
Access Control, Authentication, and Public Key Infrastructure

Lesson 1

Access Control Framework

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.


Learning Objective

Define authorization and access to an information technology (IT) infrastructure based on an access control policy framework.


Key Concepts

Access control policies, standards, procedures, and guidelines

U.S. federal and state compliance laws

Fundamental access control concepts

Identification, authentication, and authorization


DISCOVER: CONCEPTS


3/30/2015


Access Control

Enables an authorized person to control access to areas and resources in a given physical facility or computer-based information system


Primary Components of Access Control

Policies: Defined from laws, requirements, and industry guides

Subjects: People who need to access or are restricted from accessing

Objects: Resources or information that need protection


Compliance Laws and Industry Guides

Federal Laws

The Health Insurance Portability and Accountability Act (HIPAA)

State Government Laws

Massachusetts 201 CMR 17.00

Industry Guides

Payment Card Industry Data Security Standard (PCI DSS)

DISCOVER: PROCESS


Steps of Access Control Process

Access control requires:

Identification

Authentication

Authorization

Access control process:

Subject: presents credentials to the system

Authentication: system verifies and validates that the credentials are authentic

Authorization: grants permission to allowed resources


The Access Control Process


Authentication Elements

Authentication elements can be any one of the following, or a combination of them:

Something you know: password/passphrase, PIN

Something you are: biometrics (retina, fingerprint, facial)

Something you have: tokens, dongles, device

Example values shown on the slide: PIN 9723; password Drmb9^wX


User IAA Process

Identification—user presents credentials:

Account name and password (passphrase, tokens, and biometrics)

Authentication server operating system:

Receives and compares credentials with authorized credentials

If matched correctly, access is granted; otherwise a denial notice is sent to the user

Authorization—mainframe application server or database:

Recognizes authorized credentials

Facilitates requests for authorized resources

Denies access to unauthorized resources


DISCOVER: ROLES


Roles in Access Control Process

End User

Manager/Supervisor

Security Administrator

IT Security Manager

Chief Security Officer

Network Administrator

IT Service Desk


Roles of User IAA

New Employee:

Sees manager for network access

Presents account credentials to network

Manager/Supervisor:

Approves access request and sends to IT service desk for account creation

Receives and delivers account & initial password to user

IT Service Desk:

Creates user account and sets initial password

Network Server (identification and authorization):

Authenticates access credentials

Requires change of initial password

Enforces access authorization
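The IAA process described on the slides above, as a worked example: the service desk creates the account with an initial password that must be changed on first use, the authentication server compares presented credentials with stored ones, and the application server checks the manager-approved policy before releasing a resource. This is added example code, not from the textbook; the class, the in-memory tables and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os

# Constructed, in-memory stand-ins for the lesson's authentication server
# (identification + authentication) and application server (authorization).
# Names, the policy table layout and the PBKDF2 parameters are assumptions.
ITERATIONS = 100_000

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

class AccessControl:
    def __init__(self):
        self.accounts = {}   # subject -> {"salt", "hash", "must_change"}
        self.policy = {}     # (subject, object) -> set of permitted actions
        self.dummy_salt = os.urandom(16)  # unknown users cost the same time

    # IT service desk: creates the account and sets an initial password that
    # the network server will force the user to change on first use.
    def create_account(self, user, initial_password, must_change=True):
        salt = os.urandom(16)
        self.accounts[user] = {"salt": salt, "hash": hash_password(initial_password, salt),
                               "must_change": must_change}

    # Manager-approved policy: which action the subject may take on which object
    def grant(self, user, obj, action):
        self.policy.setdefault((user, obj), set()).add(action)

    # Identification and authentication: compare presented credentials with the
    # stored ones. Returns "ok", "change_password" or "denied".
    def authenticate(self, user, password):
        acct = self.accounts.get(user)
        salt = acct["salt"] if acct else self.dummy_salt
        presented = hash_password(password, salt)          # always do the work
        if acct is None or not hmac.compare_digest(presented, acct["hash"]):
            return "denied"
        return "change_password" if acct["must_change"] else "ok"

    def change_password(self, user, old_password, new_password):
        if self.authenticate(user, old_password) == "denied":
            return False
        self.create_account(user, new_password, must_change=False)  # re-salt and store
        return True

    # Authorization: only a fully authenticated subject is checked against the
    # policy, and only granted actions on the named object are allowed.
    def authorize(self, user, password, obj, action):
        if self.authenticate(user, password) != "ok":
            return False
        return action in self.policy.get((user, obj), set())
```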


DISCOVER: CONTEXTS


When and Where is Access Control Needed?

People need access to certain objects within the same or different systems to perform their work

Sensitive data (human resources, payroll, mergers, acquisitions, and senior level personnel changes) needs protection


DISCOVER: RATIONALE


Importance of Access Control

[Diagram: in the absence of access control, important and sensitive information is exposed to misuse and adverse effects from prying eyes, inquisitive insiders, hackers, and disgruntled employees; with access control in place, the information is protected from them.]


Importance of Access Control (Continued)

[Chart: Vulnerabilities of Commercial and Open Source Software, median number of vulnerabilities per app; ~99% of tested applications have vulnerabilities. Source: Application Vulnerability Trends Report: 2013. Cenzic, Inc.]


Importance of Access Control (Continued)

[Chart: percentage of vulnerabilities by type. Source: Application Vulnerability Trends Report: 2013. Cenzic, Inc.]


Summary

Access control policies, standards, procedures, and guidelines

U.S. federal and state compliance laws

Fundamental access control concepts

Identification, authentication, and authorization


Virtual Lab

Configuring an Active Directory Domain Controller


If your educational institution included the Jones & Bartlett labs as part of the course curriculum, use this script to introduce the lab:

"In this lesson, you learned that access controls are the method by which users gain access to IT resources. You've learned that there are three key components of access control: identification of the user, network, process, or application requesting access; authentication (verifying the identity of the requester); and authorization to access the resource.

In a Windows environment, Active Directory enables security administrators to share user and group definitions, and even directory services, by defining domains. Active Directory and Domain Name Services (DNS) are necessary components of a domain controller.

In the lab for this lesson, you will use the Microsoft Assessment and Planning (MAP) Toolkit to perform an inventory of the systems running on a network and audit a Microsoft Windows 2012 R2 server. Then you will use PowerShell to promote a Windows 2012 R2 server to a domain controller."


OPTIONAL SLIDE


09/23/10


An Example of Access Rights in Action


Defense:

Risk: Insecure Direct Object Reference

Use an automated tool for real-time attack.

Monitor parameter manipulation–hidden/static.

Establish baseline configuration.

Risk: Cross-Site Request Forgery

Use an automated tool for real-time attack.

Alert/respond to parameter manipulation.

Use known attack signatures.

Establish baseline/monitor resource changes.

Risk: Security Misconfiguration

Use an automated tool for real-time attack.

Inspect outbound responses.

Investigate application failures.

(c) ITT Educational Services, Inc.