Access Control Fundamental
Assoc. Prof. Ts. Dr. Madihah Mohd Saudi
Faculty of Science & Technology, USIM
CONTENTS
• Introduction
• Access Control Challenges
• Access Control Principles
• Access Control Practices
• Security Principles
• Identification, Authentication & Authorization
• Access Control Categories
• Access Control Types
• Access Control Threats
• Access Control Technologies - Single Sign-On
• Access Control Models
• Access Control Techniques
• Access Control Administration
• Access Control Monitoring (IDS/IPS)
• Access Control Assurance
Introduction
• Access controls: security features that control how users & systems communicate & interact with other systems & resources.
• Access: the flow of information between a subject & a resource.
• A subject: an active entity that requests access to a resource or the data within a resource (e.g. user, program, process, etc.).
• A resource: an entity that contains the information (e.g. computer, database, file, program, printer, etc.).
• Access controls give the organization the ability to control, restrict, monitor, & protect resource availability, integrity, & confidentiality.
Access Control Challenges
• Diverse identity data must be kept on different types of users: credentials, personal data, contact information, work-related data, digital certificates, cognitive passwords, etc.
• The corporate environment is continually changing: business environment needs, resource access needs, employee roles, actual employees, etc.
• Various types of users need different levels of access: internal users, contractors, outsiders, partners, etc.
• Resources have different classification levels: confidential, internal use only, private, public, etc.
Access Control Principles
1. Principle of Least Privilege (default no access): if nothing has been specifically configured for an individual or the groups he/she belongs to, the user should not be able to access that resource.
2. Separation of Duties: separating any conflicting areas of responsibility so as to reduce opportunities for unauthorized or unintentional modification or misuse of organizational assets &/or information.
3. Need to know: based on the concept that individuals should be given access only to the information that they absolutely require in order to perform their job duties.
Access Control Practices
1. Disable unneeded system features, services, & ports.
2. Deny access to systems by undefined users or anonymous accounts.
3. Suspend inactive accounts after 30 to 60 days.
4. Enforce the need-to-know & least-privilege practices.
5. Enforce strict access criteria.
6. Remove obsolete user accounts as soon as the user leaves the company.
7. Suspend or delay access capability after a specific number of unsuccessful logon attempts.
8. Limit & monitor the usage of administrator & other powerful accounts.
9. Replace default password settings on accounts.
10. Limit & monitor global access rules.
11. Ensure that logon IDs are nondescriptive of job function.
12. Remove redundant resource rules from accounts & group memberships.
13. Remove redundant user IDs, accounts, & role-based accounts from resource access lists.
14. Enforce password rotation.
15. Enforce password requirements (length, contents, lifetime, distribution, storage, & transmission).
16. Audit system & user events & actions & review reports periodically.
17. Protect audit logs.
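The two practices that are easiest to get wrong in code are the lockout after repeated unsuccessful logons and the suspension of inactive accounts, because both need state that survives between requests. The following is an added example, not code from the slides or from USIM, that implements those two practices plus an audit trail of every decision (practice 16). The threshold of five failed attempts and the 30-day window are assumptions chosen for illustration (the slide only says "a specific number" and "30 to 60 days"), and the accounts, user IDs and timestamps are constructed sample data.

```python
# Added example (not from the slides): enforce lockout after repeated failed
# logons, suspend inactive accounts, and keep an audit log of every decision.
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_FAILED_LOGONS = 5    # assumed threshold; the slide only says "a specific number"
INACTIVITY_DAYS = 30     # lower end of the slide's 30 to 60 day range


@dataclass
class Account:
    user_id: str              # nondescriptive of job function (practice 11)
    last_logon: datetime
    failed_attempts: int = 0
    suspended: bool = False
    reason: str = ""


class AccountPolicy:
    """Tracks logon outcomes and enforces lockout / inactivity suspension."""

    def __init__(self, max_failed=MAX_FAILED_LOGONS, inactivity_days=INACTIVITY_DAYS):
        self.max_failed = max_failed
        self.inactivity = timedelta(days=inactivity_days)
        self.audit_log = []   # practice 16: every decision is recorded for review

    def _log(self, now, user_id, event):
        self.audit_log.append(f"{now.isoformat()} {user_id} {event}")

    def record_logon(self, acct, credentials_ok, now):
        """Return the decision for one logon attempt and update the account."""
        if acct.suspended:
            self._log(now, acct.user_id, "DENY suspended")
            return "denied: account suspended"
        if credentials_ok:
            acct.failed_attempts = 0          # a good logon resets the counter
            acct.last_logon = now
            self._log(now, acct.user_id, "ALLOW")
            return "allowed"
        acct.failed_attempts += 1
        self._log(now, acct.user_id, f"DENY bad credentials ({acct.failed_attempts})")
        if acct.failed_attempts >= self.max_failed:
            acct.suspended = True              # practice 7: lock after N failures
            acct.reason = "too many failed logons"
            self._log(now, acct.user_id, "SUSPEND lockout")
            return "denied: account suspended after failed attempts"
        return "denied: bad credentials"

    def sweep_inactive(self, accounts, now):
        """Suspend accounts idle longer than the window (practice 3); return their IDs."""
        suspended = []
        for acct in accounts:
            if not acct.suspended and now - acct.last_logon > self.inactivity:
                acct.suspended = True
                acct.reason = "inactive"
                self._log(now, acct.user_id, "SUSPEND inactive")
                suspended.append(acct.user_id)
        return suspended


def demo():
    """Run the policy over constructed accounts; returns the observable results."""
    now = datetime(2024, 1, 31, 9, 0)                      # constructed clock
    alice = Account("u1001", last_logon=now - timedelta(days=2))
    bob = Account("u1002", last_logon=now - timedelta(days=45))
    policy = AccountPolicy()
    # six bad password attempts against u1001, one second apart
    outcomes = [policy.record_logon(alice, False, now + timedelta(seconds=i))
                for i in range(MAX_FAILED_LOGONS + 1)]
    idle = policy.sweep_inactive([alice, bob], now)        # only u1002 is idle
    return outcomes, idle, alice.suspended, bob.suspended, policy.audit_log


if __name__ == "__main__":
    outcomes, idle, _, _, log = demo()
    print(outcomes, idle)
    print("\n".join(log))
```

The sweep skips accounts that are already suspended so the audit log records one reason per suspension, and the lockout check runs before the credential check so a suspended account cannot keep incrementing its own counter.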
Security Principles
• Fundamental Principles (CIA)
• Identification
• Authentication
• Authorization
• Non-Repudiation
Identification, Authentication & Authorization
• Identification describes a method of ensuring that a subject is the entity it claims to be (e.g. a username or an account number).
• Authentication is the method of proving the subject's identity (e.g. password, passphrase, PIN).
• Authorization is the method of controlling the access of objects by the subject (e.g. a user cannot delete a particular file after logging into the system).
Note: There must be a three-step process of Identification, Authentication, & Authorization in order for a subject to access an object.
Identification Component Requirements
When issuing identification values to users or subjects, ensure that:
1. Each value should be unique, for user accountability;
2. A standard naming scheme should be followed;
3. The values should be non-descriptive of the user's position or task;
4. The values should not be shared between the users.
Authentication Factors
01 Something a person knows (passwords, PIN)
02 Something a person has (access card, key)
03 Something a person is (biometrics)
Note: For strong authentication, the process must include two out of the three authentication factors; this is also referred to as two-factor authentication.
Authentication Methods
• Biometrics
• Passwords
• Cognitive passwords (e.g. mother's maiden name)
• One-time passwords
• Cryptographic keys
• Passphrase
• Memory cards (swipe cards, ATM cards)
• Smart cards
Identity Management
• Identity Management is a broad term that encompasses the use of different products to identify, authenticate, & authorize users through automated means.
• The identity is established as:
 • a name (or number) is associated to the subject or object; &
 • the identity is re-established: a new or additional name (or number) is connected to the subject or object.
• The identity is described as:
 • one or more attributes which are applicable to this particular subject or object may be assigned to the identity; &
 • the identity is newly described: one or more attributes which are applicable to this particular subject or object may be changed.
Access Control Categories
• Administrative Controls
• Physical Controls
• Technical or Logical Controls

Administrative Control Components
• Policy & Procedures
• Personnel Controls
• Supervisory Structure
• Security-Awareness Training
• Testing

Examples of Administrative Controls
▪ Security policy
▪ Monitoring & supervising
▪ Separation of duties
▪ Job rotation
▪ Information classification
▪ Personnel procedures
▪ Investigations
▪ Testing
▪ Security-awareness & training

Physical Control Components
• Network Segregation
• Perimeter Security
• Computer Controls
• Work Area Separation
• Data Backups
• Cabling
• Control Zone

Examples of Physical Controls
▪ Fences
▪ Locks
▪ Badge system
▪ Security guard
▪ Biometric system
▪ Mantrap doors
▪ Lighting
▪ Motion detectors
▪ Closed-circuit TVs
▪ Alarms
▪ Backups
▪ Safe storage area for backups

Technical Control Components
• System Access
• Network Access
• Encryption & Protocols
• Auditing
• Network Architecture

Examples of Technical Controls
▪ ACLs
▪ Routers
▪ Encryption
▪ Audit logs
▪ IDS
▪ Antivirus software
▪ Firewalls
▪ Smart cards
▪ Dial-up call-back systems
▪ Alarms & alerts
Access Control Types
1. Preventative: avoid undesirable events from occurring.
2. Detective: identify undesirable events that have occurred.
3. Corrective: correct undesirable events that have occurred.
4. Deterrent: discourage security violations.
5. Recovery: restore resources & capabilities.
6. Compensative: provide alternatives to other controls.
Access Control Threats
• Denial of Service (DoS/DDoS)
• Buffer overflows
• Malicious software
• Password crackers
• Spoofing / masquerading
• Emanations
• Shoulder surfing
• Object reuse
• Data remanence
• Backdoor / trapdoor
• Dictionary attacks
• Brute force attacks
• Social engineering
Access Control Technologies - Single Sign-On
• Introduction: SSO is a technology that allows a user to enter credentials one time & be able to access all resources in primary & secondary network domains.
• Advantages:
 • Reduces the amount of time users spend authenticating to resources.
 • Enables the administrator to streamline user accounts & better control access rights.
 • Improves security by reducing the probability that users will write down their passwords.
 • Reduces the administrator's time in managing access permissions.
• Limitations: every platform, application & resource needs to accept the same type of credentials, in the same format, & interpret their meaning in the same way.
• Disadvantages: once an individual is in, he is in, thus giving a bigger scope to an attacker.
Access Control Models
▪ A framework that dictates how subjects access objects.
▪ Uses access control technologies & security mechanisms to enforce the rules & objectives of the model.

1. Discretionary (DAC)
➢ Based on the discretion (wish) of the owner.
➢ A system that uses DAC enables the owner of the resource to specify which subjects can access specific resources.
➢ Examples: Unix, Linux & Windows access control is based on DAC.

2. Mandatory (MAC)
➢ This model is very structured & strict & is based on a security label (also known as a sensitivity label) attached to all objects.
➢ The subjects are given security clearance by classifying them as secret, top-secret, confidential, etc., & the objects are classified similarly.
➢ Examples: SELinux (by NSA), Trusted Solaris.

3. Role-based (RBAC)
➢ RBAC is based on user roles & uses a centrally administered set of controls to determine how subjects & objects interact.
➢ The RBAC approach simplifies access control administration.
➢ It is the best system for a company that has high employee turnover.
➢ Note: RBAC can generally be used in combination with MAC & DAC systems.

Model   Access Control Owner   Security Policy enforced by
DAC     Data owners            Access-control list
MAC     Operating systems      Security labels
RBAC    Administrator          Roles / functional position
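The table is easiest to understand when the same request is put to all three models side by side. The following is an added example, not code from the slides or from any of the named systems, that implements each row of the table as a small decision function: the DAC access-control list is one column of the access control matrix described under Techniques, the MAC check compares a subject's clearance with an object's label, and RBAC routes every decision through roles so that only the user-to-role mapping changes at turnover. The subjects, objects, labels, roles and the "no read up" rule for MAC (read only when clearance is at least the object's label) are assumptions added for illustration; the slide itself only says that subjects and objects are classified similarly.

```python
# Added example (not from the slides): DAC, MAC and RBAC decisions for one
# constructed set of subjects and objects, so their differences can be compared.
from enum import IntEnum


class Label(IntEnum):
    """Sensitivity labels, ordered so a higher clearance dominates a lower label."""
    PUBLIC = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


# --- DAC: the data owner maintains an access-control list per object.
# Assumed shape: {object: {subject: {actions}}}. Anything not listed is denied
# (the "default no access" principle from the Principles slide).
DAC_ACL = {
    "payroll.xlsx": {"alice": {"read", "write"}, "bob": {"read"}},
    "memo.txt":     {"alice": {"read"}, "bob": {"read"}, "carol": {"read"}},
}


def dac_allows(acl, subject, obj, action):
    return action in acl.get(obj, {}).get(subject, set())


# --- MAC: the operating system compares the subject's clearance with the
# object's label. Assumed rule ("no read up"): read only when clearance >= label.
CLEARANCE = {"alice": Label.SECRET, "bob": Label.CONFIDENTIAL, "carol": Label.PUBLIC}
OBJECT_LABEL = {"payroll.xlsx": Label.SECRET, "memo.txt": Label.PUBLIC}


def mac_allows_read(clearance, labels, subject, obj):
    return clearance[subject] >= labels[obj]


# --- RBAC: an administrator assigns users to roles and roles to permissions.
# Subjects never hold permissions directly, so a leaver is handled by removing
# one user -> role entry rather than editing every object's ACL.
ROLE_PERMS = {
    "hr":    {("payroll.xlsx", "read"), ("payroll.xlsx", "write"), ("memo.txt", "read")},
    "staff": {("memo.txt", "read")},
}
USER_ROLES = {"alice": {"hr"}, "bob": {"staff"}, "carol": {"staff"}}


def rbac_allows(user_roles, role_perms, subject, obj, action):
    return any((obj, action) in role_perms.get(role, set())
               for role in user_roles.get(subject, set()))


def decide(subject, obj, action):
    """Evaluate one request under all three models; MAC only governs reads here."""
    result = {
        "DAC": dac_allows(DAC_ACL, subject, obj, action),
        "RBAC": rbac_allows(USER_ROLES, ROLE_PERMS, subject, obj, action),
    }
    if action == "read":
        result["MAC"] = mac_allows_read(CLEARANCE, OBJECT_LABEL, subject, obj)
    return result


def rbac_with_mac(subject, obj, action):
    """RBAC combined with MAC, as the slide notes is common: both must allow."""
    d = decide(subject, obj, action)
    return d["RBAC"] and d.get("MAC", True)


if __name__ == "__main__":
    for req in [("alice", "payroll.xlsx", "write"), ("bob", "payroll.xlsx", "read"),
                ("carol", "memo.txt", "read"), ("carol", "payroll.xlsx", "read")]:
        print(req, decide(*req), "RBAC+MAC:", rbac_with_mac(*req))
```

The instructive case is bob reading payroll.xlsx: the owner's ACL allows it (DAC), but his CONFIDENTIAL clearance does not dominate the SECRET label (MAC) and his staff role carries no payroll permission (RBAC). That is exactly the difference the table draws between an owner-set policy and a policy enforced by the system or administrator.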
Access Control Techniques
01 Rule-Based Access Control
02 Constrained User Interface
03 Access Control Matrix
04 Content-Dependent Access Control
05 Context-Dependent Access Control

Rule-Based Access Control
• Uses specific rules that indicate what can & cannot happen between a subject & an object.
• E.g.: routers & firewalls use rules to filter incoming & outgoing packets.

Constrained User Interface
• Constrained user interfaces restrict users' access ability by not allowing them to request certain functions or information, or to have access to specific system resources.
• 3 major types of restricted interfaces: menus & shells, database views, physically constrained interfaces.

Access Control Matrix
• An access control matrix is a table of subjects & objects indicating what actions individual subjects can take upon individual objects.

Content-Dependent Access Control
• Access to the objects is based on the content within the object.
• Examples: database views, e-mail filtering, etc.

Context-Dependent Access Control
• The access decisions are based on the context of a collection of information rather than on the sensitivity of the data.
• Example: a firewall makes context-based access decisions when it collects state information on a packet before allowing it into the network.
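The firewall is used twice in this section, once as the example of rule-based control and once as the example of context-dependent control, and a single toy filter shows how the two differ. The following is an added example, not code from the slides, in which an ordered rule list with a default deny is the rule-based part, and a table of connections opened from the inside is the context: an inbound packet is admitted as a reply only if it matches a flow that an allowed outbound packet created. The addresses, ports, rules and packets are constructed sample data.

```python
# Added example (not from the slides): a toy packet filter combining rule-based
# control (ordered rules, default deny) with context-dependent control (state
# collected from earlier outbound packets decides whether a reply may enter).
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    sport: int
    direction: str   # "out" = inside -> outside, "in" = outside -> inside


@dataclass(frozen=True)
class Rule:
    direction: str
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # CIDR; the default matches any source
    dport: Optional[int] = None  # None matches any destination port


def rule_matches(rule, pkt):
    """A rule matches on direction, source network and (optionally) destination port."""
    return (rule.direction == pkt.direction
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and (rule.dport is None or rule.dport == pkt.dport))


class StatefulFilter:
    def __init__(self, rules):
        self.rules = rules
        # context: flows opened from inside, as (inside_host, inside_port, outside_host, outside_port)
        self.flows = set()

    def decide(self, pkt):
        # Context-dependent check: a reply to a tracked outbound flow is admitted
        # even though no static rule mentions the ephemeral destination port.
        if pkt.direction == "in" and (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "allow (established)"
        # Rule-based check: first matching rule wins; nothing matching is denied.
        for rule in self.rules:
            if rule_matches(rule, pkt):
                if rule.action == "allow" and pkt.direction == "out":
                    self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return rule.action
        return "deny (default)"


# Constructed policy: inside hosts may open HTTPS outward; only the assumed
# 10.0.0.0/8 management network may open SSH inward. Everything else is denied.
RULES = [
    Rule(direction="out", action="allow", src="192.168.1.0/24", dport=443),
    Rule(direction="in",  action="allow", src="10.0.0.0/8", dport=22),
]


def demo():
    """Run six constructed packets through the filter and return the decisions."""
    fw = StatefulFilter(RULES)
    return [
        fw.decide(Packet("192.168.1.10", "203.0.113.5", 443, 51000, "out")),   # rule 1
        fw.decide(Packet("203.0.113.5", "192.168.1.10", 51000, 443, "in")),    # reply to tracked flow
        fw.decide(Packet("203.0.113.5", "192.168.1.10", 51001, 443, "in")),    # no such flow
        fw.decide(Packet("10.2.3.4", "192.168.1.10", 22, 40000, "in")),        # rule 2
        fw.decide(Packet("198.51.100.7", "192.168.1.10", 22, 40000, "in")),    # wrong source net
        fw.decide(Packet("192.168.1.10", "203.0.113.5", 25, 51002, "out")),    # no rule for port 25
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Packets two and three differ only in the destination port, and only one of them corresponds to a connection the inside host actually opened; the rule list alone could not tell them apart, which is what the slide means by a decision based on context rather than on the data itself.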
Access Control Administration

Centralized Access Control
• One entity (a department or an individual) is responsible for overseeing access to all corporate resources.
• This type of administration provides a consistent and uniform method of controlling the users' access rights.
• Examples: RADIUS, TACACS, and Diameter.

Decentralized Access Control
• Gives control of access to the people closer to the resources.
• There is a possibility of certain controls overlapping, in which case actions may not be properly proscribed or restricted.
• This type of administration does not provide methods for consistent control, as a centralized method would.
Access Control Monitoring (IDS/IPS)
A method of keeping track of who attempts to access specific network resources.

Intrusion Detection System (IDS)
• The process of detecting unauthorized use of, or attack upon, a computer, network, or telecommunication infrastructure.
• Designed to aid in mitigating the damage that can be caused by hacking or breaking into sensitive computer and network systems.

Intrusion Prevention System (IPS)
• Examines network traffic flows to detect & prevent vulnerability exploits.
• IPS is a preventative & proactive technology, whereas an IDS is a detective & after-the-fact technology.
Access Control Assurance
• Accountability is the method of tracking and logging the subject's actions on the objects.
• Auditing is an activity where the users'/subjects' actions on the objects are monitored in order to verify that the sensitivity policies are enforced; it can also be used as an investigation tool.

Advantages of Auditing
❖ Track unauthorized activities performed by individuals.
❖ Detect intrusion.
❖ Reconstruct events & system conditions.
❖ Provide legal resource material & produce problem reports.
Access Control Fundamentals

More Related Content

What's hot

Intro To Access Controls
Intro To Access ControlsIntro To Access Controls
Intro To Access ControlsHari Pudipeddi
 
55994241 cissp-cram
55994241 cissp-cram55994241 cissp-cram
55994241 cissp-crambsnl007
 
Data security authorization and access control
Data security  authorization and access controlData security  authorization and access control
Data security authorization and access controlLeo Mark Villar
 
Mandatory access control for information security
Mandatory access control for information securityMandatory access control for information security
Mandatory access control for information securityAjit Dadresa
 
Access_Control_Systems_and_methodology
Access_Control_Systems_and_methodologyAccess_Control_Systems_and_methodology
Access_Control_Systems_and_methodologyArti Ambokar
 
8. operations security
8. operations security8. operations security
8. operations security7wounders
 
Security and Integrity
Security and IntegritySecurity and Integrity
Security and Integritylubna19
 
access-control-week-2
access-control-week-2access-control-week-2
access-control-week-2jemtallon
 
Access control Week 1
Access control Week 1Access control Week 1
Access control Week 1jemtallon
 
Operations Security Presentation
Operations Security PresentationOperations Security Presentation
Operations Security PresentationWajahat Rajab
 
01 database security ent-db
01  database security ent-db01  database security ent-db
01 database security ent-dbuncleRhyme
 
security and privacy in dbms and in sql database
security and privacy in dbms and in sql databasesecurity and privacy in dbms and in sql database
security and privacy in dbms and in sql databasegourav kottawar
 
The 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochThe 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochQA or the Highway
 
Biometric Access Control Systems
Biometric Access Control SystemsBiometric Access Control Systems
Biometric Access Control SystemsSafe-Systems Inc.
 

What's hot (20)

Intro To Access Controls
Intro To Access ControlsIntro To Access Controls
Intro To Access Controls
 
Isys20261 lecture 12
Isys20261 lecture 12Isys20261 lecture 12
Isys20261 lecture 12
 
55994241 cissp-cram
55994241 cissp-cram55994241 cissp-cram
55994241 cissp-cram
 
Data security authorization and access control
Data security  authorization and access controlData security  authorization and access control
Data security authorization and access control
 
Chapter 5 - Identity Management
Chapter 5 - Identity ManagementChapter 5 - Identity Management
Chapter 5 - Identity Management
 
Mandatory access control for information security
Mandatory access control for information securityMandatory access control for information security
Mandatory access control for information security
 
Access_Control_Systems_and_methodology
Access_Control_Systems_and_methodologyAccess_Control_Systems_and_methodology
Access_Control_Systems_and_methodology
 
8. operations security
8. operations security8. operations security
8. operations security
 
Security and Integrity
Security and IntegritySecurity and Integrity
Security and Integrity
 
access-control-week-2
access-control-week-2access-control-week-2
access-control-week-2
 
Access control Week 1
Access control Week 1Access control Week 1
Access control Week 1
 
Chapter 1 Personal security
Chapter 1  Personal securityChapter 1  Personal security
Chapter 1 Personal security
 
Operations Security Presentation
Operations Security PresentationOperations Security Presentation
Operations Security Presentation
 
Database security
Database securityDatabase security
Database security
 
Os8
Os8Os8
Os8
 
01 database security ent-db
01  database security ent-db01  database security ent-db
01 database security ent-db
 
security and privacy in dbms and in sql database
security and privacy in dbms and in sql databasesecurity and privacy in dbms and in sql database
security and privacy in dbms and in sql database
 
The 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochThe 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan Koch
 
Access Control System, BMS
Access Control System, BMSAccess Control System, BMS
Access Control System, BMS
 
Biometric Access Control Systems
Biometric Access Control SystemsBiometric Access Control Systems
Biometric Access Control Systems
 

Similar to Access Control Fundamentals

Security & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptxSecurity & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptxdotco
 
Security & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptxSecurity & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptxTechnocracy2
 
crisc_wk_5.pptx
crisc_wk_5.pptxcrisc_wk_5.pptx
crisc_wk_5.pptxdotco
 
Database managementsystemes_Unit-7.pptxe
Database managementsystemes_Unit-7.pptxeDatabase managementsystemes_Unit-7.pptxe
Database managementsystemes_Unit-7.pptxechnrketan
 
Comprehensive Analysis of Contemporary Information Security Challenges
Comprehensive Analysis of Contemporary Information Security ChallengesComprehensive Analysis of Contemporary Information Security Challenges
Comprehensive Analysis of Contemporary Information Security Challengessidraasif9090
 
Unit-4-User-Authentication.pptx
Unit-4-User-Authentication.pptxUnit-4-User-Authentication.pptx
Unit-4-User-Authentication.pptxPuskar Bhandari
 
The 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochThe 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochQA or the Highway
 
Identity and Security in the Cloud
Identity and Security in the CloudIdentity and Security in the Cloud
Identity and Security in the CloudRichard Diver
 
Human rehfghhfhhsources SECURITY DATA.pptx
Human rehfghhfhhsources  SECURITY DATA.pptxHuman rehfghhfhhsources  SECURITY DATA.pptx
Human rehfghhfhhsources SECURITY DATA.pptxdrluminajulier
 
Annual OktCyberfest 2019
Annual OktCyberfest 2019Annual OktCyberfest 2019
Annual OktCyberfest 2019Fahad Al-Hasan
 
Types_of_Access_Controlsggggggggggggggggg
Types_of_Access_ControlsgggggggggggggggggTypes_of_Access_Controlsggggggggggggggggg
Types_of_Access_ControlsgggggggggggggggggSaurabh846965
 
Presentation2 (2)
Presentation2 (2)Presentation2 (2)
Presentation2 (2)ITNet
 

Similar to Access Control Fundamentals (20)

Chapter 7
Chapter 7Chapter 7
Chapter 7
 
Security & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptxSecurity & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptx
 
Security & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptxSecurity & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptx
 
4_5949547032388570388.ppt
4_5949547032388570388.ppt4_5949547032388570388.ppt
4_5949547032388570388.ppt
 
crisc_wk_5.pptx
crisc_wk_5.pptxcrisc_wk_5.pptx
crisc_wk_5.pptx
 
Cyber Security # Lec 5
Cyber Security # Lec 5Cyber Security # Lec 5
Cyber Security # Lec 5
 
security in is.pptx
security in is.pptxsecurity in is.pptx
security in is.pptx
 
Database managementsystemes_Unit-7.pptxe
Database managementsystemes_Unit-7.pptxeDatabase managementsystemes_Unit-7.pptxe
Database managementsystemes_Unit-7.pptxe
 
Comprehensive Analysis of Contemporary Information Security Challenges
Comprehensive Analysis of Contemporary Information Security ChallengesComprehensive Analysis of Contemporary Information Security Challenges
Comprehensive Analysis of Contemporary Information Security Challenges
 
Unit-4-User-Authentication.pptx
Unit-4-User-Authentication.pptxUnit-4-User-Authentication.pptx
Unit-4-User-Authentication.pptx
 
Co p
Co pCo p
Co p
 
The 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochThe 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan Koch
 
Identity and Security in the Cloud
Identity and Security in the CloudIdentity and Security in the Cloud
Identity and Security in the Cloud
 
Co p
Co pCo p
Co p
 
Human rehfghhfhhsources SECURITY DATA.pptx
Human rehfghhfhhsources  SECURITY DATA.pptxHuman rehfghhfhhsources  SECURITY DATA.pptx
Human rehfghhfhhsources SECURITY DATA.pptx
 
Information Security
Information SecurityInformation Security
Information Security
 
Annual OktCyberfest 2019
Annual OktCyberfest 2019Annual OktCyberfest 2019
Annual OktCyberfest 2019
 
Types_of_Access_Controlsggggggggggggggggg
Types_of_Access_ControlsgggggggggggggggggTypes_of_Access_Controlsggggggggggggggggg
Types_of_Access_Controlsggggggggggggggggg
 
Module 6.pptx
Module 6.pptxModule 6.pptx
Module 6.pptx
 
Presentation2 (2)
Presentation2 (2)Presentation2 (2)
Presentation2 (2)
 

More from Setiya Nugroho

Modul 02 CRUD CI 3.pdf
Modul 02 CRUD CI 3.pdfModul 02 CRUD CI 3.pdf
Modul 02 CRUD CI 3.pdfSetiya Nugroho
 
Modul 02 CRUD CI 3.pdf
Modul 02 CRUD CI 3.pdfModul 02 CRUD CI 3.pdf
Modul 02 CRUD CI 3.pdfSetiya Nugroho
 
Web-based culinary tourism recommendation system
Web-based culinary tourism recommendation systemWeb-based culinary tourism recommendation system
Web-based culinary tourism recommendation systemSetiya Nugroho
 
Network Automation.pdf
Network Automation.pdfNetwork Automation.pdf
Network Automation.pdfSetiya Nugroho
 
RPS 2022-Pemrograman Web 2.pdf
RPS 2022-Pemrograman Web 2.pdfRPS 2022-Pemrograman Web 2.pdf
RPS 2022-Pemrograman Web 2.pdfSetiya Nugroho
 
3. Basic Pentesting 1 Walkthrough.pdf
3. Basic Pentesting 1 Walkthrough.pdf3. Basic Pentesting 1 Walkthrough.pdf
3. Basic Pentesting 1 Walkthrough.pdfSetiya Nugroho
 
Basic Cryptography.pdf
Basic Cryptography.pdfBasic Cryptography.pdf
Basic Cryptography.pdfSetiya Nugroho
 
case study1 web defacement answer.pdf
case study1 web defacement answer.pdfcase study1 web defacement answer.pdf
case study1 web defacement answer.pdfSetiya Nugroho
 
WEEK5 Mobile Device Security 31032022.pdf
WEEK5 Mobile Device Security 31032022.pdfWEEK5 Mobile Device Security 31032022.pdf
WEEK5 Mobile Device Security 31032022.pdfSetiya Nugroho
 
Modul 05 Framework CodeIgniter.pdf
Modul 05 Framework CodeIgniter.pdfModul 05 Framework CodeIgniter.pdf
Modul 05 Framework CodeIgniter.pdfSetiya Nugroho
 
Modul 4 Web Programming HTML Form & Hyperlink.pdf
Modul 4 Web Programming HTML Form & Hyperlink.pdfModul 4 Web Programming HTML Form & Hyperlink.pdf
Modul 4 Web Programming HTML Form & Hyperlink.pdfSetiya Nugroho
 

More from Setiya Nugroho (14)

Modul 02 CRUD CI 3.pdf
Modul 02 CRUD CI 3.pdfModul 02 CRUD CI 3.pdf
Modul 02 CRUD CI 3.pdf
 
Modul 02 CRUD CI 3.pdf
Modul 02 CRUD CI 3.pdfModul 02 CRUD CI 3.pdf
Modul 02 CRUD CI 3.pdf
 
Web-based culinary tourism recommendation system
Web-based culinary tourism recommendation systemWeb-based culinary tourism recommendation system
Web-based culinary tourism recommendation system
 
Network Automation.pdf
Network Automation.pdfNetwork Automation.pdf
Network Automation.pdf
 
RPS 2022-Pemrograman Web 2.pdf
RPS 2022-Pemrograman Web 2.pdfRPS 2022-Pemrograman Web 2.pdf
RPS 2022-Pemrograman Web 2.pdf
 
10. Data Security.pdf
10. Data Security.pdf10. Data Security.pdf
10. Data Security.pdf
 
3. Basic Pentesting 1 Walkthrough.pdf
3. Basic Pentesting 1 Walkthrough.pdf3. Basic Pentesting 1 Walkthrough.pdf
3. Basic Pentesting 1 Walkthrough.pdf
 
Basic Cryptography.pdf
Basic Cryptography.pdfBasic Cryptography.pdf
Basic Cryptography.pdf
 
Web Programming Form
Web Programming FormWeb Programming Form
Web Programming Form
 
case study1 web defacement answer.pdf
case study1 web defacement answer.pdfcase study1 web defacement answer.pdf
case study1 web defacement answer.pdf
 
WEEK5 Mobile Device Security 31032022.pdf
WEEK5 Mobile Device Security 31032022.pdfWEEK5 Mobile Device Security 31032022.pdf
WEEK5 Mobile Device Security 31032022.pdf
 
Modul 05 Framework CodeIgniter.pdf
Modul 05 Framework CodeIgniter.pdfModul 05 Framework CodeIgniter.pdf
Modul 05 Framework CodeIgniter.pdf
 
Malware
MalwareMalware
Malware
 
Modul 4 Web Programming HTML Form & Hyperlink.pdf
Modul 4 Web Programming HTML Form & Hyperlink.pdfModul 4 Web Programming HTML Form & Hyperlink.pdf
Modul 4 Web Programming HTML Form & Hyperlink.pdf
 

Recently uploaded

Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 

Recently uploaded (20)

DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365

Access Control Fundamentals

1. Access Control Fundamental
   Assoc. Prof. Ts. Dr. Madihah Mohd Saudi
   Faculty of Science & Technology, USIM

2. CONTENTS
   • Introduction
   • Access Control Challenges
   • Access Control Principles
   • Access Control Practices
   • Security Principles
   • Identification, Authentication & Authorization
   • Access Control Categories
   • Access Control Types
   • Access Control Threats
   • Access Control Technologies - Single Sign-On
   • Access Control Models
   • Access Control Techniques
   • Access Control Administration
   • Access Control Monitoring (IDS/IPS)
   • Access Control Assurance

3. Introduction
   • Access controls: security features that control how users & systems communicate & interact with other systems & resources.
   • Access: the flow of information between a subject & a resource.
   • A subject: an active entity that requests access to a resource or the data within a resource (e.g. user, program, process).
   • A resource: an entity that contains the information (e.g. computer, database, file, program, printer).
   • Access controls give the organization the ability to control, restrict, monitor, & protect resource availability, integrity, & confidentiality.

4. Access Control Challenges
   • Diverse identity data must be kept on different types of users (credentials, personal data, contact information, work-related data, digital certificates, cognitive passwords, etc.).
   • The corporate environment is continually changing (business environment needs, resource access needs, employee roles, actual employees, etc.).
   • Various types of users need different levels of access (internal users, contractors, outsiders, partners, etc.).
   • Resources have different classification levels (confidential, internal use only, private, public, etc.).
5. Access Control Principles
   1. Principle of Least Privilege: states that if nothing has been specifically configured for an individual or the groups he/she belongs to, the user should not be able to access that resource, i.e. default to no access.
   2. Separation of Duties: separating any conflicting areas of responsibility so as to reduce opportunities for unauthorized or unintentional modification or misuse of organizational assets &/or information.
   3. Need to Know: based on the concept that individuals should be given access only to the information that they absolutely require in order to perform their job duties.
6. Access Control Practices
   1. Disable unneeded system features, services, & ports.
   2. Deny access to systems by undefined users or anonymous accounts.
   3. Suspend inactive accounts after 30 to 60 days.
   4. Enforce the need-to-know & least-privilege practices.
   5. Enforce strict access criteria.
   6. Remove obsolete user accounts as soon as the user leaves the company.
   7. Suspend or delay access capability after a specific number of unsuccessful logon attempts.
   8. Limit & monitor the usage of administrator & other powerful accounts.

7. Access Control Practices (continued)
   9. Replace default password settings on accounts.
   10. Limit & monitor global access rules.
   11. Ensure that logon IDs are nondescriptive of job function.
   12. Remove redundant resource rules from accounts & group memberships.
   13. Remove redundant user IDs, accounts, & role-based accounts from resource access lists.
   14. Enforce password rotation.
   15. Enforce password requirements (length, contents, lifetime, distribution, storage, & transmission).
   16. Audit system & user events & actions & review reports periodically.
   17. Protect audit logs.
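Practices 3, 7, 14 and 15 above are the ones most often enforced by the logon path itself. The following is an added example, not from the slides, showing how one logon routine applies them to a constructed account record; the thresholds (5 failed attempts, 60 idle days, 90-day password lifetime) are assumed values, the slides give only the 30 to 60 day range.

```python
from datetime import datetime, timedelta

MAX_FAILED_LOGONS = 5        # assumed threshold for practice 7
INACTIVE_SUSPEND_DAYS = 60   # upper end of the 30-60 day range in practice 3
PASSWORD_LIFETIME_DAYS = 90  # assumed lifetime for practices 14-15

NOW = datetime(2024, 6, 1)   # constructed "current time" for the samples

def account(name, last_logon, password_set):
    """Constructed account record; timestamps are datetime objects."""
    return {"name": name, "last_logon": last_logon, "password_set": password_set,
            "failed": 0, "locked": False, "suspended": False}

def sample_account(name, idle_days, password_age_days):
    """Build a constructed account that has been idle / unrotated for N days."""
    return account(name, NOW - timedelta(days=idle_days),
                   NOW - timedelta(days=password_age_days))

def review_inactivity(acct, now):
    """Practice 3: suspend an account idle for longer than the window."""
    if now - acct["last_logon"] > timedelta(days=INACTIVE_SUSPEND_DAYS):
        acct["suspended"] = True
    return acct["suspended"]

def password_expired(acct, now):
    """Practice 14: the password has outlived its permitted lifetime."""
    return now - acct["password_set"] > timedelta(days=PASSWORD_LIFETIME_DAYS)

def logon(acct, password_ok, now):
    """Evaluate one logon attempt; returns one of
    'granted', 'denied', 'locked', 'suspended' or 'rotate'."""
    if acct["suspended"] or review_inactivity(acct, now):
        return "suspended"
    if acct["locked"]:
        return "locked"               # stays locked until an admin resets it
    if not password_ok:
        acct["failed"] += 1
        if acct["failed"] >= MAX_FAILED_LOGONS:
            acct["locked"] = True     # practice 7: lock after N failures
            return "locked"
        return "denied"
    acct["failed"] = 0                # a successful logon clears the counter
    acct["last_logon"] = now
    if password_expired(acct, now):
        return "rotate"               # authenticated, but must rotate first
    return "granted"
```

Note that a correct password after the lockout is still refused: the lock is released administratively, not by the next good guess.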
8. Security Principles
   • Fundamental Principles (CIA)
   • Identification
   • Authentication
   • Authorization
   • Non-Repudiation

9. Identification, Authentication & Authorization
   • Identification describes a method of ensuring that a subject is the entity it claims to be (e.g. a username or an account no.).
   • Authentication is the method of proving the subject's identity (e.g. password, passphrase, PIN).
   • Authorization is the method of controlling the access of objects by the subject (e.g. a user cannot delete a particular file after logging into the system).
   • Note: there must be a three-step process of Identification, Authentication, & Authorization in order for a subject to access an object.

10. Identification Component Requirements
   When issuing identification values to users or subjects, ensure that:
   1. Each value should be unique, for user accountability;
   2. A standard naming scheme should be followed;
   3. The values should be non-descriptive of the user's position or task;
   4. The values should not be shared between the users.

11. Authentication Factors
   01. Something a person knows (passwords, PIN)
   02. Something a person has (access card, key)
   03. Something a person is (biometrics)
   Note: for strong authentication to be in process, it must include two out of the three authentication factors, also referred to as two-factor authentication.

12. Authentication Methods
   • Biometrics
   • Passwords
   • Cognitive passwords (mother's maiden name)
   • One-time passwords
   • Cryptographic keys
   • Passphrase
   • Memory cards (swipe cards, ATM cards)
   • Smart card

13. Identity Management
   • Identity Management is a broad term that encompasses the use of different products to identify, authenticate, & authorize users through automated means.
   • The identity is established as: a name (or number) is associated to the subject or object; & the identity is re-established: a new or additional name (or number) is connected to the subject or object.
   • The identity is described as: one or more attributes which are applicable to this particular subject or object may be assigned to the identity; & the identity is newly described: one or more attributes which are applicable to this particular subject or object may be changed.
15. Administrative Control
   Components: Policy & Procedures; Personnel Controls; Supervisory Structure; Security-Awareness Training; Testing
   Examples of Administrative Controls:
   ▪ Security policy
   ▪ Monitoring & supervising
   ▪ Separation of duties
   ▪ Job rotation
   ▪ Information classification
   ▪ Personnel procedures
   ▪ Investigations
   ▪ Testing
   ▪ Security-awareness & training

16. Physical Control
   Components: Network Segregation; Perimeter Security; Computer Controls; Work Area Separation; Data Backups; Cabling; Control Zone
   Examples of Physical Controls:
   ▪ Fences
   ▪ Locks
   ▪ Badge system
   ▪ Security guard
   ▪ Biometric system
   ▪ Mantrap doors
   ▪ Lighting
   ▪ Motion detectors
   ▪ Closed-circuit TVs
   ▪ Alarms
   ▪ Backups
   ▪ Safe storage area of backups

17. Technical Control
   Components: System Access; Network Access; Encryption & Protocols; Auditing; Network Architecture
   Examples of Technical Controls:
   ▪ ACLs
   ▪ Routers
   ▪ Encryption
   ▪ Audit logs
   ▪ IDS
   ▪ Antivirus software
   ▪ Firewalls
   ▪ Smart cards
   ▪ Dial-up call-back systems
   ▪ Alarms & alerts

18. Access Control Types
   1. Preventative: avoid undesirable events from occurring.
   2. Detective: identify undesirable events that have occurred.
   3. Corrective: correct undesirable events that have occurred.
   4. Deterrent: discourage security violations.
   5. Recovery: restore resources & capabilities.
   6. Compensative: provide alternatives to other controls.

19. Access Control Threats
   • Denial of Service (DoS/DDoS)
   • Buffer overflows
   • Malicious software
   • Password crackers
   • Spoofing/masquerading
   • Emanations
   • Shoulder surfing
   • Object reuse
   • Data remanence
   • Backdoor/trapdoor
   • Dictionary attacks
   • Brute force attacks
   • Social engineering
20. Access Control Technologies - Single Sign-On
   • Introduction: SSO is a technology that allows a user to enter credentials one time & be able to access all resources in primary & secondary network domains.
   • Advantages:
     • Reduces the amount of time users spend authenticating to resources.
     • Enables the administrator to streamline user accounts & better control access rights.
     • Improves security by reducing the probability that users will write down their passwords.
     • Reduces the administrator's time in managing the access permissions.
   • Limitations: every platform, application & resource needs to accept the same type of credentials, in the same format, & interpret their meaning in the same way.
   • Disadvantages: once an individual is in, he is in, thus giving a bigger scope to an attacker.
21. Access Control Models
   ▪ A framework that dictates how subjects access objects.
   ▪ Uses access control technologies & security mechanisms to enforce the rules & objectives of the model.

   1. Discretionary (DAC)
   ➢ Based on the discretion (wish) of the owner.
   ➢ A system that uses DAC enables the owner of the resource to specify which subjects can access specific resources.
   ➢ Examples: Unix, Linux and Windows access control is based on DAC.

   2. Mandatory (MAC)
   ➢ This model is very structured & strict & is based on a security label (also known as a sensitivity label) attached to all objects.
   ➢ The subjects are given security clearance by classifying the subjects as secret, top-secret, confidential, etc., & the objects are also classified similarly.
   ➢ Examples: SELinux (by NSA), Trusted Solaris.

   3. Role-based (RBAC)
   ➢ RBAC is based on user roles & uses a centrally administered set of controls to determine how subjects & objects interact.
   ➢ The RBAC approach simplifies access control administration.
   ➢ It is the best system for a company that has high employee turnover.
   ➢ Note: RBAC can generally be used in combination with MAC & DAC systems.

   Model   Access control owner   Security policy enforced by
   DAC     Data owners            Access-control list
   MAC     Operating system       Security labels
   RBAC    Administrator          Roles / functional position
22. Access Control Techniques
   01. Rule-Based Access Control
   02. Constrained User Interface
   03. Access Control Matrix
   04. Content-Dependent Access Control
   05. Context-Dependent Access Control

23. Access Control Techniques (continued)
   • Rule-Based Access Control
     • Uses specific rules that indicate what can & cannot happen between a subject & an object.
     • E.g. routers & firewalls use rules to filter incoming & outgoing packets.
   • Constrained User Interface
     • Constrained user interfaces restrict users' access ability by not allowing them to request certain functions or information, or to have access to specific system resources.
     • 3 major types of restricted interfaces: menus & shells, database views, physically constrained interfaces.
   • Access Control Matrix
     • An access control matrix is a table of subjects & objects indicating what actions individual subjects can take upon individual objects.
   • Content-Dependent Access Control
     • Access to the objects is based on the content within the object.
     • Example: database views, e-mail filtering, etc.
   • Context-Dependent Access Control
     • The access decisions are based on the context of a collection of information rather than on the sensitivity of the data.
     • Example: a firewall makes context-based access decisions when it collects state information on a packet before allowing it into the network.
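The three models of slide 21 and the access control matrix of slide 23 are easiest to compare side by side in code. The following is an added example, not from the slides: one small policy engine with a DAC check (owner's ACL, default no access), a MAC check (labels, assuming the Bell-LaPadula no-read-up / no-write-down rules, which the slides do not name) and an RBAC check (administrator's role table), plus a function that renders any of them as an access control matrix. Subjects, objects, labels and roles are constructed sample data.

```python
from dataclasses import dataclass, field

LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top-secret": 3}  # ordered MAC labels

@dataclass
class Subject:
    name: str
    clearance: str                              # MAC security clearance
    roles: set = field(default_factory=set)     # RBAC role membership

@dataclass
class Obj:
    name: str
    owner: str
    label: str                                  # MAC sensitivity label
    acl: dict = field(default_factory=dict)     # DAC: subject name -> {actions}

# RBAC: centrally administered role -> permitted (object, action) pairs (constructed)
ROLE_PERMS = {
    "payroll_clerk": {("salaries.db", "read")},
    "auditor": {("salaries.db", "read"), ("audit.log", "read")},
}

def dac_allows(subj, obj, action):
    """DAC: the owner-maintained ACL decides; anything unlisted is denied."""
    return action in obj.acl.get(subj.name, set())

def mac_allows(subj, obj, action):
    """MAC: labels decide. Assumed Bell-LaPadula rules: read needs clearance >= label
    (no read-up); write needs clearance <= label (no write-down)."""
    s, o = LEVELS[subj.clearance], LEVELS[obj.label]
    return s >= o if action == "read" else s <= o

def rbac_allows(subj, obj, action):
    """RBAC: the administrator's role table decides, not the resource owner."""
    return any((obj.name, action) in ROLE_PERMS.get(r, set()) for r in subj.roles)

def access_matrix(subjects, objects, check):
    """Access control matrix: subjects as rows, objects as columns, cells = allowed actions."""
    return {s.name: {o.name: sorted(a for a in ("read", "write") if check(s, o, a))
                     for o in objects} for s in subjects}

# Constructed sample data: a payroll database owned by alice and an audit log.
SALARIES = Obj("salaries.db", owner="alice", label="confidential",
               acl={"alice": {"read", "write"}, "bob": {"read"}})
AUDIT = Obj("audit.log", owner="root", label="secret")
ALICE = Subject("alice", clearance="confidential", roles={"payroll_clerk"})
BOB = Subject("bob", clearance="secret", roles={"auditor"})
CAROL = Subject("carol", clearance="public")    # no ACL entry, no roles: default no access
```

Swapping `dac_allows` for `mac_allows` or `rbac_allows` in `access_matrix` shows how the same subjects and objects yield different matrices depending on who (owner, operating system labels, administrator) holds the policy.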
24. Access Control Administration
   • Centralized Access Control
     • Here one entity (a department or an individual) is responsible for overseeing access to all corporate resources.
     • This type of administration provides a consistent and uniform method of controlling the users' access rights.
     • Example: RADIUS, TACACS, and Diameter.
   • Decentralized Access Control
     • Gives control of access to the people closer to the resources.
     • There is a possibility of certain controls overlapping, in which case actions may not be properly proscribed or restricted.
     • This type of administration does not provide methods for consistent control, as a centralized method would.

25. Access Control Monitoring (IDS/IPS)
   • Method of keeping track of who attempts to access specific network resources.
   • Intrusion Detection System (IDS)
     • Process of detecting unauthorized use of, or attack upon, a computer, network, or telecommunication infrastructure.
     • Designed to aid in mitigating the damage that can be caused by hacking or breaking into sensitive computer and network systems.
   • Intrusion Prevention System (IPS)
     • Examines network traffic flows to detect & prevent vulnerability exploits.
     • IPS is a preventative & proactive technology, whereas an IDS is a detective & after-the-fact technology.

26. Access Control Assurance
   • Accountability is the method of tracking and logging the subject's actions on the objects.
   • Auditing is an activity where the users'/subjects' actions on the objects are monitored in order to verify that the sensitivity policies are enforced; it can also be used as an investigation tool.
   • Advantages of Auditing:
     ❖ To track unauthorized activities performed by individuals.
     ❖ Detect intrusion.
     ❖ Reconstruct events & system conditions.
     ❖ Provide legal resource material & produce problem reports.