Using Roles
Using Roles
Access control is the process of authorizing user’s access to a particular resource. It is security features that control access to files, folders, or specific portions of the network on the system. It prevents unauthorized users from gaining access to resources. This is done by IT administrators assigning rights to personnel that fit their job roles which is based on the need of their current position. Controlling the access that users have on the network is vital. It is important to keep the network secure, by authenticating, authorizing, and auditing access to the system.
McBride financial houses employee information as well as sensitive customer data. Financial records that if altered, stolen or lost, could put McBride and their customers’ at risk. McBride is trying to ensure that the network is secure, users only have the necessary access to files, folders and other resources on the network. Resources generally include: applications, operating systems, firewalls, routers, files and databases. (Stallings & Brown, 2012). The goal is to structure the network and formulate the proper protocols that allow users to successfully complete their duties with compromising the network.
One way to protect the network is by using the Separation of Duty concept. Separation of Duty is when no two users can start action on the same task. This means that there is a restriction of power. The individual that creates and designs the network cannot be the same person that audits the network (Coleman, 2008). This cuts down on conflicts of interest, wrongful acts, fraud and abuse of the system. Separation of the duty ensures that the system detects failures such as security breaches, information theft, and circumvention of security controls.
Separation of Duty ensures that no lone person can compromise the security of the network. Separation between the operations department, development and testing of security and all controls will help reduce the risk of unauthorized users accessing the system. A separation of Duty sets up checks and balances within the infrastructure.
With the sensitive information that McBride deals with, setting up the infrastructure using the separation of duty concept is ideal. No one person can have control over the system and it allows for reduction of conflict of interest situations.
Another way to bolster the network and keep the information secure is by setting access controls. There are a few different types of access controls. There are network access control (NAC), identity management (IDM), Web access control, remote access control, and device or endpoint access control (Bigelow, 2008). Access control uses authentication to confirm a user’s credentials. Credentials can include a username, PIN, or a smart card. Once the user is identified, authorization is given which allows access to databases, files, data storages, and servers. The third process in access control is auditing. Auditing allows for the monitoring of the system and the review of any user activity.
There are different methods of access control. Mandatory Access Control (MAC), Discretionary Access Control (DAC), and Role Based Access Control (RBAC). MAC matches sensitivity labels to users and resources that allow access to objects using their sensitivity labels. DAC allows the owner of a resource to determine who can access specific resources. RBAC is the most common method used to control access. Privileges and rights are assigned to groups of users. Access control is implemented into the existing infrastructure. Access controls are