Access Control, Authentication, and Public Key Infrastructure

Lesson 4

Access Control Policies, Standards, Procedures, and Guidelines

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.


Learning Objective and Key Concepts

Learning Objective

Develop an access control policy framework consisting of best practices for policies, standards, procedures, and guidelines to mitigate unauthorized access.

Key Concepts

Regulatory laws concerning unauthorized access

Organization-wide authorization and access policy

Access control and data classification policies


DISCOVER: CONCEPTS


Access Control Policy Framework

Identifies the importance of protecting assets and leading practices to achieve protection

Beneficial for documenting management understanding and commitment to asset protection


Access Control Policies

Explicitly state responsibilities and accountabilities for achieving the framework principles

Establish and embed management’s commitment

Authorize the expenditure of resources

Inform those who need to know

Provide a documented reference that can later be consulted to verify that objectives have been achieved


Protecting the Infrastructure through Policies and Procedures


Access Control Procedures and Guidelines

Procedures:

Tell how to do something

Step-by-step means to accomplish a task

Serve as a means of knowledge transfer


Access Control Procedures and Guidelines (Continued)

Guidelines:

Are generally accepted practices

Not mandatory

Allow the implementer to achieve the objective through alternate means

Provide flexibility


Password Management Controls

Log accesses and monitor activities

Validation programs

Enforce password changes at reasonable intervals

Expiry policy to lock accounts after a period of nonuse


Passwords are the most common and easiest form of access control

To be effective, they require a secure channel through the network to transmit the encrypted password

On their own, they are not very secure

Why use them?

Something you know

User friendly: people get the concept (like an ATM PIN)

Two-factor authentication

– Combine passwords with a token (such as a smart card)

– ATM card and PIN: improved protection

Easy to manage

Supported across IT platforms

Password Management Controls (Continued)

Audit logs to review for successful and failed attempts

Password policy

Privacy policy
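As an added example (not code from the slides), the following Python reviews constructed audit-log lines against two of the controls listed above: a threshold on failed attempts and an expiry policy that locks accounts after a period of nonuse. The log format, field names, and thresholds are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample audit log (not from the original slides): one line per
# login attempt, with timestamp, outcome, account and source address.
SAMPLE_LOG = """\
2024-03-01T08:00:00 LOGIN SUCCESS user=alice src=10.0.0.5
2024-03-01T08:05:00 LOGIN FAIL user=bob src=10.0.0.9
2024-03-01T08:05:10 LOGIN FAIL user=bob src=10.0.0.9
2024-03-01T08:05:20 LOGIN FAIL user=bob src=10.0.0.9
2024-03-01T08:05:30 LOGIN FAIL user=bob src=10.0.0.9
2024-03-01T08:05:40 LOGIN FAIL user=bob src=10.0.0.9
2024-03-01T08:06:00 LOGIN FAIL user=bob src=10.0.0.9
2023-12-10T09:00:00 LOGIN SUCCESS user=carol src=10.0.0.7
2024-03-02T09:00:00 LOGIN SUCCESS user=alice src=10.0.0.5
"""

# Assumed line layout: "<ISO timestamp> LOGIN <SUCCESS|FAIL> user=<name> ..."
LINE_RE = re.compile(r"^(\S+) LOGIN (SUCCESS|FAIL) user=(\S+)")


def parse_log(text):
    """Return (timestamp, outcome, user) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events


def review_accounts(events, now, max_failures=5, nonuse_days=60):
    """Flag accounts at or above the failed-attempt threshold and accounts whose
    last successful login is older than the nonuse period (lock candidates)."""
    failures = {}
    last_success = {}
    for ts, outcome, user in events:
        if outcome == "FAIL":
            failures[user] = failures.get(user, 0) + 1
        else:
            last_success[user] = max(last_success.get(user, ts), ts)
    too_many = sorted(u for u, n in failures.items() if n >= max_failures)
    dormant = sorted(u for u, ts in last_success.items()
                     if now - ts > timedelta(days=nonuse_days))
    return {"excessive_failures": too_many, "lock_for_nonuse": dormant}


def run_sample(now_iso="2024-03-03T00:00:00"):
    """Apply the review to the constructed log as of the given date."""
    return review_accounts(parse_log(SAMPLE_LOG), now=datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    print(run_sample())
```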


Password Control Issues

Users:

Choose easy-to-guess passwords

Share passwords

Often forget passwords

Passwords are vulnerable to attacks such as guessing and cracking


U.S. Compliance Laws for Organizations

Health Insurance Portability and Accountability Act (HIPAA)

Gramm-Leach-Bliley Act (GLBA)

Sarbanes-Oxley (SOX) Act


DISCOVER: PROCESS


Access Control Principles

Minimal privilege or exposure

Regular monitoring of access privileges

Need-to-know basis for allowing access

Physical, logical, and integrated access controls

Monitor logs and correlate events across systems


Layered Security and Defense-in-Depth Mechanisms

Diagram labels: Need to Know, Physical, RBAC, MAC, Least Privilege, Layered Security, Defense-in-Depth, Security, Firewalls, Intrusion Prevention System (IPS)/Intrusion Detection System (IDS), Operating System (OS)


Layered security arises from the desire to cover the shortcomings of each network component by combining components into a single, comprehensive strategy – the whole of which is greater than the sum of its parts

Defense-in-Depth:

Takes advantage of the delay between threat and exploitation: rapid notification and response while attacks and disasters are under way, combined with measures that delay their effects

Uses multiple layers of complementary technologies

On the perimeter:

Firewalls may constitute layers 1 and 2 of protection

Intrusion prevention/detection may be at layer 3

Virus scanners and content filtering constitute layer 4

Each technology and each layer complements the protection provided by the other technologies and layers: at the perimeter to protect against external attacks, and in the internal network to protect against internal attacks

Summary

Access policy framework

Access control policies, procedures, and guidelines

Password management controls and issues

Layered security
