Access Security IS3230
• Name: Williams Obinkyereh, MSc. IT, Post-Masters Software Engineering, DSC (Doctor of Computer Science) Student
• Contacts:
• Phone: 612-516-9712
• Email: [email protected]
Introduction
• Class introduction
• Introduction of the Course Syllabus
– Course Summary
– Lab Infrastructure (Mock)
– Course Plan
– Evaluation
– Academic integrity
• Discussion and questions about syllabus.
Chapter 1
Access Control Framework
Goals
• Identify access control components
• Define the stages of access control
• Define and understand authentication factors
10 Security Domains
• The Common Body of Knowledge (CBK) defines 10 Security Domains:
1. Access Control
2. Telecommunications and Network Security
3. Information Security Governance and Risk Management
4. Software Development Security
5. Cryptography
6. Security Architecture and Design
7. Operations Security
8. Business Continuity and Disaster Recovery Planning
9. Legal, Regulations, Investigations and Compliance
10. Physical (Environmental) Security
Access Control
• To control access to information so that organizations can maintain the confidentiality, integrity, and availability of that information
• CIA: Confidentiality, Integrity, Availability
What is Access Control?
• Access is the ability of a subject to interact with an object; more generally, an interaction between or among entities.
• Give examples.
• Access controls are the rules for allowing or denying access: the permissions or restrictions between and among entities.
Components of Access Control
• Policies: the rules that allow or deny access to resources
• Subjects: the entities requesting access to a resource
• Objects: the resources being accessed
• Example: using an ATM (the card holder is the subject, the account is the object, and the bank's withdrawal rules are the policy)
• Access control systems: policies, procedures, tools
Access Control Subject
• Authorized entity: has approved credentials
• Unauthorized entity: has no proper credentials, or has credentials but no privilege for the requested object
• Unknown entity: has no credentials (anonymous)
• Students give examples.
Information systems subjects (Technology subjects)
• Networks
• Systems
• Processes
• Applications
• Explain by discussing inter-process communication: one process acting as the subject requesting access to another process or its resources.
Access Control Objects
• Information: any type of dataset
• Technology: applications, systems and networks
• Physical location
• Note: student discussion of objects.
Access control process
• Identification: the assignment of a unique user ID; the subject claims an identity
• Authentication: proof of the claimed identity
• Authorization: the set of rights defined for subjects over objects (rules, privileges)
• Accounting: tracking the actions of subjects on objects, for example recording what an authorized or unauthorized user did on the system
Authentication Mechanism
• Authentication is proof of identity.
• How do you prove it?
• Use authentication mechanisms.
• Authentication factors:
• Passwords
• Token/PIN
• Biometrics
• Shared secret
• CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart). Note: a CAPTCHA only shows that the subject is a human rather than a program; it does not prove which human, so it complements the factors above rather than replacing them.
Authorization
• Set of rules defined for the subjects
• Permissions
• Restrictions
• Students discuss and give examples.
Access Control Classification
• Logical Access Control
– Logging in to a system
– What you will most likely be doing
• Physical Access Control
– Environmental controls (doors, locks, guards)
– Most of the time not the responsibility of the IT department
Logical Access Control Criteria
• Who, What, When, Where, Why and How
• Group Access Controls
– Grouping of individuals based on some criteria (department, role, project) to assign collective access
• Advantages:
– Simplifies the management of access control rules: a right is granted once to the group rather than once per individual, and membership changes do not require rewriting the rules
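The following is an added example (not part of the course slides) that implements the four stages of the access control process, identification, authentication, authorization and accounting, together with the group access controls described on this slide. All user IDs, group names, objects and passwords are constructed for illustration; the policy format (group, object, permitted actions) is an assumption chosen for the example.

```python
"""Added example: identification, authentication, authorization and accounting,
with authorization resolved through group membership.
Users, groups, objects and passwords below are constructed, not from the course."""
import hashlib
import hmac
import os

# Constructed group membership: subject -> groups (the "grouping of individuals").
GROUPS = {
    "students": {"alice", "bob"},
    "staff": {"carol"},
}
# Constructed policy: rights are attached to groups, not to individuals.
POLICY = [
    # (group, object, permitted actions)
    ("students", "grades.db", {"read"}),
    ("staff", "grades.db", {"read", "write"}),
    ("staff", "syllabus.doc", {"read", "write"}),
]

ITERATIONS = 100_000
DUMMY_SALT = os.urandom(16)


def _derive(password, salt):
    """Slow, salted password hash so a stolen credential store resists brute force."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class AccessControlSystem:
    def __init__(self):
        self._credentials = {}  # identification: unique user ID -> (salt, hash)
        self.audit = []         # accounting: (subject, action, object, allowed)

    # Identification: each subject is assigned a unique user ID plus a credential.
    def register(self, user_id, password):
        if user_id in self._credentials:
            raise ValueError("user ID %r is not unique" % user_id)
        salt = os.urandom(16)
        self._credentials[user_id] = (salt, _derive(password, salt))

    # Authentication: the subject proves it owns the claimed identity.
    def authenticate(self, user_id, password):
        record = self._credentials.get(user_id)
        if record is None:
            # Unknown entity: do the same hash work so a probe cannot distinguish
            # "no such user" from "wrong password" by response time.
            _derive(password, DUMMY_SALT)
            ok = False
        else:
            salt, stored = record
            ok = hmac.compare_digest(stored, _derive(password, salt))
        self.audit.append((user_id, "login", "system", ok))
        return ok

    # Authorization: rights are looked up through the groups the subject belongs to.
    def authorize(self, user_id, obj, action):
        groups = {g for g, members in GROUPS.items() if user_id in members}
        allowed = any(
            g in groups and o == obj and action in actions
            for g, o, actions in POLICY
        )
        self.audit.append((user_id, action, obj, allowed))  # accounting
        return allowed

    def request(self, user_id, password, obj, action):
        """Full pipeline: a subject that fails authentication is never authorized."""
        if not self.authenticate(user_id, password):
            return False
        return self.authorize(user_id, obj, action)


def demo():
    """Run a few constructed requests and return the accounting trail."""
    acs = AccessControlSystem()
    acs.register("alice", "correct horse")
    acs.register("carol", "battery staple")
    acs.request("alice", "correct horse", "grades.db", "read")    # allowed
    acs.request("alice", "correct horse", "grades.db", "write")   # denied: students read only
    acs.request("carol", "battery staple", "grades.db", "write")  # allowed
    acs.request("alice", "wrong password", "grades.db", "read")   # denied at authentication
    acs.request("mallory", "anything", "grades.db", "read")       # denied: unknown entity
    return acs.audit


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The audit list is the accounting stage: every login attempt and every authorization decision is recorded, including the denied ones, which is what lets an investigator later answer "what did an unauthorized user try to do".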
Logical Access Control Objects
• Data element: security restrictions on an individual field or record
• Table: a database table object
• Database
• Systems
• Operating system
• Network
Authentication Factors
• Three categories of authentication factors
• Something you know (password, PIN, shared secret)
• Something you have (token, smart card, authenticator device)
• Something you are (biometrics)
• Class discussion on authentication factors
• Which authentication factor would you use, and why?
• Can we combine two or more authentication factors? Yes: multi-factor authentication requires factors from two or more different categories, so that a single stolen password or a single lost token is not enough on its own.
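As an added example (not from the course slides), the block below combines two factors from different categories: something you know (a password) and something you have (a time-based one-time password generator seeded with a shared secret). The HOTP/TOTP arithmetic follows RFC 4226 and RFC 6238 and is checked against the test secret published in those RFCs; the user record, password and salt are constructed for the example, and the replay guard (never accepting a time-step counter at or below one already used) is a design choice of this example rather than something the slides prescribe.

```python
"""Added example: two-factor login, password (something you know) plus
TOTP (something you have). HOTP/TOTP per RFC 4226 / RFC 6238.
The user record below is constructed; the secret is the RFC test secret."""
import hashlib
import hmac
import struct

STEP = 30      # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer and reduction to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=STEP):
    """TOTP (RFC 6238): HOTP whose counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step)


class User:
    """Constructed user record: a salted password hash and a TOTP shared secret."""
    def __init__(self, user_id, password, totp_secret):
        self.user_id = user_id
        self.salt = b"constructed-salt"  # in practice: os.urandom(16) per user
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        self.totp_secret = totp_secret
        self.last_counter = -1            # highest time-step counter already accepted


def check_password(user, password):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user.salt, 100_000)
    return hmac.compare_digest(user.pw_hash, candidate)


def match_totp(user, code, unix_time, window=1):
    """Return the time-step counter the code matches, or None.
    Accepts +/- `window` steps for clock drift, but never a counter at or below
    the last accepted one, so an intercepted code cannot be replayed."""
    base = unix_time // STEP
    for drift in range(-window, window + 1):
        counter = base + drift
        if counter <= user.last_counter:
            continue
        if hmac.compare_digest(hotp(user.totp_secret, counter), code):
            return counter
    return None


def login(user, password, code, unix_time):
    """Both factors are always evaluated, so the response does not reveal which
    one failed; the OTP counter is consumed only when the whole login succeeds."""
    pw_ok = check_password(user, password)
    counter = match_totp(user, code, unix_time)
    if pw_ok and counter is not None:
        user.last_counter = counter
        return True
    return False


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"   # RFC 4226 / RFC 6238 test secret
    print("TOTP at T=59:", totp(rfc_secret, 59))
    alice = User("alice", "correct horse", rfc_secret)
    print("password + valid code:", login(alice, "correct horse", totp(rfc_secret, 59), 59))
    print("same code replayed:  ", login(alice, "correct horse", totp(rfc_secret, 59), 59))
    print("password only:       ", login(alice, "correct horse", "000000", 59))
```

Either factor alone fails: the right password with a wrong or reused code is rejected, and the right code with a wrong password is rejected too. Running the block prints the RFC 4226 value 287082 for the first time step, which is a quick way to confirm an implementation before pairing it with a real authenticator app.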
Lab #1
• Group Policy Objects Assessment Worksheet
• Assess the impact of the controls for a regulatory case study
Assignments
• Complete the Chapter 1 Assessment, page 14, questions 1 to 14.
• Reading assignment: Read Chapters 1, 2 and 3 before the next class.