Protecting Information Assets - Week 10 - Identity Management and Access Control. MIS 5206 Protecting Information Assets

Size: px

Start display at page:

Download "Protecting Information Assets - Week 10 - Identity Management and Access Control. MIS 5206 Protecting Information Assets"

Darleen George
6 years ago
Views:

1 Protecting Information Assets - Week 10 - Identity Management and Access Control

2 MIS5206 Week 10 Identity Management and Access Control Presentation Schedule Test Taking Tip Quiz

3 Identity Management and Access Control Business owners and managers are constantly identifying areas of security risk and taking steps to mitigate that risk In an IT environment, risk takes the form of access

4 What do we mean by Access Control Access is the ability to create a flow of information between user and system Access Controls are security features that control how users and systems communicate and interact with one another

5 Access Control Principles Three main security principles apply to access control: Confidentiality Integrity Availability

6 What s the difference between Identification, Authentication and Authorization? Identification, Authentication and Authorization are distinct functions Identification: Authentication: Authorization: Who you say you are Confirmation that you are who you say you are What access and use privileges you are allowed based on who you are

7 Identification Method of establishing the subject s (user, program, process) identity Use of user name or other public information Know identification component requirements

8 Authentication Method of proving the identity Something a person is, has, or does Biometrics, passwords, passphrase, token, Common Access Card (CAC), or other private information

9 Authentication Biometrics Verifies an identity by analyzing a unique person attribute or behavior Most expensive way to prove identity, also has difficulties with user acceptance Many different types of biometric systems

10 Authentication Most common biometric systems: Fingerprint Palm Scan Hand Geometry Iris Scan Signature Dynamics Keyboard Dynamics Voice Print Facial Scan Hand Topography

11 Authentication Biometric systems can be hard to compare Type I Error: False rejection rate Type II Error: False acceptance rate This is an important error to avoid

12 Authentication Passwords User name + password most common identification, authentication scheme Weak security mechanism, must implement strong password protections

13 Authentication Techniques to attack passwords Electronic monitoring Access the password file Brute Force Attacks Dictionary Attacks Social Engineering

14 Authentication Passphrase Is a sequence of characters that is longer than a password Takes the place of a password Can be more secure than a password because it is more complex

15 Authentication Token Devices Synchronous Time Based Counter Synchronization Asynchronous Session token

16 Authentication Hashing & Encryption Encryption/Decryption := 2 way function Hash := 1 way function Hash or encrypting a password to ensure that passwords are not sent nor stored in clear text (means extra security)

17 Authentication Cryptographic Keys Use of private keys or digital signatures to prove identity Private Key Digital Signature Beware digital signature vs. digitized signature.

18 Authorization Determines that the proven identity has some set of characteristics associated with it that gives it the right to access the requested resources

19 Authorization Access Criteria can be based on: Roles Groups E.g. User, Group, World Transaction Types, e.g. File system example: Read, Write, Execute (r, w, x) Application example: Create, Read, Update, Delete (CRUD) Data model Relational DBMS example: Table(s), row(s), column(s) Location E.g. where in network accessing resource from Time

20 Authorization Authorization Concepts Authorization Creep Default to Zero Principle of Need to Know Access Control Lists (ACLs a homonym to look for)

21 Authorization Complexity leads to problems in controlling access: Different levels of users with different levels of access Resources may be classified differently Diverse identity data Corporate environments keep changing

22 Authorization Advantages of centralized administration and single sign on: User provisioning Password synchronization and reset Self service Centralized auditing and reporting Integrated workflow (increase in productivity) Regulatory compliance

23 Authorization Single Sign On Capabilities Allow user credentials to be entered one time and the user is then able to access all resources in primary and secondary network domains SSO technologies include: Kerberos Sesame Security Domains Directory Services

24 Access Control Models 1. Discretionary 2. Mandatory 3. Role-based

25 Discretionary Access Control (DAC) A system that uses discretionary access control allows the owner of the resource to specify which subjects can access which resources Access control is at the discretion of the owner When using DAC method, the owner decides who has access to the resource - decisions are made directly for each user Access Control Lists (ACL) and File system permissions are used to control access The permissions identify the actions the subject can perform on the object E.g. DAC method in NTFS permissions on Windows operating systems On NTFS file system each file and folder has an owner The owner can use ACL and decide which users or group of users have access to the file or folder Many operating systems use DAC method to limit access to resources.

26 Unix/Linux file permissions

27 Unix/Linux file permissions

28 Unix/Linux file permissions

29 UNIX/Linux file permissions

31 Access Control Models 1. Discretionary 2. Mandatory 3. Role-based

32 Mandatory Access Control (MAC) Access control is based on a security labeling system Users have security clearances and resources have security labels that contain data classifications This model is used in environments where information classification and confidentiality is very important (e.g., the military) With MAC method the data owner can t decide which individuals have access to the data The data owner can only decide what level of clearance is required to see the data and who has which level of clearance This model is not based on identity it is based on policy or matching of labels

33 Mandatory Access Control (MAC) MAC is a static access control method Resources are classified using labels Clearance labels are assigned to users who need to work with resources E.g. One dataset may have top secret or level 1 label Another dataset may have a secret or level 2 label Another dataset may have unclassified level 3 level Data can only be accessed by people with certain clearance level Users lacking sufficient clearance cannot access that data Back to the example Users with clearance level 2, can access data labeled with secret and unclassified, but can not access information labeled top-secret Users with clearance level 1 can access all data

34 Access Control Models 1. Discretionary 2. Mandatory 3. Role-based

35 Role Based Access Control Models Role Based Access Control (RBAC) uses a centrally administered set of controls to determine how subjects and objects interact Access is determined by the role within the organization Not determined for individual users The role can be a job position, group membership, or security access level A hybrid between MAC and DAC Users are members of some role Their role gives them access to certain resources in the organization Is the best system for an organization that has high turnover Easy to grant and revoke access by adding/removing the user s ID to/from the role (similar to group)

36 Other Access Control Models Rule-based access control Rules created to deny or allow access to resources E.g. Access implemented in network routers via access control list rules which determine which IPs or port numbers are allowed through the router There are no user accounts, group membership or security labels. Similar to MAC, because access is either allowed or denied with no regard to identity Constrained user interfaces Access control matrix Context dependent access control Content dependent access control

37 Access Control Techniques Types of Centralized Access Control RADIUS - Remote Authentication Dial In User Service (uses UDP) TACACS -Terminal access controller access control system Cisco proprietary protocol Diameter - name is a pun on the RADIUS protocol (uses TCP or SCTP)

38 Presentation Schedule November 10 th : Teams 1 & 2 November 17 th : Teams 3 & 4 December 1 st : Teams 5 & 6

39 Test Taking Tip Look at the facts and ask yourself, so what? The issue that jumps out is likely to be the issue that the correct response addresses. Non-relevant answers can be eliminated more readily. Especially useful in questions that ask for the Best answer. 39

40 Quiz 40

CNIT 125: Information Security Professional (CISSP Preparation) Ch 6. Identity and Access Management

CNIT 125: Information Security Professional (CISSP Preparation) Ch 6. Identity and Access Management Authentication Methods Authentication Methods Type 1: Something you know Easiest and weakest method