Chapter 9: Access Control Management
Download as PPTX, PDF2 likes2,558 views
This document discusses access control management and security. It explains key access control concepts like default deny, least privilege, and need-to-know approaches. Authentication methods like single-factor, multi-factor and biometric identification are covered. The document also addresses authorization models, network segmentation for access control, layered border security, remote access security, user access controls, and monitoring access.
Chapter 9: Access Control Management
- 1. Security Program and Policies Principles and Practices by Sari Stern Greene Chapter 9: Access Control Management
- 2. Copyright 2014 Pearson Education, Inc. 2 Objectives ■ Explain access control fundamentals ■ Apply the concepts of default deny, need-to-know, and least privilege ■ Understand secure authentication ■ Protect systems from risks associated with Internet connectivity, remote access, and telework environments ■ Manage and monitor user and administrator access ■ Develop policies to support access control management
- 3. Access Control Fundamentals ■ Access controls ❑ Security features that govern how users and processes communicate and interact with systems and resources ❑ Primary objective is to protect information and systems from unauthorized access, modification, or disruption ■ Three common attributes of access controls ❑ Identification scheme ❑ Authentication method ❑ Authorization method Copyright 2014 Pearson Education, Inc. 3
- 4. Copyright 2014 Pearson Education, Inc. 4 What Is a Security Posture? ❑ It is the organization’s approach to access control ❑ Two fundamental security postures: ■ Secure, which implements the “default deny” model ■ Open, which implements the “default allow” model ❑ Every access control decision for a company is based on that company’s security posture
- 5. Copyright 2014 Pearson Education, Inc. 5 What Is a Security Posture? Cont. ■ Default allow versus default deny ❑ Default allow: By default, out-of-the-box, no security is deployed, everyone can do everything ■ Easier to deploy, works out-of-the-box ■ No security ❑ Default deny ■ Aka “deny all” ■ Access is unavailable by default until the appropriate control is altered to allow access
- 6. Copyright 2014 Pearson Education, Inc. 6 What Is a Security Posture? Cont. ■ Principle of Least Privilege ❑ Definition: The least amount of permissions granted users that still allow them to perform whatever business tasks they have been assigned, and no more. ❑ This is a strong foundation for any access control policy. ❑ Protects the data but also protects users. They can’t be accused of having deleted a file to which they can’t gain access! ❑ From a cultural stand point, it is important to explain to employees why they are not “trusted” with all the company’s data.
- 7. Copyright 2014 Pearson Education, Inc. 7 What Is a Security Posture? Cont. ■ Need-to-know ❑ Definition: Having a demonstrated and authorized reason for being granted access to information ❑ Should be made a part of the company’s culture ❑ Should be incorporated in security training curriculum ❑ At the least protects the confidentiality of corporate data, but may also protect integrity and availability depending on the attack type
- 8. How Is Identity Verified? ■ First step to granting access is user identification ❑ Authentication: Subject must supply verifiable credentials offered referred as factors ■ Single-factor authentication ■ Multifactor authentication ■ Multilayer authentication Copyright 2014 Pearson Education, Inc. 8
- 9. How Is Identity Verified? Cont. ■ Three categories of factors ❑ Knowledge: Something you know ■ Password ■ PIN ■ Answer to a question ❑ Possession: Something you have ■ One-time passcodes ■ Memory cards ■ Smart cards ■ Out-of-band communication ❑ Inherence: Something you are ■ Biometric identification Copyright 2014 Pearson Education, Inc. 9
- 10. Copyright 2014 Pearson Education, Inc. 10 What Is Authorization? ■ The process of assigning authenticated subjects permission to carry out a specific operation ■ Three primary authorization models ❑ Object capability ■ Used programmatically and based on a combination of a unforgettable reference and an operational message ❑ Security labels ■ Mandatory access controls embedded in object and subject properties ❑ Access Control Lists ■ Used to determine access based on some criteria
- 11. What Is Authorization? Cont. ■ Categories of access control lists ❑ MAC (Mandatory Access Control): Data is classified, and employees are granted access according to the sensitivity of information ❑ DAC (Discretionary Access Control): Data owners decide who should have access to what information ❑ RBAC (Role-based Access Control): Access is based on positions (roles) within an organization ❑ Rule-based access control: Access is based on criteria that is independent of the user or group account Copyright 2014 Pearson Education, Inc. 11
- 12. Infrastructure Access Controls ■ Include physical and logical network design, border devices, communication mechanisms, and host security settings ■ Network segmentation ❑ The process of logically grouping network assets, resources, and applications ❑ Type of network segmentation ■ Enclave network ■ Trusted network ■ Semi-trusted network, perimeter network, or DMZ ■ Guest network ■ Untrusted network Copyright 2014 Pearson Education, Inc. 12
- 13. What Is Layered Border Security? ■ Different types of security measures designed to work in tandem with a single focus ❑ Firewall devices ❑ Intrusion detection systems (IDSs) ❑ Intrusion prevention systems (IPSs) ❑ Content filtering and whitelisting/blacklisting ❑ Border device administration and management Copyright 2014 Pearson Education, Inc. 13
- 14. Copyright 2014 Pearson Education, Inc. 14 Remote Access Security ■ Remote Access ❑ Users who have a demonstrated business-need to access the corporate network remotely and are authorized to do so must be given that privilege ❑ Not all employees should be given this privilege by default ❑ Remote access activities should be monitored and audited ❑ The organization’s business continuity plan must account for the telecommuting environment ■ Remote access technologies ❑ Virtual Private Networks (VPNs) ■ Secure tunnel for transmitting data over unsecure network, such as the Internet ❑ Remote access portals ■ Offers access to one or more applications through a single centralized interface
- 15. User Access Controls ■ Used to ensure authorized users can access information and resources while unauthorized users cannot access information and resources ■ Users should have access only to information they need to do their job and no more ■ Administrative account controls ❑ Segregation of duties ❑ Dual control Copyright 2014 Pearson Education, Inc. 15
- 16. Copyright 2014 Pearson Education, Inc. 16 What Types of Access Should Be Monitored? ■ Three main monitoring areas: ■ Successful access ■ Failed access ■ Privileged operations
- 17. Copyright 2014 Pearson Education, Inc. 17 Is Monitoring Legal? ❑ Employees should have no expectation of privacy while on company time or when using company resources ❑ Courts have favored an employer’s right to protect their interests over individual privacy rights because: ■ Actions were taken at the employer’s place of work ■ Equipment used – including bandwidth – was company- provided ■ Monitoring the work also helps ensure the quality of work ■ The employer has the right to protect property from theft and/or fraud
- 18. Copyright 2014 Pearson Education, Inc. 18 Is Monitoring Legal? Cont. ❑ Courts indicate that monitoring is acceptable if it is reasonable: ■ Justifiable if serving a business purpose ■ Policies are set forth to define what privacy employees should expect while on company premises ■ Employees are made aware of what monitoring means are deployed ❑ Acceptable use agreement should include a clause informing users that the company will and does monitor system activity ❑ Users must agree to company policies when logging on
- 19. Copyright 2014 Pearson Education, Inc. 19 Summary ■ Access control is a complex domain. Access to information is extremely important to regulate. ■ User access and user actions on the network must be monitored and logged, whether they are located on premises or gaining access to the network remotely. ■ Monitoring is useless if the information gathered is not reviewed regularly.