Mile2 Cybersecurity Certifications

OCU C)ISSO A Discussion Lesson 04

    • #99326
      Manny Varela
      Keymaster

      Choose one of the following to discuss in detail.  Give at least 4 examples that include information from the text and videos (at least 2 examples from each).

      1. Access control characteristics and threats to access control.
      2. Information Classification: Reasons, criteria, levels, and benefits.
      3. Access Control Models and Technologies: models, and model types
      4. Access Control Methods: administration, RADIUS pros, cons, and characteristics
    • #111189
      Carlos Martes
      Participant

      Access control is the process of making sure only the right people can access certain information, systems, or physical areas. One important characteristic is identification, in which a user must claim who they are, such as with a username or ID. The second is authentication, which confirms that identity using passwords, PINs, or biometrics. Another key characteristic is authorization, which determines what a user is allowed to do once they are logged in. Finally, accountability ensures all user actions are tracked through logs and monitoring. There are also threats to access control. One common threat is password attacks, where attackers try to guess or steal login credentials. Another threat is social engineering, tricking users into giving up secure information. Privilege escalation is when an attacker gains higher access than they should. Lastly, insider threats happen when someone within the organization misuses their access on purpose or accidentally.

      • #111239
        Mjulius513
        Participant

        I like how you clearly described identification, authentication, authorization, and accountability. These steps really help keep systems safe. The threats you mentioned, like password attacks, social engineering, and insider misuse, are also major issues today. Understanding these risks helps companies set stronger controls and protect their information more effectively.

    • #111213
      Mjulius513
      Participant

      Access control methods decide how users get permissions and how those permissions are managed and enforced. One method is administrative control, where policies and procedures define who gets access and how. For example, administrators must follow a formal process for granting user rights based on job roles. The video shows a Security Officer reviewing user access logs to ensure proper administration of permissions. Another method is using the RADIUS protocol for authentication, authorization, and accounting (AAA).

      One pro of RADIUS is that it provides a central point of control for user logins across many services, making administration easier. It also supports multiple authentication methods and works well for large networks. A con of RADIUS is that it only encrypts the password in transit and may leave other data exposed. Also, setting up a RADIUS server can be complex and requires significant resources. By combining strong administrative practices with RADIUS’s technical capabilities, organizations can enforce good access control and maintain strong security.
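
The RADIUS drawback described above (only the password is protected in transit), as an added example that is not part of the original post: it builds an Access-Request with the RFC 2865 User-Password hiding scheme and parses it the way a passive network monitor would. The shared secret, authenticator, user name, password and NAS address are constructed sample values.

```python
import hashlib
import struct

# Constructed sample values (not from the original thread).
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))      # real Request Authenticators are random
USER, PASSWORD = b"alice", b"correct horse battery"
NAS_IP = bytes([192, 0, 2, 10])

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def unhide_password(hidden, secret, authenticator):
    """What the RADIUS server does; it requires the shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attribute(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(identifier=1):
    attrs = (attribute(1, USER)                                   # User-Name
             + attribute(2, hide_password(PASSWORD, SECRET, AUTHENTICATOR))
             + attribute(4, NAS_IP))                              # NAS-IP-Address
    header = struct.pack("!BBH", 1, identifier, 20 + len(attrs))  # code 1
    return header + AUTHENTICATOR + attrs

def parse_attributes(packet):
    """Parse as a passive monitor would: no shared secret is needed."""
    length = struct.unpack("!H", packet[2:4])[0]
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs

if __name__ == "__main__":
    seen = parse_attributes(build_access_request())
    print("User-Name on the wire:    ", seen[1])
    print("User-Password on the wire:", seen[2].hex())
    print("Recovered with secret:    ", unhide_password(seen[2], SECRET, AUTHENTICATOR))
```

The user name and NAS address are readable without any key, which is why RADIUS traffic is commonly carried inside IPsec or TLS (RadSec, RFC 6614).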

      • #111302
        Isabelle Tubbs
        Participant

        Hi, Mjulius. I like your description of administrative control and the RADIUS protocol. Although RADIUS is an important tool, its cons have led to some people using DIAMETER. DIAMETER can support capability negotiation, new defined commands, and Stream Control Transmission Protocol. However, what is ultimately important is what the organization needs and is able to get for their system.

      • #111374
        Trae Johnson
        Participant

        You explained access control methods in a way that made it easy for me to understand, especially administrative controls and RADIUS. Your point on centralizing user authentication and combining policies with technical controls really brings out how an organization can actually enforce security.

    • #111240
      Isabelle Tubbs
      Participant

      Access control models are important tools for an organization to carry out certain goals from their security policy. These models must be clear ways to regulate the interactions between subjects and objects.

      Discretionary access control models are very popular because the person who owns the data must determine who is allowed to access it, depending on the user’s identity. The person can use access control lists to do this, but it does not provide an extremely high level of security that some businesses may require. Mandatory access control grants users access depending on how important/sensitive the information they are trying to access is. A user must have clearance to gain access, making this system more secure.

      Role-based access control means that the level of access a user receives depends on that user’s role in the organization. Administrators will assign certain people roles as a way to only grant specific people access. Rule-based access control is a model that gives rules that will apply to everyone, regardless of role, identity, etc.

      • #111373
        Trae Johnson
        Participant

        Great job of summarizing the various access control models and their aims. I especially liked how you pointed out that DAC allows flexibility whereas MAC ensures higher security through its levels of clearance.

    • #111244
      Carlos Martes
      Participant

      Hello Isabelle!

      You explained the access control models really well. I agree that discretionary access control is flexible but less secure, while mandatory access gives stronger protection for sensitive data. Role-based access makes sense for big organizations because it keeps everything organized. Good breakdown of how each model works and why they matter!

    • #111372
      Trae Johnson
      Participant

      Access control models and technologies play a critical role in regulating how users interact with information and systems. The Discretionary Access Control model gives the data owner control to decide who has resources, usually through some form of access control list. Although this is often used with discretionary access control, it can be risky with high-security requirements. MAC assigns access based upon clearance levels and the sensitivity of information, hence stronger protection. Role-Based Access Control grants permissions depending on one’s role within the organization; setting up such roles simplifies administration while maintaining security. Rule-Based Access Control applies access rules across an organization, regulating the access of all users independent of user identity or position. Both the video and text depict that these models play an important role in consistently enforcing security policies, maintaining data confidentiality, and minimizing the risk of unauthorized access.
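
The four models discussed in the posts above (discretionary, mandatory, role-based and rule-based), as an added example that is not part of the original thread: one read request is evaluated under each model so the different decisions can be compared. The users, file name, labels, role and business-hours rule are hypothetical.

```python
from dataclasses import dataclass, field

LEVELS = {"public": 0, "confidential": 1, "secret": 2}   # hypothetical labels

@dataclass
class Subject:
    name: str
    clearance: str
    roles: set

@dataclass
class Resource:
    name: str
    owner: str
    classification: str
    acl: dict = field(default_factory=dict)   # user name -> set of actions

def dac_grant(res, granter, user, action):
    """DAC: the owner, and only the owner, edits the ACL at their discretion."""
    if granter != res.owner:
        raise PermissionError("only the owner may change the ACL")
    res.acl.setdefault(user, set()).add(action)

def dac_allows(subj, res, action):
    return subj.name == res.owner or action in res.acl.get(subj.name, set())

def mac_allows(subj, res, action):
    """MAC (read case only): clearance must be at least the object's label."""
    return action == "read" and LEVELS[subj.clearance] >= LEVELS[res.classification]

ROLE_PERMS = {"hr_analyst": {("payroll.csv", "read")}}    # hypothetical role

def rbac_allows(subj, res, action):
    return any((res.name, action) in ROLE_PERMS.get(r, set()) for r in subj.roles)

def rule_allows(hour):
    """Rule-based: one rule for every user, here business hours only."""
    return 8 <= hour < 18

def demo():
    payroll = Resource("payroll.csv", owner="dana", classification="confidential")
    bob = Subject("bob", clearance="public", roles={"hr_analyst"})
    dac_grant(payroll, "dana", "bob", "read")             # owner's own choice
    return {"DAC": dac_allows(bob, payroll, "read"),
            "MAC": mac_allows(bob, payroll, "read"),
            "RBAC": rbac_allows(bob, payroll, "read"),
            "Rule": rule_allows(hour=22)}

if __name__ == "__main__":
    print(demo())
```

The owner's grant is enough under DAC, while MAC still refuses because the subject's clearance is below the file's label and the global rule refuses because of the hour.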
