Protecting Information Assets - Week 10 - Identity Management and Access Control (MIS 5206)

MIS 5206 Week 10: Identity Management and Access Control; Presentation Schedule; Test Taking Tip; Quiz

Identity Management and Access Control. Business owners and managers are constantly identifying areas of security risk and taking steps to mitigate that risk. In an IT environment, risk takes the form of access.

What do we mean by Access Control? Access is the ability to create a flow of information between a user and a system. Access controls are security features that control how users and systems communicate and interact with one another.

Access Control Principles. Three main security principles apply to access control: confidentiality, integrity and availability.

What's the difference between Identification, Authentication and Authorization? They are distinct functions. Identification: who you say you are. Authentication: confirmation that you are who you say you are. Authorization: what access and use privileges you are allowed based on who you are.

Identification. Method of establishing the subject's (user, program, process) identity. Use of a user name or other public information. Know identification component requirements.

Authentication. Method of proving the identity: something a person is, has, or does. Biometrics, passwords, passphrase, token, Common Access Card (CAC), or other private information.

Authentication: Biometrics. Verifies an identity by analyzing a unique personal attribute or behavior. Most expensive way to prove identity; also has difficulties with user acceptance. Many different types of biometric systems.

Authentication. Most common biometric systems: fingerprint, palm scan, hand geometry, iris scan, signature dynamics, keyboard dynamics, voice print, facial scan, hand topography.

Authentication. Biometric systems can be hard to compare. Type I Error: false rejection rate. Type II Error: false acceptance rate; this is the important error to avoid.

Authentication: Passwords. User name + password is the most common identification and authentication scheme. It is a weak security mechanism; strong password protections must be implemented.

Authentication. Techniques used to attack passwords: electronic monitoring, accessing the password file, brute force attacks, dictionary attacks, social engineering.

Authentication: Passphrase. A sequence of characters that is longer than a password; it takes the place of a password. Can be more secure than a password because it is more complex.

Authentication: Token Devices. Synchronous: time based, counter synchronization. Asynchronous. Session token.
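The two synchronous token types on the slide (counter-synchronised and time-based) differ only in where the moving factor comes from. The code below is an added example, not material from the slide deck: it implements the HOTP and TOTP algorithms from RFC 4226 and RFC 6238 in plain Python and shows the server-side checks a verifier needs. The secret is the RFC 4226 test-vector key, used here only so the output can be checked against the published values; the look-ahead and clock-skew windows are assumed policy values.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Counter-synchronised token code (RFC 4226 HOTP)."""
    msg = struct.pack(">Q", counter)  # 8-byte big-endian moving factor
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-synchronised token code (RFC 6238): the counter is the time-step index."""
    return hotp(secret, unix_time // step, digits)


def verify_hotp(secret: bytes, submitted: str, stored_counter: int, look_ahead: int = 3):
    """Server-side check for a counter-synchronised token.

    Returns the counter value the server must store next, or None on failure.
    Accepting a code advances the counter past it, so a captured code cannot be
    replayed; look_ahead (assumed policy value) tolerates a token that was pressed
    a few times without a login."""
    for c in range(stored_counter, stored_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return c + 1
    return None


def verify_totp(secret: bytes, submitted: str, unix_time: int, step: int = 30, skew: int = 1) -> bool:
    """Accept the current time step and +/- skew steps to absorb clock drift."""
    idx = unix_time // step
    for candidate in range(idx - skew, idx + skew + 1):
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return True
    return False


# Shared secret from the RFC 4226 test vectors; constructed for this demo only.
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(DEMO_SECRET, c))
```

The important verifier detail is in `verify_hotp`: the stored counter must move past any accepted code, otherwise a one-time password is no longer one-time.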

Authentication: Hashing & Encryption. Encryption/decryption is a two-way function; a hash is a one-way function. Hashing or encrypting a password ensures that passwords are not sent or stored in clear text (extra security).

Authentication: Cryptographic Keys. Use of private keys or digital signatures to prove identity. Private key; digital signature. Beware: digital signature vs. digitized signature.

Authorization. Determines that the proven identity has some set of characteristics associated with it that gives it the right to access the requested resources.

Authorization. Access criteria can be based on: Roles. Groups, e.g. user, group, world. Transaction types, e.g. file system example: read, write, execute (r, w, x); application example: create, read, update, delete (CRUD). Data model, e.g. relational DBMS example: table(s), row(s), column(s). Location, e.g. where in the network the resource is being accessed from. Time.

Authorization Concepts: authorization creep; default to zero; principle of need to know; access control lists (ACLs, a homonym to look for).

Authorization. Complexity leads to problems in controlling access: different levels of users with different levels of access; resources may be classified differently; diverse identity data; corporate environments keep changing.

Authorization. Advantages of centralized administration and single sign-on: user provisioning; password synchronization and reset; self service; centralized auditing and reporting; integrated workflow (increase in productivity); regulatory compliance.

Authorization: Single Sign-On capabilities. Allow user credentials to be entered one time; the user is then able to access all resources in primary and secondary network domains. SSO technologies include: Kerberos, SESAME, security domains, directory services.

Access Control Models 1. Discretionary 2. Mandatory 3. Role-based

Discretionary Access Control (DAC). A system that uses discretionary access control allows the owner of the resource to specify which subjects can access which resources; access control is at the discretion of the owner. When using the DAC method, the owner decides who has access to the resource; decisions are made directly for each user. Access Control Lists (ACLs) and file system permissions are used to control access; the permissions identify the actions the subject can perform on the object. E.g. the DAC method in NTFS permissions on Windows operating systems: on the NTFS file system each file and folder has an owner, and the owner can use the ACL to decide which users or groups of users have access to the file or folder. Many operating systems use the DAC method to limit access to resources.

Unix/Linux file permissions (four slides; the permission diagrams were images and are not transcribed).
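As an added example of the DAC rules described above, and standing in for the Unix/Linux file permission slides whose images are not transcribed, the following Python (not the course's own material) models the classic owner/group/other permission bits: it parses the `rwxr-x---` notation, decides whether a subject may read, write or execute, and lets only the owner change the mode. The file names, users and groups are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Set


@dataclass(frozen=True)
class FileMeta:
    """The owner, group and permission bits a Unix inode carries."""
    owner: str
    group: str
    mode: int  # permission bits only, e.g. 0o750


def parse_symbolic(text: str) -> int:
    """'rwxr-x---' (ls -l output without the leading type character) -> 0o750."""
    if len(text) != 9:
        raise ValueError("expected nine permission characters")
    bits = 0
    for ch, expected in zip(text, "rwxrwxrwx"):
        bits <<= 1
        if ch == expected:
            bits |= 1
        elif ch != "-":
            raise ValueError(f"unexpected character {ch!r}")
    return bits


def to_symbolic(mode: int) -> str:
    """0o750 -> 'rwxr-x---'."""
    return "".join(flag if mode & (1 << (8 - i)) else "-"
                   for i, flag in enumerate("rwxrwxrwx"))


def can_access(meta: FileMeta, user: str, groups: Set[str], op: str) -> bool:
    """Classic Unix DAC check. The subject falls into exactly one class
    (owner, then group, then other) and only that class's bits are consulted,
    so an owner whose own bits are empty is refused even if the group bits allow."""
    shift = {"r": 2, "w": 1, "x": 0}[op]
    if user == meta.owner:
        cls = 6
    elif meta.group in groups:
        cls = 3
    else:
        cls = 0
    return bool((meta.mode >> (cls + shift)) & 1)


def chmod(meta: FileMeta, new_mode: int, requester: str) -> FileMeta:
    """Discretionary: only the owner may change the permissions on the object."""
    if requester != meta.owner:
        raise PermissionError(f"{requester} does not own the file")
    return FileMeta(meta.owner, meta.group, new_mode & 0o777)


if __name__ == "__main__":
    report = FileMeta("alice", "dev", parse_symbolic("rwxr-x---"))  # constructed example file
    for who, grps in (("alice", set()), ("bob", {"dev"}), ("carol", {"sales"})):
        print(who, [op for op in "rwx" if can_access(report, who, grps, op)])
```

The "exactly one class" rule in `can_access` is the subtlety worth remembering when auditing modes such as `----rwx---` on a real system.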

Access Control Models 1. Discretionary 2. Mandatory 3. Role-based

Mandatory Access Control (MAC). Access control is based on a security labeling system: users have security clearances and resources have security labels that contain data classifications. This model is used in environments where information classification and confidentiality are very important (e.g., the military). With the MAC method the data owner can't decide which individuals have access to the data; the data owner can only decide what level of clearance is required to see the data and who has which level of clearance. This model is not based on identity; it is based on policy, or matching of labels.

Mandatory Access Control (MAC). MAC is a static access control method: resources are classified using labels, and clearance labels are assigned to users who need to work with resources. E.g. one dataset may have a top secret or level 1 label, another dataset may have a secret or level 2 label, and another dataset may have an unclassified or level 3 label. Data can only be accessed by people with a certain clearance level; users lacking sufficient clearance cannot access that data. Back to the example: users with clearance level 2 can access data labeled secret and unclassified, but cannot access information labeled top secret; users with clearance level 1 can access all data.
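The clearance example on the slide, worked through as an added Python example (not from the deck). It keeps the slide's numbering, where level 1 is top secret and a smaller number means a higher clearance, and decides purely by comparing labels, with no owner or identity in the decision. It goes one step beyond the slide by also showing the "no write down" rule from the Bell-LaPadula model, which is how MAC systems stop a cleared user from copying data into a lower-labeled object; the dataset names are constructed.

```python
from typing import Dict, List

# Labels with the slide's numbering: the lower the number, the higher the sensitivity.
LEVELS: Dict[str, int] = {"top secret": 1, "secret": 2, "unclassified": 3}


def dominates(clearance: int, label: str) -> bool:
    """A clearance dominates a label when it is at least as sensitive (numerically <=)."""
    return clearance <= LEVELS[label]


def can_read(clearance: int, label: str) -> bool:
    """Simple security property ("no read up"): the rule the slide describes."""
    return dominates(clearance, label)


def can_write(clearance: int, label: str) -> bool:
    """*-property ("no write down", Bell-LaPadula; not on the slide): a subject may
    write only to objects at its own level or higher, so secret data cannot be
    copied into an unclassified file even by someone cleared to read it."""
    return LEVELS[label] <= clearance


def readable_datasets(clearance: int, datasets: Dict[str, str]) -> List[str]:
    """datasets maps name -> label. Note that no owner or user identity is consulted."""
    return sorted(name for name, label in datasets.items() if can_read(clearance, label))


# Constructed example datasets mirroring the slide's three labels.
DEMO_DATASETS = {"ops-plan": "top secret", "payroll": "secret", "cafeteria-menu": "unclassified"}

if __name__ == "__main__":
    for clearance in (1, 2, 3):
        print(f"clearance level {clearance} can read {readable_datasets(clearance, DEMO_DATASETS)}")
```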

Access Control Models 1. Discretionary 2. Mandatory 3. Role-based

Role Based Access Control Models. Role Based Access Control (RBAC) uses a centrally administered set of controls to determine how subjects and objects interact. Access is determined by the role within the organization, not for individual users; the role can be a job position, group membership, or security access level. A hybrid between MAC and DAC: users are members of some role, and their role gives them access to certain resources in the organization. It is the best system for an organization that has high turnover, since it is easy to grant and revoke access by adding/removing the user's ID to/from the role (similar to a group).
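An added example (not part of the slides) of the RBAC structure just described: permissions attach to roles, users are assigned to roles, and nothing is ever granted to a user directly, so the high-turnover case is handled by one role assignment or one offboarding call. The roles, resources and user names are constructed for the demonstration.

```python
from collections import defaultdict
from typing import Dict, Set, Tuple

Permission = Tuple[str, str]  # (resource, action), e.g. ("ledger", "read")


class Rbac:
    """Users hold roles; roles hold permissions. No user-level grants exist."""

    def __init__(self) -> None:
        self.role_permissions: Dict[str, Set[Permission]] = defaultdict(set)
        self.user_roles: Dict[str, Set[str]] = defaultdict(set)

    def add_permission(self, role: str, resource: str, action: str) -> None:
        self.role_permissions[role].add((resource, action))

    def assign_role(self, user: str, role: str) -> None:
        if role not in self.role_permissions:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles[user].add(role)

    def revoke_role(self, user: str, role: str) -> None:
        self.user_roles[user].discard(role)

    def offboard(self, user: str) -> None:
        """High-turnover case: one operation removes every entitlement."""
        self.user_roles.pop(user, None)

    def permissions_of(self, user: str) -> Set[Permission]:
        perms: Set[Permission] = set()
        for role in self.user_roles.get(user, ()):
            perms |= self.role_permissions[role]
        return perms

    def check(self, user: str, resource: str, action: str) -> bool:
        """Default to zero: a user with no roles gets nothing."""
        return (resource, action) in self.permissions_of(user)


def demo_policy() -> Rbac:
    """Constructed example roles; not taken from any real organization."""
    policy = Rbac()
    policy.add_permission("clerk", "ledger", "read")
    policy.add_permission("clerk", "ledger", "create")
    policy.add_permission("auditor", "ledger", "read")
    policy.add_permission("auditor", "audit-log", "read")
    return policy


if __name__ == "__main__":
    policy = demo_policy()
    policy.assign_role("dana", "clerk")
    print("dana:", sorted(policy.permissions_of("dana")))
    policy.offboard("dana")
    print("dana after offboarding:", sorted(policy.permissions_of("dana")))
```

Because `permissions_of` is the only path to a decision, an audit of who can do what reduces to listing role memberships, which is the reporting advantage claimed for centralized administration earlier in the deck.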

Other Access Control Models. Rule-based access control: rules are created to deny or allow access to resources, e.g. access implemented in network routers via access control list rules which determine which IPs or port numbers are allowed through the router. There are no user accounts, group memberships or security labels; similar to MAC, because access is either allowed or denied with no regard to identity. Also: constrained user interfaces, access control matrix, context dependent access control, content dependent access control.
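The router ACL example of rule-based control, as an added Python example (not from the slides): rules are evaluated top-down, the first match decides, and anything that matches no rule is dropped by the implicit deny that router ACLs end with. No user, group or label appears anywhere in the decision. The rule set and the RFC 5737 documentation addresses are constructed, not a real configuration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # None matches any destination port

    def matches(self, proto: str, src_ip: str, dst_ip: str, dport: int) -> bool:
        return ((self.proto == "any" or self.proto == proto)
                and ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst
                and (self.dport is None or self.dport == dport))


def rule(action: str, proto: str, src: str, dst: str, dport: Optional[int] = None) -> Rule:
    """Build a rule from CIDR strings; '0.0.0.0/0' plays the role of 'any'."""
    return Rule(action, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), dport)


def evaluate(acl: List[Rule], proto: str, src_ip: str, dst_ip: str, dport: int) -> bool:
    """Router-style evaluation: top-down, first match wins, implicit deny at the end."""
    for entry in acl:
        if entry.matches(proto, src_ip, dst_ip, dport):
            return entry.action == "permit"
    return False


# Constructed ACL using documentation address space; ordering is deliberate.
DEMO_ACL = [
    rule("deny", "any", "10.0.0.99/32", "0.0.0.0/0"),            # quarantined host comes first
    rule("permit", "tcp", "10.0.0.0/8", "192.0.2.10/32", 443),   # internal clients -> web server
    rule("permit", "udp", "10.0.0.0/8", "192.0.2.53/32", 53),    # internal clients -> resolver
]

if __name__ == "__main__":
    for pkt in (("tcp", "10.1.2.3", "192.0.2.10", 443), ("tcp", "10.0.0.99", "192.0.2.10", 443)):
        print(pkt, "permit" if evaluate(DEMO_ACL, *pkt) else "deny")
```

The quarantine rule only works because it sits above the permit rule; swapping the two lines silently re-admits the host, which is why change review on rule-based controls focuses on ordering.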

Access Control Techniques. Types of centralized access control: RADIUS - Remote Authentication Dial In User Service (uses UDP); TACACS - Terminal Access Controller Access Control System, Cisco proprietary protocol; Diameter - the name is a pun on the RADIUS protocol (uses TCP or SCTP).

Presentation Schedule. November 10th: Teams 1 & 2; November 17th: Teams 3 & 4; December 1st: Teams 5 & 6.

Test Taking Tip. Look at the facts and ask yourself, "so what?" The issue that jumps out is likely to be the issue that the correct response addresses. Non-relevant answers can be eliminated more readily. Especially useful in questions that ask for the "best" answer.

Quiz