written 5.3 years ago by
Access controls restrict unauthorized individuals from using information resources. These controls involve two major functions: authentication and authorization. Authentication confirms the identity of the person requiring access. After the person is authenticated (identified), the next step is authorization. Authorization determines which actions, rights, or privileges the person has, based on his or her verified identity.
Authentication
To authenticate (identify) authorized personnel, an organization can use one or more of the following methods: something the user is, something the user has, something the user does, and/or something the user knows.
Something the user is, also known as biometrics, is an authentication method that examines a person’s innate physical characteristics.
Common biometric applications are fingerprint scans, palm scans, retina scans, iris recognition, and facial recognition. Of these applications, fingerprints, retina scans, and iris recognition provide the most definitive identification.
Something the user has is an authentication mechanism that includes regular identification (ID) cards, smart ID cards, and tokens. Regular ID cards, or dumb cards, typically have the person’s picture and often his or her signature.
Smart ID cards have an embedded chip that stores pertinent information about the user.
Tokens have embedded chips and a digital display that presents a login number that the employees use to access the organization’s network. The number changes with each login.
Something the user knows is an authentication mechanism that includes passwords and passphrases. Passwords present a huge information security problem in all organizations. Most of us have to remember numerous passwords for different online services, and we typically must choose complicated strings of characters to make them harder to guess.
Security experts examined the frequency and usage of passwords belonging to 500,000 computer users. They found that each person had an average of 6.5 passwords that he or she used for 25 different online accounts. The basic guidelines for creating strong passwords are:
- They should be difficult to guess.
- They should be long rather than short.
- They should have uppercase letters, lowercase letters, numbers, and special characters.
- They should not be recognizable words.
- They should not be the name of anything or anyone familiar, such as family names or names of pets.
- They should not be a recognizable string of numbers, such as a Social Security number or a birthday.
Unfortunately, strong passwords are more difficult to remember than weak ones. Consequently, employees frequently write them down, which defeats their purpose. The ideal solution to this dilemma is to create a strong password that is also easy to remember. To achieve this objective, many people use passphrases.
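As an added illustration (not part of the original answer), the guidelines above can be turned into a checker that reports which rule a candidate password or passphrase fails. The word list and the familiar-name list are constructed placeholders standing in for an organization's dictionary and the user's own family or pet names.

```python
import re

# Constructed placeholder lists; a real deployment would load a dictionary
# and the user's own familiar names (family, pets) instead.
COMMON_WORDS = {"password", "welcome", "summer", "dragon", "letmein"}
FAMILIAR_NAMES = {"fido", "smith", "rover"}

def _monotone(run: str) -> bool:
    """True for 1234 / 4321 style runs of consecutive digits."""
    steps = {ord(b) - ord(a) for a, b in zip(run, run[1:])}
    return steps in ({1}, {-1})

def password_findings(pw: str, familiar=FAMILIAR_NAMES, words=COMMON_WORDS) -> list:
    """Return the guidelines the candidate fails; an empty list means it passes.

    'Difficult to guess' is not tested on its own: it is what the other
    rules approximate, so it is reported through them.
    """
    findings = []
    lower = pw.lower()
    if len(pw) < 12:                                   # long rather than short
        findings.append("too short")
    classes = (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]")
    if not all(re.search(p, pw) for p in classes):    # all four classes present
        findings.append("missing a character class")
    core = re.sub(r"[^a-z]", "", lower)                # "Password1!" -> "password"
    if core in words:                                  # recognizable word
        findings.append("recognizable word")
    if any(name in lower for name in familiar):       # family or pet names
        findings.append("familiar name")
    for run in re.findall(r"\d+", pw):                 # SSN-, birthday-, 1234-like
        if len(run) >= 6 or (len(run) >= 4 and _monotone(run)):
            findings.append("recognizable digit string")
            break
    return findings
```

A passphrase such as "Blue!tortoise7eats.cake" passes every rule while staying memorable, which is the point the text makes about passphrases.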
Authorization
After users have been properly authenticated, the rights and privileges they have on the organization’s systems are established in a process called authorization.
A privilege is a collection of related computer system operations that a user is authorized to perform. Companies typically base authorization policies on the principle of least privilege, which posits that users be granted the privilege for an activity only if there is a justifiable need for them to perform that activity.