
Kelvin asked, “Laverne, what does the consultant’s report say?”

Laverne said, “Well, there is a little confusion about that. The consultant is from Costly & Firehouse, one of the big consulting firms. She proposed two alternative designs, one that seems like an adequate, if modest design and another that might be a little more than we need. The written report indicates we have to make the decision about which way to go, but when we talked, she really built up the expensive plan and kind of put down the more economical plan.”

Miller looked sour.

Kelvin said, “Sounds like we need to make a decision, and soon. Get a conference room reserved for tomorrow, ask the consultant if she can come in for a few hours first thing, and let everyone on the architecture team know we will meet from 8 to 11 on this matter. Now, here is how I think we should prepare for the meeting.”

Learning Objectives

Upon completion of this material, you should be able to:

• Discuss the role of access control in information systems, and identify and discuss the four fundamental functions of access control systems
• Define authentication and explain the three commonly used authentication factors
• Describe firewall technologies and the various categories of firewalls
• Discuss the various approaches to firewall implementation
• Identify the various approaches to control remote and dial-up access by authenticating and authorizing users
• Describe virtual private networks (VPNs) and discuss the technology that enables them

Introduction

Technical controls are essential to a well-planned information security program, particularly to enforce policy for the many IT functions that are not under direct human control. Network and computer systems make millions of decisions every second, and they operate in ways and at speeds that people cannot control in real time. Technical control solutions, when properly implemented, can improve an organization’s ability to balance the often conflicting objectives of making information readily and widely available and of preserving the information’s confidentiality and integrity. This chapter, along with Chapters 7 and 8, describes the function of many common technical controls and explains how they fit into the physical design of an information security program. Students who want to acquire expertise on the configuration and maintenance of technology-based control systems will require additional education and usually specialized training.

Access Control

Key Terms

access control The selective method by which systems specify who may use a particular resource and how they may use it.

326 Chapter 6

Copyright 2018 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. WCN 02-300

access control list (ACL) Specifications of authorization that govern the rights and privileges of users to a particular information asset. ACLs include user access lists, matrices, and capabilities tables.

attribute A characteristic of a subject (user or system) that can be used to restrict access to an object. Also known as a subject attribute.

attribute-based access control (ABAC) An access control approach whereby the organization specifies the use of objects based on some attribute of the user or system.

capabilities table In a lattice-based access control, the row of attributes associated with a particular subject (such as a user).

discretionary access controls (DACs) Access controls that are implemented at the discretion or option of the data user.

lattice-based access control (LBAC) A variation on the MAC form of access control, which assigns users a matrix of authorizations for particular areas of access, incorporating the information assets of subjects such as users and objects.

mandatory access control (MAC) A required, structured data classification scheme that rates each collection of information as well as each user. These ratings are often referred to as sensitivity or classification levels.

nondiscretionary access controls (NDACs) Access controls that are implemented by a central authority.

role-based access control (RBAC) An example of a nondiscretionary control where privileges are tied to the role a user performs in an organization, and are inherited when a user is assigned to that role. Roles are considered more persistent than tasks. RBAC is an example of an LBAC.

subject attribute See attribute.

task-based access control (TBAC) An example of a nondiscretionary control where privileges are tied to a task a user performs in an organization and are inherited when a user is assigned to that task. Tasks are considered more temporary than roles. TBAC is an example of an LBAC.

Access control is the method by which systems determine whether and how to admit a user into a trusted area of the organization—that is, information systems, restricted areas such as computer rooms, and the entire physical location. Access control is achieved through a combination of policies, programs, and technologies. To understand access controls, you must first understand that they are focused on the permissions or privileges that a subject (user or system) has on an object (resource), including if, when, and from where a subject may access an object and especially how the subject may use that object.

In the early days of access controls during the 1960s and 1970s, the government defined only mandatory access controls (MACs) and discretionary access controls. These definitions were later codified in the Trusted Computer System Evaluation Criteria (TCSEC) documents from the U.S. Department of Defense (DoD). As the definitions and applications evolved, MAC became further refined as a specific type of lattice-based, nondiscretionary access control, as described in the following sections.

In general, access controls can be discretionary or nondiscretionary (see Figure 6-1).

Discretionary access controls (DACs) provide the ability to share resources in a peer-to-peer configuration that allows users to control and possibly provide access to information or resources at their disposal. The users can allow general, unrestricted access, or they can allow specific people or groups of people to access these resources. For example, a user might have a hard drive that contains information to be shared with office coworkers. This user can elect to allow access to specific coworkers by providing access by name in the share control function.
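The following added example (not from the textbook) models the ideas in the key terms and in the DAC paragraph above: an access control matrix whose columns are ACLs and whose rows are capabilities tables, with discretionary sharing that only an object's owner may perform, contrasted with a mandatory check that compares fixed sensitivity levels. The user names, file names, operations, and level names are constructed for illustration.

```python
from dataclasses import dataclass, field

# Mandatory control (simplified assumption): sensitivity levels are an ordered
# list, and a subject may read an object only if its level dominates the object's.
LEVELS = ["public", "internal", "confidential", "secret"]


def mac_read_permitted(subject_level, object_level):
    """Mandatory check: ratings are fixed by a central authority, not by users."""
    return LEVELS.index(subject_level) >= LEVELS.index(object_level)


@dataclass
class AccessMatrix:
    """Access control matrix: rows are subjects, columns are objects."""
    owners: dict = field(default_factory=dict)   # object -> owning subject
    grants: dict = field(default_factory=dict)   # (subject, object) -> set of ops

    def create(self, owner, obj):
        """Owner creates an object and holds full rights to it (DAC)."""
        self.owners[obj] = owner
        self.grants[(owner, obj)] = {"read", "write", "share"}

    def share(self, grantor, obj, grantee, ops):
        """Discretionary sharing: only the object's owner may extend rights."""
        if self.owners.get(obj) != grantor:
            return False
        self.grants.setdefault((grantee, obj), set()).update(ops)
        return True

    def permitted(self, subject, obj, op):
        return op in self.grants.get((subject, obj), set())

    def acl(self, obj):
        """ACL view: the matrix column for one object (subject -> ops)."""
        return {s: sorted(o) for (s, ob), o in self.grants.items() if ob == obj}

    def capabilities(self, subject):
        """Capabilities table view: the matrix row for one subject (object -> ops)."""
        return {ob: sorted(o) for (s, ob), o in self.grants.items() if s == subject}


def demo():
    # Constructed scenario: alice owns a file and shares read access with bob by name.
    m = AccessMatrix()
    m.create("alice", "budget.xlsx")
    m.share("alice", "budget.xlsx", "bob", {"read"})
    return m
```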
