Introduction
As nearly all computing systems and applications in organizations have some form of access control mechanism, managing restrictive and secure access has become an important but challenging task (Caruso et al., 2013; Uzun et al., 2014). Access control is the set of measures organizations put in place to enforce control over persons, programs, and processes accessing computer systems, networks, data, and other information resources. These measures are the security features that control how users and systems communicate and interact with other systems and resources, with the aim of protecting information systems and resources from unauthorized access (Harris, 2013). Access control measures are intended to allow authorized users access to information and information processing facilities but deny such access to unauthorized users (ISO/IEC 27002, 2013). Many security breaches result from unauthorized access to computing resources (Data Breach Investigations Report, 2013). In most cases, an attacker must first gain access to computing systems, applications, and facilities before altering data, stealing sensitive information, or damaging critical computing devices. Therefore, access control has become an important security measure (Braga, 2011; Gostojić et al., 2012). It requires the employment of administrative, technical (logical), and physical access control measures. Evidence suggests that technical controls alone detect only one third of fraud cases (Goode & Lacey, 2011). Thus, technical solutions are not sufficient to protect information assets, because security threats are fundamentally a people issue (Sarkar, 2010). As a result, technological, behavioral, and organizational measures are all essential.
Administrative access controls are management-oriented measures that deal with the organizational issues of controlling access to resources, including access control policies, security documentation, personnel security, training, organizational structures, and separation of duties (Hertzman, Meagher, & McGrail, 2013). Technical access control mechanisms employ hardware and software measures (passwords, identification and authentication mechanisms, firewalls, intrusion detection and prevention systems, and encryption) to control access to information systems (Hertzman, Meagher, & McGrail, 2013). Physical access controls (network segregation, security guards, locks, fencing, lighting, perimeter security, computer controls, work area separation, data backups, cabling, control zones) can have a significant impact on protecting the facilities that house information resources (Hertzman, Meagher, & McGrail, 2013). In general, physical access controls support and work together with administrative and technical controls to provide the required level of control. For example, network segregation can be carried out by both technical means (logical separation of networks within software configuration settings) and physical means (physical separation of networks).
Therefore, the integration of these measures, often referred to as defense-in-depth, is essential. Defense-in-depth is the coordinated use of multiple security controls in a layered approach. It is an implementation of multiple controls so that successful penetration and compromise of systems are more difficult to attain (Groat, Tront, & Marchany, 2012). This multilayered defense minimizes the probability of successful penetration and compromise because an attacker must get through several different types of protection mechanism before gaining access to critical resources (Harris, 2013). A prior study notes that all access control measures intended to provide defense-in-depth should begin with administrative control measures (Kosutic, 2015). Administrative controls can be the hardest to put into practice, as management must define the policies and users must understand, accept, and implement the measures correctly. The physical and technical controls are then implemented based on the measures defined within the administrative access control measures. While the defense-in-depth principle of combining administrative, technical, and physical access control measures has been advocated (Goode & Lacey, 2011; Jansen & Grance, 2011; Sarkar, 2010), theoretical models for integrating the management of these measures are sparse (Goode & Lacey, 2011).