Authentication types

ECS6700Wk5PP.pptx

Fundamentals of Information Systems Security

Lesson 5

Access Controls

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Learning Objective(s)

Explain the role of access controls in an IT infrastructure.

Key Concepts

Access control concepts and technologies

Formal models of access control

How identity is managed by access control

Developing and maintaining system access controls

Defining Access Control

The process of protecting a resource so that it is used only by those allowed to use it

Prevents unauthorized use

Mitigations put into place to protect a resource from a threat

Access controls are methods used to restrict and allow access to certain items, such as automobiles, homes, and computers, even cell phones. Your first experience with access control might have been when you locked a sibling out of your room or used a combination lock to secure your valuables at the gym. When you purchased your first car, the keys fit only your car, so only you could unlock and start your car.

Just as the lock and key systems on your house or car are access controls, so are the personal identification numbers (PINs) on your bank or credit cards.

9/3/2019

(c) ITT Educational Services, Inc.

Four Parts of Access Control

Identification: Who is asking to access the asset?

Authentication: Can their identities be verified?

Authorization: What, exactly, can the requestor access? And what can they do?

Accountability: How are actions traced to an individual to ensure the person who makes data or system changes can be identified?

For businesses, access controls are used to manage what employees can and can’t do. Access controls specify who users (people or computer processes) are, what users can do, which resources they can reach, and what operations they can perform. Access control systems use several technologies, including passwords, hardware tokens, biometrics, and certificates. Access can be granted to physical assets, such as buildings or rooms.

Policy Definition and Policy Enforcement Phases

Policy definition phase—Who has access and what systems or resources they can use

Tied to the authorization phase

Policy enforcement phase—Grants or rejects requests for access based on the authorizations defined in the first phase

Tied to identification, authentication, and accountability phases

The four parts of access control can be categorized into two parts: policy definition phase and policy enforcement phase.

Two Types of Access Controls

Physical

Controls entry into buildings, parking lots, and protected areas

Logical

Controls access to a computer system or network

Physical Access Control

Smart cards are an example

Programmed with ID number

Used at parking lots, elevators, office doors

Shared office buildings may require an additional after-hours card

Cards control access to physical resources

Logical Access Control

Deciding which users can get into a system

Monitoring what each user does on that system

Restraining or influencing a user’s behavior on that system

The Security Kernel

Enforces access control for computer systems

Central point of access control

Implements the reference monitor concept

Enforcing Access Control

The subject requests access to an object. The security kernel intercepts the request.

The security kernel refers to its rules base, also known as the security kernel database. It uses these rules to determine access rights. Access rights are set according to the policies an organization has defined.

The kernel allows or denies access based on the defined access rules. All access requests handled by the system are logged for later tracking and analysis.
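An added illustration (not code from the slides) of the four parts of access control sitting behind one security kernel: identification (a claimed username), authentication (a salted credential check), authorization (a rule-base lookup) and accountability (an audit record for every decision, allowed or denied). The users, passwords and rules are constructed for the demo.

```python
"""Minimal security kernel: complete mediation with default deny and audit.
Constructed example; the user names, passwords and rules are sample data."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


def hash_password(password: str, salt: bytes) -> bytes:
    # A salted PBKDF2 verifier is stored instead of the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class SecurityKernel:
    # Authentication database: username -> (salt, verifier)
    credentials: Dict[str, Tuple[bytes, bytes]]
    # Rule base ("security kernel database"): (subject, object) -> allowed actions
    rules: Dict[Tuple[str, str], Set[str]]
    audit_log: List[str] = field(default_factory=list)

    def _log(self, verdict: str, subject: str, obj: str, action: str, why: str) -> None:
        # Accountability: every request is recorded, whether allowed or denied.
        self.audit_log.append(
            f"{verdict} subject={subject} object={obj} action={action} ({why})")

    def authenticate(self, username: str, password: str) -> bool:
        entry = self.credentials.get(username)
        if entry is None:
            return False
        salt, verifier = entry
        # Constant-time comparison so timing does not reveal matching bytes.
        return hmac.compare_digest(hash_password(password, salt), verifier)

    def request(self, username: str, password: str, obj: str, action: str) -> bool:
        """The kernel intercepts every request; anything not explicitly
        permitted by the rule base is denied."""
        if not self.authenticate(username, password):
            self._log("DENY", username, obj, action, "authentication failed")
            return False
        if action not in self.rules.get((username, obj), set()):
            self._log("DENY", username, obj, action, "no rule permits action")
            return False
        self._log("ALLOW", username, obj, action, "rule matched")
        return True

    def denied(self) -> List[str]:
        """Denied requests are the entries an analyst reviews first."""
        return [e for e in self.audit_log if e.startswith("DENY")]


def build_sample_kernel() -> SecurityKernel:
    """Constructed policy: alice may read and write the payroll file, bob may only read it."""
    creds: Dict[str, Tuple[bytes, bytes]] = {}
    for user, pw in [("alice", "correct horse battery staple"), ("bob", "hunter2")]:
        salt = os.urandom(16)
        creds[user] = (salt, hash_password(pw, salt))
    rules = {
        ("alice", "payroll.xlsx"): {"read", "write"},
        ("bob", "payroll.xlsx"): {"read"},
    }
    return SecurityKernel(creds, rules)


if __name__ == "__main__":
    k = build_sample_kernel()
    print(k.request("alice", "correct horse battery staple", "payroll.xlsx", "write"))
    print(k.request("bob", "hunter2", "payroll.xlsx", "write"))
    print(k.request("bob", "wrong", "payroll.xlsx", "read"))
    print("\n".join(k.audit_log))
```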

Access Control Policies

Four central components of access control:

Users: People who use the system or processes that perform some service for other people or processes. A more general term for users is subjects.

Resources: Protected objects in the system. Resources can be accessed only by authorized subjects. Resources can be used only in authorized ways.

Actions: Activities that authorized users can perform on resources.

Relationships: Optional conditions that exist between users and resources. Relationships are permissions granted to an authorized user, such as read, write, execute.

Logical Access Control Solutions

Biometrics: Static (fingerprints, iris granularity, retina blood vessels, facial features, and hand geometry); dynamic (voice inflections, keyboard strokes, and signature motions)

Tokens: Synchronous or asynchronous; smart cards and memory cards

Passwords: Stringent password controls for users; account lockout policies; auditing logon events

Single sign-on: Kerberos process; Secure European System for Applications in a Multi-Vendor Environment (SESAME)

Authorization Policies

Authorization

User-assigned privileges

Group membership policy

Authority-level policy

Methods and Guidelines for Identification

Methods

Username

Smart card

Biometrics

Guidelines

Actions

Accounting

Authentication Types

Knowledge: A password, passphrase, or personal identification number (PIN).

Ownership: A smart card, key, badge, or token.

Characteristics: Some attribute that is unique to you, such as your fingerprints, retina, or signature. Since the characteristics involved are often physical, this type of authentication is sometimes defined as something you are.

Location: Your physical location when you attempt to access a resource.

Action: The way you type on a keyboard.

Knowledge: Something you know

Ownership: Something you have

Characteristics: Something unique to you

Location: Somewhere you are

Action: Something you do/how you do it

Authentication by Knowledge

Password

Weak passwords easily cracked by brute-force or dictionary attack

Password best practices

Passphrase

Stronger than a password

Account lockout policies

Audit logon events

Authentication by Ownership

Synchronous token—Calculates a number at both the authentication server and the device

Time-based synchronization system

Event-based synchronization system

Continuous authentication

Asynchronous token

USB token

Smart card

Memory cards (magnetic stripe)

Asynchronous Token Challenge-Response

Authentication by Characteristics/Biometrics

Static (physiological) measures

What you are

Dynamic (behavioral) measures

What you do

Concerns Surrounding Biometrics

Accuracy

Acceptability

Reaction time

Types of Biometrics

Privacy Issues: Biometric technologies don’t just involve collecting data about a person. Biometrics collects information intrinsic to people. Every person must submit to an examination, and that examination must be digitally recorded and stored. Unauthorized access to this data could lead to misuse.

Fingerprint

Palm print

Hand geometry

Retina scan

Iris scan

Facial recognition

Voice pattern

Keystroke dynamics

Signature dynamics

Authentication by Location and Action

Location

Strong indicator of authenticity

Additional information to suggest granting or denying access to a resource

Action

Stores the patterns or nuances of how you do something

Record typing patterns

Single Sign-On (SSO)

Sign on to a computer or network once

Identification and authorization credentials allow user to access all computers and systems where authorized

Reduces human error

Difficult to put in place

SSO Processes

Kerberos

Secure European System for Applications in a Multi-Vendor Environment (SESAME)

Lightweight Directory Access Protocol (LDAP)

Policies and Procedures for Accountability

Log files

Monitoring and reviews

Data retention

Media disposal

Compliance requirements

Formal Models of Access Control

Discretionary access control (DAC)

Mandatory access control (MAC)

Nondiscretionary access control

Rule-based access control

Discretionary Access Control

Operating systems-based DAC policy considerations

Access control method

New user registration

Periodic review

Application-based DAC

Permission levels

Mandatory Access Control

Determine the level of restriction by how sensitive the resource is (classification label)

System and owner make the decision to allow access

Temporal isolation/time-of-day restrictions

MAC is stronger than DAC

Nondiscretionary Access Control

Access rules are closely managed by security administrator, not system owner or ordinary users

Sensitive files are write-protected for integrity and readable only by authorized users

More secure than discretionary access control

Ensures that system security is enforced and tamperproof

Rule-Based Access Control

Access Control Lists

Linux and OS X

Permissions

Read, write, execute

Applied to

File owners, groups, global users
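An added example (not code from the slides) of how Linux and OS X apply the read, write and execute bits to owner, group and global users: the user falls into exactly one class, chosen in that order, and only that class's bits count, even when another class would be more permissive. The file owner, group and mode values are constructed for the demo.

```python
"""Unix permission-bit evaluation for a single user and file.
Constructed example; uids, gids and modes are sample data."""
import stat
from typing import Set

R, W, X = 4, 2, 1   # the three permission bits, as in chmod's octal notation


def permission_class(file_uid: int, file_gid: int, uid: int, gids: Set[int]) -> str:
    """Pick exactly one class for this user: owner first, then group, then other."""
    if uid == file_uid:
        return "owner"
    if file_gid in gids:
        return "group"
    return "other"


def bits_for(mode: int, cls: str) -> int:
    """Extract the rwx triple for one class from a mode such as 0o640."""
    shift = {"owner": 6, "group": 3, "other": 0}[cls]
    return (mode >> shift) & 0o7


def can_access(mode: int, file_uid: int, file_gid: int,
               uid: int, gids: Set[int], want: int) -> bool:
    """True if every bit in `want` is set for the user's class. Root and
    capabilities are deliberately left out so the class logic stays visible."""
    cls = permission_class(file_uid, file_gid, uid, gids)
    return bits_for(mode, cls) & want == want


def symbolic(mode: int) -> str:
    """Render the nine permission bits the way ls -l does, e.g. 'rw-r-----'."""
    return stat.filemode(stat.S_IFREG | mode)[1:]


if __name__ == "__main__":
    # Constructed: payroll.csv owned by uid 1001 (alice), gid 2000 (hr), mode 0640
    mode, owner, group = 0o640, 1001, 2000
    print(symbolic(mode))
    print("alice read/write:", can_access(mode, owner, group, 1001, {1001}, R | W))
    print("bob (in hr) read:", can_access(mode, owner, group, 1002, {1002, 2000}, R))
    print("bob (in hr) write:", can_access(mode, owner, group, 1002, {1002, 2000}, W))
    print("carol read:", can_access(mode, owner, group, 1003, {1003}, R))
    # Edge case: mode 0007 grants everyone EXCEPT the owner and group full access
    print("owner with mode 0007:", can_access(0o007, owner, group, 1001, {1001}, R))
```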

Access Control Lists (cont.)

Windows

Share permissions

Full, change, read, deny

Security permissions

Full, modify, list folder contents, read-execute, read, write, special, deny

An Access Control List

Role-Based Access Control

Content-Dependent Access Control

Constrained User Interface

Methods of constraining users

Menus

Database views

Physically constrained user interfaces

Encryption

Other Access Control Models

Bell-LaPadula model

Biba integrity model

Clark and Wilson integrity model

Brewer and Nash integrity model
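An added example (not code from the slides) of mandatory access control with classification labels, as on the Mandatory Access Control slide, showing the first two models listed above side by side: Bell-LaPadula protects confidentiality (no read up, no write down) and Biba protects integrity (no read down, no write up). The sensitivity and integrity lattices are constructed for the demo.

```python
"""Label-based MAC decisions under Bell-LaPadula and Biba.
Constructed example; the two label lattices are sample data."""
from dataclasses import dataclass

SENSITIVITY = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}
INTEGRITY = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class Labels:
    sensitivity: str   # confidentiality classification (Bell-LaPadula)
    integrity: str     # trustworthiness of the data or process (Biba)


def blp_allows(subject: Labels, obj: Labels, action: str) -> bool:
    """Bell-LaPadula: information may only flow upward in sensitivity."""
    s, o = SENSITIVITY[subject.sensitivity], SENSITIVITY[obj.sensitivity]
    if action == "read":
        return s >= o       # simple security property: no read up
    if action == "write":
        return s <= o       # *-property: no write down
    raise ValueError(f"unknown action {action!r}")


def biba_allows(subject: Labels, obj: Labels, action: str) -> bool:
    """Biba: the dual of Bell-LaPadula; untrusted data may not flow upward."""
    s, o = INTEGRITY[subject.integrity], INTEGRITY[obj.integrity]
    if action == "read":
        return s <= o       # simple integrity property: no read down
    if action == "write":
        return s >= o       # *-integrity property: no write up
    raise ValueError(f"unknown action {action!r}")


def mac_allows(subject: Labels, obj: Labels, action: str) -> bool:
    """System-enforced decision where both properties matter: the labels set
    by policy decide, and both models must agree before access is granted."""
    return blp_allows(subject, obj, action) and biba_allows(subject, obj, action)


if __name__ == "__main__":
    analyst = Labels("secret", "medium")
    for target in (Labels("confidential", "low"), Labels("top secret", "high")):
        for act in ("read", "write"):
            print(f"{act:5} {target}: BLP={blp_allows(analyst, target, act)} "
                  f"Biba={biba_allows(analyst, target, act)} "
                  f"both={mac_allows(analyst, target, act)}")
```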

Brewer and Nash Integrity Model

Effects of Breaches in Access Control

Disclosure of private information

Corruption of data

Loss of business intelligence

Danger to facilities, staff, and systems

Damage to equipment

Failure of systems and business processes

Threats to Access Controls

Gaining physical access

Eavesdropping by observation

Bypassing security

Exploiting hardware and software

Reusing or discarding media

Electronic eavesdropping

Intercepting communication

Accessing networks

Exploiting applications

Effects of Access Control Violations

In 2003, California passed a mandatory disclosure law that affects all companies that do business in California or with that state’s residents.

The law protects its residents from disclosure of their personally identifiable information (PII). PII is often the information that bad guys use to steal identities.

Loss of customer confidence

Loss of business opportunities

New regulations imposed on the organization

Bad publicity

More oversight

Financial penalties

Credential and Permissions Management

Systems that provide the ability to collect, manage, and use the information associated with access control

Microsoft offers Group Policy and Group Policy Objects (GPOs) to help administrators manage access controls

Centralized and Decentralized Access Control

Centralized authentication, authorization, and accounting (AAA) servers

RADIUS: Most popular; two configuration files

TACACS+: Internet Engineering Task Force (IETF) standard; one configuration file

DIAMETER: Base protocol and extensions

SAML: Open standard based on XML for exchanging both authentication and authorization data

Decentralized Access Control

Access control is in the hands of the people closest to the system users

Password Authentication Protocol (PAP)

Challenge-Handshake Authentication Protocol (CHAP)

Mobile device authentication, Initiative for Open Authentication (OATH)

HMAC-based one-time password (HOTP)

Time-based one-time password (TOTP)
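An added example (not code from the slides or from the OATH project) implementing the two synchronous token schemes named here and on the Authentication by Ownership slide: event-based HOTP (RFC 4226) and time-based TOTP (RFC 6238) share one HMAC-SHA-1 core, and the server-side checks show how each side resynchronises with the token. The key in the demo is the published RFC test secret, not a real credential.

```python
"""HOTP (event-based) and TOTP (time-based) one-time passwords with
server-side verification. Constructed example; the key is the RFC test vector."""
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based code: server and token each keep a moving counter."""
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based code: the counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)


def verify_hotp(secret: bytes, code: str, server_counter: int,
                window: int = 3) -> Optional[int]:
    """Event-based resynchronisation: the token may be a few presses ahead of
    the server, so counters in [server_counter, server_counter + window) are
    accepted. Returns the new server counter (past the used value) or None,
    so an accepted code can never be replayed."""
    for c in range(server_counter, server_counter + window):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1
    return None


def verify_totp(secret: bytes, code: str, now: int,
                step: int = 30, skew: int = 1) -> bool:
    """Time-based check tolerating +/- `skew` steps of clock drift."""
    t = now // step
    return any(hmac.compare_digest(hotp(secret, t + d), code)
               for d in range(-skew, skew + 1))


if __name__ == "__main__":
    key = b"12345678901234567890"   # RFC 4226 / RFC 6238 test secret
    print("HOTP counter 0:", hotp(key, 0))            # 755224 per RFC 4226
    print("TOTP at t=59 (8 digits):", totp(key, 59, digits=8))   # 94287082 per RFC 6238
    print("TOTP now:", totp(key, int(time.time())))
```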

Privacy

Communicate expectations for privacy in acceptable use policies (AUPs) and logon banners

Monitoring in the workplace includes:

Opening mail or email

Using automated software to check email

Checking phone logs or recording phone calls

Checking logs of web sites visited

Getting information from credit-reference agencies

Collecting information through point-of-sale (PoS) terminals

Recording activities on closed-circuit television (CCTV)

Cloud Computing

Private: All components are managed for a single organization. May be managed by the organization or by a third-party provider.

Community: Components are shared by several organizations and managed by one of the participating organizations or by a third party.

Public: Available for public use and managed by third-party providers.

Hybrid: Contains components of more than one type of cloud, including private, community, and public clouds.

Cloud computing is the practice of using computing services that are delivered over a network. The computing services may be located within the organization's network or provided by servers that belong to some other network. There are several cloud models to meet the needs of a diverse user environment. Cloud services generally fall into one of the categories shown in the table.

Advantages/Disadvantages of Cloud Computing

Advantages

No need to maintain a data center

No need to maintain a disaster recovery site

Outsourced responsibility for performance and connectivity

On-demand provisioning

Disadvantages

More difficult to keep private data secure

Greater danger of private data leakage

Demand for constant network access

Client needs to trust the outside vendor

There are several advantages to using cloud services over traditional in-house software. Most of the advantages include some cost savings.

Summary

Access control concepts and technologies

Formal models of access control

How identity is managed by access control

Developing and maintaining system access controls
