To ensure the security of data stored in computer systems, it is crucial to control who has access to the network, so that unauthorized individuals cannot operate within it. In a multi-user computer system, each user is assigned a unique user code, which the system uses to monitor their resource usage and session duration.
So how does this entire process work? How can access to networks be controlled?
Introduction to Controlling Sessions on Computers
To protect the integrity, confidentiality, and usability of the data, it’s necessary to control access to the computer system, i.e. to stop any unauthorized people from working in the system.
A session is the time the user spends on the system. The network checks the logins to the computer system at the beginning of the session.
Each user of a multi-user computer system has a user code, which the system assigns to them. This code makes it possible to analyze which user is using which resource(s) and for how long. It is also used to keep operating rights, audit information, and statistics, as well as user-related accounting information. However, user controls do not end with checking the user code at login. The system usually generates codes using fairly simple logic, so they are neither confidential nor secure.
If this sounds a bit confusing, consider a school. Let's assume that this school's computer system generates student user codes by appending to the student's class code a three-digit number assigned in alphabetical order of surname. In this case, any student could easily guess his friend's code.
In addition to the user code, you need to use a second piece of information specific to the user. There are different ways to check whether someone who wants to start a session by entering the code is the real owner of it.
You can group them into three categories, from the simplest to the most complex: password-based, ID-card-based, and based on physical properties.
The most common tool for authenticating users who want to log in is using a password. When attempting to log in by entering the user code, the operating system prompts the user to enter a word that acts as a password. The operating system compares the password entered by the user with that registered in the system. If there’s a match, the session starts.
The operating system determines the password when the user registers in the system and transmits it to the user. However, the user can usually change this password freely at any time. Operating systems store passwords in encrypted form, so that they cannot be stolen directly as plaintext.
Users often prefer passwords built from easily remembered proper names. This makes it easier for others to guess these secret combinations. Someone attempting to initiate a session with another person's user code may succeed in gaining access to the system by trying out a series of different passwords at the terminal, like a dog's name or a date of birth.
Operating systems implement various measures to prevent such password-guessing attempts. For example, there's often a limit to the number of password attempts a user can make. If the correct password has still not been entered after a certain number of attempts, the respective terminal gets locked for a specific period. To further complicate password guessing, multiple passwords can be used. Either the user enters these passwords consecutively at the beginning of the session, or the system randomly requests them during operation from the user working at the terminal. This tightens the net to catch unauthorized users.
However, these controls can be inconvenient too, which negatively impacts the quality of service provided. So, in systems where stringent controls are necessary, instead of complicating the password system, organizations make the transition to special identity cards or controls based on physical properties.
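The password check, attempt limit and terminal lock described above, as an added example that is not part of the original article. The class name, the limit of 3 attempts, the 300-second lock and the sample user code are assumptions, and the example stores a salted one-way PBKDF2 hash where the article speaks only of an "encrypted form".

```python
import hashlib, hmac, os, time

MAX_ATTEMPTS = 3    # assumed attempt limit; the article gives no number
LOCK_SECONDS = 300  # assumed lock period; the article gives no duration

class LoginGate:
    """Hypothetical login check: stored password hash plus per-terminal lock."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.users = {}         # user code -> (salt, password hash)
        self.failures = {}      # terminal -> consecutive failed attempts
        self.locked_until = {}  # terminal -> time at which the lock expires

    @staticmethod
    def _hash(password, salt):
        # Salted one-way hash: the stored value cannot be turned back into the password.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user_code, password):
        salt = os.urandom(16)
        self.users[user_code] = (salt, self._hash(password, salt))

    def login(self, terminal, user_code, password):
        now = self.clock()
        if now < self.locked_until.get(terminal, 0):
            return "locked"  # refused without even checking the password
        # Unknown user codes still cost one hash, so they are not quicker to reject.
        salt, stored = self.users.get(user_code, (b"\x00" * 16, b""))
        if hmac.compare_digest(self._hash(password, salt), stored):
            self.failures.pop(terminal, None)
            return "session started"
        self.failures[terminal] = self.failures.get(terminal, 0) + 1
        if self.failures[terminal] >= MAX_ATTEMPTS:
            self.locked_until[terminal] = now + LOCK_SECONDS
            self.failures[terminal] = 0
        return "denied"

if __name__ == "__main__":
    gate = LoginGate()
    gate.register("9A014", "tr4mway-Lantern")  # constructed user code and password
    for guess in ("rex", "1999-01-01", "qwerty", "tr4mway-Lantern"):
        print(guess, "->", gate.login("tty1", "9A014", guess))
```

The lock is keyed on the terminal, as in the article, so the same user code can still log in from another terminal while the first one is locked.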
ID Card-Based Control
A more reliable authentication method than password-based control is the use of identity cards. Each user has an identity card that can be read by the system; these typically contain a magnetic strip where user identity information is stored. There are also smart cards, in which identity details are securely embedded within the card itself. To access computer systems, users usually start their sessions by scanning their cards with a card reader integrated with a terminal unit.
To mitigate the risk of theft or loss, however, businesses often use identity cards in conjunction with passwords. When scanning the card, the system prompts the cardholder to enter their password; then, the system compares the entered password with the actual one stored on the card. If the two match, the session starts.
An example of identity card-based authentication is the electronic banking system, where bank machines serve as special terminal units. They make use of identity cards to enforce security and verify the users' identities.
Control Based on Physical Properties
Reliable identity verification has to rest on information that cannot be imitated. In such cases, instead of providing users with personalized identity cards and passwords, the system might resort to using biometrics like fingerprints, pictures, voice, and retinas, which inherently differ from person to person.
Naturally, verification based on this kind of information requires specialized input devices, which are typically costly. For instance, in systems where verification relies on users' facial images, it's crucial that the network swiftly captures the current image of the person attempting to enter the system through a camera and makes an instant decision by comparing it with the image stored within the system.
Voice and image-based recognition systems also require special (i.e. expensive!) equipment, as they must maintain a high processing speed. Often, these costs are the biggest hurdle for systems that will use physical properties-based verification mechanisms.
Importance of Access Control
So why do you need to tightly control access to computers? Because systems store a lot of important sensitive data! Additionally, access control not only safeguards critical assets but also aids in maintaining compliance with regulatory requirements and industry standards, fostering a culture of trust and accountability. Recognizing and prioritizing the significance of access control is essential in fostering a secure computing environment for individuals and businesses alike.