Computer systems, databases, and storage and retrieval systems contain information that has some monetary or intrinsic value. After all, the organization that has acquired and set up the system has expended valuable resources to establish and operate the system. After undergoing this effort, one would think that the organization would wish to control who can access the information that it has collected and stored.
Access controls are used to control access to information and functions. In simplistic terms, the steps undertaken are something like this:
- Reliably identify the subject (e.g., the person, program, or system)
- Find out what object (e.g., information or function) the subject wishes to access
- Determine whether the subject is allowed to access the object
- Permit (or deny) the subject’s access to the object
- Repeat
The actual practice of access control is far more complex than these five steps. This is due primarily to the high-speed, automated, complex, and distributed nature of information systems. Even in simple environments, information often exists in many forms and locations, and yet these systems must somehow interact and quickly retrieve and render the desired information, without violating any access rules that are in place. These same systems must also be able to quickly distinguish “friendly” accesses from hostile and unfriendly attempts to access—or even alter—this same information.
The success of an access control system is completely dependent upon the effectiveness of the business processes that support it. User access provisioning, review, and revocation are key activities that ensure only authorized persons may have access to information and functions.
— excerpt from an upcoming textbook on information systems security
Peter H. Gregory 