Access Control Management
Published in: Technology
Transcript of "Access Control Management"

  1. FIST Conference May/Madrid 2008 (sponsored event). Access Control Management. Vicente Aceituno, 2008
  2. About me
     Vice president of the ISSA Spain chapter. www.issa-spain.org
     Vice president of the FIST Conferences association. www.fistconference.org
     Author of a number of articles: Google "vaceituno wikipedia"
     Director of the ISM3 Consortium. The consortium promotes ISM3, an ISMS standard. www.ism3.com
  3. The other side
  4. Access Control
     Authentication
     Authorization
     Auditing
     Enough?
  5. Yes… questions
     User Account vs User
     Credential: ID. Information about the user. Proof of:
       Ownership: Password vs Cryptographic Key
       Personality: Human? Older than 18? A woman? From Barcelona?
  6. Authentication
     Proofs of identity, personality and ownership:
       What I know: Passwords
       What I have: Tokens
       What I am: Eyes, fingerprints, etc.
       What I like:
       What I can do: Maths in German, anyone?
       What I think: (values)
  7. Authorization
     Permission of access to resources
     Credential x Resources x Actions
  8. The hidden side
     Authentication: Real Time Authentication of Credentials vs Granting and Delivery of Credentials to People. Proof of Identity, or "Are you who you were?" Proof of Personality.
     Authorization: Real Time Access Grant vs Granting Access Rights to Credentials.
  9. Session
     Work session between user and application
     Session between processes
     TCP transmission session
     Frame transmission session
     su (nested session)
     Software agent session
     WAP2 session
     etc.
  10. Session – User Account (diagram)
  11. Session – Certificate (diagram)
  12. Access Control Management (diagram)
  13. Access Control Management (diagram)
  14. Auditing
      Logs
      Check ELML
  15. ELML Markup
      Every event can have an eventID.
      If the event is not logged by the agent of the event, the logger can be identified using a loggerID.
      The agent of the event can be identified using a sourceID.
      The agent of the event can stay in different locations, identified using an addressID.
      The credential used by the source to perform a request can be identified using a credentialID.
      The resource (subject) of the event is identified using a resourceID.
  16. ELML Markup
      The request (access attempt) performed has a RequestType and a Result. The reason for the Result is stated in the ResultText.
      The payload contains the information necessary to perform the request.
      dateTime is the date and time when the request is performed.
      signature is the digital signature of the event using the credentialID.
      hash is the digital summary of the event. It is recommended that the hash of the previous event in the Record is used to calculate it.
  17. ELML Vocabulary

      Component    Initiate   Finalize     Freeze      Unfreeze   Query State   Change State
      Credential   create     delete       block       unblock    read          write
      Session      login      logout       suspend     resume     read          write
      Message      send       listen       retain      forward    read          write
      Repository   create     delete       block       unblock    read          write
      Interface    connect    disconnect   interrupt   continue   read          write
      Channel      open       close        hold        release    read          write
      Service      start      stop         pause       resume     read          write
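As an added illustration (not part of the slides or of any ELML implementation), a minimal hash-chained ELML-style Record in Python: the field names come from slides 15-16 and the component/action vocabulary from slide 17, while the JSON encoding, SHA-256, the GENESIS value and the function names are assumptions, and the signature field is left out.

```python
import hashlib
import json
from datetime import datetime, timezone

# Hypothetical ELML-style Record: field names come from slides 15-17, the
# encoding (JSON + SHA-256) is an assumption. Each event's hash covers its
# own fields plus the previous event's hash, so removing, reordering or
# editing one event breaks every hash after it.

# Slide 17 vocabulary: component -> allowed RequestType values
VOCABULARY = {
    "Credential": ("create", "delete", "block", "unblock", "read", "write"),
    "Session":    ("login", "logout", "suspend", "resume", "read", "write"),
    "Message":    ("send", "listen", "retain", "forward", "read", "write"),
    "Repository": ("create", "delete", "block", "unblock", "read", "write"),
    "Interface":  ("connect", "disconnect", "interrupt", "continue", "read", "write"),
    "Channel":    ("open", "close", "hold", "release", "read", "write"),
    "Service":    ("start", "stop", "pause", "resume", "read", "write"),
}

GENESIS = "0" * 64  # constructed previous-hash for the first event of a Record

def event_hash(event, prev_hash):
    """SHA-256 of the event's fields (hash and signature excluded) plus prev_hash."""
    body = {k: v for k, v in event.items() if k not in ("hash", "signature")}
    data = json.dumps(body, sort_keys=True, separators=(",", ":")) + prev_hash
    return hashlib.sha256(data.encode()).hexdigest()

def make_event(record, component, request_type, result, result_text, ids, date_time=None):
    """Append one event to the Record; ids holds sourceID, credentialID, resourceID, etc."""
    if request_type not in VOCABULARY[component]:
        raise ValueError(f"{request_type!r} is not an ELML action for {component}")
    prev_hash = record[-1]["hash"] if record else GENESIS
    event = {"eventID": len(record) + 1, "component": component,
             "RequestType": request_type, "Result": result, "ResultText": result_text,
             "dateTime": date_time or datetime.now(timezone.utc).isoformat(), **ids}
    event["hash"] = event_hash(event, prev_hash)
    record.append(event)
    return event

def verify_record(record):
    """Return the index of the first event whose hash does not chain, or -1 if intact."""
    prev_hash = GENESIS
    for i, event in enumerate(record):
        if event["hash"] != event_hash(event, prev_hash):
            return i
        prev_hash = event["hash"]
    return -1
```

verify_record pinpoints the first event after which the chain is broken, which is what a log reviewer needs to know when a record has been edited or an event silently dropped.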
  18. Multiple Credentials
  19. Challenges
      eDNI
      Weak Passwords / Authentication
      Identification vs Anonymity
      Privacy vs Marketing
      DRM
      Physical Access
      SSO
      Password Synchronization
      Logs Standardization
      Expiry
      Minimum Privilege
      Work Role – Access Rights Synchronization
      Identifying Systems -> Phishing
  20. Access Control
      http://identity20.com/media/OSCON2005/
      http://www.cerias.purdue.edu/weblogs/spaf/general/post-30/
  21. Access Control
      Identification
      Authentication
      Access Granting
      Authorization
      Auditing
  22. Access Control
  23. Creative Commons Attribution-NoDerivs 2.0
      You are free: to copy, distribute, display, and perform this work.
      Under the following conditions:
        Attribution. You must give the original author credit.
        No Derivative Works. You may not alter, transform, or build upon this work.
      For any reuse or distribution, you must make clear to others the license terms of this work. Any of these conditions can be waived if you get permission from the author. Your fair use and other rights are in no way affected by the above.
      This work is licensed under the Creative Commons Attribution-NoDerivs License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
  24. THANK YOU. With the sponsorship of: (sponsor logo). www.fistconference.org