About me
Vice president of the ISSA Spain chapter. www.issa-spain.org
Vice president of the FIST Conferences association. www.fistconference.org
Author of a number of articles: Google: vaceituno wikipedia
Director of the ISM3 Consortium. The consortium promotes ISM3, an ISMS standard. www.ism3.com

Yes… questions
User Account vs User
Credential: ID. Information about the user. Proof of:
Ownership: Password vs Cryptographic Key
Personality: Human? Older than 18? A woman? From Barcelona?

Authentication
Proofs of identity, personality and ownership:
What I know: Passwords
What I have: Tokens
What I am: Eyes, fingerprints, etc.
What I like:
What I can do: Maths in German, anyone?
What I think: (values)

Authorization
Permission of access to resources
Credential x Resources x Actions

The hidden side
Authentication: Real-time authentication of credentials vs granting and delivery of credentials to people. Proof of identity, or "Are you who you were?" Proof of personality.
Authorization: Real-time access grant vs granting access rights to credentials.

Session
Work session between user and application
Session between processes
TCP transmission session
Frame transmission session
su (nested session)
Software agent session
WAP2 session
etc.
ELML Markup
Every event can have an eventID.
If the event is not logged by the agent of the event, the logger can be identified using a loggerID.
The agent of the event can be identified using a sourceID.
The agent of the event can stay in different locations, identified using an addressID.
The credential used by the source to perform a request can be identified using a credentialID.
The resource (subject) of the event is identified using a resourceID.

ELML Markup
The request (access attempt) performed has a RequestType and a Result. The reason for the Result is stated in the ResultText.
The payload contains the information necessary to perform the request.
dateTime is the date and time when the request is performed.
signature is the digital signature of the event using the credentialID.
hash is the digital summary of the event. It is recommended that the hash of the previous event in the Record is used to calculate it.
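A worked illustration of the ELML fields above, added here and not code from the ELML specification or the deck's author: events carry the listed fields, each hash covers the previous event's hash as the slide recommends, and verification walks the chain. The JSON layout, HMAC standing in for the credential's digital signature, DEMO_KEY and every sample value are assumptions of this example.

```python
import hashlib
import hmac
import json

# Field names follow the ELML slides; the JSON layout, the hash construction and
# HMAC standing in for the digital signature are assumptions of this example.
BODY_FIELDS = ("eventID", "loggerID", "sourceID", "addressID", "credentialID",
               "resourceID", "RequestType", "Result", "ResultText", "payload", "dateTime")
DEMO_KEY = b"constructed-demo-signing-key"  # constructed stand-in for the credential's key

def canonical(event):
    """Deterministic bytes of the event body (everything except hash and signature)."""
    return json.dumps({k: event.get(k) for k in BODY_FIELDS}, sort_keys=True).encode()

def event_hash(event, prev_hash):
    """hash = SHA-256(previous event's hash || body), chaining events in the Record."""
    return hashlib.sha256(prev_hash.encode() + canonical(event)).hexdigest()

def append_event(record, fields, key):
    """Append an event with its chained hash and a signature over that hash."""
    event = dict(fields, eventID=len(record) + 1)
    event["hash"] = event_hash(event, record[-1]["hash"] if record else "")
    event["signature"] = hmac.new(key, event["hash"].encode(), "sha256").hexdigest()
    record.append(event)
    return event

def verify_record(record, key):
    """Recompute every hash and signature; return (True, None) or (False, first_bad_index)."""
    prev_hash = ""
    for i, event in enumerate(record):
        expected = event_hash(event, prev_hash)
        sig = hmac.new(key, expected.encode(), "sha256").hexdigest()
        if event["hash"] != expected or not hmac.compare_digest(event["signature"], sig):
            return False, i
        prev_hash = event["hash"]
    return True, None

def build_sample_record():
    """Constructed sample: three access attempts on one resource with one credential."""
    base = {"loggerID": "log-1", "sourceID": "app-1", "addressID": "10.0.0.5",
            "credentialID": "cred-42", "resourceID": "/payroll", "RequestType": "read", "payload": ""}
    record = []
    for n, (result, text) in enumerate([("Denied", "bad password"), ("Granted", "ok"), ("Granted", "ok")]):
        append_event(record, dict(base, Result=result, ResultText=text,
                                  dateTime=f"2005-01-01T10:0{n}:00"), DEMO_KEY)
    return record

def tampered_deletion(record):
    """Copy of the record with the middle event removed; the chained hash exposes the gap."""
    return [dict(e) for i, e in enumerate(record) if i != 1]
```

Editing any field of an event breaks that event's own hash and signature; removing an event breaks the hash of the event that followed it, which is what the chaining recommendation buys.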
Challenges
eDNI
Weak Passwords / Authentication
Identification vs Anonymity
Privacy vs Marketing
DRM
Physical Access
SSO
Password Synchronization
Log Standardization
Expiry
Minimum Privilege
Work Role – Access Rights Synchronization
Identifying Systems -> Phishing

Creative Commons Attribution-NoDerivs 2.0
You are free:
• to copy, distribute, display, and perform this work
Under the following conditions:
Attribution. You must give the original author credit.
No Derivative Works. You may not alter, transform, or build upon this work.
For any reuse or distribution, you must make clear to others the license terms of this work.
Any of these conditions can be waived if you get permission from the author.
Your fair use and other rights are in no way affected by the above.
This work is licensed under the Creative Commons Attribution-NoDerivs License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

With the sponsorship of: www.fistconference.org
THANK YOU