Protecting Information Assets - Week 10 - Identity Management and Access Control
MIS5206 Week 10
- Identity Management and Access Control
- Presentation Schedule
- Test Taking Tip
- Quiz
Identity Management and Access Control
- Business owners and managers are constantly identifying areas of security risk and taking steps to mitigate that risk
- In an IT environment, risk takes the form of access
What do we mean by Access Control?
- Access is the ability to create a flow of information between user and system
- Access Controls are security features that control how users and systems communicate and interact with one another
Access Control Principles
Three main security principles apply to access control:
- Confidentiality
- Integrity
- Availability
What's the difference between Identification, Authentication and Authorization?
Identification, Authentication and Authorization are distinct functions:
- Identification: Who you say you are
- Authentication: Confirmation that you are who you say you are
- Authorization: What access and use privileges you are allowed based on who you are
Identification
- Method of establishing the subject's (user, program, process) identity
- Use of user name or other public information
- Know identification component requirements
Authentication
- Method of proving the identity
- Something a person is, has, or does
- Biometrics, passwords, passphrase, token, Common Access Card (CAC), or other private information
Authentication - Biometrics
- Verifies an identity by analyzing a unique person attribute or behavior
- Most expensive way to prove identity, also has difficulties with user acceptance
- Many different types of biometric systems
Authentication - Most common biometric systems:
- Fingerprint
- Palm Scan
- Hand Geometry
- Iris Scan
- Signature Dynamics
- Keyboard Dynamics
- Voice Print
- Facial Scan
- Hand Topography
Authentication
- Biometric systems can be hard to compare
- Type I Error: False rejection rate
- Type II Error: False acceptance rate
  - This is an important error to avoid
Authentication - Passwords
- User name + password is the most common identification and authentication scheme
- Weak security mechanism; must implement strong password protections
Authentication - Techniques to attack passwords
- Electronic monitoring
- Access the password file
- Brute Force Attacks
- Dictionary Attacks
- Social Engineering
Authentication - Passphrase
- Is a sequence of characters that is longer than a password
- Takes the place of a password
- Can be more secure than a password because it is more complex
Authentication - Token Devices
- Synchronous
  - Time Based
  - Counter Synchronization
- Asynchronous
- Session token
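Added example (not part of the original slides): the two synchronous token types, counter-synchronized and time-based, written as HOTP (RFC 4226) and TOTP (RFC 6238), with the server-side checks that tolerate a token that has drifted ahead and reject a replayed code. The class and function names are chosen for this example; the secret is the RFC test key.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Counter-synchronized one-time password (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the time-step number."""
    return hotp(secret, unix_time // step, digits)

class CounterTokenVerifier:
    """Server side of a counter-synchronized token."""

    def __init__(self, secret: bytes, window: int = 3):
        self.secret, self.window, self.counter = secret, window, 0

    def verify(self, candidate: str) -> bool:
        # Look ahead a few counters: the user may have generated unused codes.
        for c in range(self.counter, self.counter + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, c), candidate):
                self.counter = c + 1              # resynchronize; older codes are dead
                return True
        return False

def verify_totp(secret: bytes, candidate: str, unix_time: int,
                drift_steps: int = 1, step: int = 30) -> bool:
    """Accept the current time step plus or minus drift_steps to absorb clock skew."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + d * step, step), candidate)
        for d in range(-drift_steps, drift_steps + 1)
    )

RFC_TEST_SECRET = b"12345678901234567890"         # test key from RFC 4226 / RFC 6238

if __name__ == "__main__":
    server = CounterTokenVerifier(RFC_TEST_SECRET)
    code = hotp(RFC_TEST_SECRET, 2)               # token is two presses ahead of the server
    print("first use :", server.verify(code))
    print("replay    :", server.verify(code))
    print("TOTP, one step late:", verify_totp(RFC_TEST_SECRET, totp(RFC_TEST_SECRET, 59), 89))
```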
Authentication - Hashing & Encryption
- Encryption/Decryption := 2-way function
- Hash := 1-way function
- Hashing or encrypting a password ensures that passwords are neither sent nor stored in clear text (means extra security)
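Added example (not part of the original slides): storing a password as a salted one-way hash rather than in clear text, using PBKDF2-HMAC-SHA256 from the Python standard library. The record layout, the function names and the iteration count are assumptions made for this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000          # assumed policy value for this example

def store_password(password: str, iterations: int = ITERATIONS) -> dict:
    """Return the record to keep in the password file; the password itself is not in it."""
    salt = os.urandom(16)     # per-user salt: equal passwords give different hashes
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}

def verify_password(password: str, record: dict) -> bool:
    """Recompute the hash from the candidate; the stored hash is never reversed."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(),
        bytes.fromhex(record["salt"]), record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])   # constant-time compare

def needs_rehash(record: dict) -> bool:
    """True when a record was created under a weaker work factor than current policy."""
    return record["iterations"] < ITERATIONS

if __name__ == "__main__":
    record = store_password("correct horse battery staple")
    print(record)
    print("right password:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("Tr0ub4dor&3", record))
```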
Authentication - Cryptographic Keys
- Use of private keys or digital signatures to prove identity
- Private Key
- Digital Signature
- Beware digital signature vs. digitized signature.
Authorization
- Determines that the proven identity has some set of characteristics associated with it that gives it the right to access the requested resources
Authorization - Access Criteria can be based on:
- Roles
- Groups
  - E.g. User, Group, World
- Transaction Types, e.g.
  - File system example: Read, Write, Execute (r, w, x)
  - Application example: Create, Read, Update, Delete (CRUD)
- Data model
  - Relational DBMS example: Table(s), row(s), column(s)
- Location
  - E.g. where in network accessing resource from
- Time
Authorization - Authorization Concepts
- Authorization Creep
- Default to Zero
- Principle of Need to Know
- Access Control Lists (ACLs - a homonym to look for)
Authorization - Complexity leads to problems in controlling access:
- Different levels of users with different levels of access
- Resources may be classified differently
- Diverse identity data
- Corporate environments keep changing
Authorization - Advantages of centralized administration and single sign on:
- User provisioning
- Password synchronization and reset
- Self service
- Centralized auditing and reporting
- Integrated workflow (increase in productivity)
- Regulatory compliance
Authorization - Single Sign On Capabilities
- Allow user credentials to be entered one time and the user is then able to access all resources in primary and secondary network domains
- SSO technologies include:
  - Kerberos
  - Sesame
  - Security Domains
  - Directory Services
Access Control Models
1. Discretionary
2. Mandatory
3. Role-based
Discretionary Access Control (DAC)
- A system that uses discretionary access control allows the owner of the resource to specify which subjects can access which resources
- Access control is at the discretion of the owner
- When using DAC method, the owner decides who has access to the resource - decisions are made directly for each user
- Access Control Lists (ACL) and file system permissions are used to control access
- The permissions identify the actions the subject can perform on the object
- E.g. DAC method in NTFS permissions on Windows operating systems
  - On NTFS file system each file and folder has an owner
  - The owner can use ACL and decide which users or group of users have access to the file or folder
- Many operating systems use DAC method to limit access to resources.
Unix/Linux file permissions
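Added example (not part of the original slides): how the user/group/world read, write, execute bits on a Unix/Linux file are evaluated for a subject. It models only the nine permission bits, so root, ACLs and capabilities are left out; the subjects, IDs and files are constructed sample data.

```python
import stat
from dataclasses import dataclass

@dataclass(frozen=True)
class Subject:
    uid: int
    gids: frozenset

@dataclass(frozen=True)
class FileMeta:
    owner_uid: int
    group_gid: int
    mode: int                      # permission bits, e.g. 0o640

def permission_class(subject: Subject, f: FileMeta):
    """Pick exactly one class: user, then group, then world. Classes do not add up."""
    if subject.uid == f.owner_uid:
        return "user", 6
    if f.group_gid in subject.gids:
        return "group", 3
    return "world", 0

def allowed(subject: Subject, f: FileMeta, want: str) -> bool:
    """want is drawn from 'rwx'; every requested action must be granted."""
    _, shift = permission_class(subject, f)
    bits = (f.mode >> shift) & 0o7
    granted = {"r": bits & 0o4, "w": bits & 0o2, "x": bits & 0o1}
    return all(granted[action] for action in want)

def mode_string(f: FileMeta) -> str:
    """Render the bits the way `ls -l` shows them for a regular file."""
    return stat.filemode(stat.S_IFREG | f.mode)

# Constructed sample data
ALICE = Subject(1000, frozenset({100, 200}))     # owner of both files
BOB = Subject(1001, frozenset({200}))            # member of the files' group
CAROL = Subject(1002, frozenset({300}))          # everyone else ("world")
PAYROLL = FileMeta(owner_uid=1000, group_gid=200, mode=0o640)
ODD = FileMeta(owner_uid=1000, group_gid=200, mode=0o064)   # owner has fewer rights than group

if __name__ == "__main__":
    for f in (PAYROLL, ODD):
        print(mode_string(f))
        for name, who in (("alice", ALICE), ("bob", BOB), ("carol", CAROL)):
            cls, _ = permission_class(who, f)
            print(f"  {name:5} ({cls:5}) read={allowed(who, f, 'r')} write={allowed(who, f, 'w')}")
```

The second file shows the case that surprises people: the owner is matched by the user class first, so the more generous group and world bits never apply to her.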
Mandatory Access Control (MAC)
- Access control is based on a security labeling system
- Users have security clearances and resources have security labels that contain data classifications
- This model is used in environments where information classification and confidentiality is very important (e.g., the military)
- With MAC method the data owner can't decide which individuals have access to the data
- The data owner can only decide what level of clearance is required to see the data and who has which level of clearance
- This model is not based on identity - it is based on policy or matching of labels
Mandatory Access Control (MAC)
- MAC is a static access control method
- Resources are classified using labels
- Clearance labels are assigned to users who need to work with resources
- E.g.
  - One dataset may have a top secret or level 1 label
  - Another dataset may have a secret or level 2 label
  - Another dataset may have an unclassified or level 3 label
- Data can only be accessed by people with certain clearance level
- Users lacking sufficient clearance cannot access that data
- Back to the example
  - Users with clearance level 2 can access data labeled secret and unclassified, but cannot access information labeled top secret
  - Users with clearance level 1 can access all data
Role Based Access Control Models
- Role Based Access Control (RBAC) uses a centrally administered set of controls to determine how subjects and objects interact
- Access is determined by the role within the organization
  - Not determined for individual users
  - The role can be a job position, group membership, or security access level
- A hybrid between MAC and DAC
- Users are members of some role
- Their role gives them access to certain resources in the organization
- Is the best system for an organization that has high turnover
- Easy to grant and revoke access by adding/removing the user's ID to/from the role (similar to group)
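Added example (not part of the original slides): the MAC label check using the slides' level numbering, and an RBAC store where access follows role membership, including a report that surfaces authorization creep when a user keeps a role from a previous position. The role names, users and position mapping are constructed for this example.

```python
# Labels from the slides: level 1 = top secret, 2 = secret, 3 = unclassified.
LEVEL = {"top secret": 1, "secret": 2, "unclassified": 3}

def mac_can_read(clearance: str, label: str) -> bool:
    """MAC: decided by matching labels, never by who owns the data."""
    return LEVEL[clearance] <= LEVEL[label]

class RoleBasedAccess:
    def __init__(self, role_permissions):
        self.role_permissions = role_permissions        # role -> {(action, resource)}
        self.members = {role: set() for role in role_permissions}

    def assign(self, user, role):
        self.members[role].add(user)

    def revoke(self, user, role):
        self.members[role].discard(user)

    def roles_of(self, user):
        return {r for r, users in self.members.items() if user in users}

    def can(self, user, action, resource) -> bool:
        # Default to zero: no role granting the permission means no access.
        return any((action, resource) in self.role_permissions[r]
                   for r in self.roles_of(user))

    def creep_report(self, position_roles, positions):
        """Roles each user holds beyond what the current position calls for."""
        report = {}
        for user, position in positions.items():
            extra = self.roles_of(user) - position_roles[position]
            if extra:
                report[user] = sorted(extra)
        return report

# Constructed sample data
POSITION_ROLES = {"payroll clerk": {"payroll_clerk"}, "help desk analyst": {"help_desk"}}
POSITIONS = {"dana": "help desk analyst", "eli": "help desk analyst"}

def build_demo() -> RoleBasedAccess:
    rbac = RoleBasedAccess({
        "payroll_clerk": {("read", "payroll"), ("update", "payroll")},
        "help_desk": {("read", "tickets"), ("update", "tickets")},
    })
    rbac.assign("dana", "payroll_clerk")    # dana's previous position
    rbac.assign("dana", "help_desk")        # moved to help desk; old role never removed
    rbac.assign("eli", "help_desk")
    return rbac
```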
Other Access Control Models
- Rule-based access control
  - Rules created to deny or allow access to resources
  - E.g. Access implemented in network routers via access control list rules which determine which IPs or port numbers are allowed through the router
  - There are no user accounts, group membership or security labels.
  - Similar to MAC, because access is either allowed or denied with no regard to identity
- Constrained user interfaces
- Access control matrix
- Context dependent access control
- Content dependent access control
Access Control Techniques
Types of Centralized Access Control:
- RADIUS - Remote Authentication Dial In User Service (uses UDP)
- TACACS - Terminal Access Controller Access Control System
  - Cisco proprietary protocol
- Diameter - name is a pun on the RADIUS protocol (uses TCP or SCTP)
Presentation Schedule
- November 10th: Teams 1 & 2
- November 17th: Teams 3 & 4
- December 1st: Teams 5 & 6
Test Taking Tip
- Look at the facts and ask yourself, so what?
- The issue that jumps out is likely to be the issue that the correct response addresses.
- Non-relevant answers can be eliminated more readily.
- Especially useful in questions that ask for the Best answer.
Quiz