Access Security IS3230

Access Security IS3230. Name: Williams Obinkyereh MSc. IT, Post Masters Software Engineering DSC (Doctor of Computer Science) Student. Contacts: Phone:

Page 1

Access Security IS3230

Page 2

• Name: Williams Obinkyereh, MSc. IT, Post Masters Software Engineering, DSC (Doctor of Computer Science) Student.
• Contacts:
– Phone: 612-516-9712
– Email: [email protected]

Page 3

Introduction

• Class introduction
• Introduction of the course syllabus:
– Course summary
– Lab infrastructure (mock)
– Course plan
– Evaluation
– Academic integrity
• Discussion and questions about the syllabus.

Page 4

Chapter 1

Access Control Framework

Page 5

Goals

• Identify the components of access control
• Define the stages of access control
• Define and understand authentication factors

Page 6

10 Security Domains

• The Common Body of Knowledge (CBK) defines 10 security domains:
1. Access Control
2. Telecommunications and Network Security
3. Information Security Governance and Risk Management
4. Software Development Security
5. Cryptography
6. Security Architecture and Design
7. Operations Security
8. Business Continuity and Disaster Recovery Planning
9. Legal, Regulations, Investigations and Compliance
10. Physical (Environmental) Security

Page 7

Access Control

• Goal: to control access to information so that organizations can maintain the confidentiality, integrity, and availability of that information
• CIA: confidentiality (only authorized subjects can read the information), integrity (only authorized subjects can change it), availability (authorized subjects can reach it when they need it)

Page 8

What is Access Control?

• Access is the ability of a subject to interact with an object; more generally, an interaction between or among entities.
• Give examples.
• Access controls are the rules for allowing or denying access: the permissions or restrictions between and among entities.

Page 9

Components of Access Control

• Policies: the rules allowing access to resources
• Subjects: entities requesting access to a resource
• Objects: the resources themselves
• Using an ATM as an example: the cardholder is the subject, the account is the object, and the bank's rules about who may do what with that account are the policy.
• Access control systems: policies, procedures, tools

Page 10

Access Control Subject

• Authorized entity: has approved credentials
• Unauthorized entity: has no proper credentials, or has credentials but no privilege for the requested object
• Unknown entity: no credentials, anonymous
• Students give examples.

Page 11

Information System Subjects (Technology Subjects)

• Networks
• Systems
• Processes
• Applications
• Explain by discussing inter-process communication: a process requesting access to another process's resources is a subject, just as a person is.

Page 12

Access Control Objects

• Information: any type of dataset
• Technology: applications, systems and networks
• Physical location
• Note: student discussion of objects.

Page 13

Access Control Process

• Identification: the assignment of a unique user ID; the subject claims who it is
• Authentication: proof of that identity; the subject backs the claim with a credential
• Authorization: the set of rights defined for subjects and objects; rules, privileges
• Accounting: tracking the actions of subjects on objects, for example what an authorized or unauthorized user did on the system
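The four stages above, run in order over constructed data. This is an added example, not part of the course slides: the `USERS` directory, the `POLICY` rule set, the role names and the `AUDIT_LOG` list are all assumptions standing in for a real identity store, policy engine and log sink.

```python
"""Identification, authentication, authorization and accounting in one pass.

Added illustration, not course material: USERS, POLICY and the audit log are
constructed in-memory data standing in for a directory, a rule set and a SIEM.
"""
import hashlib
import hmac
import os
from datetime import datetime, timezone

PBKDF2_ROUNDS = 100_000


def _make_record(password: str, roles: set) -> dict:
    """Build a constructed user record holding a salted PBKDF2-SHA256 hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "pw_hash": digest, "roles": roles}


# Identification data: claimed user ID -> subject record (constructed sample users).
USERS = {
    "alice": _make_record("correct horse battery staple", {"analyst"}),
    "bob": _make_record("hunter2", {"dba"}),
}

# Authorization data: (role, object) -> permitted actions (constructed rules).
POLICY = {
    ("analyst", "customer_db"): {"read"},
    ("dba", "customer_db"): {"read", "write", "delete"},
}

# Accounting data: one entry per decision, whether it succeeded or not.
AUDIT_LOG = []


def _record(user_id, stage, outcome, obj=None, action=None):
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user_id, "stage": stage, "outcome": outcome,
        "object": obj, "action": action,
    })


def identify(user_id: str):
    """Identification: resolve the claimed ID to a subject record, or None."""
    rec = USERS.get(user_id)
    _record(user_id, "identification", "known" if rec else "unknown")
    return rec


def authenticate(rec: dict, password: str) -> bool:
    """Authentication: the subject proves the claim with something it knows.

    The stored hash is recomputed from the offered password and compared in
    constant time so the comparison does not leak how many bytes matched.
    """
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, rec["pw_hash"])


def authorize(rec: dict, obj: str, action: str) -> bool:
    """Authorization: is the action on this object granted by any of the subject's roles?"""
    return any(action in POLICY.get((role, obj), set()) for role in rec["roles"])


def access(user_id: str, password: str, obj: str, action: str) -> str:
    """Run the four stages in order and return the decision; every stage is logged."""
    rec = identify(user_id)
    if rec is None:
        return "denied: unknown subject"
    if not authenticate(rec, password):
        _record(user_id, "authentication", "failed")
        return "denied: authentication failed"
    _record(user_id, "authentication", "ok")
    if not authorize(rec, obj, action):
        _record(user_id, "authorization", "denied", obj, action)
        return f"denied: {action} on {obj} not permitted"
    _record(user_id, "authorization", "granted", obj, action)
    return f"granted: {action} on {obj}"


if __name__ == "__main__":
    print(access("alice", "correct horse battery staple", "customer_db", "read"))
    print(access("alice", "correct horse battery staple", "customer_db", "delete"))
    print(access("mallory", "guess", "customer_db", "read"))
    for entry in AUDIT_LOG:
        print(entry)
```

Two things worth noticing when running it: accounting records the failed attempts as well as the granted ones, which is what later lets you spot a brute-force run against one user ID; and the unknown-subject branch returns before any hashing, so it is faster than a wrong-password attempt. A production login path would hash a dummy value for unknown IDs so the two failures take the same time.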

Page 14

Authentication Mechanism

• Authentication is proof of identity.
• How do you prove it? With an authentication mechanism.
• Authentication factors and related mechanisms:
• Passwords
• Token/PIN
• Biometrics
• Shared secret
• CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart). Note that a CAPTCHA only shows that a human rather than a script is present; it does not show which human, so it is a bot-detection control rather than an authentication factor.

Page 15

Authorization

• The set of rules defined for the subjects
• Permissions
• Restrictions
• Students discuss and give examples.

Page 16

Access Control Classification

• Logical access control
– Logging in to a system
– What you are most likely to be working on
• Physical access control
– Environmental
– Most of the time not the responsibility of the IT department

Page 17

Logical Access Control Criteria

• Who, what, when, where, why and how
• Group access controls
– Grouping individuals based on some criteria in order to assign collective access
• Advantages:
– Simplifies the management of access control rules
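Group-based rules evaluated against the who/what/when/where/how criteria above. This is an added example, not part of the course slides; the group names, the `ledger` object, the office-hours window and the `10.0.0.0/8` and `10.1.0.0/16` source networks are constructed assumptions.

```python
"""Group-based logical access control evaluated against who/what/when/where/how.

Added illustration, not course material: the groups, objects, time window and
network ranges are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import time
import ipaddress

# Who: individuals are placed in groups, and rules are written against groups.
GROUPS = {
    "finance-analysts": {"alice", "carol"},
    "db-admins": {"bob"},
}


@dataclass(frozen=True)
class Rule:
    group: str                                   # who (by group membership)
    obj: str                                     # what
    actions: frozenset                           # how
    hours: tuple = (time(0, 0), time(23, 59))    # when: inclusive local-time window
    networks: tuple = ("0.0.0.0/0",)             # where: permitted source networks


RULES = [
    # Analysts may read the ledger, but only during office hours and from the corporate LAN.
    Rule("finance-analysts", "ledger", frozenset({"read"}),
         hours=(time(8, 0), time(18, 0)), networks=("10.0.0.0/8",)),
    # DBAs may read and write at any hour, but only from the admin subnet.
    Rule("db-admins", "ledger", frozenset({"read", "write"}),
         networks=("10.1.0.0/16",)),
]


def groups_of(user: str) -> set:
    return {g for g, members in GROUPS.items() if user in members}


def add_to_group(group: str, user: str) -> None:
    """Granting access is one membership change, not a new rule per object."""
    GROUPS.setdefault(group, set()).add(user)


def rule_matches(rule: Rule, user: str, obj: str, action: str,
                 when: time, source_ip: str) -> bool:
    """A rule applies only when every criterion it states is satisfied."""
    if rule.group not in groups_of(user) or rule.obj != obj or action not in rule.actions:
        return False
    start, end = rule.hours
    if not (start <= when <= end):
        return False
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(n) for n in rule.networks)


def is_allowed(user: str, obj: str, action: str, when: time, source_ip: str) -> bool:
    """Default deny: access is granted only if some rule matches on every criterion."""
    return any(rule_matches(r, user, obj, action, when, source_ip) for r in RULES)


if __name__ == "__main__":
    print(is_allowed("alice", "ledger", "read", time(10, 0), "10.2.3.4"))    # True
    print(is_allowed("alice", "ledger", "read", time(22, 0), "10.2.3.4"))    # False: after hours
    print(is_allowed("alice", "ledger", "read", time(10, 0), "192.168.1.1")) # False: off-network
```

The "why" criterion is the one piece this code does not evaluate: the business justification lives in the access request and its approval record, not in the runtime decision. Note also that the time check uses the caller's notion of local time; a real policy point must decide whose clock and time zone count.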

Page 18

Logical Access Control Objects

• Data element: a security restriction on an individual data element (field)
• Table: a database table object
• Database
• Systems
• Operating system
• Network

Page 19

Authentication Factors

• Three types of authentication factor:
• Something you know
• Something you have
• Something you are
• Class discussion on authentication factors
• Which authentication factor would you use, and why?
• Can we combine two or more authentication factors?

Page 20

Lab #1

• Group Policy Objects assessment worksheet
• Assess the impact of controls for the regulatory case study

Page 21

Assignments

• Complete the Chapter 1 assessment: page 14, questions 1 to 14.
• Reading assignment: read Chapters 1, 2 and 3 before the next class.