Database access control is a method of allowing access to a company’s sensitive data only to those people (database users) who are authorized to access it, and of restricting access by unauthorized persons. It includes two main components: authentication and authorization.
Authentication is a method of verifying the identity of a person who is accessing your database. Note that authentication alone isn’t enough to protect data. An additional layer of security is required: authorization, which determines whether a user should be allowed to access the data or make the transaction he is attempting. Without authentication and authorization, there is no data security. Any company whose employees connect to the Internet, which today means every company, needs some level of access control implemented.

Types of Access Control

Obsolete access models include Discretionary Access Control (DAC) and Mandatory Access Control (MAC). Role Based Access Control (RBAC) is the most common method today, and the most recent model is Attribute Based Access Control (ABAC).

Discretionary Access Control (DAC)

With DAC models, the data owner grants access. DAC is a means of assigning access rights based on user-specified rules.

Mandatory Access Control (MAC)

MAC was developed using a nondiscretionary model, in which people are granted access based on an information clearance. MAC is a policy in which access rights are assigned based on central authority regulations.

Role Based Access Control (RBAC)

RBAC grants access based on a user’s role and implements key security principles such as “least privilege” and “separation of privilege.” Thus, someone attempting to access information can only access the data necessary for their role.

Attribute Based Access Control (ABAC)

In ABAC, each resource and each user is assigned a series of attributes. In this dynamic method, a comparative assessment of the user’s attributes, including time of day, position and location, is used to make a decision on access to a resource.

How it Works

Let’s take a look at how access control works in DataSunrise.

Two-Factor Authentication

DataSunrise includes two-factor authentication mechanisms based on emails and one-time passwords (OTP) which control access to the target database. Database users must input the database password and complete email-based or Google Authenticator-based authentication to get access to the target database.

Database Access Restriction

DataSunrise features a Data Security component which enables you to restrict access to a complete database or to certain database objects depending on the following factors:
Thus, DataSunrise utilizes the ABAC method of access control. Data Security’s functionality is based on security rules created by the DataSunrise administrator.

What is authentication?

Authentication is the process of determining whether someone or something is, in fact, who or what it says it is. Authentication technology provides access control for systems by checking to see if a user's credentials match the credentials in a database of authorized users or in a data authentication server. In doing this, authentication assures secure systems, secure processes and enterprise information security. There are several authentication types. For purposes of user identity, users are typically identified with a user ID, and authentication occurs when the user provides credentials, such as a password, that match their user ID. The practice of requiring a user ID and password is known as single-factor authentication (SFA). In recent years, companies have strengthened authentication by asking for additional authentication factors, such as a unique code that is provided to a user over a mobile device when a sign-on is attempted, or a biometric signature, like a facial scan or thumbprint. This is known as two-factor authentication (2FA). Authentication factors can even go further than SFA, which requires a user ID and password, or 2FA, which requires a user ID, password and biometric signature. When three or more identity verification factors are used for authentication -- for example, a user ID and password, biometric signature and perhaps a personal question the user must answer -- it is called multifactor authentication (MFA).

Why is authentication important in cybersecurity?

Authentication enables organizations to keep their networks secure by permitting only authenticated users or processes to gain access to their protected resources. This may include computer systems, networks, databases, websites and other network-based applications or services.
Once authenticated, a user or process is usually subjected to an authorization process to determine whether the authenticated entity should be permitted access to a specific protected resource or system. A user can be authenticated but not be given access to a specific resource if that user was not granted permission to access it. The terms authentication and authorization are often used interchangeably. While they are often implemented together, they are two distinct functions. Authentication is the process of validating the identity of a registered user or process before enabling access to protected networks and systems. Authorization is a more granular process that validates that the authenticated user or process has been granted permission to gain access to the specific resource that has been requested. The process by which access to those resources is restricted to a certain number of users is called access control. The authentication process always comes before the authorization process.

How does authentication work?

During authentication, credentials provided by the user are compared to those on file in a database of authorized users' information, either on the local operating system server or through an authentication server. If the credentials entered match those on file and the authenticated entity is authorized to use the resource, the user is granted access. User permissions determine which resources the user gains access to and also any other access rights that are linked to the user, such as during which hours the user can access the resource and how much of the resource the user is allowed to consume. Traditionally, authentication was accomplished by the systems or resources being accessed. For example, a server would authenticate users using its own password system, login IDs, or usernames and passwords.
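The two-stage decision described in the RBAC and ABAC sections above, and the hour-of-day permission this paragraph mentions, as an added example. This is not DataSunrise's code; the roles, resources, rules and the "corp-net" location are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed RBAC table: each role maps to the (resource, action) pairs it may use.
# Roles hold only what the job needs (least privilege); anything absent is denied.
ROLE_PERMISSIONS = {
    "analyst": {("sales_db.orders", "SELECT")},
    "dba": {("sales_db.orders", "SELECT"), ("sales_db.orders", "UPDATE"),
            ("sales_db.customers", "SELECT")},
}


@dataclass
class Request:
    user: str
    roles: set
    resource: str
    action: str
    attrs: dict = field(default_factory=dict)  # ABAC attributes: hour, location, ...


def rbac_allows(req: Request) -> bool:
    """RBAC step: at least one of the user's roles must hold (resource, action)."""
    return any((req.resource, req.action) in ROLE_PERMISSIONS.get(role, set())
               for role in req.roles)


# Constructed ABAC rules as (name, predicate over the request). Every rule must hold.
ABAC_RULES = [
    ("business hours only", lambda r: 8 <= r.attrs.get("hour", -1) < 18),
    ("corporate network only", lambda r: r.attrs.get("location") == "corp-net"),
    ("customer data needs dba role",
     lambda r: not r.resource.endswith(".customers") or "dba" in r.roles),
]


def decide(req: Request):
    """Return (allowed, reason). Deny by default: RBAC first, then each ABAC rule."""
    if not rbac_allows(req):
        return False, "no role grants %s on %s" % (req.action, req.resource)
    for name, predicate in ABAC_RULES:
        if not predicate(req):
            return False, "denied by rule: " + name
    return True, "allowed"
```

The reason string is what you would log: a denial by an attribute rule and a denial for a missing role permission are different events for a detection team.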
However, the web's application protocols -- Hypertext Transfer Protocol and HTTP Secure -- are stateless, meaning that strict authentication would require end users to reauthenticate each time they access a resource using HTTPS. To simplify user authentication for web applications, the authenticating system issues a signed authentication token to the end-user application; that token is appended to every request from the client. This means that users do not have to sign on every time they use a web application.

What is authentication used for?

User and process authentication are used to ensure that only authorized individuals or processes are allowed to access company IT resources. Depending on the use case, authentication can consist of SFA, 2FA or MFA. The most common implementation of authentication is SFA, which requires a user ID and a password for sign-on and access. However, since banks and many companies now use online banking and e-commerce to conduct business and store customer Social Security and credit and debit card numbers, there is an increased use of 2FA and even MFA, which requires users and customers to enter not only a user ID and password, but also additional authentication information.
From an IT standpoint, organizations use authentication to control who has access to corporate networks and resources, as well as to identify and control which machines and servers have access. Companies also use authentication to enable remote employees to securely access their applications and networks. For enterprises and other large organizations, authentication may also be accomplished using a simplified single sign-on system, which grants access to multiple systems with a single set of login credentials.

What are authentication factors?

Authenticating a user with a user ID and a password is usually considered the most basic type of authentication, and it depends on the user knowing two pieces of information -- the user ID or username, and the password. Since this type of authentication relies on just one authentication factor, it is a type of SFA. Strong authentication is a term that is typically used to describe a type of authentication that is more reliable and resistant to attack. Strong authentication typically uses at least two different types of authentication factors and often requires the use of strong passwords containing at least eight characters, a mix of small and capital letters, special symbols and numbers. An authentication factor represents a piece of data or attribute that can be used to authenticate a user requesting access to a system. An old security adage has it that authentication factors can be something you know, something you have or something you are. Additional factors have been proposed and put into use in recent years, with location serving in many cases as the fourth factor and time serving as the fifth factor. Currently used authentication factors include the following:
Despite being used as supplemental authentication factors, user location and current time by themselves are not sufficient, without at least one of the first three factors, to authenticate a user.

Authentication vs. authorization

Authorization includes the process through which an administrator grants rights to authenticated users, as well as the process of checking user account permissions to verify that the user has been granted access to those resources. The privileges and preferences granted for an authorized account depend on the user's permissions, which are either stored locally or on an authentication server. The settings defined for all these environment variables are established by an administrator.

What are the different types of authentication?

Traditional authentication depends on the use of a password file, in which user IDs are stored together with hashes of the passwords associated with each user. When logging in, the password submitted by the user is hashed and compared to the value in the password file. If the two hashes match, the user is authenticated. This approach to authentication has several drawbacks, particularly for resources deployed across different systems. For one thing, attackers who are able to gain access to the password file for a system can use brute-force attacks against the hashed passwords to extract the passwords. In addition, this method would require multiple authentications for modern applications that access resources across multiple systems. Password-based authentication weaknesses can be addressed to some extent with smarter usernames and passwords based on rules such as minimum length and complexity using capital letters and symbols. However, password-based authentication and knowledge-based authentication are more vulnerable than systems that require multiple independent methods. Other authentication methods include the following:
User authentication vs. machine authentication

Machines also need to authorize their automated actions within a network. Online backup services, patching and updating systems, and remote monitoring systems, such as those used in telemedicine and smart grid technologies, all need to securely authenticate to verify that it is the authorized system involved in an interaction and not a hacker. Machine authentication can be carried out with machine credentials, similar to a user's ID and password but submitted by the device in question. Machine authentication may also use digital certificates issued and verified by a certificate authority as part of a public key infrastructure to prove identification while exchanging information over the internet. With the increasing number of internet-enabled devices, reliable machine authentication is crucial to enable secure communication for home automation and other internet of things applications, where almost any entity may be made addressable and able to exchange data over a network. It is important to realize that each access point is a potential intrusion point. Each networked device needs strong machine authentication, and despite their normally limited activity, these devices must be configured for limited permissions access to restrict what can be done even if they are breached. This was last updated in September 2021.
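The password-file check described under "What are the different types of authentication?" combined with the Google Authenticator style one-time password that DataSunrise's two-factor step mentions, as one added example (not code from DataSunrise or from any source quoted on the page). The password hash is salted PBKDF2 rather than a bare hash, which is what blunts the offline brute force the text warns about; the one-time code is RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits, which is what Google Authenticator computes). The user record, password and TOTP secret are constructed for the example.

```python
import hashlib
import hmac
import os
import struct
import time

ITERATIONS = 200_000  # PBKDF2 work factor; raise it as hardware gets faster


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash: equal passwords get different hashes, and each guess is costly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of time steps elapsed, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def make_record(password: str, totp_secret: bytes) -> dict:
    """One 'password file' entry: random salt, password hash, and the shared TOTP secret."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "totp": totp_secret}


def login(records: dict, user: str, password: str, code: str, now: int = None) -> bool:
    """Both factors must pass: the stored hash, then a code for the current or adjacent step."""
    now = int(time.time()) if now is None else now
    rec = records.get(user)
    if rec is None:
        return False
    if not hmac.compare_digest(rec["hash"], hash_password(password, rec["salt"])):
        return False
    # accept the previous and next 30 s step to tolerate clock drift between phone and server
    return any(hmac.compare_digest(code.encode(), totp(rec["totp"], now + drift).encode())
               for drift in (-30, 0, 30))
```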
Why is it useful to have host-based firewalls?

* A host-based firewall can be used to protect a computer when no network-based firewall exists (e.g., when connected to a public network).
* Host-based firewalls are less expensive and easier to use than network-based firewalls, but they don't offer the same level of protection or customization.

Which firewall concept applies a set of rules to each incoming and outgoing IP packet and then forwards or discards the packet?

A packet filter firewall. It applies a set of rules (based on the contents of IP and transport header fields) to each packet and, based on the outcome, decides to either forward or discard the packet. A packet filter firewall controls access to packets on the basis of packet source and destination address or specific transport protocol type.

What is the difference between an internal and an external firewall?

External: provides a measure of access control and protection for the DMZ systems. Internal: has stricter filtering rules in order to protect enterprise servers from external attacks.

What information is used by a typical packet filtering firewall to filter traffic?

The packet filtering firewall filters IP packets based on source and destination IP address, and source and destination port.
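The packet-filter behaviour the two firewall answers above describe, as an added example written for this page (not from any firewall product): each rule matches on protocol, source and destination address and destination port, the first matching rule decides forward or discard, and a packet matching nothing is discarded. The rule set, the DMZ server address and the client addresses are constructed from documentation IP ranges.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str      # "tcp", "udp" or "icmp", from the IP header's protocol field
    src: str        # source IP address
    dst: str        # destination IP address
    dport: int = 0  # destination port from the transport header (0 when absent)


@dataclass
class Rule:
    action: str            # "forward" or "discard"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: int = 0         # 0 matches any destination port

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "any" or self.proto == p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.dport == 0 or self.dport == p.dport))


# Constructed rule set for the external firewall in front of a DMZ web server.
# Order matters: the first matching rule wins, and the last rule is an explicit default deny.
RULES = [
    Rule("discard", src="10.0.0.0/8"),                               # private source on the outside: spoofed
    Rule("forward", proto="tcp", dst="203.0.113.10/32", dport=443),  # HTTPS to the DMZ web server
    Rule("forward", proto="tcp", dst="203.0.113.10/32", dport=80),   # HTTP to the DMZ web server
    Rule("discard"),                                                 # everything else
]


def filter_packet(p: Packet, rules=RULES) -> str:
    """Return "forward" or "discard" for the packet under first-match evaluation."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "discard"  # reached only if the rule set has no catch-all
```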