User identification, access control, and audit requirements

Abstract

Good computer security depends upon knowing who is using the system and managing how each individual is able to access the information on the system. The next generation of computer should build in the kind of controls which are often added on to today's systems. This session will discuss the objectives for positively identifying system users, controlling their use of computerized resources, and providing accountability for users who are authorized and for those who attempt to exceed their authority. Traditionally, user identification depends upon an identification code (ID) and a password. Password security has proven to be weak: where users are allowed to select their own passwords, they tend to select ones that are easily guessed, and where passwords are assigned, the users tend to write them down. Future user identification systems should expand into something a user has (e.g. a badge) or something a user is (e.g. fingerprints). Signature verification is a technology which is worth improving since it offers good security within existing legal and social contexts. Ideally, user identification and authentication should be based upon a combination of two or more technologies.