Chapter 3: Authentication and Access Control
04/07/2024 Computer and Network Security 1 By: Mechal T.
Outline
Authentication
Authorization
Authentication factors
Authentication techniques
Access control elements
Access control models
Authentication
Authentication is the process of verifying someone's identity by
confirming that the person is who they claim to be.
It is used by both server and client.
The server uses authentication when someone wants to access
the information, and the server needs to know who is accessing
the information.
The client uses it when it wants to confirm that the server is the
one it claims to be.
The authentication by the server is done mostly by using the
username and password.
Other ways of authentication by the server can also be done
using cards, retina scans, voice recognition, and fingerprints.
Authentication does not determine what tasks a person can carry out
within a process, or what files they can view, read, or update.
It mainly establishes who the person or system actually is.
Authentication Factors:
Depending on the required security level and the type of application,
there are different types of authentication factors:
Single-Factor Authentication
Two-Factor Authentication
Multi-Factor Authentication
1. Single-Factor Authentication
Single-factor authentication is the simplest way of
authentication.
It needs only a username and password to allow a user to access
a system.
2. Two-factor Authentication
As the name suggests, it is two-level security; hence it needs
two-step verification to authenticate a user.
It requires not only a username and password but also unique
information that only the particular user knows, such as the
name of their first school or a favorite destination.
Apart from this, it can also verify the user by sending an OTP
or a unique link to the user's registered number or email
address.
3. Multi-factor Authentication
This is the most secure and advanced level of authorization.
It requires two or more levels of security from different and
independent categories.
This type of authentication is usually used in financial
organizations, banks, and law enforcement agencies.
It is intended to eliminate any data exposure to third parties
or hackers.
Famous Authentication techniques
1. Password-based authentication
It is the simplest way of authentication.
It requires the password for the particular username.
If the password matches the username and both details match
the system's database, the user is successfully authenticated.
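An added example (not from the lecture) of the password check described above, with the defender's detail the slide leaves out: the "database" stores a salted PBKDF2 hash rather than the password, and the comparison is constant-time. The user database and the credentials in it are constructed for the example.

```python
import hashlib
import hmac
import os

# Cost parameter for PBKDF2-HMAC-SHA256 (constructed value for the example).
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length hash from the password and a per-user random salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(db: dict, username: str, password: str) -> None:
    """Store (salt, hash) for the user; the plaintext password is never kept."""
    salt = os.urandom(16)
    db[username] = (salt, hash_password(password, salt))


def authenticate(db: dict, username: str, password: str) -> bool:
    """Return True only if the username exists and the password matches its record."""
    record = db.get(username)
    if record is None:
        # Hash anyway so an unknown username costs about as much as a wrong
        # password; otherwise response time would reveal which usernames exist.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = record
    # compare_digest takes the same time whether or not the hashes agree,
    # so the comparison itself does not leak how much of the hash matched.
    return hmac.compare_digest(stored, hash_password(password, salt))


def demo_db() -> dict:
    """Constructed user database with a single registered account."""
    db = {}
    register(db, "alice", "correct horse battery staple")
    return db


if __name__ == "__main__":
    users = demo_db()
    print(authenticate(users, "alice", "correct horse battery staple"))  # True
    print(authenticate(users, "alice", "wrong password"))                # False
```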
2. Passwordless authentication
In this technique, the user doesn't need any password; instead,
they receive an OTP (one-time password) or a link on their
registered mobile or phone number.
It is also called OTP-based authentication.
3. 2FA/MFA
2FA/MFA, or two-factor authentication/multi-factor authentication,
is a higher level of authentication.
It requires an additional PIN or security questions in order to
authenticate the user.
4. Single Sign-on
Single Sign-on, or SSO, is a way to enable access to multiple
applications with a single set of credentials.
It allows the user to sign in once and be automatically signed
in to all other web apps from the same centralized directory.
5. Social Authentication
Social authentication does not require additional security;
instead, it verifies the user with their existing credentials for
an available social network.
Authorization
Authorization is the process of granting someone permission to do
something.
It is a way to check whether or not the user has permission to use
a resource.
It defines what data and information a user can access.
Authorization usually works together with authentication so that
the system knows who is accessing the information.
Authorization is not always necessary to access information
available over the internet.
Authentication vs. Authorization

Authentication: the process of identifying a user to provide access to a system.
Authorization: the process of giving permission to access the resources.

Authentication: the user or client and server are verified.
Authorization: it is verified whether the user is allowed through the defined policies and rules.

Authentication: usually performed before the authorization.
Authorization: usually done once the user is successfully authenticated.

Authentication: requires the login details of the user, such as user name & password, etc.
Authorization: requires the user's privilege or security level.

Authentication: data is provided through the Token Ids.
Authorization: data is provided through the access tokens.

Authentication example: entering login details is necessary for the employees to authenticate themselves to access the organizational emails or software.
Authorization example: after employees successfully authenticate themselves, they can access and work on certain functions only as per their roles and profiles.

Authentication: credentials can be partially changed by the user as per the requirement.
Authorization: permissions cannot be changed by the user. The permissions are given to a user by the owner/manager of the system, and only he can change them.
Access Control
Access control is the prevention of unauthorized use of a
resource (including the prevention of use of a resource in an
unauthorized manner).
It is the central element of computer security.
It is used for boundary protection.
Access control permits users and groups:
to authenticate to the system;
to be assigned access rights to certain resources in the system,
i.e. to be authorized.
Access Control Elements
Subject - an entity that can access objects
a process representing a user/application
subjects often fall into 3 classes: owner, group, world
Object - an access-controlled resource
e.g. files, directories, records, programs etc.
their number/type depend on the environment
Access right - the way in which a subject accesses an object
e.g. read, write, execute, delete, create, search
Access Control Categories
There are two basic categories of access control:
Physical Access Control and
Logical Access Control
Physical access control limits access to campuses, buildings,
rooms and physical IT assets.
Logical access control limits connections to computer networks,
system files and data.
To secure a facility, organizations use electronic access control
systems that rely on user credentials, access card readers,
auditing and reports to track employee access to restricted
business locations and proprietary areas, such as data centers.
Some of these systems incorporate access control panels to
restrict entry to rooms and buildings, as well as alarms and
lockdown capabilities, to prevent unauthorized access or
Why is Access Control Important
The goal of access control is to minimize the security risk of
unauthorized access to physical and logical systems.
Access control is a fundamental component of security
compliance programs that ensures security technology and
access control policies are in place to protect confidential
information, such as customer data.
Most organizations have infrastructure and procedures that limit
access to networks, computer systems, applications, files and
sensitive data, such as personally identifiable information and
Access control systems are complex and can be challenging to
manage in dynamic IT environments that involve on-premises
systems and cloud services.
After high-profile breaches, technology vendors have shifted
away from single sign-on systems to unified access
management, which offers access controls for on-premises and
cloud environments.
How Access Control Works
Access controls identify an individual or entity, verify that the
person or application is who or what it claims to be, and authorize
the access level and set of actions associated with the username or
IP address.
Directory services and protocols, including Lightweight Directory
Access Protocol and Security Assertion Markup Language,
provide access controls for authenticating and authorizing users
and entities and enabling them to connect to computer resources,
such as distributed applications and web servers. Organizations
use different access control models depending on their compliance
Access Control Models
The main models of access control are the following:
Mandatory access control (MAC).
Discretionary access control (DAC).
Role-based access control (RBAC).
Rule-based access control (RBAC).
Attribute-based access control.
1. Mandatory Access Control
In MAC, the operating system provides access to the user based
on their identities and data.
To gain access, the user has to submit their personal
information.
It is very secure because the rules and restrictions are imposed
by the admin and are strictly followed.
MAC settings and policy management are established in a secure
network and are limited to system administrators.
Attributes of MAC
It has tighter security because only the administrator can access
or alter controls. It can also help to reduce system errors.
MAC has an enforced operating system that can label and
delineate incoming application data.
Maintenance will be difficult because only the administrator can
have access to the database.
Ex: the access levels of Windows for ordinary users, admins, and
guests are examples of MAC.
2. Discretionary Access Control (DAC)
DAC is identity-based access control.
DAC mechanisms are controlled by user identification such as
username and password.
DAC is discretionary because the owners can transfer objects or
any authenticated information to other users.
In simple words, the owner determines the access privileges.
Attributes of DAC
Users can transfer their object ownership to another user.
The access type of other users can be determined by the user.
Authorization failure can restrict the user's access after several
failed attempts.
Unauthorized users will be blind to object characteristics such as
file size, directory path, and file name.
Ex: Linux file system permissions are an example of DAC.
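An added example (not from the lecture) that ties the access control elements (subject, object, access right, and the owner/group/world subject classes) to the DAC attributes just listed: the owner decides other users' access types and can transfer ownership, in the style of Linux file permissions. The `Subject`/`Resource` classes and the sample users and file are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Subject:
    """A user (or a process acting for one) that requests access."""
    name: str
    groups: set


@dataclass
class Resource:
    """An access-controlled object: owner, group, and rights per subject class."""
    name: str
    owner: str
    group: str
    perms: dict  # "owner" | "group" | "world" -> set of rights from {"r", "w", "x"}


def subject_class(subject: Subject, obj: Resource) -> str:
    """Classify the subject relative to the object, most specific class first."""
    if subject.name == obj.owner:
        return "owner"
    if obj.group in subject.groups:
        return "group"
    return "world"


def check_access(subject: Subject, obj: Resource, right: str) -> bool:
    """Access decision: the subject's class on the object must hold the right."""
    return right in obj.perms.get(subject_class(subject, obj), set())


def set_perms(actor: Subject, obj: Resource, perms: dict) -> bool:
    """Discretionary part: only the current owner may change who gets which rights."""
    if actor.name != obj.owner:
        return False
    obj.perms = perms
    return True


def transfer_ownership(actor: Subject, obj: Resource, new_owner: str) -> bool:
    """The owner may hand the object to another user, who then controls it."""
    if actor.name != obj.owner:
        return False
    obj.owner = new_owner
    return True
```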
3. Role-based access control (RBAC)
This is a widely used access control mechanism that restricts
access to computer resources based on individuals or groups
with defined business functions (ex: executive level, engineer
level 1, etc.) rather than the identities of individual users.
The role-based security model relies on a complex structure of
role assignments, role authorizations and role permissions
developed using role engineering to regulate employee access
4. Rule-based access control
This is a security model in which the system administrator
defines the rules that govern access to resource objects.
These rules are often based on conditions, such as time of day
or location.
It is not uncommon to use some form of both rule-based access
control and RBAC to enforce access policies and procedures.
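An added example (not from the lecture) of the combination the last sentence describes: RBAC decides what a role may do, and rule-based conditions on time of day and location gate the final decision. The role names, permissions, users and rules are constructed for the example.

```python
# Constructed RBAC layer: roles carry permissions, users are assigned roles.
ROLE_PERMISSIONS = {
    "engineer_l1": {"read:tickets", "update:tickets"},
    "executive": {"read:tickets", "read:finance", "approve:budget"},
}
USER_ROLES = {"alice": {"engineer_l1"}, "bob": {"executive"}}

# Constructed rule-based layer: conditions on the request context (hour 0-23, location).
BUSINESS_HOURS = (8, 18)          # inclusive start and end hour
OFFICE_LOCATIONS = {"HQ"}


def rbac_allows(user: str, permission: str) -> bool:
    """True if any role assigned to the user carries the permission."""
    roles = USER_ROLES.get(user, set())
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in roles)


def rules_allow(permission: str, ctx: dict) -> bool:
    """Apply every rule that covers the permission; any failing rule denies."""
    start, end = BUSINESS_HOURS
    # Rule 1: finance reads and approvals only during business hours.
    if permission.endswith(":finance") or permission.startswith("approve:"):
        if not (start <= ctx["hour"] <= end):
            return False
    # Rule 2: approvals only from an office location.
    if permission.startswith("approve:") and ctx["location"] not in OFFICE_LOCATIONS:
        return False
    return True


def authorize(user: str, permission: str, ctx: dict) -> bool:
    """Default deny: both the role assignment and the rules must permit the action."""
    return rbac_allows(user, permission) and rules_allow(permission, ctx)


if __name__ == "__main__":
    print(authorize("bob", "approve:budget", {"hour": 10, "location": "HQ"}))    # True
    print(authorize("bob", "approve:budget", {"hour": 10, "location": "home"}))  # False
```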
5. Attribute-based access control
This is a methodology that manages access rights by evaluating
a set of rules, policies and relationships using the attributes of
users, systems and environmental conditions.
Implementing Access Control
Access control is integrated into an organization's IT
environment.
It can involve identity management and access management
systems.
These systems provide access control software, a user database
and management tools for access control policies, auditing and
enforcement.
When a user is added to an access management system, system
administrators use an automated provisioning system to set up
The best practice of least privilege restricts access to only
resources that employees require to perform their immediate job
functions.
Challenges of Access Control
Many of the challenges of access control arise from the highly
distributed nature of modern IT.
It is difficult to keep track of constantly evolving assets because
they are spread out both physically and logically.
Specific examples of challenges include the following:
Dynamically managing distributed IT environments;
Password fatigue;
Compliance visibility through consistent reporting;
Centralizing user directories and avoiding application-specific
classification; and
Data governance and visibility through consistent reporting.
Access Control Software
Many types of access control software and technology exist,
and multiple components are often used together as part of a
larger identity and access management (IAM) strategy.
Software tools may be deployed on premises, in the cloud or
both.
They may focus primarily on a company's internal access
management or outwardly on access management for
Types of access management software tools include the
following:
Reporting and monitoring applications
Password management tools
Provisioning tools
Identity repositories
Security policy enforcement tools
Microsoft Active Directory is one example of software that
includes most of the tools listed above in a single offering.
Thank You