Access Control Security System



             


Saturday, May 31, 2008

Bringing Unbreachable Access Control to the Small Business World

Access control and security are pressing concerns for virtually all small and medium enterprises in the UK. No matter the industry in which a company is involved, the same security issues arise and, for most organizations, the same problems of finding robust solutions that protect premises from unwanted trespassers exist.

Currently, external and internal access control to most buildings is by use of keys, keypads and swipe cards. All of these methods have obvious drawbacks: keys and swipe cards can be stolen or copied in order to gain illicit access to premises, whilst keypads rely on a user’s memory and integrity to maintain a trouble-free access control system for any organization.

By contrast a biometric access control system only allows authorized individuals entry to an area by inspecting an array of human physical characteristics that are unique to each and every individual on the planet.

Systems developed in the last five years can authenticate a person’s identity with total accuracy by comparing fingerprint patterns, iris structures and even facial features against a database that contains those same details and measurements of individuals allowed access to a particular building.

The obvious advantages of biometric access control systems based on unique human physical attributes are that it is impossible for an unwanted intruder to gain access by theft - there is nothing that can be stolen or replicated - and neither does a biometric system rely on the honesty and memory of an employee in the way that a keypad system does.

In simple terms a biometric access control system is extremely secure because it relies on unique human physical attributes that cannot be stolen or replicated. The system is unbreakable by any unauthorized personnel or unwanted visitors. It is an ultimate and incorruptible key.

Many people are aware of biometrics because we see the media stories about the technology now being integrated into passports so that more accurate citizen identifications can be made at airports by passport control officials. News stories such as these give a misleading impression that biometric access control is very expensive to install and is the preserve of governments, multinational corporations and extremely well-heeled celebrities.

In actual fact, top quality biometric systems are now being designed and sold with the needs and resources of small and medium sized businesses specifically in mind. Normally utilizing fingerprint pads located outside entrances, the retail systems now available have impeccable pedigree as they use the same technology that has been rigorously and repeatedly security tested by governments and multinational corporations keen to protect their own interests at almost any cost. Such systems can now be commonly installed and operated by smaller businesses with no upfront costs and a low monthly service charge.

At first glance the types of businesses that can benefit from the added security of biometric access control are self-evident: leisure centres; retail outlets; industrial unit tenants; serviced office blocks and so on. Almost all companies operating in sectors such as these can improve their security and access control arrangements by installing biometric fingerprint pads at both external entrance points and at restricted areas within buildings.

But biometric access control systems should not just be thought of in the context of upgraded preventative security measures. For many companies, the installation of an unbreachable access control system is a real business positive! As well as entitling many organizations to lower commercial insurance rates, the presence of a biometric system can actively bring in valuable extra customer business.

Owners of businesses that protect and store securely the property of others can use biometric access control as a value-added selling point. Bonded warehouses, self-storage operators and private safe deposit box companies are all examples of enterprises that can gain extra income from the installation of biometric access control.

More important than the protection of goods to many businesses is the protection of people. Nurseries, retirement homes and hospices are all businesses that can offer added peace of mind to existing and potential customers by installing biometric access control systems.

At the moment the potential for the use of biometric access control within small and medium sized enterprises has scarcely been touched by those who sell systems. This will change dramatically as business proprietors become aware of the advantages of biometric systems over conventional access and security measures employed currently.

And given that robust, proven systems are already available at low cost outlay, it is very probable that the inevitable move towards biometrics will become a stampede among small and medium sized business proprietors over the next couple of years.

Peter Dickson is a marketing specialist currently employed by Easydentic, a pan-European biometric security company. They can be found online at http://www.easydentic.com


Friday, May 30, 2008

Access Control - Who Has Access To Registrant Data?

As a busy event planner – in seemingly endless contact with venues, catering companies, and the oh-so-demanding event sponsor – can you afford to spend time developing registration spreadsheets, keeping track of each registrant’s information, recording travel and hotel details, and taking and processing credit card info? For most event planners, the answer is a resounding no. The process of registration is often the straw that breaks the camel’s back, causing an event planner’s stress level to rise to supreme heights. Keeping track of all the technicalities of registration is a full time job that many planners are still attempting to juggle along with planning the event itself.

So, with the vast reach and simplicity of the internet, why are so many event planners hesitant to switch to an online registration company that will take care of all these technicalities for them? The answer is simple: they either don’t know about it, or they are worried that such companies could in fact complicate their lives. How can I know that information being put out on the internet will be safe? What if my registrants’ information is compromised? Will the online registration company use or sell my registrants’ information after they have it in their system?

With the right company, all of these questions can be avoided because registrants’ information will be secure and held safe for the sole use of the event planner. Even more importantly, with the right registration company, credit card information will be encrypted to the highest degree allowed by law, guaranteed by an SSL (Secure Sockets Layer) encryption testing company, such as Thawte. Once you have chosen a company that you know to be secure, you will enjoy features such as an event website with its own URL for registration, custom reports, and the ability to export reports to a wide variety of formats. Using a safe and secure online registration system can simplify the event planning process while increasing registration! And you can be sure that registrants’ personal and financial information will be protected at the highest possible levels.

Registrant and event planner information that is protected to the highest degree possible offers you a guarantee that the information will be stored exclusively for the event planner’s use and will only be stored as long as is necessary. Holding to such standards ensures that the event registration system is highly resistant to any breach, but if a breach does, in fact, occur, the system will have been monitored so effectively that it can be traced and remedied with accuracy and speed. A vulnerability recovery plan like this one is an essential part of upholding a strong security system to ensure that the system will not be breached. Your registrants will know that their information is safe.

Manually collecting registrations has long been one of the most tedious jobs involved in the event planning process, but it is no longer necessary for event coordinators if they choose a company that will offer the highest possible level of security so that they can enjoy the ease of use of such a comprehensive online registration system. With no need to worry whether or not their information will be hacker-safe, registrants will flock to your event because registering online is truly a far easier process than completing registration by old-fashioned snail-mail. Although giving up control over such a vital piece of the event planning process can be a frightening concept, doing your research to find a company that offers the strongest security for your registrants’ data will save you time to deal with all of the other details of planning your next fantastic event.

Ryan is a member of the marketing team for RegOnline, a producer of easy-to-use conference registration software, and a company dedicated to making event planners' lives easier.


Tuesday, May 27, 2008

Two Factor Authentication - A Secure Method of Access Control

The corporate network infrastructure can hold a huge amount of data relevant to the company. It is imperative that this data has restricted access and cannot be viewed by unauthorised personnel. There are many ways of implementing an ‘Access Control’ solution, which generally utilise a username/password scenario or possibly an agent on the end user point that verifies its authenticity. However, for increased protection of highly sensitive networks it is strongly advisable to consider a more secure approach. ‘Two Factor Authentication’ provides a solution to this scenario which is trusted and utilised in the most security conscious of environments, including banks and finance sectors.

So why is the old username/password system considered inappropriate by many top establishments? Firstly, the username is generally easy to guess. In normal circumstances it will be based on a very simple formula which revolves around the employee’s name, which is the same formula used for all employees. So the first step in the process is already relatively insecure. Secondly, the username is combined with a password that goes hand in hand with the username. Passwords are generally easier to guess than people acknowledge and can vary around birthdays, mothers’ maiden names, and are probably very similar to passwords they use for a variety of other accounts. This is generally because so many accounts require passwords; users try to make them as simple as possible so they won’t forget them themselves. To make matters worse, many companies have the policy that passwords expire on a regular basis and force their employees to constantly change them. How does this make matters worse? Well, it actually makes the password harder to remember for the operator, who is generally the weakest link in your company’s security. If the operator finds it hard to remember then they are likely to leave a reminder somewhere so they don’t forget themselves. This can be a Post-it note on the monitor or scraps of paper around the desk, either under the keyboard, in the top drawer or in the nearby vicinity.

So what does ‘Two Factor Authentication’ offer? Using this method the user will require an additional piece of information in conjunction with their username/password to gain access to the network. There are various vendors out there providing different versions of this solution, though the common approach is for a ‘token’ to be issued. The token is a small device which will comfortably fit into your pocket and is quite often able to attach onto your key ring. At any one time the token will display a numerical value. This value will provide an authorisation code unique to the individual employee that, when combined with the username/password, will grant access to the network. How is this secure? Well, the numerical value on the token changes every 60 seconds. The network infrastructure will be aware of the number that is expected and will verify it against the number being produced. If they match, the connection will be successful; otherwise the user is not allowed to connect. This provides huge advances for the security of the network as this token won’t be found next to the computer when the user is away and, due to the sheer complexity of the algorithms used to generate the values, the code has never been cracked. Even if someone was given the formula, they couldn’t process the figures quickly enough to calculate the next number in anywhere near a minute. In fact competitions are held regularly where some of the top mathematical minds are allowed months to attempt it, and it is still safe. Also, each number can only be used once, so if a number is compromised after the user’s fingers are seen typing the digits in, and a hacker tries to repeat that code within the 60 second window, it will already be void.
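The check described above, as an added example that is not code from the article or from any token vendor: the article does not name the token's algorithm, so this sketch substitutes the openly specified TOTP construction (RFC 6238, HMAC-SHA1) with the 60-second step and the single-use rule from the text. The `Verifier` class, the `password_ok` flag standing in for the first factor, the six-digit length and the sample secret are assumptions of the example.

```python
import hashlib
import hmac
import struct

STEP = 60    # seconds each code stays valid, per the text
DIGITS = 6   # assumed length of the number on the token display


def token_code(secret: bytes, now: float) -> str:
    """Code the token displays at time `now` (TOTP, RFC 6238, HMAC-SHA1)."""
    counter = int(now // STEP)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class Verifier:
    """Server side: holds each user's secret and the last window it accepted."""

    def __init__(self, secrets):
        self.secrets = secrets    # user -> shared secret provisioned with the token
        self.last_window = {}     # user -> last 60 s window with an accepted code

    def check(self, user: str, password_ok: bool, code: str, now: float) -> bool:
        secret = self.secrets.get(user)
        if secret is None or not password_ok:
            return False          # first factor must pass as well
        window = int(now // STEP)
        if self.last_window.get(user, -1) >= window:
            return False          # a code from this window was already used
        if not hmac.compare_digest(token_code(secret, now), code):
            return False          # wrong or expired number
        self.last_window[user] = window
        return True


# Constructed sample: the published RFC 4226 test secret, never a real one.
SAMPLE_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    server = Verifier({"alice": SAMPLE_SECRET})
    code = token_code(SAMPLE_SECRET, 65)
    print("first use :", server.check("alice", True, code, 65))
    print("replay    :", server.check("alice", True, code, 70))
    print("next min  :", server.check("alice", True, code, 125))
```

The secret shared between token and server is what the scheme depends on: anyone holding it can compute every future code, so the server-side secret store needs the same protection as a password database.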

It also provides a solution for commuting staff that are looking to obtain remote access. They can use this process across a remote access solution, and are able to verify themselves in a very safe and secure manner. No agents will be required to be uploaded to the end user point so staff are not necessarily restricted to what computer they can access the infrastructure on.

This is a brief introduction to ‘Two Factor Authentication’ and provides a very strong and trusted solution for Network Managers.

‘Secure in the Knowledge’

Dean Grimshawe is Head of Marketing at Toranet Ltd - The Network Security Specialists. Toranet work closely with businesses to provide an intricate balance between access and security. By optimising this relationship companies are able to secure their infrastructure while still experiencing efficiency. This scenario produces the greatest return on investment for the client. For further information visit http://www.toranet.net


Tuesday, May 13, 2008

Recognize and be Able to Differentiate and Explain the Following Access Control Models

· MAC (Mandatory Access Control)

· DAC (Discretionary Access Control)

· RBAC (Role Based Access Control)


To understand MAC, DAC and RBAC you must first understand Access Control.


Access Control is the control of user and process access to network and
operating system resources. For example, many spyware and adware applications not
only download themselves on to your computer without your permission, but they also
help themselves to your system’s CPU, hard drive and memory. What happens to most
of us is that we get hit with 10 or 15 of these applications by accessing the Internet
without protection. Imagine 10 to 15 badly written memory hogs using your CPU and
memory to access your cached references to your web surfing habits (or worse, credit
card, SSN) and send that potentially valuable information to some server in Nigeria
or Russia.


Mandatory Access Control (MAC)


Mandatory Access Control is military grade security. Like DAC, it has been around
since the ’60s. With MAC, the security on all resources is strictly policy controlled.
All processes and users (or subjects) must be specifically given permission to access
a resource (or object).


Subjects are given a number indicating their level of access. Subjects can access
any object with a lower number. With modern military and national security systems
this permissions matrix is supplemented with a classification level.


Discretionary Access Control (DAC)


Discretionary Access Control is where a subject has control over an object. In
this case a “subject” could be a home user. And let’s say the home user has admin
privileges because he wants to download applications like Kazaa Lite ++. The “object”
or resource is Money Quick, a financial application that creates important bank
account spreadsheets.


The home user is no fool, so he locks the Money Quick application down so that
only the administrator has permissions to the file. He is the only administrator
on the computer, so there is no problem, right? Wrong. With DAC any application that
runs while the current user is logged on has the same permissions.


So, the home user finds Kazaa Lite ++ on the Internet and downloads it. The shareware
app is of course loaded with all kinds of spyware, adware, Trojan filth that goes
directly for his Money Quick software.


DAC is very popular and has been in use primarily in the commercial and academic
worlds since the ’60s.


Role Based Access Control (RBAC)


Role Based Access Control is fairly new and is considered the evolution of
DAC and MAC. With RBAC, each subject is assigned a role. Users without roles can be
put into groups that pertain to a certain department or job such as sales or management.
Objects only allow subjects on a permission basis. Modern operating systems such
as Solaris, Linux and Windows 2k/XP/03 are perfect examples of how Role Based Access
Control works.


RBAC started in the 1990s and fully materialized in RBAC96. There is
currently a lot of research being done on RBAC.
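The three models side by side, as an added example that is not part of the original article: the same read request against the Money Quick spreadsheet is decided under DAC, MAC and RBAC, once for the finance application and once for the downloaded bundle running under the same admin account. The file name, level numbers, role names and the choice to let equal MAC numbers through are assumptions of the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    name: str    # process making the request
    user: str    # account the process runs as
    level: int   # MAC: number assigned to the subject by policy
    role: str    # RBAC: role assigned to the subject


@dataclass(frozen=True)
class Resource:
    name: str
    acl: frozenset   # DAC: users the owner has granted access
    level: int       # MAC: number assigned to the object by policy


# RBAC: permissions hang off roles, not individual users (constructed policy).
ROLE_PERMISSIONS = {
    "finance": frozenset({"money_quick.xls"}),
    "file_sharing": frozenset({"downloads/"}),
}


def dac_allows(s: Subject, r: Resource) -> bool:
    # Only the user identity is checked, so every program the user
    # runs inherits the grant the owner gave to that user.
    return s.user in r.acl


def mac_allows(s: Subject, r: Resource) -> bool:
    # Central policy compares the numbers; the owner cannot override it.
    # Equal numbers are allowed here, an assumption of this example.
    return s.level >= r.level


def rbac_allows(s: Subject, r: Resource) -> bool:
    return r.name in ROLE_PERMISSIONS.get(s.role, frozenset())


def decisions(s: Subject, r: Resource) -> dict:
    return {"DAC": dac_allows(s, r), "MAC": mac_allows(s, r), "RBAC": rbac_allows(s, r)}


# Constructed scenario from the text: one admin account runs both programs.
LEDGER = Resource("money_quick.xls", acl=frozenset({"admin"}), level=3)
MONEY_QUICK = Subject("Money Quick", user="admin", level=3, role="finance")
DOWNLOADED = Subject("Kazaa Lite ++ bundle", user="admin", level=1, role="file_sharing")

if __name__ == "__main__":
    for subject in (MONEY_QUICK, DOWNLOADED):
        print(f"{subject.name:22} {decisions(subject, LEDGER)}")
```

Under DAC both requests succeed because both processes run as `admin`; the MAC and RBAC checks separate them only because the policy labels the downloaded program differently from the finance application.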


Rob Elam authors the eLamb ★ Computer security blog at http://elamb.org.
He has been doing security for the Department of Defense for 10 years and is
currently a System Security Engineer in Colorado.
