Chapter 6 Mapping Business Challenges to Access Control Types PDF

Summary

This document is Chapter 6 of a book on information systems security and assurance. It maps business challenges to access control types, covering learning objectives, key concepts, access controls, business continuity, and disaster recovery.

Full Transcript

CHAPTER 6 Mapping Business Challenges to Access Control Types

Copyright © 2021 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com.

Learning Objectives and Key Concepts

Learning Objectives
• Design appropriate authentication solutions throughout an IT infrastructure.
• Implement appropriate access controls and identity management techniques within IT infrastructures.

Key Concepts
• Access controls in relation to business challenges
• Access control strategies to solve business challenges
• Access control system design principles

Access Controls to Meet Business Needs

Goals of access control systems
• Keep people out
• Organize who has access to a particular resource
• Meet a business need

Business Continuity and Disaster Recovery

Business continuity and disaster recovery
• Keeps organizations operating efficiently and their essential functions continuing in the event of a natural or manmade disaster

Business continuity plans
• Controls designed to mitigate risks to an extent that they do not disrupt critical business functions

Disaster recovery plans
• Kick in when business continuity plans fail
• Attempt to get the business up and running again as quickly as possible

Business Continuity

Creating a Business Continuity Plan
• Brainstorm “what-if” scenarios
• Some disasters cannot be prevented (earthquakes, natural disasters) whether you plan for them or not
• Other disasters can be prevented or minimized through planning and strong access controls

Disaster Recovery

Access controls are crucial in the aftermath of disasters. Disaster recovery includes procedures in place to restore essential business as quickly as possible and reassure customers the situation is under control.

Possible Concerns
• Access to key personnel
• Servers offline
• Customer-facing websites down
• Damaged buildings or equipment
• Lack of power

Solutions
• Alternate facilities
• Backup systems to offsite servers
• Inform employees
• Mechanism to authorize first responders to access crucial information
• Training in disaster recovery procedures

Customer Access to Data (1 of 3)

Key Specifications:
• Allow customers to create and update their own account information
• Allow customers to create orders
• Deny access to any information not directly associated with that customer

Customer Access to Data (2 of 3)

• Need to know and least privilege
  • Only those with a legitimate need have access to sensitive information
• Technological access controls
  • Strong password policies
  • Intrusion detection systems and firewalls
• Physical security
  • Lock key facilities at all times
  • Escort visitors to and from destinations

Customer Access to Data (3 of 3)

• Administrative policies
  • Policies should be in place to handle lost or stolen ID badges, acceptable use of computers and other resources, and other potential security risks
• Employee training
  • Employees should be trained to recognize social engineering tactics*
  • Employees should be periodically retrained in security policies and best practices

*“Social engineering attacks manipulate people into sharing information that they shouldn't share, downloading software that they shouldn't download, visiting websites they shouldn't visit, sending money to criminals or making other mistakes that compromise their personal or organizational security.”

Risk and Mitigation (1 of 3)

Risk avoidance methods
• Risk avoidance
• Risk acceptance
• Risk transference
• Risk mitigation

Risk and Mitigation (2 of 3)

• Risk avoidance: Choosing to avoid an activity that carries some elements of risk
• Risk acceptance: Accepting the risk and doing what you need to do anyway
• Risk transference: Shifts the potential negative consequence of a risk from one organization to another
• Risk mitigation: Combines attempts to minimize the probability and consequences of a risk

Risk and Mitigation (3 of 3)

Differences to keep in mind
• A vulnerability is any weakness in a system that can be exploited
• A threat is a potential attack on a system
• Risk occurs when a particular threat will exploit a vulnerability

Threats and Threat Mitigation

• Confidentiality
• Availability
• Integrity

Vulnerabilities and Vulnerability Management

Operating system
• Vulnerable to viruses, malware, unauthorized access, overflow attacks
• Keep operating systems up to date

Applications
• Introduce vulnerability through design flaws or bugs
• Managed through testing and patching

Users
• Vulnerable to social engineering and insecure passwords
• Controlled by training and policy mandates

Solving Business Challenges with Access Control Strategies

Creating a comprehensive access control strategy:
1. Define your subjects and objects
   • Common subjects: users, applications, and network devices
2. Categorize them into groups and roles
   • Groups allow you to generalize access privileges needed by several subjects
   • Roles allow you to separate a subject’s function from its identity
3. Determine who needs access to what
4. Determine whether any external subjects will have access to internal systems and data

Employees with Access to Systems and Data (1 of 3)

Who Needs Access to Which Resources?
• Access should only be granted to users with a legitimate need to access the data or resource
• Modify access privileges if a user’s need changes in the future
• Do not assign privileges based on a user’s status within the organization (focus on position)

Employees with Access to Systems and Data (2 of 3)

Creating groups and roles
• Focus on roles and job functions rather than individuals when deciding a user’s need to access resources
• Groups and roles also simplify the task of administering permissions
• Employees can be easily removed from groups as they transfer to other departments or leave the company

Employees with Access to Systems and Data (3 of 3)

External Access to Systems and Data

• Determine if external subjects will have access to internal systems or data
• Common external subjects include
  • Third-party vendors and application service providers (ASPs)
  • External contractors
  • Employees with remote access
• Access should be limited to the lowest level of privilege needed to perform necessary tasks

Administrative Strategies

• How will new accounts be created and new access levels be granted?
• How will accounts be removed and access levels be lowered?

Technical Strategies

• Discretionary access control (DAC)
  • Rights are assigned by the resource owner
• Mandatory access control (MAC)
  • Rights are assigned by a central authority
• Role-based access control (RBAC)
  • Rights assigned based on user’s role rather than identity
• Automated account review
  • Accounts should be reviewed periodically to ensure access and privileges are still required
• Automated expiration of temporary access
  • Temporary access rights should be downgraded or removed promptly

Separation of Privileges

Separation of privileges
• Ensures that if an attacker compromises one account, they will be denied access because it is protected by two separate conditions
• Both conditions must be met for access to be granted

Aspects of separation of privileges
• Compartmentalization: Practice of keeping sensitive functions separate from non-sensitive ones
• Dual conditions: Implemented through two-stage authentication methods

Least Privilege

Least privilege
• A subject should be given the minimum level of rights necessary to perform its legitimate functions

Least user access (LUA)
• Requires that users commonly log onto workstations under limited user accounts
• Administrative accounts should be reserved for administrators, and then used only when performing administrative tasks

Risks Associated with Users Having Administrative Rights

Servers
• Administrators logged into a privileged account create an opportunity for an administrative session to be hijacked

Workstations
• On a workstation, the major risks of allowing users to log into an administrator account for routine tasks are malware and misconfigurations

Common Roles

Administrator
• Creates user accounts and assigns privileges
• Installs software and devices
• Performs low-level system maintenance tasks

User
• Views the status of services, drivers, processes and so on
• Runs programs
• Views log files
• Adds, modifies, and deletes data and files owned by that user

Guest
• Limited version of user account enabled to run only specific programs and to review specific data

Input/Output Controls

Input Controls
• Controls how users interact with data and devices that introduce new data in a system

Output Controls
• Concerned with the output of data, either to a screen, printer, or another device

Access Control System Design Principles

• Economy of mechanism: The principle of economy of mechanism states that security mechanisms should be as simple as possible.
• Least common mechanism: The security principle of least common mechanisms disallows the sharing of mechanisms that are common to more than one user or process if the users or processes are at different levels of privilege.
• Separation of privileges
• Least privilege
• Complete mediation: Complete mediation means that every access to every object should be authorized. Access should be checked, for example, not only when a file is opened, but also on each subsequent read or write to that file.
• Default deny: An Application Control scenario meaning the prohibition of any application that was not specifically mentioned on administrator-prepared allowlists.
• Open design: “Open Design” guarantees a transparent and open process for planning and designing the software.
• Least astonishment: A component of a system should behave in a way that most users will expect it to behave, and therefore not astonish or surprise users.

Case Studies and Examples (1 of 3)

Private Sector Case Study
• Case study follows Cloud Collaboration on the launch of a Software-as-a-Service (SaaS) office suite
• SaaS solutions:
  • Offer access to applications for a subscription fee (lowers costs)
  • Application and data are secure and portable
  • Privacy is a challenge

FIGURE 6-1 Portability of SaaS.

Case Studies and Examples (2 of 3)

Public Sector Case Study
• Case study follows the US military as they work to implement wireless mesh networks, a new method to improve communications
• Wireless mesh networks are based on a distributed mesh topology with each node in the network connected to multiple nodes

FIGURE 6-2 Mesh network topology.

Case Studies and Examples (3 of 3)

Critical Infrastructure Case Study
• Power plants are part of critical infrastructure for local, state, and national economies and require deep and multilayered access controls due to concerns over physical safety
• Case study examines how a plant in the upper Midwest uses ID badges that include images of the user and an RFID with the user’s access rights to manage access controls

Summary

• Access controls in relation to business challenges
• Access control strategies to solve business challenges
• Access control system design principles