
But in the real world, keys are lost or stolen, leading to a similar weakness as the password scheme. The upside is that users can more reliably detect when a physical object has been stolen versus a password.
Recognizing the weakness of relying on either of these imperfect mechanisms, many organizations now require a combination of the two as proof of identity. Two-factor authentication relies on something the user knows (a password) and something they have (a key or one-time code). It is, then, twice as difficult to compromise this system as either of them separately.
But even two-factor schemes are susceptible to attack. According to a June 2016 article in Engadget, civil rights activist DeRay McKesson had his Twitter account hijacked by hackers who use social engineering to redirect the text-based one-time login code from his phone to one of their own. Using the code, the hackers triggered a password reset and promptly owned the account.
Biometrics: The Next Phase in the Evolution of Access Control
More exotic authentication mechanisms rely on biometric data, personally identifying physical characteristics like fingerprints and iris scans. This type of authentication relies on something the user is and is much harder to spoof. But even biometric access control schemes are susceptible to hacking, with artificial fingers being used to fool early versions of fingerprint scanners, reverse-engineered irises passing muster with retina scanners and even face masks made convincingly enough to fool facial recognition technology.
The challenge for cybersecurity professionals in an unending arms race with hackers will be to develop more reliable methods of user verification that are also simple enough to be practical. A full FBI background check would, presumably, be reliable enough, but could also cause login attempts to take three to six months.
Access Controls Determine What Rooms You Can Enter Once You Are in the Front Door
Once a user has proven they are who they say they are to the system they are accessing, that system must implement controls to ensure they are only allowed to access the parts of that system they have permission to view or use.
This opens up the realm of access control. Access controls are the doors and walls of the system. Just as there are various methods for authenticating identity, there are a number of techniques that can be used for controlling access to resources:
- Role-based Access Control (RBAC) is determined by system policy and user role assignment
- Mandatory Access Control (MAC) is a rule-based system for restricting access, often used in high-security environments
- Discretionary Access Control (DAC) allows users to manipulate access settings of objects under their control
Implementing Policy-Based Access Controls
Of these, RBAC is probably the most common in today’s network settings. By establishing the bounds and rights of various role-based archetypes in an organization, administrators can easily define access permissions for a particular job function and then assign that role to everyone in the organization that performs that function. This eliminates the laborious and time-consuming task of reevaluating access for every individual.
This is an example of policy-based access control and is a key feature of enterprise authentication systems like Microsoft’s Active Directory.
The way in which these schemes are applied to data and services can further fall into one of two basic categories:
- Access Control Lists (ACLs)
- Capability-based Controls
ACLs (often pronounced like “hackles” without the “h”) rely on labeling each object in a system with a set of permissions designating what level of access various groups should be allowed. These permissions often have finite levels of discretion; one group may be able to read an object, for instance, but only members of another group can change or delete it.
Capability-based models rely on something like a virtual key fob, a token that is bestowed to a user account after authentication and verification, allowing the account to perform certain functions for a certain limited amount of time. Although secure, managing capability-based schemes is cumbersome and centralized.
Selecting the proper combination of identity and access control schemes to secure any particular system requires knowledge and experience. Information security specialists that understand how the pieces fit together generally have a background that includes studying cybersecurity at the graduate level.