Customer Whitepaper: Motion Tablet PC Security Basics, Rev A03 Page 4
Access Control
Access control is the process by which users are identified and granted privileges to information,
systems or resources. Controlling how privileges are granted and how resources are accessed is
critical to protecting private and confidential information from unauthorized users. Access control
technologies properly identify people and verify their identity through an authentication process so
they can be held accountable for their actions. The access control system should record and
timestamp all communications and transactions so that they can be audited for security breaches
and misuse.
There are two general types of access control: discretionary and mandatory. Discretionary access
control allows the owner of the information or resource to decide how to manage it. The owner
determines read and write privileges, and whether the requestor can execute a particular file or service.
Mandatory access control systems do not allow the creator of the information to determine who
can access it or modify data. System administrators predetermine who can access and modify
data, systems, and resources. Mandatory access control systems are commonly used in high
security environments or where government regulations require privacy protection of data (e.g.
HIPAA requirements regarding electronic medical records).
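As an added illustration (not part of the original whitepaper), the following Python example models the two approaches with one access check that also keeps the timestamped audit record described above. The class names, users, resource, and sensitivity levels are constructed assumptions, and the mandatory rule is simplified to a single clearance-versus-label comparison.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sensitivity levels for the mandatory policy (assumption, not from the whitepaper).
LEVELS = {"public": 0, "internal": 1, "restricted": 2}

@dataclass
class Resource:
    name: str
    owner: str
    label: str                               # assigned by the administrator, not the owner
    acl: dict = field(default_factory=dict)  # user -> set of "r", "w", "x"

class ReferenceMonitor:
    def __init__(self, clearances, mandatory):
        self.clearances = clearances         # user -> level, assigned by administrators
        self.mandatory = mandatory
        self.audit = []                      # timestamped record of every decision

    def _log(self, user, action, res, allowed):
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append((stamp, user, action, res.name, allowed))
        return allowed

    def grant(self, actor, res, user, perms):
        # Discretionary step: only the owner may change who is on the ACL.
        ok = actor == res.owner
        if ok:
            res.acl.setdefault(user, set()).update(perms)
        return self._log(actor, f"grant:{user}", res, ok)

    def check(self, user, perm, res):
        # Discretionary decision: the owner, or anyone the owner granted this permission.
        allowed = user == res.owner or perm in res.acl.get(user, set())
        if self.mandatory:
            # Mandatory step: the administrator's label overrides the owner's grant.
            cleared = LEVELS[self.clearances.get(user, "public")] >= LEVELS[res.label]
            allowed = allowed and cleared
        return self._log(user, perm, res, allowed)

def demo():
    # Same owner grant under both models; only the mandatory policy blocks the under-cleared user.
    results = {}
    for mode in (False, True):
        rec = Resource("patient_chart", owner="dr_lee", label="restricted")
        rm = ReferenceMonitor({"dr_lee": "restricted", "temp": "internal"}, mandatory=mode)
        rm.grant("dr_lee", rec, "temp", {"r"})
        results[mode] = (rm.check("temp", "r", rec), rm.check("dr_lee", "w", rec), len(rm.audit))
    return results
```
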
Some of the mechanisms available to address access control include unique user names and
passwords, smart cards, TPMs and digital certificates.
Application and Data Protection
Application and data protection involves addressing security concerns associated with the
operating system, the application programs and the data. The goal is to enable better application
and data availability, reduce exposure to data loss, and maintain the integrity of the applications
and data.
Some of the mechanisms available to address these vulnerabilities include solid system and
application configuration and patch management schemes; anti-virus, anti-spam, and
anti-spyware applications; data encryption and signing; and application hashing techniques.
Platform Protection
Platform protection is primarily focused on addressing physical attacks on the client hardware.
The threats include hardware theft, tampering, or destruction, and data disclosure, tampering or
destruction. Some of the threats can be as simple as illicit copying of files from an unattended
tablet PC. This is very dangerous because the loss of data can go completely unnoticed.
Some of the mechanisms available to address these vulnerabilities include never leaving the
tablet PC unattended or in an operational mode when it’s not being used, or using a cable lock or
software-based tracking/recovery application to protect the hardware when it is left alone.
Network Protection
Network-based protection is implemented to address both “attacks attempted across a network”
and “attacks against the networking protocols”. Network-based attacks attempt to
compromise a system through flaws in the internet protocol standard. These attacks are typically
used to gain access to systems, applications and data. These attacks can also be used to cause
a “denial of service” failure that would prevent users from accessing network resources. The
network attack is usually the entry point for the next level of attack on the client and/or network.
Some of the mechanisms available to address these vulnerabilities include identifying and
authenticating users, programs and systems, as well as restricting and monitoring activities to
those who have been authorized. Encryption and other methods should be utilized to provide
confidentiality and integrity protection for data transmitted over the networks.