Data Access Control, Password Policy and Authentication Methods for Online Bank

Md. Mahbubur Rahman Alam
B. Sc. (Statistics), Dhaka University
M. Sc. (Statistics, Major in Econometrics), Dhaka University
PGD (ICT), BUET
M. Sc. (ICT), BUET
Assistant Professor, BIBM, Mirpur, Dhaka.
Cell: 01556323244, Mail: alam_mr@yahoo.com, Website: mralam.net

[Diagram: delivery channels of an online bank arranged around the Customer: Call Center, Branch, Internet, Other Bank, Mobile, POST, PSTN, Kiosk, ATM]

Md. Mahbubur Rahman Alam, Assistant Professor (ICT), BIBM. Mail: alam_mr@yahoo.com

Data Access Control

Data access typically refers to software and activities related to storing, retrieving, or acting on data housed in a database or other repository. Data access is simply the authorization you have to different data files.

[Diagram: the layers a user passes through to reach the data: Network Access, Operating System, Application Software (CBS), Data access]

Access Controls

Access controls should provide reasonable assurance that data and applications are protected against unauthorized modification, disclosure, loss or impairment. Such controls include physical controls, such as keeping a computer in a locked room to limit physical access, and logical controls, such as security software designed to prevent or detect unauthorized access to sensitive files.

Restricting Access

- Implement separation of duties (SOD), a preventive control.
- Establish separate test and production environments, a preventive control.
- Restrict user-account and database-administrator access, a preventive control.
Identification, Authentication and Process

Elements to restrict include:
- Data access (successful/failed SELECTs)
- Data changes (INSERT, UPDATE, DELETE)
- System access (successful/failed logins)
- User/role/permission/password changes
- Privileged user activity (all)
- Schema changes (CREATE/DROP/ALTER tables, columns, fields)

Authentication Methods

We can authenticate an identity in three ways:
- Something the user knows (such as a password or personal identification number)
- Something the user has (a security token or smart card)
- Something the user is (a physical characteristic, such as a fingerprint, called a biometric)

Biometric examples (image slides):
- Hand or Palm Geometry
- Fingerprint Recognition
- Facial Recognition
- Eye Scans

USB Security Token or One Time Password

[Image slide: RSA Security LLC token. RSA stands for Ron Rivest, Adi Shamir and Leonard Adleman.]
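As an added example (not part of the slides or of any vendor's product), here is the server side of the one-time-password token mentioned above: an HOTP (RFC 4226) code generator and a verifier with a look-ahead window and replay protection. The secret is the RFC 4226 test vector; the window size, class and function names are my own choices.

```python
# Added example: verifying a counter-based one-time password (HOTP, RFC 4226)
# of the kind a hardware token displays. Secret and counters come from the
# RFC 4226 test vector, embedded here so the example runs offline.
import hmac
import hashlib
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation to
    31 bits, then reduction to the requested number of decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)

class TokenVerifier:
    """Server copy of the shared secret plus the next expected counter.
    A code is accepted only if it matches one of the next `window` counter
    values; the counter then moves past it, so a code cannot be replayed and
    codes older than the last accepted one are refused."""
    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.window = window
        self.counter = 0  # next counter value the server expects

    def verify(self, code: str) -> bool:
        for step in range(self.window):
            candidate = self.counter + step
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.counter = candidate + 1  # resynchronise past the used value
                return True
        return False

def demo() -> dict:
    """Feed the verifier a few token presses (constructed sequence)."""
    secret = b"12345678901234567890"  # RFC 4226 test secret
    v = TokenVerifier(secret)
    return {
        "first": v.verify(hotp(secret, 0)),    # press 0: accepted
        "replay": v.verify(hotp(secret, 0)),   # same code again: refused
        "skipped": v.verify(hotp(secret, 3)),  # presses 1-2 unseen, still in window
        "stale": v.verify(hotp(secret, 1)),    # older than last accepted: refused
        "too_far": v.verify(hotp(secret, 9)),  # beyond the window: refused
        "next_counter": v.counter,             # 4
    }
```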
Login Authentication

[Diagram: two ways into the Database Server. Either a Windows 2000 group or user connects and the database server verifies the trusted connection, or a database server login account connects and the database server verifies the name and password. In both cases the database server then assigns the login to database user accounts and roles (a database user or a database role).]

Permission Validation

[Diagram: 1. The database user executes a command (SELECT * FROM Members). 2. The database server checks permissions. 3. Permissions OK: the server performs the command; permissions not OK: the server returns an error.]

Granting Permissions to Allow Access
[Table: User/Role (Eva, Ivan, David, public) against SELECT, INSERT, UPDATE, DELETE]

Denying Permissions to Prevent Access
[Table: User/Role (Eva, Ivan, David, public) against SELECT, INSERT, UPDATE, DELETE]

Revoking Granted and Denied Permissions
[Table: User/Role (Eva, Ivan, David, public) against SELECT, INSERT, UPDATE, DELETE]

Password Policy

- Use of both upper- and lower-case letters (case sensitivity)
- Inclusion of one or more numerical digits
- Inclusion of special characters, e.g. @, #, $ etc.
- Prohibition of words found in a dictionary or of the user's personal information
- Prohibition of passwords that match the format of calendar dates, license plate numbers, telephone numbers, or other common numbers
- Prohibition of the company name or an abbreviation of it

Password Duration

Some policies require users to change passwords periodically, e.g. every 90 or 180 days. The benefit of password expiration, however, is debatable. Systems that implement such policies sometimes prevent users from picking a password too close to a previous selection.
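The permission-validation flow and the three permission slides above (grant, deny, revoke) can be modelled in a few lines. This is an added example, not from the slides or from any database product: it follows the SQL Server-style rules the diagrams depict (DENY overrides GRANT, REVOKE removes either, every user belongs to `public`); the `Tellers` role, the row values and the helper names are constructed.

```python
from dataclasses import dataclass, field

def parse(sql: str):
    """(verb, table) for the simple SELECT/INSERT/UPDATE/DELETE shapes used here."""
    w = sql.rstrip(";").split()
    verb = w[0].upper()
    if verb not in ("SELECT", "INSERT", "UPDATE", "DELETE"):
        raise ValueError(f"unsupported statement: {sql}")
    after = {"SELECT": "FROM", "DELETE": "FROM", "INSERT": "INTO"}.get(verb)
    return verb, (w[[x.upper() for x in w].index(after) + 1] if after else w[1])

@dataclass
class PermissionStore:
    # entries: (principal, table, action) -> "GRANT"|"DENY"; roles: user -> roles. All users are in `public`.
    entries: dict = field(default_factory=dict)
    roles: dict = field(default_factory=dict)
    def grant(self, who, table, action):
        self.entries[(who, table, action)] = "GRANT"
    def deny(self, who, table, action):
        self.entries[(who, table, action)] = "DENY"
    def revoke(self, who, table, action):
        self.entries.pop((who, table, action), None)  # removes a GRANT or a DENY alike

    def check(self, user, table, action) -> bool:
        """Step 2: any DENY on the user, `public` or one of the user's roles wins; else a GRANT is needed."""
        principals = {user, "public"} | self.roles.get(user, set())
        states = {self.entries.get((p, table, action)) for p in principals}
        return "DENY" not in states and "GRANT" in states

    def execute(self, user, sql) -> str:
        # Steps 1 and 3: the command is performed only if the permission check passes.
        verb, table = parse(sql)
        if self.check(user, table, verb):
            return f"OK: {user} performed {verb} on {table}"
        return f"ERROR: {user} has no {verb} permission on {table}"

def demo() -> dict:
    s = PermissionStore(roles={"Eva": {"Tellers"}})  # constructed scenario
    s.grant("public", "Members", "SELECT")   # everyone may read Members
    s.grant("Tellers", "Members", "UPDATE")  # Eva updates through her role
    s.grant("Ivan", "Members", "INSERT")
    s.deny("Ivan", "Members", "SELECT")      # DENY overrides the public GRANT
    s.grant("David", "Members", "INSERT")
    s.revoke("David", "Members", "INSERT")   # back to no entry, hence no access
    return {
        "eva_select": s.execute("Eva", "SELECT * FROM Members"),
        "eva_update": s.execute("Eva", "UPDATE Members SET name = 'x' WHERE id = 1"),
        "ivan_select": s.execute("Ivan", "SELECT * FROM Members"),
        "ivan_insert": s.execute("Ivan", "INSERT INTO Members VALUES (1, 'y')"),
        "david_insert": s.execute("David", "INSERT INTO Members VALUES (2, 'z')"),
    }
```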
Common Password Practice

- Never share a computer account
- Never use the same password for more than one account
- Never tell a password to anyone, including people who claim to be from customer service or security
- Never write down a password
- Never communicate a password by telephone, e-mail or instant messaging
- Be careful to log off before leaving a computer unattended
- Change passwords whenever there is suspicion they may have been compromised
- Use different passwords for the operating system and for applications
- Passwords should be alphanumeric
- Never use online password generation tools

Password Strength

Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. In its usual form, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly. The strength of a password is a function of its length, complexity, and unpredictability.

Multi-factor Authentication (MFA)

MFA (also called two-factor authentication, TFA, T-FA or 2FA) is an approach to authentication that requires the presentation of two or more of the three authentication factors: a knowledge factor ("something only the user knows"), a possession factor ("something only the user has"), and an inherence factor ("something only the user is"). After presentation, each factor must be validated by the other party for authentication to occur.
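An added example (not from the slides) that turns the Password Policy rules, the "too close to a previous password" check from the Password Duration slide and the strength measure defined above into code. The word list, company names, similarity threshold and regular expressions are assumptions of mine, not from the page.

```python
import math
import re
import string
from difflib import SequenceMatcher

DICTIONARY = {"password", "welcome", "summer"}      # constructed word list
COMPANY_NAMES = {"Example Bank", "ExBank"}          # constructed placeholders
DATE_LIKE = re.compile(r"^\d{1,2}[/.-]?\d{1,2}[/.-]?\d{2,4}$")  # 25/12/1999, 25121999
PHONE_LIKE = re.compile(r"^\+?\d{7,15}$")

def policy_violations(pw: str, personal=(), previous=()) -> list:
    """Return the rules from the policy slide that `pw` violates; [] means compliant.
    `personal` holds user details (name, ID); `previous` the user's earlier passwords."""
    low, problems = pw.lower(), []
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("needs both upper- and lower-case letters")
    if not any(c.isdigit() for c in pw):
        problems.append("needs at least one digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("needs a special character")
    if any(w in low for w in DICTIONARY) or any(p.lower() in low for p in personal if p):
        problems.append("contains a dictionary word or personal information")
    if DATE_LIKE.match(pw) or PHONE_LIKE.match(pw):
        problems.append("matches a calendar date, phone number or other common number")
    if any(n.lower().replace(" ", "") in low.replace(" ", "") for n in COMPANY_NAMES):
        problems.append("contains the company name or an abbreviation")
    # Duration slide: reject a choice too close to an earlier password (similarity >= 0.8).
    if any(SequenceMatcher(None, low, old.lower()).ratio() >= 0.8 for old in previous):
        problems.append("too close to a previous password")
    return problems

def expected_guesses(pw: str) -> float:
    """Average trials for an attacker exhausting the character classes the
    password draws from: half of pool**length (the strength slide's measure)."""
    pool = 0
    if any(c.islower() for c in pw): pool += 26
    if any(c.isupper() for c in pw): pool += 26
    if any(c.isdigit() for c in pw): pool += 10
    if any(c in string.punctuation for c in pw): pool += len(string.punctuation)
    return pool ** len(pw) / 2

def entropy_bits(pw: str) -> float:
    """Search space in bits, log2(pool**length); 0 for an empty password."""
    return math.log2(2 * expected_guesses(pw)) if pw else 0.0
```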
Multi-factor Authentication (MFA)

- Something only the user knows (e.g., password, PIN, pattern)
- Something only the user has (e.g., ATM card, smart card, mobile phone)
- Something only the user is (e.g., a biometric characteristic, such as a fingerprint)

Thank You
Questions are Welcome