Access Control Framework

CHAPTER 1

Copyright © 2021 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com.


Learning Objective and Key Concepts

Define access control and identity management concepts.

Principal components of access control

Identification, authentication, and authorization

Logical access controls

Authentication factors

Learning Objective

Key Concepts


Access Control Framework


Access controls

Access control systems

Grant and restrict user access to information, systems, and other resources

Implement business rules

Direct policy implementation

Allow individuals access to information and resources necessary to perform their job but no more

Access and Access Control

Businesses need to protect:

Data

Systems

Network bandwidth

Other assets

How do you lock virtual doors and protect from unauthorized access?


What does access mean?

What is an access control?

What Is Access?

Access

The ability of a subject and an object to interact


What Is Access Control?


Access Control

Based on the formalization of those rules for allowing or denying access

Defines allowable interactions between subjects and objects

Based on granting rights or privileges to a subject with respect to an object

What Is Identity Management?

Identity management

Process of creating, maintaining, and revoking user accounts

Provides the mechanism used to authenticate users

Identity and access management (IAM)

Authentication

Allows you to confirm a person is who they claim to be

Authorization

Allows you to restrict activities to authorized actions


Principal Components of Access Control

Policies: Rules that govern who gets access to which resources

Subjects: The users, networks, processes, or applications requesting access to a resource

Objects: Resources to which the subject requests access


Access Control Systems

Organizations use procedures and tools to enforce policies.


Policies

Statements of business requirements regarding access to resources

Procedures

Nontechnical methods used to enforce policies

Tools

Technical methods used to enforce policies

Access Control Subjects (1 of 3)


Authorized

Authenticated credentials presented and approved

Unauthorized

Authenticated credentials presented but not approved for access

Unknown

Authenticated credentials have not been presented

Access Control Subjects (2 of 3)

Components of AAA (“triple A”) security

Authentication

Ensures users are who they claim to be

Authorization

Ensures an authenticated user is allowed to perform the requested action

Accounting

Maintains records of actions performed by authorized users


Access Control Subjects (3 of 3)

Subjects may include technological resources


Networks

Systems

Processes

Applications

Access Control Objects


Three main categories of objects protected by access control

Information – Any type of data asset

Technology – Applications, systems, and networks

Physical location – Buildings and rooms

Information – Most common asset in terms of IT access controls

Physical security – The process of ensuring no one without proper credentials can access physical resources

Access Control Process (1 of 2)

Identification

Subject presents credentials to the access control system

Authentication

System verifies and validates the subject’s identity

Authorization

System grants or denies access to an object


Access Control Process (2 of 2)

FIGURE 1-1 The access control process.


Identification

Is the first step in any access control process

System applies labels to the subject and the object

Subject labels – user ID, email, employee ID, other unique identifier

Object labels – Printer 1, Printer 2, on a network

Universal labels may be assigned that remain throughout the life cycle of the interaction

Unique labels provide accountability

Correlate subjects with actions when used with system logging facilities and authentication systems
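The three-step process above (identification, authentication, authorization), the three subject states (authorized, unauthorized, unknown) and the accounting record that ties a unique subject label to each action can all be shown in one small system. The following is an added example, not code from the Jones & Bartlett text; the subject labels (employee IDs), object labels (printers) and the choice of salted PBKDF2 for the stored credential are this example's own assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the stored proof of identity is not the password itself
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class AccessControlSystem:
    credentials: dict = field(default_factory=dict)  # subject label -> (salt, hash)
    acl: dict = field(default_factory=dict)          # object label -> set of subject labels
    audit_log: list = field(default_factory=list)    # accounting records

    def enroll(self, subject: str, password: str) -> None:
        """Identity management: create an account under a unique subject label."""
        salt = os.urandom(16)
        self.credentials[subject] = (salt, _hash_password(password, salt))

    def grant(self, subject: str, obj: str) -> None:
        """Policy: allow this subject to interact with this object."""
        self.acl.setdefault(obj, set()).add(subject)

    def request(self, subject: str, password: str, obj: str) -> str:
        """Run identification -> authentication -> authorization, then record the outcome."""
        # Identification: the subject presents its label; an unenrolled label is 'unknown'
        stored = self.credentials.get(subject)
        if stored is None:
            return self._record(subject, obj, "unknown", "label not recognised")
        # Authentication: verify the proof of identity in constant time;
        # a failed proof means no authenticated credentials were presented
        salt, digest = stored
        if not hmac.compare_digest(_hash_password(password, salt), digest):
            return self._record(subject, obj, "unknown", "authentication failed")
        # Authorization: grant or deny the interaction with the object
        if subject in self.acl.get(obj, set()):
            return self._record(subject, obj, "authorized", "approved by ACL")
        return self._record(subject, obj, "unauthorized", "not approved by ACL")

    def _record(self, subject: str, obj: str, outcome: str, reason: str) -> str:
        # Accounting: the unique subject label correlates the action with its actor
        self.audit_log.append(
            {"subject": subject, "object": obj, "outcome": outcome, "reason": reason}
        )
        return outcome


if __name__ == "__main__":
    # Constructed sample: employee E1001 may use Printer 1 but not Printer 2
    acs = AccessControlSystem()
    acs.enroll("E1001", "correct horse")
    acs.grant("E1001", "Printer 1")
    for args in [("E1001", "correct horse", "Printer 1"),
                 ("E1001", "correct horse", "Printer 2"),
                 ("E1001", "wrong", "Printer 1"),
                 ("E9999", "anything", "Printer 1")]:
        print(args[0], args[2], "->", acs.request(*args))
    for entry in acs.audit_log:
        print(entry)
```

Every decision, including the denials, lands in the audit log under the subject's unique label, which is what makes the log usable for accountability later.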


Authentication (1 of 2)

Builds upon identification by requiring that the subject provide proof of its identity

Authentication Factors


Something you know

Password/passphrase, shared secret, PIN number

Something you have

Something only the subject has, such as a token, smart card, or ID badge

Something you are

Biometrics, iris scan, fingerprints

Authentication (2 of 2)

FIGURE 1-2 Iris scanning as an authentication technique.

© United States Department of Defense


Authorization

Set of rights defined for a subject and an object

Based on subject’s identity

Rules may be simple or complex

Trade-off: more complex rule sets are more secure but bring more administrative work and inconvenience

Complexity

Convenience

Logical Access Controls

Tools used to provide:

Identification

Authentication

Authorization

CONTROL


Logical Access Controls for Subjects (1 of 2)


Who

Identity of subject

What

Type of access being requested

When

The time of day or day of week the request is made

Where

Physical or logical location

How

Type of access that can be granted to a subject

Logical Access Controls for Subjects (2 of 2)


Access Levels

Administrative – Ability to read, write, create, and delete files

Author – Right to read and write to own files

Read only – Read but not edit files

No access – Denial of access

Group-Based Access Controls

Efficient

Effective in large organizations

Cluster individuals into groups (department, job role or title, or classification)

Access level assigned to group as a whole

Individuals may be members of multiple groups with different access levels for each group

Simplifies management of the rules
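The who/what/when/where/how questions for subjects, the four access levels, and group-based assignment (a subject in several groups getting the highest level any of them grants) combine into one policy evaluator. This is an added example rather than code from the text; the group names, the object "ledger", the hour/weekday/network constraints and the mapping of actions to levels are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from enum import IntEnum
from ipaddress import ip_address, ip_network


class AccessLevel(IntEnum):
    NO_ACCESS = 0       # denial of access
    READ_ONLY = 1       # read but not edit files
    AUTHOR = 2          # read and write own files
    ADMINISTRATIVE = 3  # read, write, create, and delete files


# Minimum level each action needs (assumed mapping of the page's access levels)
ACTION_LEVEL = {
    "read": AccessLevel.READ_ONLY,
    "write": AccessLevel.AUTHOR,
    "create": AccessLevel.ADMINISTRATIVE,
    "delete": AccessLevel.ADMINISTRATIVE,
}


@dataclass(frozen=True)
class Rule:
    """One group-based rule: who (group), what (level on an object), when, where."""
    group: str
    obj: str
    level: AccessLevel
    hours: tuple = (0, 24)                      # when: allowed hours [start, end)
    weekdays: frozenset = frozenset(range(7))   # when: Monday=0 .. Sunday=6
    networks: tuple = ("0.0.0.0/0",)            # where: allowed source networks


def effective_level(groups, obj, rules, at: datetime, source_ip: str) -> AccessLevel:
    """Highest level any matching group rule grants this subject, now, from here."""
    best = AccessLevel.NO_ACCESS
    addr = ip_address(source_ip)
    for r in rules:
        if r.group not in groups or r.obj != obj:
            continue                                            # who / which object
        if not (r.hours[0] <= at.hour < r.hours[1]) or at.weekday() not in r.weekdays:
            continue                                            # when
        if not any(addr in ip_network(n) for n in r.networks):
            continue                                            # where
        best = max(best, r.level)
    return best


def is_permitted(subject, groups, action, obj, owner, rules, at, source_ip) -> bool:
    """Decide 'what': does the effective level cover the requested action?"""
    level = effective_level(groups, obj, rules, at, source_ip)
    if action == "write" and level == AccessLevel.AUTHOR:
        return subject == owner     # authors may write only their own files
    return level >= ACTION_LEVEL[action]


# Constructed sample policy (not from the page): three groups on one object
RULES = [
    Rule("all-staff", "ledger", AccessLevel.READ_ONLY),
    Rule("finance", "ledger", AccessLevel.AUTHOR, hours=(8, 18),
         weekdays=frozenset(range(5)), networks=("10.0.0.0/8",)),
    Rule("it-admins", "ledger", AccessLevel.ADMINISTRATIVE),
]

if __name__ == "__main__":
    office_hours = datetime(2020, 10, 5, 10, 0)   # a Monday morning
    alice = {"all-staff", "finance"}              # member of two groups
    print(effective_level(alice, "ledger", RULES, office_hours, "10.1.2.3").name)
    print(is_permitted("alice", alice, "write", "ledger", "alice", RULES, office_hours, "10.1.2.3"))
    print(is_permitted("alice", alice, "write", "ledger", "bob", RULES, office_hours, "10.1.2.3"))
```

Because rules attach to groups, changing a person's access means changing their group membership, not editing per-user rules; the "when" and "where" constraints mean the same person can hold a lower effective level at night or from outside the office network.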


Logical Access Controls for Objects (1 of 2)


Data element

Table

Database

Application

System

Operating system

Network

Logical Access Controls for Objects (2 of 2)

FIGURE 1-3 An example of access rights in action.


Authentication Factors

Most authentication systems rely on something you know

Username and password

Access to highly sensitive data

Combine first two factors

Most sensitive data

Protect by using all three factors


Something you know

Something you have

Something you are

Something You Know

Simple passwords

Easy to use and remember

Easy for malicious users to guess

Creating stronger passwords

Use passphrases

Set minimum character length

Require uppercase and lowercase characters

Require numbers and punctuation marks

Use separate passwords for work and personal accounts
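The rules for stronger passwords listed above can be enforced at enrollment time. The checker below is an added example, not from the text: the minimum length of 12, the passphrase threshold (four words and at least 20 characters, which waives the character-class rules) and the small list of guessable passwords are assumptions made for illustration.

```python
import string

# Constructed sample of guessable passwords (a real deployment would use a breach list)
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

MIN_LENGTH = 12          # assumed minimum character length
PASSPHRASE_WORDS = 4     # assumed: a passphrase of this many words ...
PASSPHRASE_LENGTH = 20   # ... and this many characters skips the character-class rules


def check_password(candidate: str, other_account_passwords=()) -> list:
    """Return the policy rules the candidate breaks; an empty list means it passes."""
    problems = []
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("easily guessed")
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    words = [w for w in candidate.split() if w]
    is_passphrase = len(words) >= PASSPHRASE_WORDS and len(candidate) >= PASSPHRASE_LENGTH
    if not is_passphrase:
        # Composition rules apply to ordinary passwords, not to long passphrases
        checks = [
            ("no uppercase letter", any(c.isupper() for c in candidate)),
            ("no lowercase letter", any(c.islower() for c in candidate)),
            ("no digit", any(c.isdigit() for c in candidate)),
            ("no punctuation mark", any(c in string.punctuation for c in candidate)),
        ]
        problems.extend(msg for msg, ok in checks if not ok)
    # Separate passwords for work and personal accounts: reject reuse
    if candidate in other_account_passwords:
        problems.append("reused from another account")
    return problems


if __name__ == "__main__":
    for pw in ["password", "Tr0ub4dor&3", "correct horse battery staple"]:
        print(repr(pw), "->", check_password(pw) or "OK")
```

The reuse check only works if the comparison is made against the user's other credentials at the moment of enrollment, so in practice it is done client-side or against a hash the user's password manager holds, never by storing plaintext passwords server-side.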


Something You Have (1 of 3)

Physical tokens or devices provide physical security

Time-variable tokens automatically change the password at regular intervals

Challenge-response tokens

Challenge

Response
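Both kinds of token can be shown in code: a time-variable token derives a short-lived code from a shared secret and the current time (the TOTP scheme of RFC 6238, built on the HOTP counter scheme of RFC 4226, which is what authenticator apps like the one in Figure 1-5 implement), while a challenge-response token answers a fresh random challenge with a keyed hash. This is an added example, not code from the text; the 30-second step, the one-step acceptance window and the SHA-256 challenge-response construction are this example's own assumptions, and the secret `12345678901234567890` is the published RFC test-vector key, not a real credential.

```python
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1 over the 8-byte counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter replaced by the current time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step or one step either side (clock skew)."""
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(secret, c), submitted)
               for c in range(counter - window, counter + window + 1))


class ChallengeResponseServer:
    """Issues a random challenge per subject and checks the token's keyed response."""

    def __init__(self, token_secrets: dict):
        self._secrets = token_secrets   # subject label -> secret shared with its token
        self._pending = {}              # subject label -> outstanding challenge

    def challenge(self, subject: str) -> bytes:
        nonce = os.urandom(16)          # fresh each time, so a captured response is useless later
        self._pending[subject] = nonce
        return nonce

    def verify(self, subject: str, response: bytes) -> bool:
        nonce = self._pending.pop(subject, None)   # a challenge can be answered only once
        if nonce is None:
            return False
        expected = hmac.new(self._secrets[subject], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def token_respond(token_secret: bytes, nonce: bytes) -> bytes:
    """What the hardware token computes from the displayed challenge."""
    return hmac.new(token_secret, nonce, hashlib.sha256).digest()


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"          # RFC 4226/6238 test-vector key
    print("HOTP counter 0:", hotp(rfc_secret, 0))
    print("TOTP at t=59  :", totp(rfc_secret, 59, digits=8))
    srv = ChallengeResponseServer({"E1001": b"k" * 32})   # constructed token secret
    n = srv.challenge("E1001")
    r = token_respond(b"k" * 32, n)
    print("first answer  :", srv.verify("E1001", r))
    print("replayed      :", srv.verify("E1001", r))
```

The server-side check uses `hmac.compare_digest` rather than `==` so the comparison time does not leak how many leading characters matched, and the challenge is discarded after one verification so a recorded response cannot be replayed.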

FIGURE 1-4 Smart card authenticator issued to U.S. government employees.

© United States Department of Defense


Something You Have (2 of 3)

FIGURE 1-5 Google Authenticator app configured to work with a variety of services.

Google, Google Authenticator, and the Google logo are registered trademarks of Google Inc., used with permission.


Something You Have (3 of 3)

FIGURE 1-6 Push authentication request from Duo to a user’s smartphone.

Courtesy of Duo Security.


Something You Are (1 of 2)

Physical biometrics

Fingerprints, retinal scans, hand geometry, and facial recognition

Reliable and unique to individual

FIGURE 1-7 Fingerprint scanning for authentication.

© United States Department of Defense


Something You Are (2 of 2)

Behavioral biometrics

Speed of typing, writing rhythms, voice recognition

Requires training period for system to learn behavior pattern

FIGURE 1-8 Facial recognition in use at airport security screening (U.S. government photo).

© Glenn Fawcett/U.S. Customs and Border Protection


Summary

Principal components of access control

Identification, authentication, and authorization

Logical access controls

Authentication factors


CHAPTER 2

Business Drivers for Access Controls


Learning Objective and Key Concepts

Analyze how an information classification standard impacts an IT infrastructure’s access control requirements and implementation.

Business requirements for asset protection

Classification of information

Business drivers for access control

Privacy and privacy laws

Learning Objective

Key Concepts


Business Requirements for Asset Protection

Protect business assets

Inventory and raw materials are kept secure to avoid theft or damage

Information assets must be kept secure to avoid compromise


Importance of Policy and Senior Management Role

Organizations value intellectual property

Must control access to information to ensure survival

Protecting confidential information involves:

Technical controls

Clear policies and sound business processes that implement those policies

Access control policies are effective only with support of senior executives


Classification of Information


Information classification

The process of assigning information to different categories based on sensitivity

Sensitive information

Classifying sensitive information limits its availability outside of the organization

Classification Schemes

Classification scheme is a method of organizing sensitive information into access levels

Only a person with the approved level of access is allowed to view information, referred to as clearance

Every organization has its own method of determining clearance levels


Need to Know and Least Privilege

Need to know

Requester should not receive access just because of his or her clearance, position, or rank

Requester must establish a valid need to see information

Access should be granted only if information is vital for requester’s official duties

Least privilege

A computer user or program should have only the access needed to carry out its job
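Clearance, need to know and least privilege fit together as one decision rule: a subject may read a document only if its clearance level is at least the document's classification and it has an established need to know for every category the document is tagged with; rank alone is never enough. The code below is an added example, not from the text; it uses the corporate scheme (public, internal, sensitive, highly sensitive) and constructed document categories such as "M&A" and "HR" as assumptions. `least_privilege_clearance` goes one step beyond the text by deriving the smallest clearance that still covers a given list of duties.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable


class Level(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    SENSITIVE = 2
    HIGHLY_SENSITIVE = 3


@dataclass(frozen=True)
class Document:
    name: str
    classification: Level
    categories: frozenset = frozenset()   # need-to-know compartments the document belongs to


@dataclass(frozen=True)
class Clearance:
    level: Level
    need_to_know: frozenset = frozenset()  # compartments this subject has a valid need to see


def may_read(c: Clearance, d: Document) -> bool:
    """Clearance must dominate the classification AND cover every category (need to know)."""
    return c.level >= d.classification and d.categories <= c.need_to_know


def least_privilege_clearance(duties: Iterable[Document]) -> Clearance:
    """Smallest clearance that lets a subject read exactly the documents its job requires."""
    duties = list(duties)
    level = max((d.classification for d in duties), default=Level.PUBLIC)
    categories = frozenset().union(*(d.categories for d in duties))
    return Clearance(level, categories)


# Constructed sample documents (not from the page)
PRESS_RELEASE = Document("press release", Level.PUBLIC)
ORG_CHART = Document("org chart", Level.INTERNAL)
PAYROLL = Document("payroll", Level.SENSITIVE, frozenset({"HR"}))
MERGER_PLAN = Document("merger plan", Level.HIGHLY_SENSITIVE, frozenset({"M&A"}))

if __name__ == "__main__":
    # A senior executive cleared to the top level but with a need to know only for M&A
    executive = Clearance(Level.HIGHLY_SENSITIVE, frozenset({"M&A"}))
    print("executive reads merger plan:", may_read(executive, MERGER_PLAN))
    print("executive reads payroll    :", may_read(executive, PAYROLL))   # rank is not enough
    # Least privilege: an HR analyst's duties determine the clearance, not the title
    analyst = least_privilege_clearance([ORG_CHART, PAYROLL])
    print("analyst clearance          :", analyst)
    print("analyst reads merger plan  :", may_read(analyst, MERGER_PLAN))
```

The executive case is the point of need to know: the highest clearance in the company still does not open payroll, because no valid need for the HR compartment was established.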


National Security Classification

US government classifies sensitive information into four categories based on degree of damage to national security if disclosed

The Freedom of Information Act (FOIA) requires the federal government to disclose records to citizens or organizations that request them. Classified information is exempt from such requests.


Unclassified

Confidential

Secret

Top Secret

Corporations

Public

Information that is freely released to the public

Internal

Non-public information but may be released without damaging company

Sensitive

Information that could cause serious damage to the company if disclosed

Highly sensitive

Information that is extremely damaging to the company if disclosed

Reasons for Classification


Damage to the organization if disclosed

Maintain competitive advantage

Protect trade secrets

Protect national security

Declassification


Automatic

Systematic

Mandatory declassification review

Freedom of Information Act (FOIA request)

Personally Identifiable Information (PII)

“Information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.”


Privacy Act Information

Privacy Act of 1974

Collection, maintenance and dissemination of PII inside the federal government

Social Security numbers, education, and medical, criminal and employment history

May not be disclosed without written consent


EXCEPTIONS

US Census

Law enforcement

Other administrative purposes

Bureau of Labor Statistics

Congressional investigation

Historically significant documents

Privacy Controls Catalog

National Institute of Standards and Technology (NIST) Special Publication 800-53 (SP 800-53), Appendix J, Privacy Controls

Authority and purpose

Authority to collect PII

Is the purpose of collection clearly stated?

Accountability, audit, and risk management

Implementation of privacy governance, privacy requirements, and support structures

Data quality and integrity

Ensure quality and integrity of PII collected is maintained

Data minimization and retention

Retain only minimum amount of information necessary to carry out stated purpose

Destroy data collected when it is no longer required


Competitive Use of Information

Information about a competitor or its products provides a competitive advantage

Lure customers away

Use contractual information to craft more competitive offers and bids

Vital to keep information secret, like formulas and recipes

Information about Competitor


Valuation of Information


Strategic importance

Tactical importance

Impact to business

Information as a Competitive Advantage


Information

Allows firms to differentiate themselves from competitors

Security

Competitive advantage

Paramount to a company’s success

Loss

Leads to decrease in market share and reduced profits

Penalties for Improper Disclosure

Unknowingly disclosed – $100 per violation or record affected

Reasonable cause to disclose – $1,000 per violation or record affected

Disclosure due to willful negligence, situation that is corrected – $10,000 per violation or record affected

Disclosure due to willful negligence that is not corrected – $50,000 per violation or record affected

Disclosure due to criminal intent – Up to $250,000 and 10 years in jail

Penalties for disclosing medical/patient information in violation of the Health Insurance Portability and Accountability Act (HIPAA)


Business Drivers for Access Control


Cost-benefit analysis

Risk assessment

Business facilitation

Cost containment

Operational efficiency

IT risk management

Cost-Benefit Analysis


Cost-benefit analysis

A list of pros and cons to help businesses make decisions

Advantage gained from keeping the information secret

Risks avoided by controlling access to the information

Advantage Gained


Advantages

Is there an advantage to securing information?

Will competitors gain an advantage if they have access to the information?

Is the information already secret?

Risks Avoided

Penalties for allowing sensitive information to be disclosed

Fines, jail time

Undercut by competition

Every organization should know what information it possesses and how important that information is in terms of access control


Risk Assessment


Prioritized list of threats and vulnerabilities

Inventory of assets, including sensitive information

Business Facilitation

Information is the backbone of many business processes

Manufacturing: Inventory and order numbers determine assembly line productivity

Finance: Changing stock prices dictate buy and sell decisions

Controlling access to information is critical for facilitating the day-to-day operations of a business

Operating systems implement access rights by giving users read, write, and execute privileges


Access Levels


Access Levels

No access

Read access

Read-write access

The Life Cycle of an Order

FIGURE 2-1 Access to information through the life cycle of an order.


Cost Containment

What is the cost to a company if a given piece of information is released to the public?

There may be monetary fines for releasing information

The cost to the company would be measured in terms of a competitive advantage or lost productivity


Accidental Dissemination of Electronic Information

FIGURE 2-2 Accidental dissemination of electronic information to unintended recipients.


Operational Efficiency


Information

Too much

Wrong

Operational efficiency

Right Info

Right people

Right time

The Right Information, The Right Time, The Right People


The right information

Must have access to the right information necessary to do the job

The right people

Productivity can be impacted if the wrong people have access to information or if too many people are brought into the decision-making process

The right time

The right person must receive information at the right time or productivity and efficiency are impacted

IT Risk Management (1 of 2)

REPORT CONTENTS


Full asset inventory

Vulnerability assessment

Threat assessment

Mitigation plans

Risk assessment policies

IT Risk Management (2 of 2)

Full asset inventory

Contains a list with the location of every major resource within the IT infrastructure

Vulnerability assessment

Examines the weaknesses of the system

Threat assessment

Examines the potential of the weaknesses within the system to be exploited

Mitigation plans

Plans for mitigating vulnerabilities and risks

Risk assessment policies

Describes the company’s policies governing how often a risk assessment should be conducted, methods used, who should be involved, and who is to receive a copy of the report


Controlling Access and Protecting Value (1 of 2)

Importance of internal access controls

Salary and benefit information

Importance of external access controls

Trade secrets, business plans

Implementation of access controls with respect to contractors, vendors, and third parties

Contractors

Conflicts of interest

Security safeguards for equipment


Controlling Access and Protecting Value (2 of 2)

Vendors

Client company is responsible for ensuring the vendor has access controls in place

Use contractual obligations to specify required safeguards

Other third parties

Owner of the property is responsible for ensuring it is handled securely

Conduct due diligence and investigate third party’s access control policies


Case Studies and Examples

Case Study in Access Control Success

Acme Insurance

Customer data in an information store

Sharing data incorrectly could violate federal law or expose proprietary information

Solution: Multilayered access control list

Case Study in Access Control Failure

Company X

Physical security breach resulted in exposure of trade secrets


Summary

Business requirements for asset protection

Classification of information

Business drivers for access control

Privacy and privacy laws
