Discuss both advantages and disadvantages of remote authentication protocols.
Access Control, Authentication, and Public Key Infrastructure
Lesson 11
Access Control System Implementations
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Learning Objective
Utilize policies, standards, guidelines, and procedures to implement and maintain access control.
Key Concepts
Guidelines and procedures based on standards and policies
Multilayer access controls
Access controls for internal and external employees
Controls for access to Web portals
Transform Policy Definitions into Implementation Tasks
Policy
Standard
Guideline
Procedure
Follow Standards Where Applicable
IEEE
National Institute of Standards and Technology (NIST)
Federal Information Security Management Act (FISMA)
ISO
Internet Engineering Task Force (IETF)
PCI Security Standards Council
Center for Internet Security (CIS)
Identity Management and Access Control
A way to identify all associates within an organization
Reviewing identities and ensuring they are categorized correctly will limit mistakes
Every organization has its own standards for acceptable identity depending on the risk
User Behavior, Application, and Network Analysis
By understanding normal behavior, you are able to detect activities that are unusual
User behavior and application analysis provides the data needed to ensure systems are available
Network analysis provides details on both users and applications as well as network traffic
Size and Distribution of Staff and Assets
Creating a complete inventory of IT assets is one of the first steps in implementing access controls
The access control system should be based on the risk to the data and network access
Have the tools available so administrators can manage staff and assets of any size
Multilayer Access Control
User Access Control Profiles
Systems Access
Applications Access
File and Folder Access
Data Access
Categories of Software Restriction Policies
Enforcement Properties
Designated File Types Properties
Trusted Publisher Properties
File System Access Control
Access Controls for Employees, Remote Employees, Customers, and Business Partners
Virtual private network (VPN)
Intranets
Extranets
Secure e-commerce sites with encryption
Access Controls for Employees, Remote Employees, Customers, and Business Partners (Cont.)
Secure online banking access control implementations
Logon/password access
Identification imaging and authorization
VPN Communications
Example of a Certificate
Best Practices for Access Control Implementations
Understand the roles within the organization
Understand the data that resides on the network
Establish a baseline
Monitor activities on a continuous basis
Create guidelines and policies that are easy to understand and implement
Manage user accounts appropriately
Manage remote access capabilities
Provide strong security
Summary
Guidelines and procedures based on standards and policies
Multilayer access controls
Access controls for internal and external employees
Controls for access to Web portals