© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company. www.jblearning.com. All rights reserved.
Fundamentals of Information Systems Security
Chapter 5
Access Controls
Learning Objective
Explain the role of access controls in implementing security policy.
Key Concepts
• Authorization policies that apply access control to systems, applications, and data
• The role of identification in granting access to information systems
• The role of authentication in granting access to information systems
• Authentication factor types and the need for two- or three-factor authentication
• The pros and cons of the formal models used for access controls
DISCOVER: CONCEPTS
Defining Access Control
• The process of protecting a resource so that it is used only by those allowed to do so
• Prevents unauthorized use
Four Parts of Access Control
Component: Description
Authorization: Who is approved for access, and what may they use?
Identification: How are they identified?
Authentication: Can their identities be verified?
Accountability: How are actions traced to an individual, so that the person who makes data or system changes can be identified?
Access Control Basics
• Access control provides a set of resources available to the authenticated identity.
• Access controls can be logical or physical.
• Before authorization can occur, the identity of the account attempting to access a resource must be determined and verified.
Access Control Basics (Continued)
• Identification presents credentials: the subject claims an identity, for example with a username or card.
• Authentication verifies that claim and associates the credentials with a security principal.
• Accountability traces an action to a person or process, so it is known who made the changes to the system or data.
Asynchronous Token Challenge-Response
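The slide above is a figure of an asynchronous (challenge-response) token exchange. The following Python is an added example, not code from the textbook or its publisher: the server sends an unpredictable nonce as the challenge, the token answers with a keyed hash over it, and the server checks the answer in constant time. It also shows why the challenge must be single-use and time-limited (replay and stale responses are rejected), and contrasts the exchange with a synchronous token, whose "challenge" is the current time slot and is never transmitted. The shared secret, user name, time values, 8-hex-digit display code and 60-second lifetime are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Secret provisioned into one user's token at enrollment (constructed for this
# example; a real token's secret never leaves the device).
TOKEN_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


class AsyncToken:
    """Asynchronous token: computes a keyed hash over the server's challenge."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: bytes) -> str:
        # Real tokens display a short code; 8 hex digits keeps the demo readable.
        return hmac.new(self._secret, challenge, hashlib.sha256).hexdigest()[:8]


class ChallengeServer:
    """Issues one-time challenges and verifies the responses."""

    def __init__(self, secrets_by_user: dict, ttl_seconds: int = 60):
        self._secrets = dict(secrets_by_user)
        self._ttl = ttl_seconds
        self._pending = {}  # user -> (challenge, issued_at)

    def issue_challenge(self, user: str, now: float) -> bytes:
        challenge = secrets.token_bytes(16)        # unpredictable nonce
        self._pending[user] = (challenge, now)
        return challenge

    def verify(self, user: str, response: str, now: float) -> bool:
        entry = self._pending.pop(user, None)      # consumed on first use, right or wrong
        if entry is None:
            return False                           # nothing outstanding: replay or no challenge
        challenge, issued_at = entry
        if now - issued_at > self._ttl:
            return False                           # stale challenge
        secret = self._secrets.get(user)
        if secret is None:
            return False
        expected = AsyncToken(secret).respond(challenge)
        return hmac.compare_digest(expected, response)


def sync_code(secret: bytes, now: float, step: int = 30) -> str:
    """Synchronous token: the 'challenge' is the current time slot, never sent."""
    counter = int(now // step).to_bytes(8, "big")
    return hmac.new(secret, counter, hashlib.sha256).hexdigest()[:8]


def verify_sync(secret: bytes, code: str, now: float, step: int = 30, skew: int = 1) -> bool:
    """Accept the current slot plus `skew` neighbouring slots to absorb clock drift."""
    return any(
        hmac.compare_digest(sync_code(secret, now + d * step, step), code)
        for d in range(-skew, skew + 1)
    )


def demo() -> dict:
    user = "alice"
    server = ChallengeServer({user: TOKEN_SECRET}, ttl_seconds=60)
    token = AsyncToken(TOKEN_SECRET)
    t0 = 1_700_000_000.0  # fixed clock so the run is deterministic

    challenge = server.issue_challenge(user, t0)
    response = token.respond(challenge)
    results = {"fresh_response": server.verify(user, response, t0 + 5)}

    # Replay: the same (challenge, response) pair was consumed by the first login.
    results["replayed_response"] = server.verify(user, response, t0 + 6)

    # Forgery: an attacker who captured a challenge but does not hold the secret.
    challenge = server.issue_challenge(user, t0 + 10)
    forged = AsyncToken(b"not the real secret").respond(challenge)
    results["forged_response"] = server.verify(user, forged, t0 + 11)

    # Expiry: the right token, but the user answered after the lifetime.
    challenge = server.issue_challenge(user, t0 + 20)
    late = token.respond(challenge)
    results["expired_response"] = server.verify(user, late, t0 + 20 + 61)

    # Synchronous variant for contrast: valid within one step of drift, not two minutes later.
    code = sync_code(TOKEN_SECRET, t0)
    results["sync_in_window"] = verify_sync(TOKEN_SECRET, code, t0 + 25)
    results["sync_too_old"] = verify_sync(TOKEN_SECRET, code, t0 + 120)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18} -> {'accepted' if ok else 'rejected'}")
```

The point of the asynchronous scheme is that the secret never crosses the wire: an eavesdropper sees only a nonce and a code that is useless once the nonce is consumed. The synchronous variant trades the challenge round-trip for a dependency on clock agreement, which is why verifiers accept a small window of adjacent slots.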
Rule-Based Access Control
An Access Control List (ACL)
Role-Based Access Control
Content-Dependent Access Control
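The four slides above (rule-based access control, an access control list, role-based access control, content-dependent access control) are figures in the original deck. The Python below is an added example, not the textbook's code, that states each model as a small policy plus a decision function over the same request: an ACL attached to each object, roles that map users to (action, object) permissions, rules on the request itself (hour of day, source network) that can veto a role grant, and a content-dependent filter that decides per record from a field in the record. The users, objects, roles, rules and employee rows are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    subject: str
    action: str
    obj: str
    hour: int = 9              # local hour of the request (rule-based check)
    source_net: str = "corp"   # "corp" or "internet" (rule-based check)


# --- Policy definitions (constructed sample data for this example) ---

# Access control list: each object carries its own principal -> permissions map.
ACL = {
    "payroll.xlsx": {"alice": {"read", "write"}, "bob": {"read"}},
    "handbook.pdf": {"*": {"read"}},   # "*" = any authenticated principal
}

# Role-based: users are assigned roles; roles are assigned (action, object) pairs.
ROLE_MEMBERS = {"alice": {"hr_manager"}, "bob": {"hr_clerk"}, "carol": {"engineer"}}
ROLE_PERMS = {
    "hr_manager": {("read", "payroll.xlsx"), ("write", "payroll.xlsx"), ("read", "handbook.pdf")},
    "hr_clerk": {("read", "payroll.xlsx"), ("read", "handbook.pdf")},
    "engineer": {("read", "handbook.pdf")},
}

# Rule-based: conditions on the request, applied to every write regardless of who asks.
WRITE_RULES = [
    ("business hours only", lambda r: 8 <= r.hour < 18),
    ("writes only from the corporate network", lambda r: r.source_net == "corp"),
]

# Content-dependent: what a subject may see depends on a value inside each record.
SUBJECT_DEPT = {"alice": "hr", "bob": "hr", "carol": "eng"}
EMPLOYEES = [
    {"name": "Dana", "department": "hr", "salary": 70000},
    {"name": "Eli", "department": "eng", "salary": 95000},
]


# --- One decision function per model ---

def acl_allows(req: Request) -> bool:
    entries = ACL.get(req.obj, {})
    perms = entries.get(req.subject, set()) | entries.get("*", set())
    return req.action in perms


def rbac_allows(req: Request) -> bool:
    roles = ROLE_MEMBERS.get(req.subject, set())
    return any((req.action, req.obj) in ROLE_PERMS.get(role, set()) for role in roles)


def rules_allow(req: Request) -> tuple:
    """Return (allowed, names of violated rules). The rules constrain writes only."""
    if req.action != "write":
        return True, []
    violated = [name for name, pred in WRITE_RULES if not pred(req)]
    return not violated, violated


def visible_records(subject: str, rows: list) -> list:
    """HR managers see every record; everyone else sees only their own department."""
    if "hr_manager" in ROLE_MEMBERS.get(subject, set()):
        return list(rows)
    dept = SUBJECT_DEPT.get(subject)
    return [row for row in rows if row["department"] == dept]


def rbac_with_rules(req: Request) -> bool:
    """Common layering: the role grant is necessary, but a rule can still veto it."""
    return rbac_allows(req) and rules_allow(req)[0]


def demo() -> dict:
    return {
        "acl_bob_reads_payroll": acl_allows(Request("bob", "read", "payroll.xlsx")),
        "acl_bob_writes_payroll": acl_allows(Request("bob", "write", "payroll.xlsx")),
        "acl_carol_reads_handbook": acl_allows(Request("carol", "read", "handbook.pdf")),
        "rbac_alice_writes_payroll": rbac_allows(Request("alice", "write", "payroll.xlsx")),
        "rbac_carol_writes_payroll": rbac_allows(Request("carol", "write", "payroll.xlsx")),
        "rules_alice_write_at_9": rbac_with_rules(Request("alice", "write", "payroll.xlsx", hour=9)),
        "rules_alice_write_at_22": rbac_with_rules(Request("alice", "write", "payroll.xlsx", hour=22)),
        "rules_alice_write_from_internet": rbac_with_rules(
            Request("alice", "write", "payroll.xlsx", source_net="internet")),
        "content_bob_sees": [r["name"] for r in visible_records("bob", EMPLOYEES)],
        "content_alice_sees": [r["name"] for r in visible_records("alice", EMPLOYEES)],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note what each model keys on: the ACL on the object, RBAC on the subject's roles, the rules on attributes of the request, and the content-dependent filter on the data itself. Real systems usually combine them, as rbac_with_rules does, and the combination is only as safe as its weakest default (an object with no ACL entry, or a role with no permissions, must deny).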
Policy Definition and Policy Enforcement Phases
• The policy definition phase decides who has access and what systems or resources they can use. It is tied to the authorization part.
• The policy enforcement phase grants or rejects requests for access based on the authorizations defined in the first phase. It is tied to the identification, authentication, and accountability parts.
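To make the two phases and the four parts concrete, here is an added Python example (not the textbook's code) in which the policy definition phase is a plain data structure of authorizations, and the policy enforcement phase is a class that runs identification (is the claimed account known?), authentication (does the salted PBKDF2 hash match, compared in constant time?), authorization (is the action in the defined policy?) and accountability (every decision appended to an audit log attributed to an account). It also enforces an account lockout after repeated failures. The account names, passwords, the "ledger" resource, the three-failure lockout threshold and the PBKDF2 round count are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ROUNDS = 100_000   # assumed work factor for the example

# ---- Policy definition phase: who is approved, and for what (constructed sample policy) ----
AUTHORIZATIONS = {
    "alice": {"ledger": {"read", "write"}},
    "bob": {"ledger": {"read"}},
}


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def enroll(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}


# Credential store, constructed for this example; only salted hashes are kept.
ACCOUNTS = {"alice": enroll("correct horse battery staple"), "bob": enroll("bob-pass-2024")}
# Hashed against when the username is unknown, so that lookup failure costs the same
# time as a wrong password and does not reveal which accounts exist.
_DECOY = enroll("decoy")


class PolicyEnforcementPoint:
    """Policy enforcement phase: identification, authentication, authorization, accountability."""

    MAX_FAILURES = 3   # assumed lockout threshold

    def __init__(self, accounts: dict, authorizations: dict):
        self._accounts = accounts
        self._authz = authorizations
        self._failures = {}
        self.audit_log = []   # accountability: every decision, attributed to an account

    def _record(self, user: str, event: str, outcome: str, **detail) -> None:
        self.audit_log.append({"user": user, "event": event, "outcome": outcome, **detail})

    def login(self, username: str, password: str) -> Optional[dict]:
        # Identification: the claimed identity must map to a known account.
        account = self._accounts.get(username)
        if account is None:
            _hash_password(password, _DECOY["salt"])   # uniform timing, result discarded
            self._record(username, "logon", "denied", reason="unknown account")
            return None
        if self._failures.get(username, 0) >= self.MAX_FAILURES:
            self._record(username, "logon", "denied", reason="account locked")
            return None
        # Authentication: verify the credential with a constant-time comparison.
        candidate = _hash_password(password, account["salt"])
        if not hmac.compare_digest(candidate, account["hash"]):
            self._failures[username] = self._failures.get(username, 0) + 1
            self._record(username, "logon", "denied", reason="bad password")
            return None
        self._failures[username] = 0
        self._record(username, "logon", "granted")
        return {"principal": username}   # the session now carries a verified security principal

    def access(self, session: dict, action: str, obj: str) -> bool:
        # Authorization: enforce exactly what the definition phase approved.
        principal = session["principal"]
        allowed = action in self._authz.get(principal, {}).get(obj, set())
        self._record(principal, f"{action} {obj}", "granted" if allowed else "denied")
        return allowed


def demo() -> dict:
    pep = PolicyEnforcementPoint(ACCOUNTS, AUTHORIZATIONS)
    results = {}

    bob = pep.login("bob", "bob-pass-2024")
    results["bob_logged_in"] = bob is not None
    results["bob_reads_ledger"] = pep.access(bob, "read", "ledger")
    results["bob_writes_ledger"] = pep.access(bob, "write", "ledger")

    results["wrong_password_rejected"] = pep.login("alice", "guess") is None
    results["unknown_user_rejected"] = pep.login("mallory", "anything") is None

    # Lockout: after MAX_FAILURES bad attempts even the right password is refused.
    for _ in range(PolicyEnforcementPoint.MAX_FAILURES):
        pep.login("alice", "guess")
    results["locked_after_failures"] = pep.login("alice", "correct horse battery staple") is None

    results["audit_entries"] = len(pep.audit_log)
    results["last_reason"] = pep.audit_log[-1].get("reason")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The split matters operationally: the policy (AUTHORIZATIONS) can be reviewed and changed by the people who own the data without touching the enforcement code, and the enforcement code never grants anything the policy does not list. The audit log is what turns a denied write into an investigable event rather than a silent failure.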
DISCOVER: ROLES
Who Sets or Defines These Controls?
• Mandatory access control: the system, according to security labels assigned by an administrator; resource owners cannot override it.
• Discretionary access control: the owner of the resource.
• Non-discretionary access control: a central authority, rather than individual owners.
• Role-based access control: the organization, by assigning permissions to roles and users to roles.
DISCOVER: PROCESS
Scenario 1
Select access control methods for the Department of Defense (DoD) network.
Solution
• Use a combination of biometric, token-based, and password access methods.
• Add further controls, such as time-of-day restrictions and hardware encryption devices.
• Each account attempting to make a transaction must be properly identified.
Scenario 2
Select access control methods for an organization that does the majority of its business through public kiosks.
Solution
• Authentication can be as simple as an automatic anonymous guest logon shared by all visitors. Such a logon gives no individual accountability, so the guest account must be limited to the kiosk's public functions.
Scenario 3
Select access control methods for an organization that does the majority of its business through Web-based servers.
Solution
• Role-based access
• Single sign-on
• Remote Authentication Dial In User Service (RADIUS)
• Strong passwords
Logical Access Control Features
Logical Controls: Solution?
• Biometrics
• Tokens
• Passwords
• Single sign-on
Logical Access Control Solutions
Biometrics
• Static: fingerprints, iris granularity, retina blood vessels, facial features, and hand geometry
• Dynamic: voice inflections, keyboard strokes, and signature motions
Tokens
• Synchronous or asynchronous
• Smart cards and memory cards
Passwords
• Stringent password controls for users
• Account lockout policies
• Auditing logon events
Single sign-on
• Kerberos process
• Secure European System for Applications in a Multi-Vendor Environment (SESAME)
Summary
• Access control is the process of protecting a resource so that it is used only by those allowed to do so.
• Access controls can be logical or physical.
• Access control includes identification, authentication, authorization, and accountability.
• The four parts of access control can be categorized into the policy definition phase and the policy enforcement phase.