SYSTEM ACCESS CONTROL SLIDE CONT.pptx

Document Details

Uploaded by CheeryDwarf

Ghana Communication Technology University

Tags

access control information security physical security

Full Transcript

Ghana Communications Technology University
LEVEL 200: SYSTEM ACCESS CONTROL

Course Description: This course provides an in-depth understanding of information systems and access control mechanisms. It covers fundamental concepts, practical applications, and advanced techniques essential for managing and securing information systems. Students will gain the knowledge and skills to design, implement, and evaluate access control systems.

Learning Objectives: By the end of this course, students will be able to:
1. Understand the core concepts of access control.
2. Describe the principles and practices of access control.
3. Implement various access control models and mechanisms.
4. Analyze and evaluate the effectiveness of different access control systems.
5. Apply access control techniques in real-world scenarios.

What is access control?
Access control is a security technique that regulates who or what can view or use resources in a computing environment. It is a fundamental concept in security that minimizes risk to the business or organization. There are two types of access control:
a. Physical access control
b. Logical access control

Physical Access Control
Physical access control is a security measure designed to regulate who can physically access buildings, rooms, or physical assets. It involves the use of various technologies and procedures to ensure that only authorized individuals can enter specific areas or interact with physical resources. This type of access control is essential for protecting sensitive information and valuable assets and for ensuring the safety of personnel.

Security principles of Physical Access Control:
1. Identification
Methods: Use of badges, key cards, biometric identifiers (fingerprints, facial recognition), and personal identification numbers (PINs).
Purpose: To identify individuals seeking access to a physical space.
2. Authentication
Methods: Verification of identification credentials using systems like card readers, biometric scanners, or PIN pads.
Purpose: To confirm the identity of the individual seeking access.
3. Authorization
Methods: Access control lists (ACLs) that define who is allowed to enter specific areas.
Purpose: To ensure that only individuals with the appropriate permissions can gain access to restricted areas.

TYPES OF PHYSICAL ACCESS CONTROL MECHANISMS
Access Control Tools:
Locks and Keys: Traditional mechanical locks, combination locks, and digital locks.
Electronic Access Systems: Key card or RFID card readers, biometric scanners (fingerprint, retina, facial recognition).
Security Personnel: Guards and receptionists who verify credentials and control access.
Physical Barriers: Fences, gates, turnstiles, and security doors that restrict physical entry.
Monitoring and Surveillance:
CCTV Cameras: Continuous or motion-activated video surveillance to monitor access points and record activity.
Alarm Systems: Sensors that detect unauthorized entry attempts and trigger alarms.
Access Logs: Electronic or manual records of who accessed a location and when, providing an audit trail.
Environmental Controls:
Lighting: Adequate lighting in and around access points to deter unauthorized access.
Signage: Clear signage indicating restricted areas and access control procedures.
Environmental Barriers: Use of landscaping and architectural features to guide or restrict access.

Benefits of Physical Access Control
1. Enhanced Security: Prevents unauthorized access, reducing the risk of theft, vandalism, and physical threats.
2. Protection of Assets: Safeguards sensitive information, valuable equipment, and other physical assets.
3. Safety: Ensures the safety of employees and visitors by controlling who can enter the premises.
4. Compliance: Helps organizations comply with regulatory requirements for physical security, such as those in the healthcare, finance, and government sectors.
Physical access control is a critical component of a comprehensive security strategy, ensuring that only authorized individuals can access certain areas and assets. It involves a combination of identification, authentication, authorization, and monitoring techniques to protect physical spaces and resources from unauthorized access and potential threats.

Why is access control important?
The goal of access control is to minimize the security risk of unauthorized access to physical and logical systems. Access control is a fundamental component of security compliance programs that ensures security technology and access control policies are in place to protect confidential information, such as customer data. Most organizations have infrastructure and procedures that limit access to networks, computer systems, applications, files, and sensitive data, such as personally identifiable information and intellectual property.

Challenges of access control
1. Dynamically managing distributed IT environments: IT systems nowadays often consist of multiple cloud and on-premises networks. These systems can be geographically scattered and include numerous devices, assets, and virtual machines. Access is granted to all these devices, and keeping track of them can be difficult.
2. Password fatigue: The concept of password fatigue refers to the challenge users experience when they have to remember multiple passwords for different applications. This is a significant issue for access control in security. Password fatigue can lead to users adopting poor password practices, such as using weak passwords or reusing the same password across multiple applications. This can significantly weaken an organization's security posture and make it easier for attackers to gain unauthorized access to sensitive resources.

https://www.linkedin.com/in/dicksonemma/

LOGICAL ACCESS CONTROL
Logical access control is the means and procedures to protect access to information on PCs, networks, and mobile phones. A variety of credential types may be used, such as passwords, tokens, or biometrics, to authenticate the user. These credentials may represent something the user knows (password), something the user has (token), or a physical trait of the user (biometrics). A logical access control system will implement a method to enroll and associate credentials with the user, and then to request that one or more of the user's credentials be authenticated for access to the resource (application, network, device, or operating system). The logical access control system may also log all access attempts for use in auditing who accessed a specific resource and when.

Types of Logical Access Control
MAC (Mandatory Access Control)
DAC (Discretionary Access Control)
RBAC (Rule-Based Access Control)
PBAC/ABAC (Policy/Attribute-Based Access Control)
R-BAC (Role-Based Access Control)
etc.

Mandatory Access Control
Mandatory access control (MAC) is a model of access control where the operating system provides users with access based on data confidentiality and user clearance levels. In this model, access is granted on a need-to-know basis: users must prove their need for information before gaining access. MAC is also called a non-discretionary access control model, which means that control isn't granted at the discretion of the user or file owner. The control mechanisms of the MAC model enable organizations to implement zero-trust principles. MAC is considered one of the most secure access control models. Access rules in this model are manually defined by system administrators and strictly enforced by the operating system or security kernel. Regular users can't alter security attributes, even for data they've created.

What are the basic principles of MAC?
The utmost privacy and confidentiality of the organization's resources are paramount.
No one has default privileges to access or edit someone else's data.
Access provisioning is centrally administered.
Each individual and resource in the system has security labels with their classification and category.

Advantages:
Robust Security: MAC enforces strong security measures against unauthorized access, protecting sensitive files and resources from cybercrime and unauthorized users.
Reduced Risk of Human Error: MAC is designed to be controlled by systems, not users or resource owners. This reduces the possibility of security failure or compromise.
Protection Against Insider Threats: MAC helps to mitigate the risk of breaches caused by individuals who work within the organization. Adopting security labels and clearance levels controlled by the system ensures that individuals don't misuse their privileges.

Discretionary Access Control (DAC)
Simply put, DAC is identity-based access control in which the owner of a resource restricts access to the resource based on the identity of the users. Furthermore, DAC mechanisms are controlled by user identification such as username and password. DAC is discretionary because the resource owner determines who can access the resource and what privileges they have.

Role-Based Access Control (RBAC)
Role-based access control is a widely used access control mechanism that restricts access to computer resources based on individuals or groups with defined business functions (e.g., executive level, engineer level 1) rather than the identities of individual users. The role-based security model relies on a complex structure of role assignments, role authorizations, and role permissions developed using role engineering to regulate employee access to systems. RBAC systems can be used to enforce MAC and DAC frameworks.

Policy-Based Access Control (PBAC, also known as ABAC)
Policy-Based Access Control, or PBAC, is an access control model that determines access based on a set of policies that define allowable actions within a system.
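The four models above differ in who decides and on what basis. The following is an added example, not code from the slides, with small decision functions for each: a label-dominance check for MAC, an owner-controlled ACL for DAC, role-to-permission lookup for RBAC, and an attribute-and-context rule for PBAC/ABAC. Every level, category, role, permission and policy in it is constructed sample data.

```python
"""Added example (not from the slides): decision functions for the MAC, DAC, RBAC and
PBAC/ABAC models described above. Every label, ACL, role and policy here is constructed."""
from dataclasses import dataclass, field

# --- Mandatory Access Control: labels are set by administrators and enforced by the system ---
CLEARANCE_ORDER = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str                             # classification of an object / clearance of a subject
    categories: frozenset = frozenset()    # need-to-know compartments, e.g. {"HR", "FINANCE"}


def mac_can_read(subject: Label, obj: Label) -> bool:
    """Read is allowed only if the subject's label dominates the object's label:
    a high enough clearance AND every compartment of the object (need to know).
    Neither party can edit the labels, so the rule is non-discretionary."""
    return (CLEARANCE_ORDER[subject.level] >= CLEARANCE_ORDER[obj.level]
            and obj.categories <= subject.categories)


# --- Discretionary Access Control: the owner of a resource decides, via an ACL ---
@dataclass
class DacResource:
    owner: str
    acl: dict = field(default_factory=dict)    # user -> set of permissions

    def grant(self, actor: str, user: str, perm: str) -> bool:
        """Only the owner may change the ACL; that is the 'discretionary' part."""
        if actor != self.owner:
            return False
        self.acl.setdefault(user, set()).add(perm)
        return True

    def allowed(self, user: str, perm: str) -> bool:
        return user == self.owner or perm in self.acl.get(user, set())


# --- Role-Based Access Control: permissions attach to business functions, users to roles ---
ROLE_PERMS = {
    "executive": {"report:read", "report:approve"},
    "engineer_l1": {"ticket:read", "ticket:update"},
    "auditor": {"report:read", "log:read"},
}


def rbac_allowed(user_roles: set, perm: str) -> bool:
    """Access depends on the user's roles, never on the individual identity."""
    return any(perm in ROLE_PERMS.get(role, set()) for role in user_roles)


# --- Policy/Attribute-Based Access Control: rules over attributes and request context ---
def pbac_allowed(user: dict, resource: dict, ctx: dict) -> bool:
    """Constructed policy: same department required; records flagged as PII may only be
    opened from the corporate network during office hours (08:00 to 17:59)."""
    if user["department"] != resource["department"]:
        return False
    if resource.get("pii"):
        return ctx["network"] == "corporate" and 8 <= ctx["hour"] < 18
    return True
```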
PBAC policies are often complex, involving a combination of rules, roles, attributes, and environmental factors. This model allows for fine-grained access control, enabling administrators to manage access based on the specific needs of the organization and the context of the access request. While PBAC is fairly similar to ABAC, it is easier to implement and requires fewer IT and development resources.

Identity and Access Management (IAM)
Identity and Access Management (IAM) security is an essential part of overall IT security that manages digital identities and user access to data, systems, and resources within an organization. IAM security includes the policies, programs, and technologies that reduce identity-related access risks within a business. IAM programs enable organizations to mitigate risks, improve compliance, and increase efficiencies across the enterprise.

What Are the Benefits of IAM Security?
IAM is a cybersecurity best practice and ensures greater control of user access. By identifying, authenticating, and authorizing users, while prohibiting unauthorized ones, IAM security improves the efficiency and effectiveness of access management throughout the business. Its benefits are to:
Enhance security and mitigate risks
Increase operational efficiencies
Improve compliance

How Identity and Access Management (IAM) Boosts Security
The core objective of an IAM platform is to assign one digital identity to each individual or device. From there, the solution maintains, modifies, and monitors access levels and privileges through each user's access life cycle. The core responsibilities of an IAM system are to:
1. Verify and authenticate individuals based on their roles and contextual information such as geography, time of day, or (trusted) networks.
2. Capture and record user login events.
3. Manage and grant visibility of the business's user identity database.
4. Manage the assignment and removal of users' access privileges.
5. Enable system administrators to manage and restrict user access while monitoring changes in user privileges.

What is Identity and Access Management Composed Of?

Single Sign-On
Single sign-on (SSO) is a form of access control that enables users to authenticate with multiple software applications or systems using just one login and one set of credentials. The application or site that the user attempts to access relies on a trusted third party to verify that the user is who they say they are, resulting in:
1. Enhanced user experience
2. Reduced password fatigue
3. Simplified password management
4. Minimized security risks for customers, partners, and vendors
5. Limited credential usage
6. Improved identity protection

Multi-Factor Authentication
Multi-factor authentication verifies a user's identity by requiring multiple credentials drawn from different factors:
1. Something the user knows: a password
2. Something the user has: a token or code sent to the user via email or SMS, to a hardware token generator, or to an authenticator application installed on the user's smartphone
3. Something specific to the user, such as biometric information

Privileged Access Management
Privileged access management protects businesses from both cyber and insider attacks by assigning higher permission levels to accounts with access to critical corporate resources and administrator-level controls. These accounts are typically high-value targets for cybercriminals and, as such, high risk for organizations.

Risk-Based Authentication
When a user attempts to log in to an application, a risk-based authentication solution looks at contextual features such as their current device, IP address, location, or network to assess the risk level. Based on this, it will decide whether to allow the user access to the application, prompt them to submit an additional authentication factor, or deny them access. This helps businesses immediately identify potential security risks, gain deeper insight into user context, and increase security with additional authentication factors.

Zero-Trust
A Zero-Trust approach moves businesses away from the traditional idea of trusting everyone or everything that is connected to a network or behind a firewall. This view is no longer acceptable, given the adoption of the cloud and mobile devices extending the workplace beyond the four walls of the office and enabling people to work from anywhere. IAM is crucial in this approach, as it allows businesses to constantly assess and verify the people accessing their res

Benefits of IAM systems

The right access for the right people
With the ability to create and enforce centralized rules and access privileges, an IAM system makes it easier to ensure that users have access to the resources they need without making it possible for them to access sensitive information they don't need. This is known as role-based access control (RBAC). RBAC is a scalable way to restrict access to only the people who need that access to perform their role. Roles can be assigned based on a fixed set of permissions or custom settings.

Unhindered productivity
As important as security is, productivity and user experience are also important. As tempting as it might be to implement a complicated security system to prevent breaches, having multiple barriers to productivity like multiple logins and passwords is a frustrating user experience. IAM tools like single sign-on (SSO) and unified user profiles make it possible to grant secure access to employees across multiple channels like on-premises resources, cloud data, and third-party applications without multiple logins.

Protection from data breaches
While no security system is infallible, using IAM technology significantly reduces your risk of data breaches.
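The Risk-Based Authentication section above describes a three-way decision (allow, ask for another factor, deny) driven by login context. The following is an added example, not code from the slides, that scores a login attempt against what is known about the user (device, country, network, recent failures) and records the reasons so the decision can be logged. The user profile, CIDR ranges, weights and thresholds are all constructed.

```python
"""Added example (not from the slides) of the risk-based authentication decision described
above: score a login attempt's context against what is known about the user, then allow it,
require an additional factor, or deny it. Profiles, networks, weights and thresholds are
constructed for illustration."""
from dataclasses import dataclass
import ipaddress

ALLOW, STEP_UP, DENY = "allow", "mfa_required", "deny"


@dataclass
class UserProfile:
    known_devices: set          # device identifiers seen on previous successful logins
    usual_countries: set        # countries the user normally logs in from
    corporate_networks: list    # CIDR ranges the organisation trusts, e.g. "10.0.0.0/8"


@dataclass
class LoginContext:
    device_id: str
    ip: str
    country: str
    failed_attempts_last_hour: int


def risk_score(profile: UserProfile, ctx: LoginContext):
    """Return (score, reasons). Reasons are kept so the decision can be logged and audited."""
    score, reasons = 0, []
    if ctx.device_id not in profile.known_devices:
        score += 30
        reasons.append("unknown device")
    if ctx.country not in profile.usual_countries:
        score += 30
        reasons.append(f"unusual location: {ctx.country}")
    addr = ipaddress.ip_address(ctx.ip)
    if not any(addr in ipaddress.ip_network(net) for net in profile.corporate_networks):
        score += 20
        reasons.append("outside corporate network")
    if ctx.failed_attempts_last_hour:
        # capped at five so the contribution stays bounded
        score += min(ctx.failed_attempts_last_hour, 5) * 10
        reasons.append(f"{ctx.failed_attempts_last_hour} recent failed attempts")
    return score, reasons


def decide(profile: UserProfile, ctx: LoginContext) -> str:
    """Low risk: the password alone suffices. Medium: prompt for a second factor. High: deny."""
    score, _ = risk_score(profile, ctx)
    if score >= 80:
        return DENY
    if score >= 30:
        return STEP_UP
    return ALLOW
```

A known device on the home network scores 20 and is allowed; a new device alone triggers the extra factor; a new device from a new country off the corporate network with recent failures is denied.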
IAM tools like MFA, passwordless authentication, and SSO give users the ability to verify their identities using more than just a username and password, which can be forgotten, shared, or hacked. Expanding user login options with an IAM solution reduces that risk by adding an additional layer of security to the login process that can't as easily be hacked or shared.

Data encryption
One of the reasons IAM is so effective at elevating an organization's security is that many IAM systems offer encryption tools. These protect sensitive information when it's transmitted to or from the organization, and features like Conditional Access enable IT administrators to set conditions such as device, location, or real-time risk information as conditions for access. This means the data is safe even in the event of a breach, because the data can only be decrypted under verified conditions.

Access Control Practices
Common practices in access control that students should be familiar with:
Authorized versus unauthorized personnel
Need to know
Principle of least privilege
Segregation of duties
Two-person rule
Memorized secrets

Authorized and Unauthorized Personnel
The core function of access control is allowing access to a resource (or an object) to only those subjects who are specifically authorized to access it. Authorized personnel are those who are registered within a system and have permissions authorizing them access to a specific resource. For that resource they are considered authorized personnel. In present-day cybersecurity-speak, the latest buzzword is "zero trust." Zero trust simply means access to a computing, network, or data resource will not be given to any person or subject unless that access is explicitly authorized. In other words, in a zero trust enterprise, access controls must be used everywhere. Whether the user, or thing, making an access request is coming from across the Internet or from within the same network, the same level of authorization is required.

Need to Know
Need to know is the basic premise of access control. Access to a resource should only be granted to a user who has a legitimate need to know, which means that the user requires access to the resource in order to perform a business function. In practice, when a user's permissions are set up within an information system, the user's access to systems and/or data is established based on the user's official duties. For example, if as part of a user's official duties they need to be able to edit employee personnel files, then they have a need to know and should be allowed access to the files. In practice, employees are often reminded to be on the lookout for proper implementation of need to know in the workplace. Just because someone has been set up to access a resource, that doesn't mean they have been set up correctly. If an employee sees another employee access data and they believe that employee does not have a need to know for that data, the access should be questioned and reported according to the organization's rules or policies.

Principle of Least Privilege
The principle of least privilege is the concept that a user should only have access to the resources that they need in order to do their job, and no more than that. For instance, if you are an administrator for your company's financial system, you should have administrative credentials for the financial system but not for the manufacturing system. Similarly, if a mechanic needs keys to be able to unlock the company's tool closet, those keys should not also unlock the company's safe where the money is kept. The idea is that by limiting the resources a user has access to, the risk of loss due to a compromise is reduced. Organizations should apply the principle of least privilege whenever they grant users access to systems, data, or resources. Access should be limited to the minimum resources that a user needs in order to perform their job duties.

By applying least privilege, organizations can reap several benefits. By limiting a user's access, the risk of a compromise due to a potential vulnerability in one system can be limited to just that system. Therefore, the organization's exposure to threats is limited. Another benefit of least privilege is that it limits the organization's exposure to insider threats or employee errors. If an employee has access to resources that they don't need access to, it increases the risk that the employee could, accidentally or on purpose, misuse that access to compromise the confidentiality, integrity, or availability of resources that they never should have had access to in the first place.

Segregation of Duties
Also known as separation of duties, segregation of duties is an internal control that organizations use to prevent fraud or reduce the likelihood of errors. The concept is that duties are assigned such that no one employee has enough privileges to misuse the system or cause an error on their own. For example, if one employee is responsible for both writing checks and signing them, there is the potential for fraud or abuse. However, if one employee is responsible for writing checks and another employee is responsible for signing them, there is much less likelihood of fraud or abuse. Organizations use segregation of duties when they define job roles throughout the enterprise. Some organizations have policies that require segregation of duties for incompatible job functions or job functions that have the potential for fraud, mistakes, or abuse.

Two-Person Rule
Similar in concept to segregation of duties is the two-person rule, which requires certain functions to be performed by two authorized users or employees working in tandem. By requiring two people to be present, the potential for fraud, errors, or abuse is reduced. The U.S. government uses the two-person rule for nuclear weapons controls and other critical military systems operation functions.
Industry widely uses the two-person rule for any function that requires such an added security measure. One example of the two-person rule is storage areas that have two locks that require two different people to open in order to gain access. In fact, in response to the security breaches committed by criminal and former U.S. government contractor Edward Snowden, the National Security Agency (NSA) implemented a two-person rule for access to their server rooms.

Memorized Secrets
Memorized secrets are "something you know" such as passwords, PINs, or lock combinations used to authenticate a user to a system or a physical device. Passwords are sequences of numbers, letters, or characters entered into a computing device. Lock combinations can also be numbers, letters, or characters typed or physically manipulated into a locking device or mechanism. In either case, the memorized secret is a sequence of numbers or letters known only to the user; therefore, the correct entry of the password or combination verifies that the authorized user is the person who is requesting access. The use of secrets requires good practices in the following areas to avoid compromises or security issues:

Strength
Memorized secrets such as passwords should not be easily guessed. This is usually accomplished by a policy that requires them to have a minimum character length and contain some combination of lowercase letters, uppercase letters, numbers, and symbols. The minimum character length is usually 8 characters, but many organizations now use 16 characters as their minimum. Combination locks usually have the type and length of characters incorporated into their design and are therefore not configurable by the organization.

Storage
Passwords and lock combinations can be hard to remember and easy to forget. As a result, there may be a temptation for the user to write them down or store them so they don't have to remember them. This isn't a bad idea if it is done in a secure manner, but it is a bad idea if the password or combination is stored unsecured. Writing down passwords on a sticky note or storing them in an unencrypted file on a computer isn't a good idea, because the sticky note or unencrypted file can be compromised. Secrets should only be stored in a secure manner such as in a physical safe or a password manager. Password managers or vaults are software programs that store passwords or other important information in encrypted files. The passwords can only be accessed by a user with the proper credentials. Password vaults are a great way to keep passwords or other secrets secure and available for use.

Policy
Many organizations have password policies, which are written documents that employees are required to follow and that govern how passwords or other secrets are used within the organization.

Identification, Authentication, Authorization, and Accountability
In order for a subject (or user) to access an object (or resource), they must first prove who they are. Then, the access management system must be able to recognize them and verify that they have the proper rights to carry out the action they are requesting.

Identification
Identification is the act of the subject providing identifying information. In most information systems this is accomplished by the user entering a username, user identifier (ID), or sometimes an account number. The identification usually does not change; it's like a person's name, and it exists for the life of the subject.

Authentication
Authentication is the method by which systems verify that a user really is who they claim to be. Identification and authentication are typically used in combination; together they are called credentials. Authentication is considered the second part of the credential, which is the verification step. This part of the credential is a secret: a password, PIN, cryptographic key, or a secret provided by a token or biometric device. To work, identification and authentication require a prior registration process to tell the system who the user is and what their credentials are, so the system recognizes that person each time they log in or request access.

Authorization
If the credentials (the username and the secret) match the information stored in the access management system, the system authorizes that the subject is who they claim to be, and access is granted. Authorization is the bestowing of a set of permissions or a level of access to objects or resources within a system.

Accountability
Accountability is another important feature of the process because it provides a record of the access transaction. Once a user is authenticated and granted access to a resource, they can be held accountable for their actions. If the user of credentials causes a data breach or misuses a computer system, the system not only knows who they are but, since their actions are tracked and recorded using logs, it also has a record of what actions the user performed that led up to the security breach. Logs are used throughout any enterprise to record actions and events and to provide information to auditors and investigators. Logs are particularly useful in providing a record of access control events.

Authentication Factors
There are three ways of authenticating a subject to a system. These methods are called authentication factors, each of which is described next.

Type 1: Something You Know
Type 1 verification or authentication factors require the user to know something. The most common type is a memorized secret such as a password, which is a sequence of characters known only to the user and the identity management software of the system the user is logging into. Organizations define a password policy containing the rules governing the use of passwords within the organization.

Type 2: Something You Have
Type 2 verification or authentication factors require the user to have something with them. Usually, these devices are handheld tokens or smart cards. A token is a device with a digital display. The user presses a button on the token, and a number pops up on the display. The user then enters the number into the system they are logging into. The number on the token changes periodically, but the token and the system are always synchronized, so the system knows what number the token should be displaying. A smart card is a plastic credit-card-like device that contains memory and sometimes a microprocessor. The user inserts the smart card into a reader, and the smart card interacts with the access management system to authenticate the user. Whether a token, smart card, or another kind of type 2 device is used, the data the device produces is used by the access management system to authenticate the user.

Type 3: Something You Are
Type 3 authentication factors use something the user is. Passwords (type 1) can be forgotten, and tokens (type 2) can be misplaced, but it's hard to lose your finger. Biometric devices, which read fingerprints, hand geometry, or features of the face or iris, are appealing because the user doesn't have to remember a password or carry a token. Instead, the reader examines part of the user's body to verify who the user is. Biometrics are becoming more reliable and more widespread in use. Nevertheless, biometrics can be susceptible to errors: a biometric system can falsely reject a valid user or falsely accept an unknown user. In situations where reliability is paramount and false positives and false negatives are not acceptable, biometrics should only be used in combination with other authentication factors.

Identity management is a broad term used to describe the tools and technologies that organizations use to manage access control.
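The Type 2 description above says the token's number changes periodically while token and server stay synchronized. The following is an added example, not code from the slides, showing one standard way that synchronization works: time-based one-time passwords (TOTP, RFC 6238, built on HOTP, RFC 4226), which is an assumption since the slides do not name an algorithm. The enrolled secret is constructed; both sides derive the same number from it and the current time step, and the server tolerates one step of clock drift.

```python
"""Added example (not from the slides) of the synchronised 'something you have' token
described above. The slides only say the displayed number changes periodically and that
token and server stay in sync; this implements one standard way of doing that, TOTP
(RFC 6238, built on HOTP, RFC 4226), which is an assumption. The secret is constructed."""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # how long each displayed number is valid
DIGITS = 6

# Shared secret enrolled at registration; both the token and the server hold a copy.
ENROLLED_SECRET = b"constructed-example-secret"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation, then modulo 10^digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = STEP_SECONDS) -> str:
    """The token side: the counter is the number of whole time steps since the epoch,
    so token and server derive the same value without talking to each other."""
    return hotp(secret, int(at_time // step))


def verify_token(secret: bytes, submitted: str, at_time: float, window: int = 1) -> bool:
    """The server side: accept the current step plus `window` steps either side to
    tolerate clock drift, and compare in constant time."""
    counter = int(at_time // STEP_SECONDS)
    return any(hmac.compare_digest(hotp(secret, counter + drift), submitted)
               for drift in range(-window, window + 1))


if __name__ == "__main__":
    print("current token:", totp(ENROLLED_SECRET, time.time()))
```

With the RFC test secret "12345678901234567890", the value at 59 seconds is 287082, matching the published vector truncated to six digits.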
Identity management and access control can be managed using a centralized, decentralized, or hybrid approach.

IAM Lifecycle
Regardless of whether an organization uses centralized, decentralized, or some other method of identity and access management, the operation follows a general lifecycle for the creation and removal of the accounts that define a user's accesses.

Provisioning
Provisioning is the creation and maintenance of user accounts, as well as maintaining the correct access rights for the user. For new employees, accounts are set up upon their hire with their initial permissions defining access rights to each system and/or physical area based on their job duties and need to know. Over time a user's access requirements may change. As a result, their accounts may require updating as needed. Management approval is required for both initial account creation and account changes. In addition, care is taken to ensure that permissions and access levels are the minimum required for the user's job (using the principle of least privilege).

Review
Accounts are regularly reviewed and monitored to ensure that there is still a need for access over time. This is particularly important for administrator accounts and other privileged accounts with elevated access levels. When employees are transferred to new roles within the organization, their accounts and permissions are reviewed to ensure the level of access is appropriate for their role. Privilege creep is a term used to describe when a user gradually accrues more access rights over time beyond what is required for their role. This can occur when accounts are not properly managed or when provisioning procedures are not followed.

Revocation
After an employee has separated from the organization, or when the employee no longer has a need for an account or access to a system, their access is revoked. Organizations develop and follow strict procedures to ensure that when access to a resource is no longer needed, it is turned off. A good practice is for organizations to regularly review accounts and accesses to remove or disable accounts that are no longer needed.
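The lifecycle above (provisioning, review, revocation) and the earlier practices of least privilege and segregation of duties fit together as one set of checks. The following is an added example, not code from the slides: provisioning grants exactly the role baseline and requires approval, review flags privilege creep and the check-writing/check-signing conflict, a transfer re-derives rights from the new role, and revocation strips everything. Role baselines, the conflict pair, the account and the dates are constructed sample data.

```python
"""Added example (not from the slides) tying together the practices above: least privilege at
provisioning, detection of privilege creep and segregation-of-duties conflicts at review, and
revocation on separation. Role baselines, conflict pairs, accounts and dates are constructed."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Baseline permissions per role: what the role needs to perform its duties and no more.
ROLE_BASELINE = {
    "accounts_payable": {"invoice:create", "check:write"},
    "treasurer": {"check:sign", "bank:view"},
    "mechanic": {"tool_closet:unlock"},
}
# Incompatible duties that one person must never hold together (the check example above).
SOD_CONFLICTS = [("check:write", "check:sign")]
# Constructed dates for the walkthrough.
HIRE_DATE = date(2024, 1, 15)
REVIEW_DATE = date(2024, 6, 1)


@dataclass
class Account:
    user: str
    roles: set
    permissions: set = field(default_factory=set)
    active: bool = True
    last_review: Optional[date] = None


def baseline_for(roles: set) -> set:
    return set().union(*(ROLE_BASELINE[r] for r in roles))


def provision(user: str, roles: set, approved_by: Optional[str], today: date) -> Account:
    """Provisioning: management approval required; permissions are exactly the role baseline."""
    if not approved_by:
        raise PermissionError("management approval is required to create an account")
    return Account(user, set(roles), baseline_for(roles), last_review=today)


def privilege_creep(acct: Account) -> set:
    """Rights accrued beyond what the account's current roles justify."""
    return acct.permissions - baseline_for(acct.roles)


def sod_violations(acct: Account) -> list:
    return [pair for pair in SOD_CONFLICTS if set(pair) <= acct.permissions]


def review(acct: Account, today: date, max_age_days: int = 90) -> list:
    """Periodic review: report findings; an empty list means the account is clean."""
    findings = []
    creep = privilege_creep(acct)
    if creep:
        findings.append(f"privilege creep: {sorted(creep)}")
    for a, b in sod_violations(acct):
        findings.append(f"segregation of duties: {a} and {b} held by one person")
    if acct.last_review is None or (today - acct.last_review).days > max_age_days:
        findings.append("overdue for review")
    return findings


def transfer(acct: Account, new_roles: set, approved_by: Optional[str], today: date) -> Account:
    """Role change: re-derive permissions from the new roles so old rights do not linger."""
    if not approved_by:
        raise PermissionError("management approval is required to change access")
    acct.roles = set(new_roles)
    acct.permissions = baseline_for(acct.roles)
    acct.last_review = today
    return acct


def revoke(acct: Account) -> Account:
    """Separation: disable the account and strip every right, not just the obvious ones."""
    acct.active = False
    acct.roles.clear()
    acct.permissions.clear()
    return acct


def run_lifecycle() -> dict:
    """Walk one account through hire, an unofficial extra grant, review, transfer and exit."""
    acct = provision("ama", {"accounts_payable"}, approved_by="cfo", today=HIRE_DATE)
    clean = review(acct, HIRE_DATE)                 # fresh account: no findings
    acct.permissions.add("check:sign")              # ad-hoc grant made outside the process
    flagged = review(acct, REVIEW_DATE)             # creep, SoD conflict, overdue
    transfer(acct, {"mechanic"}, approved_by="cfo", today=REVIEW_DATE)
    after_transfer = review(acct, REVIEW_DATE)      # old finance rights are gone
    revoke(acct)
    return {"clean": clean, "flagged": flagged, "after_transfer": after_transfer,
            "final_permissions": acct.permissions, "active": acct.active}
```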
