
ACCESS CONTROL


yachi




Presentation Transcript


  1. ACCESS CONTROL • The most fundamental element of information security is to ensure that only those who have a specific need for an asset, combined with specific authoritative permission, will be able to access that asset.

  2. CISSP Expectations • Access control is the process of allowing only authorized users, programs or other computer systems to observe, modify, or otherwise take possession of the resources of a computer system. It is also a mechanism for limiting the use of some resources to authorized users.

  3. Key Access Control Concepts • Joining C-I-A • Confidentiality, integrity, availability • Determining a Default Stance • Defense in Depth • Access Control: A General Process

  4. Access control encompasses all operational levels of an organization: • Facilities • Support systems (power, HVAC: heating, ventilation, air conditioning) • Information systems • Personnel: All users should be subject to some form of access control to ensure the wrong people don’t interfere with the right people.

  5. AC enables management to: • Specify: • Which users can access a system • What resources those users can access • What operations those users can perform • Enforce accountability

  6. AC addresses the CIA triad • Confidentiality: Managing access is fundamental to preventing exposure of data by controlling who can see, use, modify, or destroy. • Integrity: Preventing unauthorized access promotes greater confidence in data and system integrity. • Availability: Restricting access reduces the likelihood of damage and loss of use.

  7. Default Stance • Allow-by-default • Deny-by-default

  8. Defense in Depth • The practice of applying multiple layers of security protection between an information resource and the potential attacker. P. 7

  9. AC: A General Process • There are many different approaches, but one very general approach applies to almost every situation. • 3-step process: • Define resources • Determine users • Specify the user’s use of the resource

  10. Defining resources • What are we trying to protect? • How may each resource be accessed? • Bind a user, group or entity to a resource • Every resource is an asset that must be afforded protection. Don’t forget printers, faxes, etc.

  11. Determining users • Need a clear understanding of the needs of the user and the level of trust given to the person or entity • An identification process must exist that takes into consideration the validity of the access need in the light of business needs, organizational policy, legal requirements, information sensitivity and security risk.

  12. Specifying Use: • The AC process must specify the level of use for a given resource and the permitted user actions on that resource. Example P. 11
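The default stance (slide 7) and the three-step process of slides 9 through 12 (define resources, determine users and groups, specify permitted use), shown as an added example that is not part of the original presentation. All resources, users, groups and permissions below are constructed sample data.

```python
# Step 1: define the resources being protected (constructed sample data).
RESOURCES = {"payroll_db", "print_server", "hr_share"}

# Step 2: determine users and the groups (entities) they belong to.
GROUP_MEMBERS = {
    "finance": {"alice", "bob"},
    "helpdesk": {"carol"},
}

# Step 3: specify use: bind a user or group to a resource and list the
# operations that principal may perform on it.
PERMISSIONS = {
    ("group:finance", "payroll_db"): {"read", "modify"},
    ("user:carol", "print_server"): {"read", "use"},
    ("group:helpdesk", "hr_share"): {"read"},
}


def principals_for(user):
    """Expand a user into every principal name a policy entry may reference."""
    names = {f"user:{user}"}
    names |= {f"group:{g}" for g, members in GROUP_MEMBERS.items() if user in members}
    return names


def check_access(user, resource, operation, default_allow=False):
    """Return True if the operation is permitted under the chosen default stance.

    Deny-by-default (default_allow=False): an operation is allowed only when
    some policy entry for one of the user's principals grants it.
    Allow-by-default (default_allow=True): a (principal, resource) pair with no
    policy entry at all is permitted; once an entry exists, the user is
    restricted to the operations it lists.
    """
    if resource not in RESOURCES:
        return False  # unknown resource: nothing has been defined to authorize against
    matched = [
        PERMISSIONS[(p, resource)]
        for p in principals_for(user)
        if (p, resource) in PERMISSIONS
    ]
    if matched:
        return any(operation in ops for ops in matched)
    return default_allow
```

Comparing the same request under both stances shows why the slides favour deny-by-default: an unlisted user/resource pair is silently permitted under allow-by-default.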

  13. Access Control Principles • Access Control Policy • Separation of duties • Least Privilege • Need to Know • Compartmentalization • Security Domain

  14. AC Policy • Specifies the guidelines for how users are identified and authenticated and the level of access granted to resources. • The absence of a policy will result in inconsistencies in provisioning, management, and administration of AC. • Provides the framework for definition of necessary procedures, guidelines, standards, and best practices.

  15. Separation of Duties • Objective: Prevent fraud and errors • Achieved by distributing the tasks & privileges for a specific process. • The person who requests the expenditure should not be allowed to approve the expenditure. • Another example P.12
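The expenditure example above (the requester must not be the approver), as an added example that is not part of the original presentation. It checks separation of duties both statically (a user provisioned with a conflicting pair of duties) and at the approval point; the duty names, users and transaction records are constructed.

```python
# Constructed sample data: which duties of the expenditure process each user holds.
DUTIES = {
    "alice": {"request_expenditure"},
    "bob": {"approve_expenditure"},
    "dave": {"request_expenditure", "approve_expenditure"},  # toxic combination
}

# Pairs of duties that must never be held by the same person.
CONFLICTING_DUTIES = [("request_expenditure", "approve_expenditure")]

# Constructed approval records: (transaction id, requester, approver).
TRANSACTIONS = [
    ("tx-1", "alice", "bob"),
    ("tx-2", "dave", "dave"),
    ("tx-3", "alice", "alice"),
]


def static_conflicts(duties=DUTIES):
    """Users whose provisioned duties contain a conflicting pair (a provisioning defect)."""
    found = []
    for user, held in duties.items():
        for first, second in CONFLICTING_DUTIES:
            if first in held and second in held:
                found.append((user, first, second))
    return found


def transaction_violations(transactions=TRANSACTIONS):
    """Transaction ids where the requester also approved (found by audit after the fact)."""
    return [tx for tx, requester, approver in transactions if requester == approver]


def approve(requester, approver, duties=DUTIES):
    """Enforce separation of duties at the approval point.

    Returns (allowed, reason). The approver must hold the approve duty and must
    be a different person from the requester.
    """
    if requester == approver:
        return False, "requester may not approve their own expenditure"
    if "approve_expenditure" not in duties.get(approver, set()):
        return False, f"{approver} does not hold the approve_expenditure duty"
    return True, "ok"
```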

  16. Determining Applicability of Separation of Duties (1) • 1st Action: Defining individual elements of a process • Determine element sensitivity • What elements of the process lend themselves to distribution. P.12

  17. Determining Applicability of Separation of Duties (Continued) • 2nd Action: Understand what elements within a function are prone to abuse, which ones are easily segmented without significantly disrupting operations, and what skills are available. • Determine: • Element identification, importance, and criticality • Operational considerations • User Skills & availability

  18. Determining Applicability of Separation of Duties (Continued) • Element identification, importance, and criticality • Elements within a function are known as milestone elements • If elements within a function don’t offer a clear point of segmentation, it may be necessary to incorporate a new milestone element as a validation & approval point within the function

  19. Determining Applicability of Separation of Duties (Continued) • Operational considerations • Balancing the impact of the function and its role in the business. Ensure that the separation of duties doesn’t hinder the process and make it prone to circumvention. • Weigh the cost of implementation against the overall risk the process represents and whether the benefits of separation outweigh the time & effort costs.

  20. Determining Applicability of Separation of Duties (Continued) • User Skills & availability • Are there enough skilled personnel to perform the separation-of-duties elements?

  21. Least Privilege • Requires that a user or process be given no more access privilege than necessary to perform a job, task, or function.

  22. Need to Know • A companion to “least privilege”. • Requires a person requesting information to establish the need to know such information in terms of the pertinent mission. • If information is given to people on a need-to-know basis, they are given only the details they need at the time they need them.

  23. Security Domain • An area where common processes and security controls are grouped together • Example: All systems and users managing financial information might be separated into their own security domain • Based on trust between resources in systems that share a single security policy and a single management structure. P.16

  24. Information Classification • Fundamental Information Classification questions • Benefits • Establishing an Information Classification Program • Labeling & Marking • Information Classification Assurance

  25. Purpose of Information Classification • Group an organization’s information assets by level of sensitivity and criticality. Once this is accomplished, the appropriate level of protection controls is assigned to each asset in accordance with its classification.

  26. Fundamental Information Classification questions • Where is the organization’s information? • How should the information be handled and protected? • Who should have access to it? • Who owns the information? • Who makes the decisions around these parameters?

  27. Benefits of Information Classification • Establishes information ownership. This increases the likelihood that it will be used in the proper context and access will be properly authorized. • Increases C-I-A by focusing the limited security funds on the resources requiring the highest level of protection and providing lesser controls for the information with less risk of loss.

  28. Benefits of Information Classification (Continued) • Increases knowledge and security awareness. • Allows for a greater understanding of the value of the information to be protected and provides clearer direction for the handling of sensitive information. • Operational benefits: critical information can be identified to support COOP.

  29. Establishing an Information Classification Program • Page 18

  30. Labeling & Marking • Provides the ability to manage the information within the media with the appropriate controls.

  31. Information Classification Assurance • Periodic testing • Random desk checks

  32. Access Control Requirements • Reliability • Transparency • Integrity • Maintainability • Authentication • Auditability

  33. Access Control Categories • Directive • Deterrent • Preventive • Compensating • Detective • Corrective • Recovery

  34. Access Control Categories (Continued) • Directive • Controls designed to specify acceptable rules of behavior within an organization, sometimes called administrative controls. • Policies, procedures, standards, guidelines

  35. Deterrent Controls • Designed to prevent specific actions by influencing choices of would-be intruders • Does not prevent or even record events • Signs • Guards, guard dogs • Razor wire

  36. Preventive Controls • Block or control specific events • Firewalls • Anti-virus software • Encryption • Key card systems • Fencing • Bollards • Crash guards

  37. Compensating Controls • Control that is introduced that compensates for the absence or failure of a control • “Compensating” refers to why it is implemented • Can be detective, preventive, deterrent, administrative • Examples • Daily monitoring of anti-virus console • Monthly review of administrative logins

  38. Detective Controls • Monitor and record specific types of events • Does not stop or directly influence events • Video surveillance • Audit logs • Event logs • Intrusion detection system

  39. Corrective Controls • Post-event controls to prevent recurrence • “Corrective” refers to when it is implemented • Can be preventive, detective, deterrent, administrative • Examples • Spam filter • Anti-virus on e-mail server • WPA Wi-Fi encryption

  40. Recovery Controls • Post-incident controls to recover systems • “Recovery” refers to when it is implemented • Can be detective, preventive, deterrent, administrative • Examples • System restoration • Database restoration

  41. Access Control Types • Access control categories classify different access control methods based upon where they fall within the Access Control Time Continuum. F. 1.7 P. 35

  42. Types of Controls • Administrative • Policy, procedures, standards • Technical • Authentication, encryption, firewalls, anti-virus • Physical • Key card entry, fencing, video surveillance

  43. Administrative Controls • Represent all actions, policies, processes, and management of the control system • Operational policies & procedures P.36 • Personnel security, evaluation, & clearances P.40 • Monitoring P.42 • User Access Management P.43 • Privilege Management (rights within your access) P.44

  44. Technical (Logical) Controls • Electronic, digital, & automated controls which enforce the organization’s policies. • Network access • Remote access • Application access • Malware control • Encryption

  45. Physical Controls • Controls that protect the physical environment and people. • Locks • Guards • Fences • Cameras • Fire management, gates

  46. System Access Control Strategies • Identification, authentication, authorization • Access control services • Identity Management • Access control technologies

  47. System AC Strategies (Continued) • Identification: The act of designating a known quantity. • Authentication: The process of verifying the identity of a user. • Authorization: Defining the specific resources an authenticated user is permitted to access.

  48. Identification • User name • User ID • Personal Identification Number (PIN) • Identification badges

  49. Problems with ID Badges • Credential badges • Security doesn’t always check • Access badges • Not physically with a specific person, people can share

  50. User ID • User ID • PIN • MAC address • IP address • RFID (small tag, like a UPC code) • Privacy concerns • Email address
