Access Control For Secure Information Protection


CHARLES LIGHT AGNES

2105022039

ACCESS CONTROL FOR SECURE INFORMATION PROTECTION

PROJECT SUPERVISOR: DR ADERIBIGBE


1.0 INTRODUCTION

1.1 Background of study

Access control is an important security mechanism that ensures that only authorized individuals are granted access to protected resources. With the rapid growth of digital information, access control has become essential to secure information protection. For that reason, the state of the art of access control includes several technologies and approaches that are used to prevent unauthorized access to information.

One of the most common access control mechanisms is authentication, which requires users to provide valid credentials before accessing a resource. Authentication can take various forms, such as passwords, biometric scans, and smart cards. Effective authentication is crucial for preventing unauthorized access to sensitive information and is often used in combination with other access control measures.

Another access control method is authorization, which determines what actions the authenticated user is allowed to perform on a given resource. Authorization can use role-based access control, which grants privileges based on the user's job responsibilities, or attribute-based access control, which utilizes a user's characteristics such as location, time of day, or IP addresses.

Advanced security measures such as multifactor authentication (MFA) and context-aware access control (CAC) have become increasingly popular. MFA combines two or more authentication methods (such as password and biometric verification) to enhance security, while CAC uses contextual information such as user location and network to dynamically adjust access control policies based on changing user behavior.

Finally, machine learning (ML) and artificial intelligence (AI) are also being employed to identify and prevent unauthorized access. ML and AI use algorithms to analyze user behavior patterns, identify suspicious activity, and quickly respond to potential threats.

1.2 Statement of the problem

The problem with access control for secure information protection is that unauthorized access to sensitive data can have severe consequences, including financial loss, damage to a company's reputation, and compromise of personal or confidential information. There has been an increasing number of cyber-attacks in recent years where hackers gain unauthorized access to systems, steal data, and hold it for ransom. Additionally, several regulatory requirements mandate that organizations implement strong access control measures to preserve the confidentiality, integrity, and availability of sensitive information.

An ineffective access control system creates vulnerabilities that malicious actors can exploit, leading to unauthorized access, data theft, and breaches of confidentiality. Furthermore, complex access control processes and policies can significantly impact an organization's operations, making it challenging to balance information security needs and productivity requirements. With the growth of remote work, access control systems must be able to accommodate remote access to sensitive information while ensuring that the information remains secure.

Moreover, access control systems may face challenges in authenticating users' identities accurately, detecting and responding promptly to threats, and adjusting access control policies to support changing business needs. Thus, access control requires a meticulous balance of security, convenience, and usability to prevent unauthorized access while ensuring that authorized personnel can access the necessary data and resources. Therefore, it is essential to have effective access control measures in place to safeguard sensitive information and reduce the risk of cyber-attacks.

1.3 Goal of the project

The basic goal of access control is to preserve and secure the confidentiality, integrity and accessibility of information, systems and resources.

1.4 Objectives of the project

The main objective of this project work is to create a secure access management system that protects the organization's assets, data, and resources, and to develop a model for securing IoT devices from intruders.

• Traditional access control models: Traditional access control models are based on a number of access controls in the form of (subject, object, process) triples, called authorizations, which are specified by rules. They identify the resources (objects) that each entity (subject) can reach and the activities (processes) that the entity is allowed to execute on them.

  • Discretionary Access Control (DAC): A Discretionary Access Control (DAC) policy means that every entity has an owner in this form of access control. The owner (subject) grants access to the resources (objects) to other users and/or groups. An access rights matrix is used in this context: the matrix determines the entire device policy relating to the interests of individual users. There are two methods of applying the matrix.


    • The system gives the rights to either the objects or the subjects. That is, either the object stores the matrix column, or the subject stores the matrix row. Access control lists taken from the matrix are used to store the rights with the object.

    • Capability matrices are used to store the rights along with the subjects. It deals with biometrics, so that access is available in every operating system, and the checklists are used for arbitrary access management. The DAC model helps users to make easy changes to the access strategy. However, it has some drawbacks, such as the Trojan horse security problem.

  • Mandatory Access Control (MAC): A Mandatory Access Control (MAC) policy means that the central authority makes access control policy decisions, not the single owner of an entity, and the owner cannot change the right of access. It is a mechanism for secure multilevel access control. It defines a security level hierarchy. A security policy describes the rules that control access. The Department of Defense uses it. The model successfully solves the Trojan horse protection problems of the DAC model.

  • Role Based Access Control (RBAC): Role Based Access Control requires control over a number of users, a flat selection of positions for users, a collection of resources and a system of access permits. The idea is to encapsulate subsets of access rights within named roles. Assigning a user to a specific role implies that the user has access to the resources that are within the confines of that role. RBAC overcomes the problem of fully automated access control allocating the right of access to subjects. The RBAC model works as follows: first, the authorization is connected to the roles, and then the user function is established. The user's authorization is obtained through the user's positions, and through it the services (objects) are obtained.
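An added illustration (not part of the original proposal) of the access matrix described under DAC, its column and row views, and why a mandatory policy checked on top of it blocks the Trojan horse flow the text mentions. The subjects, file names, the two security levels and the "no read up, no write down" rule are assumptions made for this example.

```python
LEVELS = {"public": 0, "secret": 1}  # constructed two-level security hierarchy

class AccessMatrix:
    """DAC access matrix: rights[(subject, object)] -> set of rights."""
    def __init__(self):
        self.rights, self.owner = {}, {}
    def create(self, subject, obj):
        self.owner[obj] = subject
        self.rights[(subject, obj)] = {"read", "write"}
    def grant(self, granter, subject, obj, right):
        # DAC: only the object's owner may hand out rights to it.
        if self.owner.get(obj) != granter:
            raise PermissionError(f"{granter} does not own {obj}")
        self.rights.setdefault((subject, obj), set()).add(right)
    def allowed(self, subject, obj, right):
        return right in self.rights.get((subject, obj), set())
    def acl(self, obj):
        # Matrix column, kept with the object (access control list).
        return {s: r for (s, o), r in self.rights.items() if o == obj}
    def capabilities(self, subject):
        # Matrix row, kept with the subject (capability list).
        return {o: r for (s, o), r in self.rights.items() if s == subject}

def mac_allowed(labels, subject, obj, right):
    # Assumed MAC rule (Bell-LaPadula style): no read up, no write down.
    s, o = LEVELS[labels[subject]], LEVELS[labels[obj]]
    return s >= o if right == "read" else s <= o

def copy_permitted(m, user, src, dst, labels=None):
    """Can any program running with `user`'s rights copy src into dst?"""
    ok = m.allowed(user, src, "read") and m.allowed(user, dst, "write")
    if ok and labels is not None:  # MAC is checked in addition to DAC
        ok = (mac_allowed(labels, user, src, "read")
              and mac_allowed(labels, user, dst, "write"))
    return ok

def build_demo():
    m = AccessMatrix()
    m.create("alice", "payroll.txt")    # alice owns the sensitive file
    m.create("mallory", "dropbox.txt")  # mallory owns a second file ...
    m.grant("mallory", "alice", "dropbox.txt", "write")  # ... alice may write to
    labels = {"alice": "secret", "payroll.txt": "secret", "dropbox.txt": "public"}
    return m, labels

if __name__ == "__main__":
    m, labels = build_demo()
    print(m.acl("dropbox.txt"), m.capabilities("alice"))
    print(copy_permitted(m, "alice", "payroll.txt", "dropbox.txt"),          # DAC only
          copy_permitted(m, "alice", "payroll.txt", "dropbox.txt", labels))  # DAC + MAC
```

Under DAC alone the copy is permitted because every right involved was granted by an owner, so untrusted code running as alice could leak the file; the label check refuses the write from a secret subject to a public object.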

1.5 Methodology

The methodology of access control involves a systematic approach to implementing and managing access control measures within an organization. This methodology typically includes the following steps:

1. Identify access control requirements: First, organizations need to identify their specific access control needs and requirements. This involves understanding the types of resources that need to be protected, the users who require access, and any regulatory or compliance requirements that need to be met.

2. Conduct a risk assessment: A comprehensive risk assessment should be conducted to identify potential security threats and vulnerabilities. This assessment helps to determine the level of access control measures needed for different resources, systems, and devices.

3. Develop an access control policy: An access control policy is a set of rules and guidelines that define how access to resources is granted, authenticated, and authorized. The policy should cover access control principles, user roles and permissions, authentication methods, and monitoring and auditing processes.

4. Implement access control mechanisms: Based on the access control policy, appropriate access control mechanisms are implemented. This may include using passwords, biometric authentication, security tokens, or other forms of multi-factor authentication. Other mechanisms may include role-based access control (RBAC), attribute-based access control (ABAC), or mandatory access control (MAC) depending on the specific requirements.

5. Configure access control settings: Access control settings need to be configured properly in all relevant systems, devices, and applications. This includes setting user permissions, defining access levels, and configuring authentication and authorization mechanisms.

6. Monitor access activities: Continuous monitoring of access activities is essential to detect and respond to any suspicious or unauthorized access attempts. This monitoring may involve using intrusion detection systems (IDS), security information and event management (SIEM) tools, or log analysis systems to track and analyze access logs and audit trails.

7. Regularly review and update access controls: Access controls should be periodically reviewed and updated to ensure they align with changing business requirements, emerging security threats, and evolving regulatory or compliance standards.

8. Provide user training and awareness: Proper user training and awareness programs should be conducted to educate employees and other users about the importance of access control, best practices, and potential security risks. Regular training and reminders are crucial for maintaining a strong security posture.

9. Conduct periodic assessments and audits: Regular assessments and audits should be conducted to evaluate the effectiveness of access controls, identify vulnerabilities, and ensure compliance with organizational policies and regulations.


By following this methodology, organizations can establish effective access control measures to protect their assets, systems, and data from unauthorized access, minimize security risks, and maintain regulatory compliance.
