CH06.pdf

Transcript

CHAPTER 6

Mapping Business
Challenges to
Access Control
Types

Copyright © 2021 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com.
Learning Objectives and Key Concepts

Learning Objectives Key Concepts

Copyright © 2021 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
 Design appropriate authentication  Access controls in relation to
solutions throughout an IT business challenges
infrastructure.
 Access control strategies to solve
 Implement appropriate access business challenges
controls and identity management
 Access control system design
techniques within IT infrastructures.
principles
Access Controls to Meet Business Needs

Goals of access control systems

Copyright © 2021 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
Keep people out

Organize who has access to a particular resource

Meet a business need
Business Continuity and Disaster Recovery

Business continuity and disaster recovery

Copyright © 2021 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
Keeps organizations operating efficiently and their essential functions continuing
in the event of a natural or manmade disaster

Business continuity plans

Controls designed to mitigate risks to an extent that they do not disrupt critical
business functions

Disaster recovery plans

Kick in when business continuity plans fail
Attempt to get the business up and running again as quickly as possible
Business Continuity

Creating a Business Continuity Plan

Copyright © 2021 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
 Brainstorm “what-if” scenarios
 Some disasters cannot be prevented (earthquakes, natural disasters) whether
you plan for them or not
 Other disasters can be prevented or minimized through planning and strong
access controls
Disaster Recovery

Access controls are crucial in aftermath of disasters

Copyright © 2021 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
Disaster recovery includes procedures in place to restore essential business as quickly as
possible and reassure customers the situation is under control

Possible Concerns Solutions
 Access to key personnel  Alternate facilities
 Servers offline  Backup systems to offsite servers
 Customer-facing websites down  Inform employees
 Damaged buildings or equipment  Mechanism to authorize first responders
to access crucial information
 Lack of power
 Training in disaster recover procedures
Customer Access to Data (1 of 3)

Copyright © 2021 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
Key Specifications:

Allow customers to create and update their own account information
Allow customers to create orders
Deny access to any information not directly associated with that customer
Customer Access to Data (2 of 3)

 Need to know and least privilege
 Only those with a legitimate need have access to sensitive information

Copyright © 2021 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
 Technological access controls
 Strong password policies
 Intrusion detection systems and firewalls

 Physical security
 Lock key facilities at all times
 Escort visitors to and from destinations
Customer Access to Data (3 of 3)

 Administrative policies
 Policies should be in place to handle lost or stolen ID badges, acceptable use of

Copyright © 2021 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
computers and other resources, and other potential security risks

 Employee training
 Employees should be trained to recognize social engineering tactics*
 Employees should be periodically retrained in security policies and best practices

*”Social engineering attacks manipulate people into sharing information that they shouldn't
share, downloading software that they shouldn't download, visiting websites they shouldn't
visit, sending money to criminals or making other mistakes that compromise their personal or
organizational security.”
Risk and Mitigation (1 of 3)

Copyright © 2021 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
Risk avoidance methods

Risk avoidance Risk acceptance Risk transference Risk mitigation
Risk and Mitigation (2 of 3)

Copyright © 2021 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
Choosing to Accepting the Shifts the Combines
Risk avoidance

Risk acceptance

Risk transference

Risk mitigation
avoid an risk and doing potential attempts to
activity that what you negative minimize the
carries some need to do consequence probability
elements of anyway of a risk from and
risk one consequences
organization of a risk
to another
Risk and Mitigation (3 of 3)

Differences to A vulnerability is any weakness in a system that can be
keep in mind

Copyright © 2021 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
exploited

A threat is a potential attack on a system

Risk occurs when a particular threat will exploit a vulnerability
 Copyright © 2021 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
Confidentiality

Availability
Integrity
Threats and Threat Mitigation
Vulnerabilities and Vulnerability Management

Operating system

Copyright © 2021 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
Vulnerable to viruses, malware, unauthorized access, overflow attacks
Keep operating systems up to date

Applications

Introduce vulnerability through design flaws or bugs
Managed through testing and patching

Users

Vulnerable to social engineering and insecure passwords
Controlled by training and policy mandates
Solving Business Challenges with
Access Control Strategies

Creating a comprehensive access control strategy:

Copyright © 2021 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
1. Define your subjects and objects
 Common subjects – Users, applications, and network devices

2. Categorize them into groups and roles
 Groups allow you to generalize access privileges needed by several subjects
 Roles allow you to separate a subject’s function from its identity

3. Determine who needs access to what
4. Determine whether any external subjects will have access to internal systems
and data
Employees with Access to Systems and Data (1 of 3)

Who Needs Access should only be granted to users with a legitimate need
Access to

Copyright © 2021 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
to access the data or resource
Which
Resources?
Modify access privileges if a users need changes in the future

Do not assign privileges based on user’s status within the
organization (focus on position)
Employees with Access to Systems and Data (2 of 3)

Copyright © 2021 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
Creating groups and roles

Focus on roles and job functions rather than individuals when deciding
a user’s need to access resources
Groups and roles also simplify the task of administering permissions
Employees can be easily removed from groups as they transfer to other
departments or leave the company
Employees with Access to Systems and Data (3 of 3)

External Access to Systems and Data

Copyright © 2021 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
 Determine if external subjects will have access to internal systems or data
 Common external subjects include
 Third-party vendors and application service providers (ASPs)
 External contractors
 Employees with remote access

 Access should be limited to the lowest level of privilege needed to perform
necessary tasks
Administrative Strategies

Copyright © 2021 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
How will new accounts How will accounts be
be created and new removed and access
access levels be levels be lowered?
granted?
Technical Strategies

 Discretionary access control (DAC)
 Rights are assigned by the resource owner

Copyright © 2021 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
 Mandatory access control (MAC)
 Rights are assigned by a central authority

 Role-based access control (RBAC)
 Rights assigned based on user’s role rather than identity

 Automated account review
 Accounts should be reviewed periodically to ensure access and privileges are still
required

 Automated expiration of temporary access
 Temporary access rights should be downgraded or removed promptly
Separation of Privileges

Separation of privileges

Copyright © 2021 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
Ensures that if attacker compromises one account, they will be denied
access because it is protected by two separate conditions
Both conditions must be met for access to be granted

Aspects of separation of privileges

Compartmentalization: Practice of keeping sensitive functions separate
from non-sensitive ones
Dual conditions: Implemented through two-stage authentication methods
Least Privilege

Copyright © 2021 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
Least privilege

A subject should be given the minimum level of rights necessary to perform
its legitimate functions

Least user access (LUA)

Requires that users commonly log onto workstations under limited user
accounts
Administrative accounts should be reserved for administrators, and then
used only when performing administrative tasks
Risks Associated with Users Having
Administrative Rights

Copyright © 2021 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
Servers Workstations

On a workstation, major risks to
Administrators logged into a
allowing users to log into
privileged account create an
administrator account for routine
opportunity for administrative
tasks are malware and
session to be hijacked
misconfigurations
Common Roles

Administrator

Copyright © 2021 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
Creates user accounts and assign privileges
Installs software and devices
Performs low-level system maintenance tasks

User

Views the status of services, drivers, processes and so on
Runs programs
Views log files
Adds, modifies, and deletes data and files owned by that user

Guest

Limited version of user account enabled to run only on specific programs and to review specific
data
Input/Output Controls

Copyright © 2021 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
Controls how users
interact with data Output Controls
and devices that
introduce new data
in a system
Concerned with the
output of data, either
to a screen, printer,
or another device

Input Controls
Access Control System Design Principles

Copyright © 2021 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
Economy of Least common
mechanism mechanism
Separation of The security principle of least common
Least privilege The principle of economy of
mechanisms disallows the sharing of
privileges mechanism states that security
mechanisms that are common to more
mechanisms should be as simple as
than one user or process if the users or
possible.
processes are at different levels of
privilege

Complete
Least
Open design mediation Default deny
astonishment Complete mediation means that every An Application Control scenario meaning
“Open Design” guarantees a transparent
a component of a system should behave access to every object should be the prohibition of any application that
and open process for planning and
in a way that most users will expect it to authorized. Access should be checked, was not specifically mentioned on
designing the software.
behave, and therefore not astonish or for example, not only when a file is administrator-prepared allowlists.
surprise users. opened, but also on each subsequent
read or write to that file.
Case Studies and Examples (1 of 3)

Private Sector Case Study

Copyright © 2021 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
 Case study follows Cloud
Collaboration on the launch of a
Software-as-a-Service (SaaS)
office suite
 SaaS solutions:
 Offers access to applications for a
subscription fee (lowers costs)
 Application and data are secure
and portable
 Privacy is a challenge
FIGURE 6-1 Portability of SaaS.
Case Studies and Examples (2 of 3)

Public Sector Case Study

Copyright © 2021 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
 Case study follows the US military
as they work to implement wireless
mesh networks, a new method to
improve communications
 Wireless mesh networks are based
on a distributed mesh topology with
each node in the network
connected to multiple nodes

FIGURE 6-2 Mesh network topology.
Case Studies and Examples (3 of 3)

Critical Infrastructure Case Study

Copyright © 2021 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
 Power plants are part of critical infrastructure for local, state, and national
economies and required a need for deep and multilayered access controls due
to concerns over physical safety
 Case study examines how a plant in the upper Midwest uses ID badges that
includes images of the user and an RFID with the user’s access rights to
manage access controls.
Summary

 Access controls in relation to business challenges

Copyright © 2021 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com
 Access control strategies to solve business challenges
 Access control system design principles