Access Control, Authentication, and Public Key Infrastructure
Lesson 4
Access Control Policies, Standards, Procedures, and Guidelines
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Learning Objective and Key Concepts
Learning Objective
Develop an access control policy framework consisting of best practices for policies, standards, procedures, and guidelines to mitigate unauthorized access.
Key Concepts
Regulatory laws concerning unauthorized access
Organization-wide authorization and access policy
Access control and data classification policies
DISCOVER: CONCEPTS
Access Control Policy Framework
Identifies the importance of protecting assets and leading practices to achieve protection
Beneficial for documenting management understanding and commitment to asset protection
Access Control Policies
Explicitly state responsibilities and accountabilities for achieving the framework principles
Establish and embed management’s commitment
Authorize the expenditure of resources
Inform those who need to know
Provide the reference against which later documents (standards, procedures, guidelines) are checked to verify that the objectives have been achieved
Protecting the Infrastructure through Policies and Procedures
Access Control Procedures and Guidelines
Procedures:
Tell how to do something
Give a step-by-step means to accomplish a task
Serve as a vehicle for knowledge transfer
Access Control Procedures and Guidelines (Continued)
Guidelines:
Are generally accepted practices
Are not mandatory
Allow the implementer to choose how to implement the control
May achieve the objective through alternate means
Provide flexibility
Password Management Controls
Log accesses and monitor activity
Validation programs that reject weak or easily guessed passwords
Enforce password changes at reasonable intervals
Expiry policy to lock accounts after a period of nonuse
Passwords are the most common and easiest form of access control
To be effective: the password must travel over a secure (encrypted) channel so that it never crosses the network in cleartext
On their own they are not very secure
Why use them?
Something you know
User friendly: people understand the concept (like an ATM PIN)
Two-factor authentication
– Combine the password with a token such as a smart card
– An ATM card plus PIN gives improved protection over either alone
Easy to manage
Supported across IT platforms
Password Management Controls (Continued)
Audit logs to review for successful and failed attempts
Password policy
Privacy policy
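The controls on this slide and the previous one (logging accesses, reviewing successful and failed attempts, password-change intervals, locking accounts after nonuse) can be checked with a short log-review script. The following is an added example, not part of the original deck: it parses a constructed authentication log, flags users with a burst of failed logins and notes whether a success followed the burst, lists passwords older than the rotation interval, and lists accounts to lock for nonuse. The log format, the account records and the thresholds (5 failures in 10 minutes, 90-day password age, 60-day inactivity) are assumptions.

```python
# Added example: review of authentication audit logs and account records
# against the password-management controls on the slides. All data below is
# constructed; thresholds are assumed policy values, not the deck's.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log: timestamp user outcome source-address
SAMPLE_LOG = """\
2024-03-01T08:02:11Z alice SUCCESS 10.1.2.3
2024-03-01T08:05:40Z bob FAIL 10.1.2.9
2024-03-01T08:05:52Z bob FAIL 10.1.2.9
2024-03-01T08:06:03Z bob FAIL 10.1.2.9
2024-03-01T08:06:15Z bob FAIL 10.1.2.9
2024-03-01T08:06:27Z bob FAIL 10.1.2.9
2024-03-01T08:06:40Z bob SUCCESS 10.1.2.9
2024-03-01T09:15:00Z carol FAIL 10.1.2.21
2024-03-01T09:15:30Z carol SUCCESS 10.1.2.21
2024-03-02T11:00:00Z alice SUCCESS 10.1.2.3
"""

# Constructed account records (ISO dates)
ACCOUNTS = {
    "alice": {"pw_changed": "2024-01-15", "last_login": "2024-03-02"},
    "bob":   {"pw_changed": "2023-06-01", "last_login": "2024-03-01"},
    "carol": {"pw_changed": "2024-02-20", "last_login": "2024-03-01"},
    "dave":  {"pw_changed": "2023-11-05", "last_login": "2023-11-20"},
}

# Assumed policy thresholds
FAIL_THRESHOLD = 5                     # failures inside FAIL_WINDOW that warrant review
FAIL_WINDOW = timedelta(minutes=10)
MAX_PASSWORD_AGE = timedelta(days=90)  # rotation interval
MAX_INACTIVITY = timedelta(days=60)    # lock the account after this much nonuse


def parse_log(text):
    """Parse 'timestamp user outcome source' lines into sorted (datetime, user, outcome, source)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, outcome, source = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, outcome, source))
    return sorted(events)


def failed_attempt_review(events, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """Find users with >= threshold failed logins inside any window, and note
    whether a success followed the burst (a guessing attack that may have worked)."""
    by_user = defaultdict(list)
    for ts, user, outcome, _ in events:
        by_user[user].append((ts, outcome))
    findings = {}
    for user, evs in by_user.items():
        fails = [ts for ts, outcome in evs if outcome == "FAIL"]
        for i, start in enumerate(fails):
            burst = [t for t in fails[i:] if t - start <= window]
            if len(burst) >= threshold:
                end = burst[-1]
                success_after = any(outcome == "SUCCESS" and end < ts <= end + window
                                    for ts, outcome in evs)
                findings[user] = {"failures": len(burst), "success_after_burst": success_after}
                break
    return findings


def account_review(accounts, now, max_age=MAX_PASSWORD_AGE, max_idle=MAX_INACTIVITY):
    """Return (users whose password is past the rotation interval, accounts to lock for nonuse)."""
    stale, dormant = [], []
    for user, rec in accounts.items():
        changed = datetime.strptime(rec["pw_changed"], "%Y-%m-%d")
        last = datetime.strptime(rec["last_login"], "%Y-%m-%d")
        if now - changed > max_age:
            stale.append(user)
        if now - last > max_idle:
            dormant.append(user)
    return sorted(stale), sorted(dormant)


def run_review(now=datetime(2024, 3, 3)):
    """Run both reviews over the constructed data and return the findings."""
    bursts = failed_attempt_review(parse_log(SAMPLE_LOG))
    stale, dormant = account_review(ACCOUNTS, now)
    return {"failed_login_bursts": bursts, "stale_passwords": stale, "dormant_accounts": dormant}


if __name__ == "__main__":
    for key, value in run_review().items():
        print(f"{key}: {value}")
```

One caveat on the password-age check: current NIST guidance (SP 800-63B) advises against forcing periodic password changes unless compromise is suspected, because forced rotation pushes users toward predictable variants. Treat a stale password as a trigger for review rather than an automatic reset; the failed-attempt and dormant-account checks remain useful regardless.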
Password Control Issues
Users:
Choose easy-to-guess passwords
Share passwords
Often forget passwords
Passwords are vulnerable to guessing, brute-force, and credential-theft attacks
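A validation program of the kind listed under the password management controls addresses the first of these issues. The following is an added example, not code from the deck: it normalizes a candidate password (case folding, stripping digits and symbols appended at either end, undoing common character substitutions) before comparing it with a denylist, so that variants such as "P@ssw0rd1!" are still caught, and it also rejects passwords that embed the username or use too few distinct characters. The denylist, the 12-character minimum and the substitution table are assumptions.

```python
# Added example: a password validation program that rejects easy-to-guess
# choices. The denylist, minimum length and substitution table are assumptions.
import re

MIN_LENGTH = 12

# Constructed denylist; a real deployment would use a breached-password corpus.
COMMON_PASSWORDS = {
    "password", "passw0rd", "123456", "12345678", "qwerty",
    "letmein", "welcome", "admin", "iloveyou", "monkey", "dragon",
}

# Substitutions users commonly make to dodge a naive denylist check
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password):
    """Fold case, drop digits/symbols added at either end, undo leet
    substitutions: 'P@ssw0rd1!' -> 'password'."""
    core = password.lower()
    stripped = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", core)
    if stripped:            # keep the original if stripping would remove everything
        core = stripped
    return core.translate(LEET)


def validate_password(password, username, min_length=MIN_LENGTH):
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS or normalize(password) in COMMON_PASSWORDS:
        problems.append("matches a common password (after normalization)")
    # Guard on length so a one-letter username does not reject everything
    if len(username) >= 3 and username.lower() in lowered:
        problems.append("contains the username")
    if len(set(password)) < 4:      # 'aaaaaaaaaaaa', '121212121212'
        problems.append("too few distinct characters")
    return problems


if __name__ == "__main__":
    for candidate, user in [("P@ssw0rd1!", "bob"), ("Welcome2024!!", "alice"),
                            ("alice-Reports-Q3!", "alice"),
                            ("correct horse battery staple", "alice")]:
        print(repr(candidate), "->", validate_password(candidate, user) or "accepted")
```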
U.S. Compliance Laws for Organizations
Health Insurance Portability and Accountability Act (HIPAA)
Gramm-Leach-Bliley Act (GLBA)
Sarbanes-Oxley (SOX) Act
DISCOVER: PROCESS
Access Control Principles
Minimal privilege or exposure (least privilege)
Regular monitoring of access privileges
Need-to-know basis for granting access
Physical, logical, and integrated access controls
Monitor logs and correlate events across systems
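An authorization check that applies these principles, as an added example (not code from the deck): permissions come from roles (RBAC), an object's classification level is compared with the subject's clearance (a MAC-style check that reflects the data classification policy), need to know is enforced through compartment labels, and a review function flags roles that have not been exercised within a set period so they can be removed under least privilege. The roles, levels, subjects, objects and the 60-day review window are constructed assumptions.

```python
# Added example: an authorization decision that applies least privilege,
# need to know, RBAC and a MAC-style classification check, plus a review of
# unused privileges. Roles, levels, subjects, objects and dates are constructed.
from datetime import date, timedelta

# Ordered classification levels; a clearance must dominate the object's level
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# RBAC: role -> actions it grants
ROLE_PERMISSIONS = {
    "analyst": {"read"},
    "engineer": {"read", "write"},
    "admin": {"read", "write", "delete"},
}

# Subjects: roles, clearance level, need-to-know compartments
SUBJECTS = {
    "alice": {"roles": {"analyst"}, "clearance": "confidential", "compartments": {"finance"}},
    "bob":   {"roles": {"engineer"}, "clearance": "internal", "compartments": {"finance", "payments"}},
    "root":  {"roles": {"admin"}, "clearance": "restricted", "compartments": {"finance", "payments", "hr"}},
}

# Objects: classification level and the compartments a reader must hold
OBJECTS = {
    "q3-forecast.xlsx":    {"classification": "confidential", "compartments": {"finance"}},
    "payroll.csv":         {"classification": "restricted", "compartments": {"hr"}},
    "vendor-contract.pdf": {"classification": "internal", "compartments": {"legal"}},
    "release-notes.md":    {"classification": "public", "compartments": set()},
}

# Last time each (subject, role) pairing was actually exercised
ROLE_LAST_USED = {
    ("alice", "analyst"): date(2024, 3, 1),
    ("bob", "engineer"): date(2023, 12, 1),
    ("root", "admin"): date(2024, 2, 28),
}


def authorize(subject, action, obj):
    """Return (allowed, reason). Every check must pass; the first failure denies."""
    s, o = SUBJECTS[subject], OBJECTS[obj]
    granted = set().union(*(ROLE_PERMISSIONS[r] for r in s["roles"]))
    if action not in granted:                                   # RBAC / least privilege
        return False, f"roles {sorted(s['roles'])} do not grant '{action}'"
    if LEVELS[s["clearance"]] < LEVELS[o["classification"]]:    # classification (MAC-style)
        return False, f"clearance '{s['clearance']}' is below '{o['classification']}'"
    missing = o["compartments"] - s["compartments"]             # need to know
    if missing:
        return False, f"no need-to-know for {sorted(missing)}"
    return True, "permitted"


def stale_privileges(last_used=ROLE_LAST_USED, today=date(2024, 3, 3), max_idle=timedelta(days=60)):
    """Regular monitoring: (subject, role) pairs unused for longer than max_idle
    are candidates for removal under least privilege."""
    return sorted(pair for pair, used in last_used.items() if today - used > max_idle)


if __name__ == "__main__":
    for who, action, what in [("alice", "read", "q3-forecast.xlsx"),
                              ("alice", "write", "q3-forecast.xlsx"),
                              ("bob", "read", "q3-forecast.xlsx"),
                              ("root", "read", "vendor-contract.pdf")]:
        print(who, action, what, "->", authorize(who, action, what))
    print("unused roles:", stale_privileges())
```

Note that the highest clearance does not by itself grant access: root is denied the vendor contract because the "legal" compartment is not in root's need-to-know set, which is the point of pairing a classification check with compartment labels.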
Layered Security and Defense-in-Depth Mechanisms
[Diagram: access control principles (need to know, least privilege, physical controls, RBAC, MAC) layered with defense-in-depth mechanisms (firewalls, intrusion prevention/detection systems (IPS/IDS), operating system (OS) security).]
Layered security arises from the desire to cover the shortcomings of each network component by combining components into a single, comprehensive strategy, the whole of which is greater than the sum of its parts
Defense-in-depth:
Takes advantage of the delay between the start of an attack and its effect, using rapid notification and response while attacks and disasters are under way and slowing their progress
Uses multiple layers of complementary technologies
On the perimeter:
Firewalls may constitute layers 1 and 2 of protection
Intrusion prevention/detection may be at layer 3
Virus scanners and content filtering constitute layer 4
Each technology and each layer complements the protection provided by the others, at the perimeter against external attacks and in the internal network against internal attacks
Summary
Access policy framework
Access control policies, procedures, and guidelines
Password management controls and issues
Layered security