Uploaded by Enrique-Nicholas Ruiz

IFT381 Ch06

CHAPTER 6
Access Controls
Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com.
Learning Objective(s) and Key Concepts
Learning Objective(s)
• Explain the role of access controls in an IT infrastructure.
Key Concepts
• Access control concepts and technologies
• Identification, authentication, and authorization
• Formal models of access control
• Threats to access controls and control violations
• Centralized and decentralized access controls
Defining Access Control
• The process of protecting a resource so that it is used only by those allowed to use it
• Prevents unauthorized use
• Mitigations put in place to protect a resource from a threat
Four-Part Access Control
Access Control Component | Description
Identification | Who is asking to access the asset?
Authentication | Can their identities be verified?
Authorization | What, exactly, can the requestor access? And what can they do?
Accountability | How are actions traced to an individual to ensure the person who makes data or system changes can be identified?
Policy Definition and Policy Enforcement Phases
• Policy definition phase
  • Who has access and what systems or resources can they use?
  • Tied to the authorization phase
• Policy enforcement phase
  • Grants or rejects requests for access based on the authorizations defined in the first phase
  • Tied to identification, authentication, and accountability phases
Two Types of Access Controls
• Physical
  • Controls entry into buildings, parking lots, and protected areas
• Logical
  • Controls access to a computer system or network
Physical Access Control
• Example: Smart cards
  • Programmed with ID number
  • Used at parking lots, elevators, office doors
  • Shared office buildings may require an additional after-hours card
  • Cards control access to physical resources
Logical Access Control
• Deciding which users can get into a system
• Restraining or influencing a user’s behavior on that system
• Monitoring what each user does on that system
The Security Kernel
• Enforces access control for computer systems
• Implements the reference monitor concept
• Mediates all access requests
• Permits access only when appropriate rules or conditions are met
• Central point of access control
Enforcing Access Control
Access Control Policies
Four central components of access control:
• Users
  • People who use the system or processes (subjects)
• Resources
  • Protected objects in the system
• Actions
  • Activities that authorized users can perform on resources
• Relationships
  • Optional conditions that exist between users and resources
Authorization Policies
• Authorization
  • The process of deciding who has access to which resources
• In most organizations, authorization is based on job roles, background screening, and government requirements
• Conditions or policies are decided by:
  • Individual users (user is assigned privileges; most detailed and difficult to maintain)
  • Group membership policy
  • Authority-level policy
Methods and Guidelines for Identification
• Methods
  • Username
  • Smart card
  • Biometrics
• Guidelines
  • Nonrepudiation
  • Accounting
Processes and Requirements for Authentication
• Knowledge
  • Something you know
• Ownership
  • Something you have
• Characteristics
  • Something unique to you (something you are)
• Action/performance
  • Something you do/how you do it
• Behavior
  • Some observable trait or behavior that is unique to you
• Location
  • Somewhere you are
• Relationship
  • A trusted individual with whom you have a relationship/someone you know
Authentication by Knowledge
• Password
  • Weak passwords easily cracked by brute-force or dictionary attack
  • Password best practices
• Password account policies
• Passphrase
  • Stronger than a password
• Account lockout policies
• Audit logon events
Authentication by Ownership
• Synchronous token
  • Calculates a number at both the authentication server and the device
  • Time-based synchronization system
  • Event-based synchronization system
  • Continuous authentication
• Asynchronous token
  • Uses challenge-response technology
  • Key-fob sized device
  • Token software installed on a validated mobile device
  • USB token
  • Smart card
Asynchronous Token Challenge–Response
Authentication by Characteristics/Biometrics
• Static (physiological) measures
  • What you are
  • Examples: Fingerprint patterns, iris granularity, retina blood vessels
• Dynamic (behavioral) measures
  • What you do
  • Examples: Voice inflections, keyboard strokes, signature motions
Concerns Surrounding Biometrics
• Accuracy
• Reaction time
• Acceptability
Types of Biometrics
• Facial recognition
• Palm print
• Voice pattern
• Hand geometry
• Keystroke dynamics
• Vein analysis
• Signature dynamics
• Retina scan
• Gait analysis
• Iris scan
• Fingerprint
Advantages and Disadvantages of Biometrics
• Advantages
  • Person must be physically present to authenticate
  • There is nothing to remember
  • Biometrics are difficult to fake
  • Lost IDs or forgotten passwords are not problems
• Disadvantages
  • Physical characteristics might change
  • Physically disabled users might have difficulties
  • Not all techniques are equally effective
  • Response time may be too slow
  • Required devices can be expensive
  • Privacy issues
Authentication by Location and Action
• Location
  • Strong indicator of authenticity
  • Additional information to suggest granting or denying access to a resource
• Action
  • Stores the patterns or nuances of how you do something
  • Record typing patterns
Single Sign-On (SSO)
• Sign on to a computer or network once and then be allowed into all computers and systems where authorized
• Reduces human error
• Difficult to put in place
Advantages and Disadvantages of SSO
• Advantages
  • Logon process is efficient
  • Users are generally willing to use stronger passwords
  • Provides continuous, clear reauthentication
  • Provides failed logon attempt thresholds and lockouts
  • Provides centralized administration
• Disadvantages
  • Compromised passwords grant access to an intruder
  • Static passwords provide very limited security
  • Difficulty adding SSO to unique computers or legacy systems
  • Scripts can expose data and do not provide two-factor authentication
  • Authentication server can become a single point of failure
SSO Processes
• Kerberos
• Lightweight Directory Access Protocol (LDAP)
• Secure European System for Applications in a Multi-vendor Environment (SESAME)
Policies and Procedures for Accountability
• Log files
• Data retention
• Media disposal
• Compliance requirements
• Monitoring and reviews
Formal Models of Access Control
• Discretionary access control (DAC)
• Nondiscretionary access control
• Rule-based access control
• Mandatory access control (MAC)
DAC
• Operating systems-based DAC policy considerations
  • Access control method
  • New user registration
  • Periodic review
• Application-based DAC
  • Denies access based on context or content through the application by presenting only options that are authorized for the current user
• Permission levels
  • User based
  • Job-based, group-based, or role-based access control (RBAC)
  • Project based
  • Task based
MAC
• Determine level of restriction by sensitivity of resource (classification label)
• Individuals then formally authorized (i.e., obtain clearance) to access sensitive information
• System and owner make the decision to allow access
• Temporal isolation/time-of-day restrictions
• MAC is stronger than DAC
Nondiscretionary Access Control
• Access rules are closely managed by security administrator, not system owner or ordinary users
• Sensitive files are write-protected for integrity and readable only by authorized users
• More secure than DAC
• Ensures that system security is enforced and tamperproof
Rule-Based Access Control
Access Control Lists (1 of 2)
• Linux and macOS
  • Permissions
    • Read, write, execute
  • Applied to
    • File owners, groups, global users
Access Control Lists (2 of 2)
• Windows
  • Share permissions
    • Full, change, read, deny
  • Security permissions
    • Full, modify, list folder contents, read-execute, read, write, special, deny
An Access Control List
Role-Based Access Control
Content-Dependent Access Control
Constrained User Interface
• Methods of constraining users
  • Menus
  • Database views
  • Physically constrained user interfaces
  • Encryption
Other Access Control Models
• Bell–LaPadula model
• Clark–Wilson integrity model
• Brewer–Nash integrity model
• Biba integrity model
Brewer–Nash Integrity Model
Effects of Breaches in Access Control
• Disclosure of private information
• Loss of business intelligence
• Danger to facilities, staff, and systems
• Damage to equipment
• Failure of systems and business processes
• Corruption of data
Threats to Access Controls
• Gaining physical access
• Bypassing security
• Exploiting hardware and software
• Reusing or discarding media
• Electronic eavesdropping
• Intercepting communication
• Accessing networks
• Exploiting applications
• Eavesdropping by observation
Effects of Access Control Violations
• Loss of customer confidence
• New legislation and regulations imposed on the organization
• Bad publicity
• More oversight
• Financial penalties
• Loss of business opportunities
Credential and Permissions Management
• Systems that provide the ability to collect, manage, and use the information associated with access control
• Microsoft offers Group Policy and Group Policy Objects (GPOs) to help administrators manage access controls
Centralized and Decentralized Access Controls
• Centralized authentication, authorization, and accounting (AAA) servers
  • RADIUS: Most popular; two configuration files
  • TACACS+: Internet Engineering Task Force (IETF) standard; one configuration file
  • DIAMETER: Base protocol and extensions; uses User Datagram Protocol (UDP) in peer-to-peer (P2P) mode rather than client/server mode
  • SAML: Open standard based on XML for exchanging both authentication and authorization data
P2P Mode and Client/Server Mode
Decentralized Access Control
• Handles access control decisions and administration locally; access control is in hands of the people closest to the system users
• Common decentralized access control protocols:
  • Password Authentication Protocol (PAP)
  • Challenge-Handshake Authentication Protocol (CHAP)
  • Mobile device authentication, Initiative for Open Authentication (OATH)
  • HMAC-based one-time password (HOTP)
  • Time-based one-time password (TOTP)
• Identity and access management (IAM) and Privileged Access Management (PAM) can work together to provide controlled access to an organization’s services, resources, and data
Privacy
• Communicate expectations for privacy in acceptable use policies (AUPs) and logon banners
• Monitoring in the workplace includes:
  • Opening mail or email
  • Using automated software to check email
  • Monitoring keystrokes and time spent at the keyboard
  • Checking logs of websites visited
  • Getting information from credit-reference agencies
  • Collecting information through point-of-sale (PoS) terminals
  • Recording activities on closed-circuit television (CCTV)
Cloud Computing
Category | Description
Private | All components are managed for a single organization; may be managed by the organization or by a third-party provider
Community | Components are shared by several organizations and managed by one of the participating organizations or by a third party
Public | Available for public use and managed by third-party providers
Hybrid | Contains components of more than one type of cloud, including private, community, and public clouds
Cloud Service Provider (CSP)
• Common cloud services
  • Infrastructure as a Service (IaaS)
  • Platform as a Service (PaaS)
  • Software as a Service (SaaS)
Advantages and Disadvantages of Cloud Computing
• Advantages
  • No need to maintain a data center
  • No need to maintain a disaster recovery site
  • Outsourced responsibility for performance and connectivity
  • On-demand provisioning
• Disadvantages
  • More difficult to keep private data secure
  • Greater danger of private data leakage
  • Greater demand for constant network access
  • Greater need for clients to trust outside vendors
Summary
• Access control concepts and technologies
• Formal models of access control
• Threats to access controls and control violations
• Centralized and decentralized access controls
• Identification, authentication, and authorization