
Authorization and Access Control - Essay Example

Summary
The paper "Authorization and Access Control" highlights that authorization is the best way of accessing, maintaining, and inserting data in a particular database in a secured manner; when a database and resources are to communicate, the necessary security is provided by authorization…

Extract of sample "Authorization and Access Control"

Introduction

Security in Windows Server gains control over systems and networks through the mechanisms of authentication and authorization. The Windows operating system implements authorization and access control to handle resources and to determine whether the authenticated user has used the correct resources.

Authentication and Authorization

Authentication and authorization are the processes by which network resources allow or deny access to data. Most computer security systems can be implemented using two types of processes (Mark, 2008): the first is authentication and the second is authorization. Authentication is the process through which the system identifies the user. After the authentication process completes, the authorization process is executed, which permits the user, once identified, to access the required resources. Authorization determines what type of resources, activities or services a user is permitted to access (Mark, 2008).

Access Control

Access control refers to the system through which access to information, services and resources is provided to an authorized entity. In computing, access control is a process that ascertains how users and systems communicate or interact with each other (Messaoud, 2006). ‘Entity’ is the term used in access control for whatever starts or performs computational tasks. For example, it can be the end user who invokes a command or the computer program that sends instructions for performing the task. A programming task can work as a user through the diamond process (Messaoud, 2006).

Authorization and Access Control in CIA

Confidentiality, Integrity and Availability (CIA) is a model designed to handle policies for the information system in any organization. This model is sometimes called the CIA triad (Messaoud, 2006). The CIA triad is a well-known mechanism for security model development and is used to develop necessary solutions for information security. CIA provides protection and secrecy of data when needed in a database (Messaoud, 2006).

Confidentiality

The term confidentiality refers to a set of rules that limit information access in a real and accurate manner. Data secrecy, or confidentiality, refers to the prevention of unauthorized access to data. Confidentiality makes sure that data is delivered to the intended persons (Messaoud, 2006). An example of confidential data is a bank account number, which assigns an individual identity to every account holder. Data encryption is the best way of ensuring confidentiality of this type of data. Data encryption, which transforms data into code, is applied to the data stored in the account holder’s database or whenever data is inserted into or retrieved from this database (Messaoud, 2006).

Integrity

Integrity is used in the database to maintain data consistency. Integrity implies that data cannot be altered or modified, and that particular steps are taken to deliver data in an accurate, valid and consistent manner (Messaoud, 2006). Data integrity is usually applied at the design phase of database development through standard rules and procedures. Data integrity is maintained through different error checking methods and validation procedures applied to the database. Integrity increases the stability, reliability, maintainability, and performance of the system being designed (Messaoud, 2006).

Availability

The last term, ‘availability’, refers to the system access and authentication mechanisms that must be working properly during information retrieval and delivery of data to users. CIA provides protection and secrecy of data when needed in a database (Messaoud, 2006). Data availability is mostly used for protection and recovery of data in various forms of hardware and software.
Availability also deals with other aspects such as technical problems and communication failures, and even failures resulting from natural phenomena, i.e. wind, fire or water. Data errors that may result from attacks made by unauthorized users are avoided (Messaoud, 2006).

Methods of Authorization

In security systems, authorization is based upon authentication. Authorization is a way to determine whether the entity has used the correct resource and what kind of data is requested from the server. The request is evaluated by the database, which accepts or rejects the client’s request. An entity can be allowed to set these permissions, and authorization also follows these permissions. These kinds of permissions are based on the query language and on processes in the relational database system, and in some situations the user is restricted from executing these queries in the relational database (Messaoud, 2006). Some of the authorization methods are given below:

· Create role: This method includes some of the valid roles that are used by the report server database.
· Delete role: This method deletes the role from the report that is stored in the server database.
· Get permissions: Returns the permissions that are used by users to access a particular dataset in the report server database.
· Get policies: This method returns policies from the report server database that is accessed.
· Get system policies: This method returns the system policies that are associated with data.
· List secure methods: This method returns a list of simple object access protocols that need a secure connection when invoked.
· Set system policies: This method sets the policies of the system and defines groups and their associated roles.

Methods of Authorization in Microsoft SQL Server

SQL Server does not concern itself with authenticating users against any other kind of source; instead, it handles this process within the database server.
While using SQL Server authentication, the user must create a user name and password within SQL Server; after that, the user is able to communicate with SQL Server (Tony, 2004). Every SQL user must have a login ID in order to access SQL Server applications and procedures. SQL Server authentication does not have any of the advanced features of the Windows operating system. The following are the possible authentication procedures in SQL Server, which control access (Tony, 2004).

• Single sign in: The user must log in in order to connect with Windows, for which a user name and password must be created whenever the user attempts to establish a connection with SQL Server. Therefore, the user must create a login account, and then the admin will allow him to communicate with SQL Server (Tony, 2004).
• Central account administration: For this, Windows uses different kinds of tools to set different environments and permissions for the user. This means that during communication with Windows the user must follow these permissions, after which the Windows environment will be ready for communication (Tony, 2004).
• Windows handles the authentication: SQL Server allows or disallows users to access objects in the database. The Windows environment enables SQL Server to provide security and account lockout, which are the main features of Windows XP and 2000 (Tony, 2004).

Method of Authorization in Oracle Database

In Oracle Database, whenever authentication with the database is completed, the next step is to determine the type of objects and resources that are to be accessed by the user. The next step is to control data resources. This involves determining how the username and password in the user account are being accessed and how they can be used to limit resources. Oracle Database focuses on two types of privileges: system privileges and object privileges. The user can hold both kinds of privileges.
With profile management, there is never enough processor power to handle the user’s query, because these queries run inherently and move from the top to the bottom of profiles. Profile management provides the mechanism to handle how the user incorporates these queries and executes them when required. In addition, profile management is used for authorization: the profile knows how the database controls users’ passwords and recognizes how passwords are to be created, reused, and validated. This means passwords should be long and meet other requirements, such as the first letter being upper case and the others lower case (Tony, 2004).

Authorization of Oracle Database in Java Language

Authorization means giving privileges to an authorized entity. The role of Oracle Database is defined in J2EE when determining the access of different objects. The application server provides the best security for implementing J2EE, which allows the user to fully secure his or her application without writing Java code (John, 2004). Once the server authenticates an entity such as the user, the entity is granted a role that allows it to access the necessary parts of the application. This type of authorization is managed by Oracle Internet and an XML file. Placing authorization in OID allows centralized management of privileges in the organization. OID (Oracle Internet Directory) is a part of the application server that provides security in the form of a username and password. OID provides the capabilities and power of security. Oracle Internet Directory is a complete directory based on LDAP (Lightweight Directory Access Protocol). LDAP began as a method of viewing e-mail, data and information on the Internet, but it quickly expanded into a new method for storing and retrieving all types of data (John, 2004).

Methods of Access Control in Windows

Access control is a security feature of the Windows operating system that controls how users communicate with each other within a particular system and how the system interacts with the user. The access control system permits or denies access to the system's resources. The benefit of using the access control system is to prevent data loss and damage. Microsoft TechNet explains some of the concepts of access control in terms of authentication, authorization and accounting (John, 2004).

Authentication

Suppose an individual is traveling to a foreign country. The individual would show his or her passport to the security personnel for identification purposes. The security personnel inspect the passport to verify the traveler’s identity. In the same manner, identification and authentication processes are carried out when dealing with database security. Usually, this process involves making use of certain authentication codes and passwords (John, 2004).

Authorization

After authentication, in which the security personnel verify the individual’s passport, they deny or allow the individual entry into the country based on the passport type, nationality, and visa status. Authorization in database security works on the same principles. Once the process of authentication is completed, the system determines whether the person trying to gain access to certain data possesses the authorization to view, alter or delete that particular information (John, 2004).

Accounting

Upon determining the individual's level of authorization, the security personnel may log his or her passport data and take his or her fingerprints for tracking purposes. In a database security system, a record is usually maintained of all those individuals who have accessed the system for certain information (John, 2004).

Access Control Methodology

Access controls are implemented at various levels of an organization; networks and individual systems are based on resources that have been determined for a particular system or network. Physical access control usually deals with the system that identifies who is accessing a particular system. These control systems identify who is allowed to enter or exit a system and what type of resources are used during processing. Some operating systems are designed to implement and recognize these situations. These situations are the source of many security issues in the system. In Windows Vista, there is a capability to implement these situations that can be used to identify these issues (Avik, 2008).

Method of Access Control in Oracle Database

Database security allows or disallows users to perform certain actions in the database. Oracle Database uses schemas and security features to access and control a particular database. Schemas are collections of objects, such as tables and views. Schemas help database administrators to manage database security. Oracle provides comprehensive discretionary access control. Discretionary access control handles all user issues by determining and assigning privileges. Privileges are used to access objects in the database. For example, permission to send a query to access data and tables can be thought of as a privilege (Avik, 2008).

Oracle introduced a new module that helps with user management. This module provides secured user administration capabilities. After the release of this module, Oracle implemented a new role known as Role Based Access Control (RBAC). RBAC is an ANSI standard that is related to user access control. RBAC supports access control that is based on the assigned roles of users in an organization (Avik, 2008). The benefits of implementing RBAC include:

• Reduction in the cost of administrating user access.
• Providing the security policies.
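
The Oracle mechanisms described above (system and object privileges, roles, password profiles) and the accounting step of the earlier passport analogy, shown together as an added example that is not part of the original essay. It assumes Oracle 12c or later with unified auditing and a DBA session; the names app_user_profile, alice, report_reader, app_owner.orders and orders_read_policy are hypothetical, and the password is a placeholder.

```sql
-- Added illustration (Oracle SQL). Every object name here is hypothetical.

-- 1. Profile: governs how passwords are created, reused and validated.
--    A PASSWORD_VERIFY_FUNCTION clause would add complexity rules (length,
--    upper/lower case); it is left out because it needs a site-defined function.
CREATE PROFILE app_user_profile LIMIT
  FAILED_LOGIN_ATTEMPTS 5      -- lock the account after 5 failed logins
  PASSWORD_LOCK_TIME    1      -- days the account stays locked
  PASSWORD_LIFE_TIME    90     -- days before the password must be changed
  PASSWORD_GRACE_TIME   7      -- days of warning after expiry
  PASSWORD_REUSE_TIME   365    -- both reuse limits are set so that
  PASSWORD_REUSE_MAX    10;    -- old passwords cannot come back quickly

-- 2. Authentication: an account bound to the profile.
--    The password is a placeholder and expires at first login.
CREATE USER alice IDENTIFIED BY "Placeholder#Only1"
  PROFILE app_user_profile
  PASSWORD EXPIRE;

-- 3. System privilege: the right to perform an action in the database.
GRANT CREATE SESSION TO alice;

-- 4. Object privilege, collected in a role (RBAC) instead of granted directly.
CREATE ROLE report_reader;
GRANT SELECT ON app_owner.orders TO report_reader;
GRANT report_reader TO alice;

--    Over-broad grant, shown commented out for contrast: a system privilege
--    that reaches tables in every schema, not only app_owner.orders.
-- GRANT SELECT ANY TABLE TO alice;

-- 5. Accounting: record every read of the protected table.
CREATE AUDIT POLICY orders_read_policy
  ACTIONS SELECT ON app_owner.orders;
AUDIT POLICY orders_read_policy;

-- 6. Review what was granted and who used it.
SELECT privilege FROM dba_sys_privs WHERE grantee = 'ALICE';
SELECT granted_role FROM dba_role_privs WHERE grantee = 'ALICE';
SELECT owner, table_name, privilege
  FROM dba_tab_privs WHERE grantee = 'REPORT_READER';
SELECT event_timestamp, dbusername, action_name
  FROM unified_audit_trail
 WHERE object_schema = 'APP_OWNER' AND object_name = 'ORDERS';

-- 7. Removing access is one statement, because the privilege sits on the role.
REVOKE report_reader FROM alice;
```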

Consequences

No Authorization/Access Control

When authorization is not provided, there can be great loss related to keeping data and information secured. This loss or leakage of data means that data cannot be successfully delivered to the source or the client. Therefore, authorization is very necessary to handle such situations. Access control is a similar phenomenon, related to how the resource and the client are made ready to communicate with each other. In these conditions, security plays a vital role, as it governs how communication occurs between the resource and clients. Without security measures, there is a possibility of damaged data and of unauthorized persons getting access to the data.

Improper Authorization/Access Control

When improper authorization is implemented, the end user or resource cannot get accurate data. This means that data or information sent by any source through the network or any other resource cannot be accessed in a secured manner, and there will be chances of loss or damage of data.

Conclusion

From the above discussion, it is concluded that authorization and access control are key areas of access management for databases. Authorization is the best way of accessing, maintaining, and inserting data in a particular database in a secured manner; when a database and resources are to communicate, the necessary security is provided by authorization.

Reference List

Avik, C., 2008. Foundations of Access Control for Secure Storage. USA: ProQuest.
John, J., 2004. Oracle Application Server 10G Administration Handbook. New Delhi: Tata McGraw-Hill Education.
Mark, C., 2008. Security+ Guide to Network Security Fundamentals. Cengage Learning.
Messaoud, B., 2006. Access Control Systems. New York: Springer.
Shio, K., 2011. Database Systems. New York: Pearson Education.
Tony, B., 2004. Beginning SQL Server 2000 DBA: From Novice to Professional. New York: Apress.
Cite this document
(“Database security: Authorization and access control Research Paper”, n.d.)
Retrieved from https://studentshare.org/information-technology/1626031-database-security-authorization-and-access-control
