Introduction to Access Control
Week6 Part1-IS
RevisionSu2013
Access Control
Access control is fundamental to information security. Access control supports the three
security tenets of Confidentiality, Integrity and Availability of information assets. There
are two broad categories of access control we are going to discuss: Computer system
access control and physical access control.
Computer system access control covers the mechanisms that are used to control access to
information assets stored on computer systems. Physical access control covers
mechanisms that control access to rooms, buildings and other containers that are used to
physically store information assets.
Computer System Access Control
Now that we have differentiated between physical and computer access control we will
use the term access control to refer to the respective area we are discussing, which in this
section is computer system access.
Access control is fundamental to computer security. In some very trusted environments
where there is “no fear” of malicious destruction of information the following example
may be a workable model. For example, you have a home PC. Everyone in your house
shares the use of one account. This is effectively allowing everyone the same access to all
the files, programs, services available to that account. While this may work on a trust
level there is still the risk of accidental information loss. Perhaps one party worked for
hours writing a paper or doing their homework and another party comes along and
inadvertently creates a file of the same name, or they accidentally delete the file.
In some work environments there are shared accounts that are used to log orders, check
out customers, create customer accounts and perform other operations. With multiple
people accessing one account there is no firm record of what individual did what. You
may be able to loosely correlate who was working at a given time, but if there is an
absolute requirement to align who did what there is no way to do that with shared
accounts. Shared accounts allow users to repudiate their actions.
If there is no control over who has access to information assets the potential for
information free-for-all exists. Anyone can access anything. Anyone can read, modify,
and delete information owned by anyone else. Access control protects against malicious
and accidental information loss.
Some form of access control is required in information systems. In most systems there
are several levels of access control which support the principle of defense in depth.
Access Control
Access control is fundamental to a secure information processing infrastructure. Access
control concepts are implemented redundantly throughout an information infrastructure.
This is consistent with the principle of security in depth. Access control mechanisms are
implemented in the operating system, applications, routers, firewalls, databases and
storage systems to name a few of the places.
There are four major parts to an access control system:
1. Authentication: determining that a user is who they say they are.
2. Authorization: granting access to a resource based on the authenticated identity of a user.
3. Auditing: recording any access to a protected resource to provide a history of access to it.
4. Policies and Procedures: documentation of all access control policies and procedures.
Users and Processes
When we discuss access control or other mechanisms that occur within the operation of a computer system we tend to talk about users. “A user has access to…”, “the user deleted…”, “the user logged into …”.
In some cases the term user is appropriate, but in many cases the access that is being controlled is a process that is performing some operation on behalf of a user. A user is a person in the flesh, a breathing person like you or me. A process is a computer program that is in an operating state. It is loaded and executing in memory performing some operation on behalf of a user. The concept is easiest to describe with an example.
A user logs into their system using their account identification or credentials. In this example the credentials consist of a username and password. The user is the person that is associated with an account. In general terms the following is happening:
- The user presents a user name and password.
- The system determines if they are valid (attempts to authenticate).
- If they are valid the user is an authenticated user.
- If they are not valid the log in is rejected and the login procedure waits for another request to start the process over again.
It is worthwhile to understand the difference between a user and a process. We don’t want to complicate the language we use when we are relying on an intuitive understanding of what we mean by user. But in many cases it is worthwhile and even necessary to differentiate between the two.
Definitions:
Authentication – the action of verifying if the token(s) presented by the user for logging on the system are valid. For example, checking if the user name and password are valid is performing authentication. If the user tokens are validated the user is said to be authenticated to the system.
Credentials – whatever tokens are used for authentication. For example, the user name and password are considered the user credentials.
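As an added example (not from the original notes), the four parts of an access control system above in working Python: credentials are verified, a session (the process acting on behalf of the user) is authorized against a deny-by-default policy, and every decision is audited so that the log can answer who did what. The account names, policy table and passwords are constructed for the illustration.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Constructed example: a minimal access control system with the four parts the
# notes list. Accounts, the policy table and the passwords below are made up.
PBKDF2_ROUNDS = 100_000


def make_credential(password, salt=None):
    """Store a password as (salt, PBKDF2-HMAC-SHA256 digest), never in clear text."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class AccessControlSystem:
    def __init__(self, policy):
        # Part 4, policy: policy[resource][username] -> set of permitted actions.
        # Anything not listed is denied (deny by default).
        self.policy = policy
        self.accounts = {}      # username -> (salt, digest)
        self.audit_log = []     # Part 3, auditing: one record per decision
        self._dummy = make_credential("placeholder")  # used for unknown usernames

    def add_account(self, username, password):
        self.accounts[username] = make_credential(password)

    def authenticate(self, username, password):
        """Part 1: check the presented credentials. Returns a session, i.e. the
        process that will act on behalf of this user, or None if log in is rejected."""
        # Hash even for unknown names so response time does not reveal valid usernames.
        salt, expected = self.accounts.get(username, self._dummy)
        _, presented = make_credential(password, salt)
        ok = username in self.accounts and hmac.compare_digest(expected, presented)
        self._audit(username, "login", "-", ok)
        return {"user": username} if ok else None

    def authorize(self, session, action, resource):
        """Part 2: decide from the authenticated identity and the policy only."""
        permitted = self.policy.get(resource, {}).get(session["user"], set())
        return action in permitted

    def access(self, session, action, resource):
        """A process requests an operation for its user: authorize, then audit."""
        ok = self.authorize(session, action, resource)
        self._audit(session["user"], action, resource, ok)
        return ok

    def _audit(self, user, action, resource, allowed):
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user, "action": action, "resource": resource,
            "result": "ALLOW" if allowed else "DENY",
        })

    def who_did(self, action, resource):
        """Which accounts successfully performed `action` on `resource`. This is
        only as good as the accounts: a shared account names the account, never
        the person, which is the repudiation problem the notes describe."""
        return sorted({r["user"] for r in self.audit_log
                       if r["action"] == action and r["resource"] == resource
                       and r["result"] == "ALLOW"})


def demo():
    """Two individual accounts against one protected resource."""
    policy = {"orders.db": {"alice": {"read", "write"}, "bob": {"read"}}}
    acs = AccessControlSystem(policy)
    acs.add_account("alice", "correct horse battery staple")
    acs.add_account("bob", "a-different-long-passphrase")
    assert acs.authenticate("alice", "wrong password") is None   # rejected, audited
    alice = acs.authenticate("alice", "correct horse battery staple")
    bob = acs.authenticate("bob", "a-different-long-passphrase")
    acs.access(alice, "write", "orders.db")   # allowed and recorded
    acs.access(bob, "write", "orders.db")     # denied and recorded
    return acs


if __name__ == "__main__":
    for record in demo().audit_log:
        print(record)
```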
Wireless and Remote Security
Week6 Part7IS
Revision Spring2015
Wireless Environment
It wasn’t that long ago that wireless access was primarily constrained to the home. As households started acquiring multiple computers they were no longer used in just one room. Computers were used throughout the house. As laptop computers became the dominant platform users not only moved throughout the house, but outside to porches, yards and out buildings. Running wires between the router and each system was not practical. Households started upgrading their home network infrastructure from hardwired routers to wireless routers.
The movement to laptop systems also accelerated at workplaces. Employers started deploying laptop systems for employees instead of desktop systems when systems needed replacing. The move to mobile computing was on.
Laptop systems enabled employees to become increasingly mobile in their work lives. As employees traveled between offices, client sites, home and various other remote locations they could remain connected to company servers as long as the remote site had connectivity to the company’s intranet. Initially this connectivity was provided by having Ethernet cabling available for remote users to physically plug their laptops into. Eventually, companies started installing wireless hotspots that could be automatically detected by systems that had wireless cards.
The proliferation of wireless connectivity and internet use spread from the workplace to general societal use. Average users demanded access to the internet and company intranets. Soon public places such as airports, libraries, train stations, schools and coffee shops installed wireless hotspots to allow people internet access. Some towns and cities are installing wireless hotspots to allow internet connectivity for citizens.
In addition to wireless hotspots becoming omnipresent the use of handheld devices is on the rise. Handheld devices started with cell phones and moved to higher functionality devices such as the Blackberry and Palm smart phones which allowed email access and various local applications. The handheld devices have continued to evolve to higher functioning devices which provide general internet services as well as thousands of applications. Examples of these are the Apple iPhone and the Motorola Droid which runs the Google Android operating system. Of course these devices still provide telephone services!
These devices make use of various cellular network technologies such as GSM (Global System for Mobile Communications) and CDMA (Code Division Multiple Access) which conform to 3G and 4G technologies for connectivity.
The ubiquity of internet access points is very convenient and allows people to stay connected for work, study and personal use from a variety of locations and using a variety of platforms. However, with this connectivity come increased security concerns. The threat vector increases as the range of vulnerabilities associated with the various platforms providing internet access increases.
Many of the security defenses for wireless or remote connectivity require using the same tools, mechanisms, policies and procedures used for systems that are not remotely connected. However, there are additional vulnerabilities and defenses that need to be considered for the wireless and remote environments.
Wireless Access
In this section we will discuss some of the attributes of wireless access points and wireless routers. As we discuss the attributes I will make suggestions on how some potential vulnerabilities can be made more difficult to exploit.
NOTE: fixing some of these simple vulnerabilities makes it more difficult to exploit your system. Some people would argue that these changes add very little increase in security. While they do not provide absolute security they do make it “slightly” more difficult for someone to attack your system. This increase of security at different places in the infrastructure supports the concept of security in depth.
Wireless access points (WAP) enable devices to connect to a wireless network using Wi-Fi (Wireless Fidelity) or related standards. Products that conform to the IEEE 802.11 set of standards for wireless local area networks (WLAN) are considered Wi-Fi devices. Wi-Fi is a trademark of the Wi-Fi Alliance which is a trade association that certifies the compliance of devices that conform to the IEEE 802.11 standards.
A wireless access point (WAP) connects to a router. A wireless router contains WAP functionality in it. This subtle distinction is made to differentiate between the functionality of a router, which is to connect two or more computer networks and interchange data between them, and a WAP which provides wireless access to the router. We will use the term wireless router to refer to the combined functionality of the WAP and router.
Web Based Management Interface
A wireless router contains a web based management interface. Access to the router is typically gained by using the IP address 192.168.0.1 or 192.168.1.1. Finding the default username and password for a particular router is simple. They are usually preconfigured with easily guessed names such as “admin” or “password”. To locate default usernames and passwords for various routers you can check various web sites such as: http://www.routerpasswords.com/.
Often users do not change the default username and password to the management interface. The combination of the default values for the IP address, username and password make it very easy to attack your router. An attacker that gains access to your router through the management interface can learn your router configuration information and/or change it to suit their nefarious needs.
To make your router a “little more secure” you could change the username and password. To further complicate an attack you could also change the 3rd octet of the IP address of the management interface to something other than a “1”. For example, change it from 192.168.1.0 to 192.168.99.0. This will place your systems on a different subnet.
Service Set Identifier (SSID)
The service set identifier (SSID) is the name of the wireless network. By default, the SSID is broadcast every 1/10 of a second or so by the wireless router. This broadcasting of the SSID is what a wireless device detects so it can connect to the network. Broadcasting of the SSID may also be referred to as the WAP presenting a beacon.
This beacon can be detected by client devices at varying distances depending on atmospheric and geographic conditions. Typical distances are 75-100 feet indoors and up to 300 feet outdoors. These sorts of distances allow SSID beacons to be detected not only by legitimate users of your network but also by potential attackers unless precautions are taken.
The SSID is represented as a string of alpha-numeric characters which is up to 32 characters in length. The standard allows for the 32 octets to be any values and not just readable characters. A client device can choose to manually or automatically connect to a device.
A wireless network can choose not to advertise the SSID. This results in the network being advertised as “unnamed”. If a client chooses to connect to this network they must know the SSID name.
Another defense could involve changing the SSID name to something other than what the manufacturer assigns to the device. Similar to locating router passwords (discussed above) on the internet, default SSID names for some devices can be easily found.
Changing the SSID name or not broadcasting the SSID name are not foolproof techniques. A determined cracker can figure out the SSID of the network by using sniffing tools that monitor users that successfully connect to the network since the SSID is transmitted in clear text.
Wireless Encryption
Many private wireless networks run encryption. The intent of this is to secure communications transmitted on the network. A wireless network that runs encryption requires that clients that want to connect to the network must enter a passphrase or encryption key to connect to the network. Some client systems that frequently connect to the same wireless network may have the encryption key installed in the client so connecting to the network can occur without having to enter the encryption key.
A commonly used and ineffective wireless encryption algorithm is Wired Equivalent Privacy, known as WEP.
WEP is ineffective because the passphrases (i.e. encryption keys) can be easily figured out by hackers. WEP makes use of the stream cipher RC4 for confidentiality and CRC-32 for integrity. 64, 128 and 256 bit keys are used with WEP encryption. The full encryption keys are generated by concatenating the bits of the key with a 24 bit initialization vector (IV) yielding the n bit (64, 128, 256) WEP encryption key. The IV is transmitted as clear text. On a busy network the 24 bit IV will be repeated and can be easily recovered allowing the encryption keys to be discovered using brute force techniques. Cracking a WEP network can be done in less than a minute with commonly available tools found on the internet. Perform a Google search for “cracking WEP” and you will be provided with links to numerous cracking tools.
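As an added worked example (not part of the original notes), the arithmetic behind the IV reuse claim above: the key layout the notes describe and the birthday-bound probability that a 24 bit IV repeats after a given number of frames, plus the reuse check a monitoring tool can apply to the clear-text IV field. Only the notes' figures (24 bit IV; 64, 128 and 256 bit nominal keys) are used; the frame counts are computed, not measured.

```python
import math

WEP_IV_BITS = 24              # the IV is 24 bits and is sent in clear text
IV_SPACE = 2 ** WEP_IV_BITS   # 16,777,216 distinct IV values


def wep_key_layout(nominal_bits):
    """Split an advertised WEP key size into (secret key bits, IV bits).

    As the notes describe, the n bit WEP key is the secret bits concatenated with
    the 24 bit IV, so a "64 bit" key carries only 40 secret bits and a "128 bit"
    key only 104.
    """
    if nominal_bits <= WEP_IV_BITS:
        raise ValueError("nominal key size must exceed the 24 bit IV")
    return nominal_bits - WEP_IV_BITS, WEP_IV_BITS


def iv_reuse_probability(frames):
    """Probability that at least one IV value repeats among `frames` frames when
    each frame picks its IV uniformly at random (birthday bound, 1 - e^(-n(n-1)/2N))."""
    if frames < 2:
        return 0.0
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * IV_SPACE))


def frames_for_reuse_probability(target):
    """Smallest frame count at which the random-IV reuse probability reaches `target`."""
    if not 0.0 < target < 1.0:
        raise ValueError("target must be strictly between 0 and 1")
    # closed-form estimate, then settle on the exact integer
    n = max(2, int(math.sqrt(2.0 * IV_SPACE * math.log(1.0 / (1.0 - target)))))
    while iv_reuse_probability(n) < target:
        n += 1
    while n > 2 and iv_reuse_probability(n - 1) >= target:
        n -= 1
    return n


def first_iv_repeat(ivs):
    """Index of the first frame whose IV was already seen, or None.

    A monitoring tool (the WIDS role the notes describe later) can apply exactly
    this check to the clear-text IV field of captured frames to flag a network
    where reuse is already happening; cards that restart their IV counter at 0
    after a reset make the first repeat immediate.
    """
    seen = set()
    for index, iv in enumerate(ivs):
        if iv in seen:
            return index
        seen.add(iv)
    return None


if __name__ == "__main__":
    for bits in (64, 128, 256):
        secret, iv = wep_key_layout(bits)
        print(f"{bits:3d} bit WEP key = {secret} secret bits + {iv} bit IV")
    n50 = frames_for_reuse_probability(0.5)
    print(f"50% chance of an IV repeat after about {n50} random-IV frames")
    # constructed IV stream: two stations that both start counting at 0
    print("first repeated IV at frame index", first_iv_repeat([0, 1, 2, 0, 1, 3]))
```

The 50% point lands near 4,800 frames, a few seconds of traffic on a busy network, which is why the notes can say the IV "will be repeated".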
The WEP algorithm has been deprecated in favor of the Wi-Fi Protected Access algorithms known as WPA. There are a few variants of WPA algorithms. We will consider WPA-TKIP (Temporal Key Integrity Protocol) and WPA-AES (Advanced Encryption Standard) algorithms. WPA-TKIP uses the RC4 stream cipher (similar to WEP) however it improves on the inherent weaknesses of WEP by making use of the following:
- Key mixing, combining a secret key with the IV to increase cryptographic strength.
- Re-keying to use a different key for each packet.
- A longer (48 bit) IV to improve on WEP transmitting the IV in clear text.
- A sequence counter to protect against replay attacks.
WPA-TKIP is a vast improvement over the confidentiality weaknesses of the WEP algorithm; WPA-TKIP provided compatibility with older hardware that used WEP. An improvement over WPA-TKIP is WPA-AES. New wireless products are using the WPA-AES algorithm which provides improved performance over WPA-TKIP and makes use of AES (Advanced Encryption Standard), a block cipher adopted by the US government as the replacement for DES (and 3DES).
The preferred choice is to use WPA-AES, however you need to make sure all of your hardware will support it. For older hardware you may be relegated to using WPA-TKIP until you can upgrade.
MAC Filtering
For a home or a small business access to the wireless network can be restricted based on the MAC (Media Access Control) addresses of the allowable wireless devices. This technique can work since the number of devices that connect to the network is small and does not change.
Every device with a network adapter has a unique identifier which is called the MAC address. By using the web based management interface of your wireless router the MAC addresses of these devices could be added into the configuration tables of your wireless router to accept connections with these MAC addresses and to reject connections with devices that have MAC addresses that are restricted.
War Driving
War driving is the act of driving or roaming around with a laptop computer and hacking tools searching for wireless access points. When an access point is discovered the attacker can use various cracking tools to eavesdrop on information which compromises the security of the system and the network.
Not advertising the SSID and implementing MAC filtering makes your network a bit more stealthy, but not by much to a determined attacker. It does not protect you from eavesdroppers or war drivers intercepting packets from the air waves and decoding them. From this information an attacker could determine the SSID of your network and allowable MAC addresses. If discovered an attacker could connect to your network by using the SSID and spoofing a MAC address if MAC filtering was enabled. If the network is not secured with encryption the attacker has gained access. Even with encryption enabled with WEP, WPA or WPA2 the encryption keys could be uncovered by using cracking tools. Once the encryption keys are discovered the attacker has gained access.
Rogue Access Points
A rogue wireless access point is an access point set up by an attacker to capture usernames, passwords and other information. A rogue access point could be used to stage a variety of attacks such as the man in the middle (MITM) attack when mutual authentication between the two communication end points is not implemented.
A rogue access point is implemented by connecting a router to a secure network without permission of the owner or administrator of the network. Any client that connects to the network via the rogue access point is compromised.
To defend against rogue access points network administrators can use Wireless Intrusion Detection Systems (WIDS) or Wireless Intrusion Prevention Systems (WIPS) to monitor the radio spectrum for rogue devices and attack tools. Additionally, a WIDS or WIPS can be used to look for problems with the network configuration, create log files of activity, block activity by suspicious devices and perform automatic notification in the case of various events.
Another defense against rogue access points in public places is observation. For example, if you are in a place that advertises it has a wireless hotspot you should be aware of the SSID of the hotspot. Also, if two or more networks are being advertised perhaps one or more of them are rogue hotspots. Also, don’t assume that you can safely bypass purchasing internet service by using your neighbor’s unsecured network. You leave yourself wide open to attack and compromise of your data by doing this.
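As an added example of the WIDS and observation defenses described above (my code, not from the notes or any product): a beacon classifier run over a constructed scan, flagging the organization's SSID announced by a radio it does not own, unknown radios, configuration drift on its own access points, and weak encryption. The authorized inventory, MAC addresses and SSIDs are made up; a real deployment would feed it beacons captured by monitoring radios.

```python
from collections import defaultdict

# Constructed inventory of the organization's own access points (example data):
# BSSID -> the SSID and channels that radio is configured to use.
AUTHORIZED_APS = {
    "aa:bb:cc:00:00:01": {"ssid": "CorpNet", "channels": {1, 6, 11}},
    "aa:bb:cc:00:00:02": {"ssid": "CorpNet", "channels": {1, 6, 11}},
    "aa:bb:cc:00:00:03": {"ssid": "CorpGuest", "channels": {1, 6, 11}},
}


def classify_beacon(beacon, authorized=AUTHORIZED_APS):
    """Classify one observed beacon (dict with bssid, ssid, channel, security).

    An empty ssid means the access point is not broadcasting its name, which the
    notes describe as the network appearing "unnamed"; that is not a mismatch.
    """
    bssid = beacon["bssid"].lower()
    ssid = beacon["ssid"]
    entry = authorized.get(bssid)
    our_ssids = {a["ssid"] for a in authorized.values()}
    if entry is None:
        # Our network name from a radio we do not own: the rogue access point
        # the notes warn about, set up to capture credentials.
        return "ROGUE_SSID_CLONE" if ssid in our_ssids else "UNKNOWN_AP"
    if ssid and ssid != entry["ssid"]:
        return "SSID_MISMATCH"       # our radio, wrong name: misconfiguration
    if beacon["channel"] not in entry["channels"]:
        return "CHANNEL_MISMATCH"    # configuration drift worth a ticket
    if beacon["security"] in ("OPEN", "WEP"):
        return "WEAK_ENCRYPTION"     # WEP is deprecated; the notes explain why
    return "OK"


def scan_report(beacons, authorized=AUTHORIZED_APS):
    """Run the classifier over a scan and return (alerts, duplicate_ssids).

    alerts: 'bssid ssid channel verdict' log lines for anything not OK.
    duplicate_ssids: names announced by more than one BSSID where at least one
    BSSID is not ours (the notes' "two or more networks advertised" heuristic).
    """
    alerts = []
    bssids_by_ssid = defaultdict(set)
    for b in beacons:
        verdict = classify_beacon(b, authorized)
        if b["ssid"]:
            bssids_by_ssid[b["ssid"]].add(b["bssid"].lower())
        if verdict != "OK":
            name = b["ssid"] or "<hidden>"
            alerts.append(f"{b['bssid'].lower()} {name} ch{b['channel']} {verdict}")
    ours = set(authorized)
    duplicates = sorted(s for s, macs in bssids_by_ssid.items()
                        if len(macs) > 1 and not macs <= ours)
    return alerts, duplicates


# Constructed sample scan (not real captures): two genuine APs, one hidden genuine
# AP, a clone of CorpNet from an unknown radio, and a neighbour's unrelated network.
SAMPLE_SCAN = [
    {"bssid": "AA:BB:CC:00:00:01", "ssid": "CorpNet", "channel": 6, "security": "WPA2"},
    {"bssid": "aa:bb:cc:00:00:02", "ssid": "CorpNet", "channel": 11, "security": "WPA2"},
    {"bssid": "aa:bb:cc:00:00:03", "ssid": "", "channel": 1, "security": "WPA2"},
    {"bssid": "de:ad:be:ef:00:01", "ssid": "CorpNet", "channel": 6, "security": "OPEN"},
    {"bssid": "12:34:56:78:9a:bc", "ssid": "NeighbourWifi", "channel": 3, "security": "WEP"},
]

if __name__ == "__main__":
    alerts, duplicates = scan_report(SAMPLE_SCAN)
    for line in alerts:
        print(line)
    print("SSIDs announced by radios we do not own:", duplicates)
```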
Comment:
Around 2011 I had an older Verizon router which was configured to support WEP. I called my ISP which is Verizon to discuss configuring my wireless router to enable further security. In particular I wanted to change encryption from WEP to WPA and I wanted to use a different subnet than the default of 192.168.0.1. The technician I spoke to “reminded me” that WPA encryption is “supported” but if there was a problem that required Verizon to perform debugging they would set my system back to using the default value for encryption which is WEP.
With respect to changing the default subnet to something other than the default value of 192.168.0.1 it could be done, however it was not supported. Again, if there was a problem they would reset it to the default value before they worked on diagnosing any problems.
I explained to the Verizon representative that when problems occur you want to debug them in that environment. You don’t want to change the environment before you start debugging since you can be masking the problem. Plus, the use of WPA and a different subnet is not an obscure change. Rather they are common industry best practices. They understood this point, but that is Verizon’s policy. Debugging a problem in a changed environment runs the risk of not fixing the problem.
Since that time I have updated my router to one that supports WPA2 as the default protocol.
Remote Access
Remote access by users is accomplished with a variety of devices including laptops, smart phones, desktops and tablets. Wireless access is not only enabled through wireless routers and access points but devices that support 3G and 4G protocols such as smart phones. In order to secure smart phones, policies and procedures need to be established just as with laptops and desktop systems. Some of the security policies and procedures for smart phones will be similar to those for laptops and desktop systems; however there are some policies and procedures that are unique to particular platforms.
Password Selection
Passwords, passphrases, encryption keys and other secrets need to be protected from discovery. These secrets in authentication terms are referred to as “Something You Know” (SYK). Secure passwords need to be constructed for access to all systems. Following are some items in the wireless domain that should be constructed using secure password guidelines.
- SSID (Service Set Identifier) that names the network
- MAC ID of the network interface device
- Credentials (username, password, encryption key or passphrase) for the device (laptop, desktop, smartphone)
Items such as usernames, passwords and encryption keys or passphrases should be constructed using secure password guidelines. This was discussed in the lecture on authentication. Companies and organizations that care about security will have a policy for how passwords should be constructed. In addition to how these secrets are constructed there should be policies on how frequently they need to be changed.
Items such as MAC ID and SSID can be changed, but you need to consider the impact of doing that. Changing the MAC ID is really not practical since the MAC ID is associated with the device. MAC IDs are changed by attackers spoofing a MAC ID but it is really not practical for an organization to have users change their MAC IDs.
Changing the SSID can be done but for the determined attacker the SSID is readily available since it is broadcast in the clear. If you change the SSID anyone connecting to your network will need to know the new SSID. Communicating the new SSID is no more of a problem than communicating new passwords or encryption keys to users.
Security of Remote Devices
With remote devices critical information leaves corporate servers and moves to various remote devices. With this comes a risk of the remote device being lost or stolen. To ensure the Confidentiality, Integrity and Availability of this information various mechanisms that support encryption and authentication need to be deployed such as: Virtual Private Networks (VPNs), Secure Sockets Layer (SSL), Transport Layer Security (TLS), Kerberos, CHAP, RADIUS, Diameter to name a few. These were discussed in the lecture on authentication examples.
Many of these mechanisms should be considered for use for all devices in the infrastructure but it is worth amplifying their importance when using remote devices. Remote devices are generally more prone to being lost or stolen than devices that are not remote. Because of these vulnerabilities care needs to be taken to ensure data is not compromised. Some of the following functionality should be considered for security policy and procedures for all devices; however, ensuring they are followed for remote devices is very important.
- Multi-factor authentication. In addition to requiring password authentication biometric and token authentication could also be required.
- Remote wipe, so that data can be removed or rendered inaccessible in case the system is lost or stolen.
- Systems should be shut down after use and not placed into hibernate or low power mode.
- Disk encryption, in case a system is lost or stolen and the disk is removed and placed in another system.
- Removable storage media (e.g. memory sticks, USB drives) provides another avenue for data to become remote. Removable storage devices also increase the attack vector for infecting systems with malware. Place a memory stick or USB drive into a USB port and the system could become infected with malware stored on the device. Some companies may find restricting the use of removable media to be appropriate.
Bring Your Own Device (BYOD)
With the proliferation of personal devices such as smartphones and tablets companies and organizations are facing increasing pressures to adopt policies that allow employees to use their own devices to access organization assets. Many of the security concerns organizations have with the use of their own equipment to access their network and data are amplified with a BYOD environment. This is primarily because the organization has limited control with the securing and handling of the BYOD device. On the other hand, allowing users access to organization data allows employees to be engaged in company business virtually 365/24/7 since most users are tethered to their mobile devices.
The challenge organizations face is to implement a policy and procedures for how users can access company data with their own devices while keeping organization assets safe and secure. In other words organizations are concerned with maintaining the CIA (Confidentiality, Integrity and Availability) of their assets. You should note that the general concerns organizations have for BYOD are congruent with the concerns organizations have for their assets in a non-BYOD scenario.
There are numerous websites and articles that enumerate major security concerns that organizations have around BYOD policies. Following is a representative list of concerns that companies have.
- Applications or content with embedded security exploits
The various policies and procedures an organization selects should be based on the requirements of the organization. This should always be the case for selecting functionality. You first define your requirements, then you select functionality that meets the requirements.
Of course some companies’ approach to BYOD will be not to allow it. Their approach may be to issue company owned devices for all business related use. In order to support multiple devices there is additional cost. It is much easier to manage one device that is given to employees. However, the downside to this may be employee productivity. Employees may resist carrying two phones; their own and the company phone.
I expect to see more and more companies supporting a BYOD policy.
Specific Areas of Concern for BYOD
A policy should require secure access to corporate assets by requiring a VPN that uses encryption. A VPN requires the user to possess credentials that allow authentication to the VPN and in turn access to the organization’s assets. The VPN should provide encryption for any assets in transit between the two ends of the VPN, which are the organization’s server and your mobile device.
The policy should consider the use of Mobile Device Management Software. MDMS provides for remote management of devices including the uploading of applications, data and configuration information to a variety of devices. A major feature for MDM is the need to support a variety of platforms and versions including various versions of: Android, Apple iOS, Blackberry, Windows Phone. The range of mobile devices includes smartphones, tablets, printers, POS (Point of sale) systems.
Some of the top BYOD security concerns that companies have are:
- Applications or content with embedded security exploits
You should note that the BYOD concerns are similar to the concerns they have on company issued devices.
Strategies and Issues
Keep in mind the company needs to protect the CIA of its
information. Since you are
agreeing to use your device for accessing company information
there will be rules for
usage that will be more stringent and structured than what you
are used to.
Following are some of the strategies and issues around some
controls to address the
security concerns.
Use of VPN
Expect your company to mandate the use of a VPN to connect to
any corporate website.
This could work by requiring access through a secure website
using credentials controlled
36. by the authentication policy of the company. Another way
would be to have a local
application pushed to your device that is used to initiate the
login, again using company
provided credentials.
It may be required that periodic authentication to the VPN is
done to ensure the user is
remaining cognizant they are connected. Also, in case the
device is lost after the VPN
link is established re-authentication could block access to
company access.
Periodic re-authentication to the device may also be required for
the same reason.
If access to company resources requires a VPN connection, there may be limitations on how the device can be used for other applications. For example, certain websites and certain applications may be restricted. How the company monitors this is another matter that requires consideration. Another issue to consider is what happens if questionable material is passed over the company's network while a VPN connection is established.
Authentication
Expect a company to require strong authentication for any device used on its network. This means 4-character PINs are out, and complex passwords or picture patterns are in. Also expect the company to check your password complexity for approval and to require periodic changes. Many websites are moving towards a two-factor authentication model, and it is possible companies will require this. This means that when you log into the company VPN a notification is sent to your device with an authentication token that must be entered to complete the login process. Note that if the token is delivered to the same device that initiates the login, the two factors are no longer independent, and a compromised device can satisfy both.
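As an added illustration (not part of the original lecture notes), the following Python sketch shows the three checks described in the VPN and Authentication sections together: a password complexity check that rejects a 4-digit PIN, a short-lived second-factor token of the kind that would be pushed to the device, and a VPN session that forces re-authentication after a fixed interval. The policy values (12-character minimum, 120-second token lifetime, 8-hour re-authentication interval) and the HMAC-derived 6-digit token format are assumptions chosen for the example, not requirements stated in the notes.

```python
import hashlib
import hmac
import time

# Policy values are assumptions for this example, not figures from the notes.
MIN_PASSWORD_LENGTH = 12
TOKEN_TTL_SECONDS = 120              # second-factor token is only valid briefly
REAUTH_INTERVAL_SECONDS = 8 * 3600   # VPN session must re-authenticate periodically


def check_password_complexity(password: str) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append("shorter than %d characters" % MIN_PASSWORD_LENGTH)
    if password.isdigit():
        problems.append("digits only (a PIN is not a password)")
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if sum(classes) < 3:
        problems.append("needs at least three of: lower, upper, digit, symbol")
    return problems


def issue_token(server_secret: bytes, session_id: str, issued_at: int) -> str:
    """Derive the 6-digit code the server would push to the user's device.

    The code is an HMAC-SHA256 over the session id and issue time, so it is
    bound to one login attempt and cannot be replayed for another session.
    """
    message = ("%s:%d" % (session_id, issued_at)).encode()
    digest = hmac.new(server_secret, message, hashlib.sha256).digest()
    return "%06d" % (int.from_bytes(digest[:4], "big") % 1_000_000)


def verify_token(server_secret: bytes, session_id: str, issued_at: int,
                 presented: str, now: int) -> bool:
    """Accept the code only within its lifetime, comparing in constant time."""
    if now - issued_at > TOKEN_TTL_SECONDS:
        return False
    expected = issue_token(server_secret, session_id, issued_at)
    return hmac.compare_digest(expected, presented)


class VpnSession:
    """Tracks when the user last authenticated so the gateway can force a re-login."""

    def __init__(self, user: str, authenticated_at: int):
        self.user = user
        self.last_auth = authenticated_at

    def is_valid(self, now: int) -> bool:
        # A lost device stops being useful to a thief once this interval expires.
        return now - self.last_auth < REAUTH_INTERVAL_SECONDS

    def reauthenticate(self, now: int) -> None:
        self.last_auth = now


if __name__ == "__main__":
    now = int(time.time())
    print(check_password_complexity("1234"))
    secret = b"server-side-secret-kept-in-a-vault"   # assumed value, for illustration only
    code = issue_token(secret, "session-42", now)
    print("token", code, "valid:", verify_token(secret, "session-42", now, code, now + 30))
    session = VpnSession("alice", now)
    print("session valid after 9h:", session.is_valid(now + 9 * 3600))
```

The token check uses hmac.compare_digest so that a wrong code takes the same time to reject as a nearly-right one; the session object is what the gateway would consult on every request before forwarding traffic.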
Malware Protection
Running malware protection on your device will be required. Signature updates may be pushed out by the MDM system if the policy mandates it. The MDM system may not allow you to turn off the malware protection, and it may also restrict your ability to run certain applications.
Wipe strategies
When a device is lost or stolen, the company may want to track the device using GPS. If the device is located, a remote wipe of data as well as disabling of the device may be performed. This raises the question of wiping not only company data but user data: should the device later be found, the personal data will have been wiped along with the company data. Some MDM products reduce this problem by keeping company data in a managed container that can be wiped selectively.
GPS Tracking
Another issue with wipe strategies is GPS tracking. Some users will have privacy concerns about the company having access to GPS data. When, and under what circumstances, GPS data is monitored needs to be clearly stated in the policy.
Encryption
The confidentiality of company data will undoubtedly require encryption. This may impact the employee's use of personal data if encryption has to be implemented on an application basis as opposed to a file basis.
Jailbroken or Rooted Devices
Jailbreaking is typically associated with Apple devices. It refers to bypassing the controls the manufacturer has put on the device. A device that has been jailbroken can install software that is not distributed through the App Store, which means software that has not been vetted by the App Store review process can be installed. The potential for installing software carrying malware is increased.
Apple implements a process where developers submit software for distribution through the App Store. If the app is approved for distribution, it is made available through the App Store. The vetting process is not perfect, but it is improving all the time. Software that does not go through this vetting process has a much greater chance of being infected with malware.
Rooting applies to Unix- or Linux-based devices and is typically associated with Android products. Rooted means that the owner of the phone has root access to the device. Root access allows unfettered access to all aspects of the device. You don't want a BYOD device to have been rooted, since a rooted device can bypass numerous controls placed on the device. Some malware seeks to obtain root access so that it has total access to the device.
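To make the jailbreak and root discussion concrete, here is an added Python example (not from the notes, and not any vendor's MDM code) of the kind of check an MDM agent runs before admitting a BYOD device. It looks for well-known root and jailbreak indicators in a snapshot of the device's filesystem and Android build tags; the indicator lists and the device snapshots are constructed for the example. The important caveat is in the comments: an owner with root can hide every one of these, so a clean result only means no evidence was found.

```python
# Constructed indicator lists. These are common heuristics for rooted Android
# and jailbroken iOS devices; a real MDM agent uses many more, and a device
# whose owner has root can hide all of them, so treat a clean result as
# "no evidence found", not as proof that the device is stock.
ANDROID_ROOT_PATHS = (
    "/system/bin/su",
    "/system/xbin/su",
    "/sbin/su",
    "/system/app/Superuser.apk",
)
IOS_JAILBREAK_PATHS = (
    "/Applications/Cydia.app",
    "/bin/bash",
    "/usr/sbin/sshd",
    "/private/var/lib/apt",
)


def root_indicators(platform, present_paths, build_tags=""):
    """Return a list of human-readable findings for the given device snapshot.

    platform:      "android" or "ios"
    present_paths: the set of filesystem paths the agent found on the device
    build_tags:    Android ro.build.tags (release-keys on stock firmware,
                   test-keys on many custom ROMs); ignored for iOS
    """
    findings = []
    if platform == "android":
        watch = ANDROID_ROOT_PATHS
        if "test-keys" in build_tags:
            findings.append("firmware signed with test-keys")
    elif platform == "ios":
        watch = IOS_JAILBREAK_PATHS
    else:
        raise ValueError("unknown platform: %r" % platform)
    for path in watch:
        if path in present_paths:
            findings.append("unexpected path present: " + path)
    return findings


def admit_device(platform, present_paths, build_tags=""):
    """Policy decision: (admitted, findings). Any indicator blocks enrolment."""
    findings = root_indicators(platform, present_paths, build_tags)
    return (len(findings) == 0, findings)


if __name__ == "__main__":
    # Constructed device snapshots, not data collected from real devices.
    stock = {"/system/bin/ls", "/system/app/Settings.apk"}
    rooted = {"/system/bin/ls", "/system/xbin/su", "/system/app/Superuser.apk"}
    print(admit_device("android", stock, "release-keys"))
    print(admit_device("android", rooted, "test-keys"))
    print(admit_device("ios", {"/Applications/Cydia.app", "/bin/bash"}))
```

Returning the findings alongside the decision lets the MDM console tell the user why enrolment was refused, which matters for a policy the employee has to agree to.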
Applications
Organizations may restrict the applications that can be loaded on a device. The concern is that some applications may be considered a malware threat. Downloading any application may require vetting through company-supplied software.
Bluetooth Functionality
Most handheld devices support Bluetooth. Bluetooth expands the attack vectors and attack surface of your device. If your device is discoverable, other devices in range can attempt to pair with it, which presents a security issue. Some people feel Bluetooth is inherently insecure and should not be used for anything you care about. Expect to find policy statements on allowable use of Bluetooth. Perhaps Bluetooth has to be turned off when connected to the company VPN. However, what if corporate data has been copied to the device: is Bluetooth use restricted then? This doesn't sound realistic, since for hands-free driving Bluetooth is required for any level of safety if the call participant is driving.
This brings up another question. Is the device owner required to communicate when in transit? It is clear to me that any distraction while behind the wheel has the potential for grave results. Should something happen while the device owner is using the device on company business, is the company liable, or is it shared exposure?
Reimbursement
If you are using your device for work, there may be a policy that provides for reimbursement of expenses. Keep in mind that getting reimbursed may seem desirable, but it ties your device more closely to the company, since you will be required to follow company policy.
Exit Strategy
When an employee leaves the company, the policy may require that the device be wiped to remove any company information. This may require backing up the employee's personal information, performing the wipe and restoring the personal information.
Policy Violations
BYOD policies are evolving. There is an ebb and flow between the company's right to investigate all data on a personal device when a policy breach occurs and the device owner's right to privacy. Consider the case where you have a device that connects to a company website and a breach is detected that is attributed to your device. Can the company lock your device down and search all the data on your phone, including personal email and social media accounts? Or is the device clearly partitioned between company data and personal data, such that the company can only do forensic analysis on the company data?
Understanding the penalties for policy violations is important. Penalties can range from losing device privileges to termination.
Summary
Wireless and remote devices need to follow the same policies and procedures as any other device in the infrastructure, so that security vulnerabilities are minimized. There are additional procedures for remote devices that also need to be followed. As with all security, there is no one foolproof set of tactics.
The number and variety of handheld devices further increases the attack vectors and attack surface. The policies for BYOD in the workplace are evolving. There is an ebb and flow between security and privacy that both the owner of the device and the company need to agree on. Expect these policies to continue to evolve as the use of mobile devices grows.
For wireless, remote and handheld devices the best approach is to follow the principle of defense in depth.
Security Policy
Week6 Part6-IS
Revision Su2013
Security Policy
Security policy for access control is no different from defining policy in any other area. Rather than discussing security policy specific to access control, we will broaden the discussion to security policy in general. Some of this section repeats information we covered in Week 1, but it merits repeating in the context of the learning we have done to date.
Security as a process includes four key elements: prevention, detection, response and recovery. Determining the investment that needs to be made in these areas requires an inventory of the assets of the organization and a determination of the value of these assets to the organization.
A risk assessment needs to be performed that determines the threat level and vulnerability of each of these assets. As part of the assessment, the cost of recovering an asset that is attacked needs to be determined.
After a thorough assessment, a determination can be made as to how much should be invested in protecting an asset and the type of protection that should be implemented.
Aspects of policies have different target audiences. NIST Special Publication 800-12 (http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf) organizes controls into three broad categories that policies should target:
- Management policies, which define responsibilities within the organization. Also discussed is how policies are created, revised, reviewed, approved and retired.
- Operational policies, which deal with the operational aspects of the organization. For example, the definition of physical access control to a facility, or the definition of the access control policies for certain systems. How employees are trained in applying policies in their roles is part of operations.
- Technical policies, which cover the technical mechanisms. For example, the access control and authentication models used in an organization, how systems are configured, firewall policies, use of encryption and how accounts are managed.
Across these three categories there needs to be agreement throughout the organization as to the importance of security. There must be a top-to-bottom commitment in the organization to successfully implement the security policy. Having mechanisms for verifying security compliance and assigning accountability for compliance is required for a successful implementation.
Every organization has a security policy. Some organizations have very strong policies, implemented with documentation, training, audit procedures, certification requirements, compliance reviews and other mechanisms. Some organizations have no stated policy; they just wing it, hoping everything will work out. Those are the two extremes, with other organizations' policies spread across the spectrum.
RFC 2196, the Site Security Handbook produced by an IETF working group, provides guidance for developing security policy and procedures for systems on the Internet.
http://www.faqs.org/rfcs/rfc2196.html
The working definition RFC 2196 provides for security policy is:
Definition: Security Policy: A security policy is a formal statement of the rules by which people who are given access to an organization's technology and information assets must abide.
Having a written security policy is fundamental to an organization. It defines acceptable behaviors, practices and responsibilities around the handling of information, systems, brick-and-mortar facilities and anything else related to security.
Policies do not have to be complex. In fact, policies should be simple to access, easy to understand and easy to seek clarification on. Similarly, the implementation of security policies should be easy to follow and should support the task at hand. Further, security policies need to be enforced at all levels of the organization.
This seems like a simple concept, yet for many organizations security policies are anything but simple. For many organizations security policies are not clearly defined, if defined at all. The policies cannot be easily located, and once they have been located they may be out of date. The policies may be pages and pages of technical and legal verbiage that is not well organized and requires the entire document to be studied, rather than being clearly divided into the necessary levels of abstraction so that issues can be understood quickly and easily.
Defining a Workable Policy
An effective security policy requires broad acceptance throughout the organization. This buy-in has to be at all levels of the organization. Security policy has to originate at the top levels of management. Management needs to prioritize the definition of a security policy. This starts with management articulating the importance of protecting company assets. Management must support the process through all phases of the security policy: requirements definition, review cycles, education and training, implementation and maintenance. This requires an ongoing investment in time, staffing and physical resources.
A successful policy must have broad representation across the organization contributing to the definition. RFC 2196 suggests the following representation. The list should be used for guidance and modified according to the needs of your organization. I have made a couple of additions.
- site security administrator
- information technology technical staff (e.g., staff from computing center)
- administrators of large user groups within the organization (e.g., business divisions, computer science department within a university, etc.)
- security incident response team
- representatives of the user groups affected by the security policy
- responsible management
- legal counsel (if appropriate)
The fundamental steps defined in RFC 2196 for establishing a security policy are:
- Identify what you are trying to protect.
- Determine what you are trying to protect it from.
- Determine how likely the threats are.
- Implement measures which will protect your assets in a cost-effective manner.
- Review the process continuously and make improvements each time a weakness is found.
Enforcing the Policy
Having a security policy is only as good as the enforcement of it. The policy must be easy to enforce and it must be consistently enforced. The mechanisms for enforcing the security policy should be clearly defined in the policy documents. It is important that security enforcement is as automated as possible. For example, acquiring accounts, system permissions, access to confidential information and access to physical resources should all be seamlessly integrated into the request process so that no "special" steps need to be taken.
It is of the utmost importance that security procedures are enforced. If the policy can be bypassed by a quick phone call or mail message, you do not have an effective policy.
An effective security policy needs to be easy to use and it needs to provide a predictable and timely response to a request for security access. A security policy must be consistently enforced at all levels of the organization. If the policy is seen to be bypassed by individuals because of their position in the organization, everyone will try to bypass the system.
If these characteristics are not present in a security policy, people will seek alternatives, they will avoid aspects of their job that require dealing with security, and they will become disgruntled.
Automated Security Event Auditing
Ronald Reagan popularized the phrase "trust but verify". This basically means that entities can be trusted as long as the facts around the trust can be verified. The tool for doing this is auditing. Every security event should be auditable, meaning that a record gets written to an audit file each time a security event occurs. Recall that in the lecture on access control we learned about auditing in the context of accessing objects. Security auditing is a similar concept.
An audit capability is an integral part of a security system. The audit capability records any action involving security access to a log file. There must be some way to control what security information is written to the log file; the security policy should provide guidance as to what information needs to be audited.
An audit capability should provide the tools to easily select information from the audit log based on various parameters. For example, one should be able to select records based on user, security event, object type, date, time and other criteria.
Security event auditing could be integrated with a general audit capability provided by an operating system, application or physical security mechanism.
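The selection capability described above, as an added Python example that is not part of the original notes: a small parser for a constructed audit log (five sample records in a key=value format assumed for the example) and a query function that filters by user, security event, object type, result and a date/time window, which are the criteria the notes list.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample audit log (not from a real system). One record per line:
# ISO-8601 timestamp followed by key=value fields. The format is an assumption
# for this example; real systems each have their own.
SAMPLE_AUDIT_LOG = """\
2013-06-03T08:15:02Z user=alice event=LOGIN object=vpn result=success
2013-06-03T08:16:40Z user=alice event=READ object=file:/hr/salaries.xlsx result=denied
2013-06-03T09:02:11Z user=bob event=LOGIN object=vpn result=failure
2013-06-03T09:02:35Z user=bob event=LOGIN object=vpn result=success
2013-06-04T17:45:00Z user=alice event=DELETE object=file:/eng/design.doc result=success
"""


@dataclass
class AuditRecord:
    time: datetime
    user: str
    event: str
    obj: str
    result: str


def parse_audit_log(text: str) -> list:
    """Turn the text log into structured records; a malformed line raises rather than vanishing."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, *fields = line.split()
        kv = dict(field.split("=", 1) for field in fields)
        records.append(AuditRecord(
            time=datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ"),
            user=kv["user"], event=kv["event"], obj=kv["object"], result=kv["result"],
        ))
    return records


def select_records(records, user=None, event=None, object_type=None,
                   result=None, start=None, end=None) -> list:
    """Filter by any combination of the criteria the notes list.

    object_type matches the prefix before ':' in the object field (e.g. "file"),
    and the [start, end) window is applied to the record timestamps.
    """
    out = []
    for r in records:
        if user is not None and r.user != user:
            continue
        if event is not None and r.event != event:
            continue
        if object_type is not None and r.obj.split(":", 1)[0] != object_type:
            continue
        if result is not None and r.result != result:
            continue
        if start is not None and r.time < start:
            continue
        if end is not None and r.time >= end:
            continue
        out.append(r)
    return out


if __name__ == "__main__":
    records = parse_audit_log(SAMPLE_AUDIT_LOG)
    for r in select_records(records, result="denied"):
        print("denied access:", r)
    for r in select_records(records, event="LOGIN", result="failure"):
        print("failed login:", r.user, r.time)
```

Failing loudly on a malformed line is deliberate: an audit tool that silently skips records it cannot parse is exactly the gap an attacker who can influence log content would aim for.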
Assessing the Risk
The cost of not having a security policy can be very large. In fact, it is a ticket to disaster. Some companies have been driven out of business because of a simple security breach. The business disaster may not have been the actual breach, but rather the bad press caused when the lack of adequate policy protecting assets became public knowledge. Loss of customer confidence can be more damaging than the loss of tangible assets.
The risk assessment methodology should be part of the security policy document. It is important to understand the policy around what assets need to be protected and how they should be protected. It is equally important to understand how the decisions were made to protect some assets and not others. Knowing the methodology used for risk assessment and the assumptions made is a key input to understanding the security policy.
We discussed in Week 1 the importance of doing a risk assessment. That discussion focused on computer-based assets, but it really applies to all assets. Reviewing some of these concepts is worthwhile. I have replicated some material from Week 1 as it is relevant to the discussion on security policy. Further, it amplifies the fact that security policy and risk assessment are key elements that contribute to a secure information infrastructure.
Some areas to consider in risk assessment are:
information safe
When defining the security policy each of the above items needs
to be considered from
the perspective of:
or disaster?
protecting against an attack or disaster?
Asset Classification
The following table can help support a risk assessment. If numbers are assigned to each category rather than High, Medium and Low, weighted averages and threshold values can be calculated that help determine which security measures to implement (or not).

ASSET       VULNERABILITY   THREAT    COST TO IMPLEMENT PROTECTION   COST TO RECOVER
Asset n     High            High      Medium                         High
Asset n+1   Low             High      Low                            Low
Asset n+2   Low             Medium    High                           Low
Asset n+3   High            Low       Low                            High
Asset n+m   Etc.            Etc.      Etc.                           Etc.

Consider the following examples for a given asset. Keep in mind that the rationale used in analyzing any threat and determining how it will be handled is highly subjective.
Example: If the threat of a security breach is high and the cost of recovering from the breach is high, you may decide that the benefit of implementing protection is worth it.
Example: The cost associated with recovering from a security breach of this type is high. The threat of the breach occurring is low and the cost to implement protection is also low. Despite the low threat, the protection cost is also low, so with a high recovery cost you might decide to protect against the attack.
Example: The cost associated with recovering from a security breach of this type is low. The threat of the breach occurring is high and the cost to implement protection is also high. Since the recovery cost from this attack is low, you might decide to defer the high cost of protection despite the high breach potential.
Impact and Probability
Another useful tool for assessing risk is an Impact and Probability Matrix. The objective is for every threat to have a low impact on the information system and a low probability of occurring. While this is the ideal, it probably does not represent reality. By determining a numeric impact and probability ranking, each threat can be placed within a quadrant. Based on which quadrant a threat falls into, the organization may decide whether or not to implement protection mechanisms.
The following chart is credited to "Network Security Assessment" by Michael Gregg and David Kim. This text provides one source for how to develop a ranking methodology for risk assessment.
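As an added worked example (mine, not from the notes or from the Gregg and Kim text), the following Python code carries the Asset Classification table and the Impact and Probability Matrix through to a decision. The High/Medium/Low ratings are mapped to 3/2/1, the loss-side columns are combined into a weighted average, and an asset is protected when that weighted risk is at least as large as the cost-to-protect rating; the numeric mapping, the weights, the threshold and the 1..5 quadrant scale are all assumptions chosen for the example, since the notes only say that numbers "could" be assigned and stress that the judgement is subjective.

```python
# Ratings from the Asset Classification table mapped to numbers (an assumption
# for this example; the notes only say numbers "could" be assigned).
LEVEL = {"Low": 1, "Medium": 2, "High": 3}

# Weights for the weighted average of the three loss-side columns. Chosen for
# illustration; an organization would set its own.
WEIGHTS = {"vulnerability": 0.3, "threat": 0.4, "cost_to_recover": 0.3}


def weighted_risk(vulnerability, threat, cost_to_recover):
    """Weighted average of the loss-side ratings, on the same 1..3 scale."""
    return (WEIGHTS["vulnerability"] * LEVEL[vulnerability]
            + WEIGHTS["threat"] * LEVEL[threat]
            + WEIGHTS["cost_to_recover"] * LEVEL[cost_to_recover])


def decide(vulnerability, threat, cost_to_protect, cost_to_recover, threshold=0.0):
    """Protect when weighted risk exceeds the cost-to-protect rating by at least threshold.

    Returns (protect, net_benefit) so the reasoning can be reviewed, since the
    notes stress that these judgements are subjective.
    """
    net = weighted_risk(vulnerability, threat, cost_to_recover) - LEVEL[cost_to_protect]
    return (net >= threshold, round(net, 2))


def quadrant(impact, probability, midpoint=3):
    """Place a threat on the Impact and Probability Matrix (1..5 ratings, assumed scale)."""
    imp = "High Impact" if impact >= midpoint else "Low Impact"
    prob = "High Probability" if probability >= midpoint else "Low Probability"
    return imp + " / " + prob


# The rows of the Asset Classification table from the notes:
# (vulnerability, threat, cost to implement protection, cost to recover).
ASSET_TABLE = {
    "Asset n":   ("High", "High",   "Medium", "High"),
    "Asset n+1": ("Low",  "High",   "Low",    "Low"),
    "Asset n+2": ("Low",  "Medium", "High",   "Low"),
    "Asset n+3": ("High", "Low",    "Low",    "High"),
}


def evaluate_table(table=ASSET_TABLE):
    """Run the decision over every row: name -> (protect, net_benefit)."""
    return {name: decide(*row) for name, row in table.items()}


if __name__ == "__main__":
    for name, (protect, net) in evaluate_table().items():
        print(name, "protect" if protect else "defer", net)
    print(quadrant(impact=5, probability=1))
```

With these weights the rows reproduce the three worked examples in the notes: Asset n and Asset n+3 come out as "protect" and Asset n+2, with its high protection cost and low recovery cost, comes out as "defer". Changing the weights or the threshold changes the answers, which is the point of recording the methodology in the policy document.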
[Figure: Impact and Probability Matrix. Vertical axis: Impact of Event (Low to High); horizontal axis: Probability of Event (Low to High). Quadrants: High Impact / Low Probability (top left), High Impact / High Probability (top right), Low Impact / Low Probability (bottom left, marked as the Objective), Low Impact / High Probability (bottom right).]
Security Education
Security education is an ongoing process that strives to provide the proper security skills needed by each individual in the organization.
Another goal of security education is to get everyone in the organization to always think about security. This requires integrating security consciousness into every member of the organization. Everyone needs to be security conscious, from cleaning crew members to the CEO. Security needs to be integrated into the work environment so that it becomes automatic for each employee. Ongoing security education throughout the organization supports this goal.
There are levels of security training. The type of security education can be categorized based on the target audience and the particulars of the training. For a given organization or role, the division of security training may differ.
General Information: Companies can post security policies at physical premises. Some ways this can be accomplished are posting security reminders on company web sites, distributing fliers at facility entrance and exit points, short seminars, publishing security notes in company newsletters and sending regular mail messages. Another technique is to encourage employee feedback, providing recognition or rewards for ideas.
General Awareness: All employees need to be generally aware of security policy. They must understand what assets need to be protected, the value of the assets, general forms of attack and the liability of a security breach. Employees must understand acceptable employee behavior. They need to know who to report problems to. A typical awareness course might be given every 6 to 12 months through the company intranet. Each employee must read the high-level policy and indicate that they will abide by it by completing some online acceptance. There may be a short quiz on the material on which a minimum grade must be attained.
Job Specific Training: All employees involved with IT systems are required to know more about the security policies. They need to know the system-specific policies dealing with the security tools and system procedures. As users of IT assets they need to understand threats, vulnerabilities and defenses. Course work may be required based on their job code or role. Their knowledge is expected to be deeper than the general employee awareness. General technical training may involve one or two courses a year, perhaps 3 to 5 hours for each course. Specific training related to a job code or role may also be required, which is more in-depth.
Security Education: Moving up the security knowledge ladder, some employees require detailed security education, which can be college-style courses, targeted professional seminars or both. This is also coupled with on-the-job training and experience. Employees requiring this level of course work typically work in security-related positions performing functions such as developing security policies, performing security audits, developing security software and maintaining security assets.
Security Auditing
Security auditing refers to a review of an organization's security processes and procedures. In some ways a security audit resembles an I.R.S. audit (knock on wood).
The procedure proceeds as follows. A specific project team is selected to be audited. They are contacted by the security audit team to prepare for a security audit. They are told to make available various documents that describe aspects of security. These may be discrete documents or may be sections of documents that address various security issues. The documents are provided for review by the security team. Following is a hypothetical example of the type of documentation that may be reviewed.
Security Policy – Defines overall security policy
Functional Specification – Identifying security-specific aspects
Design Specification – If applicable, identifying security-specific aspects
Security Support Plan – Describing aspects of the policy that the audited process or product must address
Security Roles – Identification of roles and of the individuals that are in those roles
Testing Plan – How is security functionality tested?
Maintenance – How will the security functionality be maintained? (virus protection, patches applied, CERT advisories)
Disaster Plan – What to do when a disaster occurs
Recovery Plan – How to recover from a disaster
Risk Identification and Risk Management Plan
Issue Identification and Issue Management Plan
Proper Signoff – Each document must show proper signoff by all parties that have an interest in the integrity of the system
Some time later, after reviewing the documents, the auditors appear. They come with a group of individuals that have expertise in various areas. The auditors use the documents as a guideline to start interviews with team members to assess the level of compliance with security policy. If additional artifacts are needed, including demonstrations of functionality, they are provided. The audit takes place as an iterative procedure.
Once completed, the audit team issues a report describing the nature of the audit, what was reviewed, the areas of compliance and the areas of noncompliance. Any areas of noncompliance are ranked with a severity indicating the urgency with which compliance must be achieved.
Discussion: Audits can be very difficult procedures for some team members to participate in, particularly for teams that are low on the SEI-CMMI maturity scale (Software Engineering Institute – Capability Maturity Model Integration, http://www.sei.cmu.edu/).
Audits are a critical element that contributes to a mature security environment. As employees and project teams mature on the SEI-CMMI scale they will see the value of the security audit. It takes a lot of management effort and support to institute and support an audit process. Employees have a tendency to resist the process. Nowadays the audit procedure is more universally accepted. The convergence of Internet standards has contributed to acceptance, since they provide a framework that a project or process can be compared to. Also, the benefit of adhering to standards is now intrinsic in the engineering psyche. There was a time this was not the case.
I remember the "old days" when code reviews, design reviews, quality reviews and security reviews were formally introduced. The meetings often became a hostile environment. Individuals would take personal offense at any type of project criticism. There was little visible respect for participating groups and group members. It was an ugly, painful meeting that few individuals looked forward to, or saw any value in. Fortunately, the engineering process has improved.
Summary of Policy
This section should be viewed as a sampling of some security policy issues. It is important to recognize that having a security policy is fundamental to the health of your organization. The details of a particular security policy are unique to the organization's needs. There are many resources available to guide the creation of a security policy. Some resources are:
RFC 2196, the Site Security Handbook, which provides guidance for developing security policy and procedures for systems on the Internet.
http://www.faqs.org/rfcs/rfc2196.html
Software Engineering Institute – Capability Maturity Model Integration, Carnegie Mellon University
http://www.sei.cmu.edu/
NIST (National Institute of Standards and Technology) Recommended Security Controls for Federal Information Systems (SP 800-53 Revision 2)
http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf
CERT (Computer Emergency Response Team), Carnegie Mellon University
http://www.cert.org/
Physical Security Control
Week6 Part5-IS
RevisionSpring2014
Physical Security Control
Physical security control is strongest when it adheres to the principles of defense in depth and least privilege. Defense in depth and least privilege should be guiding principles that are fundamental to any comprehensive security strategy. Implementing security in layers provides a robust and redundant defense. Also, restricting access to only those that require it makes security sense. Consider an analogy of how you protect your house. You would not consider protecting your house with only the perimeter defense of a locked gate on the driveway. You have doors with multiple locks and windows with locks. You also may have alarm systems with multiple defenses, including motion, sound and perimeter detection and the ability to call authorities. You may also have closed-circuit television (CCTV), guard dogs and personal protection devices. Defense in depth is what you are implementing for your home in this example. Also, with respect to least privilege, you certainly would not give a house key or alarm code to someone you don't want in your house.
Physical security for your organization should be implemented using the principles of defense in depth and least privilege.
Keeping People Safe
An obvious component of physical security is making sure that people are kept safe. The facility must have adequate protection against a range of disasters. Safety standards must be followed as dictated by local standards; for example, local fire and building codes must be followed. Some safety standards for operating machinery or maintaining workplace safety are dictated by national organizations such as the Occupational Safety and Health Administration (OSHA). Organizations are subject to inspection by these safety organizations for compliance and, if not adhering to standards, can be fined or shut down. Also, depending on where the facility is located, protection against other "acts of God" such as hurricane, tornado and flooding also needs to be accounted for. Local standards should always be followed as a minimum.
These protections also need to be applied to physical assets in the facility, but specific attention needs to be paid to the health and well-being of personnel on the physical premises. Sound policy, procedures and education around personal safety should be number one on the list of physical security.
Perimeter Control
Secure physical access starts with securing your perimeter. For some types of sites the perimeter can be secured using CCTV. This can monitor the coming and going of traffic into company parking lots. It also provides employees with protection against personal threats and vandalism to their vehicles. Having adequate lighting in outside areas is important as well. Lighting discourages theft and vandalism as well as providing some safety.
In a more secure or government facility, gated entries staffed with guards can be implemented. N-factor authentication can also be implemented to gain entry to the premises. Perimeter controls using walls, barbed wire and guards can be implemented depending on the level of protection required. Protecting trash and recycling areas is important. Several very damaging attacks have been engineered by attackers who acquired valuable intellectual assets by "dumpster diving".
Security measures need to be taken to protect cabling, wiring and associated infrastructure. This is needed to protect the physical medium from damage in the event of environmental disaster or man-made sabotage. Adequate security for protecting signals from third-party interception when transmitted over wireless or wired media is needed. For protecting wired media from man-in-the-middle or eavesdropping attacks, sufficient physical shielding of wires is needed to protect against physical interception of signals. For protection of wireless signals, cryptographic controls such as encryption for confidentiality and keyed hashing for integrity are needed. This is an example where physical controls and programmatic controls intersect in a classic defense in depth scenario to provide protection for the information infrastructure.
Entering and Exiting the Premises
For most large companies, employees stream through the entrance doors during normal work hours. Guard desks are sometimes staffed by less than diligent guards who simply do not check the badge of every person entering the premises. Plus, with only one door for entry, several employees stream into the building at one time. Even familiar faces entering the building could have been terminated the previous day and be re-entering with some malicious intent in mind. This can be a security problem. Displaying a badge to a guard as you walk by does not provide a real safeguard against false entry.
A more secure approach would be to implement some sort of multi-factor authentication to gain access to the building. For example, each employee has a coded badge and must swipe it and enter a PIN before the door opens. If the PIN is correct, the door opens to allow entry. This can present a problem of rapid entry to the building, particularly in inclement weather if there are a lot of people; however, with multiple doors, turnstiles or man-traps the problem of multiple people entering can be mitigated. Using a keycard badge to enter and exit the building also provides the benefit of an audit trail of who entered and exited the building and the date and time.
Entering the facility after hours through a locked door can be
handled through coded
badge access. Multi-factor authentication is very important in
case a card was lost or
stolen. Having a CCTV camera on each entry is important.
Something that is hard to
control after normal business hours entry is “tailgating”. This is
where someone closely
79. follows an authenticated person into a facility without being
authenticated. This is easiest
to control if employees are educated that tailgating is not
allowed. Employees will
generally comply with this policy. The person that won’t
comply is the person trying to
gain illegal access. If they force themselves in it is difficult to
make it the employee’s
responsibility to keep them out, but the company should provide
a contact that the
legitimate employee can reach to explain what happened.
For smaller places of business having protections similar to
your house are in order:
nd sound detection, automatic
notification of
authorities
Entering and Exiting Secure Spaces
Entering secure rooms has similar issues to entering secure grounds and buildings, and the problems can be mitigated by similar mechanisms. Physical access to areas within the premises should be guided by the principle of least privilege.
Principle of Least Privilege: no person should be granted more access than they need to do their job.
Access to these rooms should be controlled by n-factor authentication. Minimally, entry could require a badge swipe and a PIN code; coupled with CCTV this gives two factors of authentication along with a video record. For more critical areas biometric access can be added so that a compromised badge and PIN alone are not sufficient. For ultra-secure areas guards in addition to the aforementioned mechanisms may be in order. Exit from secure spaces should use the same authentication techniques as entry, so that the audit trail shows both when a person entered and when they left.
COMMON ACCESS CARDS
Some organizations and government agencies control access to all assets using common access cards (CAC). A CAC carries multiple forms of identification: a photograph of the card holder, a magnetic stripe used by door readers for rooms and areas requiring that type of access, and an integrated circuit chip that makes it a smart card for logging on to computer systems fitted with suitable readers. The chip holds the holder's PKI (Public Key Infrastructure) certificates and private keys, so the user can be identified using encryption and digital signing capabilities without the private key ever leaving the card. The card is used together with something-you-know (SYK) authentication such as a PIN or password; when the SYK factor is required in conjunction with the CAC, a second factor of authentication is provided.
An advantage of a CAC is that all automated CAC uses can be logged to a centralized audit file providing a record of access. The CAC demonstrates the merging of authentication, access and auditing controls for both physical (e.g. buildings/rooms) and electronic (e.g. computers/files) assets.
Environmental Controls
Some environmental control needs are common across most facilities in most industries, particularly those that deal with the safety of people. Other concerns depend on the business being conducted at the facility.
Consider power, for example. In the case of a power outage can the facility be emptied and everyone sent home, or does backup power need to be supplied to support a 24x7 operation? Does the 24x7 operation need to accommodate machines and a skeleton staff, or a full work staff? What about the use of elevators in a high-rise building? Can egress be accomplished on backup power?
Fire suppression is another area with special needs depending on the type of business being conducted. What fire suppression technology is needed for what asset type? Opening a deluge of water on a million dollar computer system is probably not the optimal first choice for fire suppression; suppressing a fire in a meeting room with water to protect people and the building may be the correct solution.
Heating, Ventilation and Air Conditioning (HVAC) is another area that requires analysis. Computer rooms need reliable air conditioning that is often quite cool, while office areas need air conditioning that is comfortable for humans. Heating and clean air are equally important and their needs must be considered.
Auditing and Physical Security
The need to audit physical security events is as important as for events that apply to information technology assets. All forms of entrance and egress from buildings and secure rooms should be audited. Any access controlled through keycards, PIN pads, biometric scans or other forms of automated access should have a record of the activity automatically written to an audit file. Records of entry and egress captured by handwritten logs and CCTV need to be retained in an orderly manner.
Records also need to be kept of physical equipment. All equipment should carry an asset tag, and the inventory should record the model and serial number of the equipment, where it is located and the responsible party.
There may be regulations that require auditing all access to various physical resources (e.g. buildings and rooms). This requirement is no different than for accessing computer systems and electronic files.
How Much Physical Security is enough?
Just as the risk to your information assets needed to be assessed, so does the risk to your physical assets.
The choices and variations in physical security are many. Consider a sampling of the choices for protecting access to a room storing records in a file cabinet. Do you use a keyed or combination lock? What Underwriters Laboratories (UL) rating is required for the locks? Is multi-factor authentication needed for some aspects of physical security, such as building access or secure room access? Should CCTV be implemented in the parking areas, on building doors and on access to restricted areas such as computer lab environments and critical record storage? Are human guards required in areas to control access? The proper protection to use can only be determined after the assets that require protection are assessed.
Your physical assets need to be inventoried and assessed along several dimensions. The dimensions are no different from what we started with for assessing the information assets. At some point the physical assets will likely intersect with the information assets; that is, they are one and the same.
In order to implement a security plan it is necessary to understand:
- ...of attacks that can take place against each asset
- ...attack or to recover from an attack
- the cost of protecting against the attack
Only after performing a complete assessment can you determine how much physical security is enough.
Authorization
Week6 Part4-IS
RevisionSu2013
Authorization
Authorization is the part of access control where an organization determines how much access a user is given. The access control model used in your organization shapes the authorization a user or process has to access various resources.
Access control models fall into three general categories.
1. Discretionary Access Control (DAC)
2. Mandatory Access Control (MAC)
3. Role Based Access Control (RBAC)
Irrespective of the access control model in your organization, accepted security practice is to implement according to the principle of least privilege: a user is authorized the minimum amount of access they need to get their job done. By granting the user least privilege, the amount of damage that can be intentionally or accidentally caused is limited.
Subjects and Objects
In an access control system subjects access objects. Access control works by controlling which subjects are granted which kinds of access to which objects. If every subject could access every object there would be no access control and no security.
Access control systems can be modeled using access control matrices. Following is a simplified access control matrix with three subjects and three objects. Think of the subjects as users and the objects as files.

                 OBJECTS
SUBJECTS    file1      file2           file3
S1          read       read, owner     write
S2          write      execute         read, write, owner
S3          owner      write           read

In this model:
S1 has read access to file1 and file2 and write access to file3. S1 is the owner of file2.
S2 has write access to file1, execute access to file2 and read and write access to file3. S2 is also the owner of file3.
S3 is the owner of file1, has write access to file2 and read access to file3.
The access matrix is a model, but one can envision defining data structures that support an actual implementation of this matrix in an access control system. In practice the matrix is sparse, so it is stored either by column, as an access control list attached to each object, or by row, as a capability list held by each subject.
The above is a very simplified access control model. Access control concepts extend beyond files: they are also used to control access to processes, devices, memory locations and other constructs that need access controlled.
Discretionary Access Control (DAC)
Discretionary access control is the type of access control used in most commercial operating systems; Unix/Linux and Windows use a discretionary model. DAC operates on the principle that an object has an owner. The owner controls which subjects are granted access to the object, and also has the authority to grant another subject owner access so that it in turn may grant other subjects access.
The above access control matrix models a simplified DAC system, since an owner is indicated for each object.
The DAC model supports the principle of least privilege, but it is easy to find users that have more access than they need to do their job. Supporting least privilege in a DAC model takes active management, that is, periodic review of who holds which rights, to ensure users do not have more privilege than their jobs require. DAC supports limited separation of duties based on the groups an individual belongs to, but the model is limited and other tools, such as sudo in Unix/Linux environments, are used for finer grained control over privileged operations.
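The matrix above can be made concrete as a data structure. The following is an added example written for these notes, not code from the course: it stores the matrix sparsely, enforces the DAC rule that only an owner may grant or revoke rights (ownership itself being a grantable right, so it can be delegated), rebuilds the three-subject matrix in the order a DAC system would, and adds a least-privilege review that reports rights held beyond a stated need. The subject and file names are the ones in the matrix; the class and function names are this example's own.

```python
# Added example for these notes, not code from the course: an access control
# matrix stored sparsely, with DAC ownership rules. Class and function names
# are this example's own; subjects S1..S3 and file1..file3 are from the text.

READ, WRITE, EXECUTE, OWNER = "read", "write", "execute", "owner"


class AccessControlMatrix:
    def __init__(self):
        # matrix[subject][object] -> set of rights; an absent entry means no access
        self.matrix = {}

    def rights(self, subject, obj):
        return self.matrix.get(subject, {}).get(obj, set())

    def allowed(self, subject, obj, right):
        return right in self.rights(subject, obj)

    def _add(self, subject, obj, right):
        self.matrix.setdefault(subject, {}).setdefault(obj, set()).add(right)

    def create(self, subject, obj):
        """The subject that creates an object becomes its first owner."""
        if any(obj in row for row in self.matrix.values()):
            raise ValueError(f"{obj} already exists")
        self._add(subject, obj, OWNER)

    def grant(self, granter, subject, obj, right):
        """DAC rule: only an owner of obj may grant rights on it, and OWNER is
        itself a grantable right, so ownership can be delegated."""
        if not self.allowed(granter, obj, OWNER):
            raise PermissionError(f"{granter} does not own {obj}")
        self._add(subject, obj, right)

    def revoke(self, revoker, subject, obj, right):
        if not self.allowed(revoker, obj, OWNER):
            raise PermissionError(f"{revoker} does not own {obj}")
        self.rights(subject, obj).discard(right)


def build_example_matrix():
    """Rebuild the three-subject, three-file matrix from the text the way a
    DAC system would: each file is created by its owner, who then grants the
    remaining rights."""
    acm = AccessControlMatrix()
    acm.create("S3", "file1")
    acm.create("S1", "file2")
    acm.create("S2", "file3")
    for granter, subject, obj, right in [
        ("S3", "S1", "file1", READ), ("S3", "S2", "file1", WRITE),
        ("S1", "S1", "file2", READ), ("S1", "S2", "file2", EXECUTE),
        ("S1", "S3", "file2", WRITE),
        ("S2", "S1", "file3", WRITE), ("S2", "S2", "file3", READ),
        ("S2", "S2", "file3", WRITE), ("S2", "S3", "file3", READ),
    ]:
        acm.grant(granter, subject, obj, right)
    return acm


def excess_rights(acm, needed):
    """Least-privilege review: rights held beyond what each subject's job needs.
    `needed` maps subject -> {object: set of rights}; the result is what to revoke."""
    excess = {}
    for subject, row in acm.matrix.items():
        for obj, rights in row.items():
            extra = rights - needed.get(subject, {}).get(obj, set())
            if extra:
                excess.setdefault(subject, {})[obj] = extra
    return excess
```

The review function is the "active management" the text calls for: run it against a statement of what each job actually needs and revoke whatever it reports.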
Access Control Example
A description of access control concepts includes a discussion of Subjects, Objects and Permissions. Depending on the particular system the terminology may vary slightly but the concepts should be similar. Following is an example of the UNIX access control system; it applies equally to Linux.
Subjects:
User – the owner of the object.
Group – all users (including the owner) who are members of the group the object belongs to, i.e. the group shown beside the owner in an ls -l listing (which need not be the owner's own primary group).
Other – all other users defined on the system.
*Another subject not in the list is the superuser: someone who obtains superuser privilege by logging in as root or by switching to root with su or sudo. Someone with root privilege bypasses the permission checks entirely and can alter the owner of any object.
Permissions:
Read – the right to read, print, or copy the file.
Write – the right to modify the file.
Execute – the right to run the file as an executable program image or a script.
The UNIX permissions access control model is a discretionary access control model. The UNIX model implements access control to files by using permissions; supplementing permissions in most UNIX/Linux distributions are access control lists.
Permissions are specified for three subjects: user, group and other. You may see this abbreviated to ugo. The objects controlled by permissions are files. Many control structures in UNIX are implemented as files. For example directories, links (symbolic and hard), pipes, sockets and device nodes (block and character) are implemented as files. Therefore while permissions control access to files, they effectively control access to other mechanisms that deal with directory structures, input/output and inter-process communication. The permissions for a file can be viewed using the ls -l command. There are other options that can be used but -l provides the information we need.
$ ls -l
-rw-r--r-- 1 wvales accfac   23 Feb 12 08:11 test.txt
-rw-r--r-- 1 wvales accfac   23 Feb 12 08:12 test1.txt
drwxr-xr-x 2 wvales accfac 4096 Feb 12 09:10 test.dir
The file type is designated by the first character in the ls output. A hyphen "-" indicates a "regular" file in UNIX speak; think of this as a text file. A "d" indicates the file is a directory.
The above ls command outputs information for three files: two regular files and one directory.
The permission breakdown is based on three types of subject: the user (i.e. owner) of the object, the members of the group the object belongs to, and anyone else, denoted by other. These permissions apply to any object whose type can appear as the first character of the mode field. Objects can be a file, directory, symbolic link, named pipe, socket, block device or character device.
The following table shows the seven object types in the UNIX DAC model, each with the three permission groups (user, group, other) that follow the type character.

Type  Mode as shown by ls -l   Object type
-     -rwxrw-rw-               regular file
d     drwxrw-rw-               directory
l     lrwxrw-rw-               symbolic link
p     prwxrw-rw-               named pipe
s     srwxrw-rw-               socket
b     brwxrw-rw-               block device
c     crwxrw-rw-               character device
There are three permissions (or access modes) assigned to the object for each subject type. Depending on the object type the access mode (rwx) means different things.
r – read access. For a file object, read access means the file can be opened for reading by a text editor or by utilities such as cat or more. For a directory object, read access means the names of the entries in the directory can be listed (ls).
w – write access. For a file object, write access allows a new version of the file to be written. For a directory object, write access means entries can be created, removed or renamed in the directory; it is this permission, not write permission on the file itself, that allows a file to be deleted. For a block or character device, write access means the device can be "written" to.
x – execute access. For a script or program image, execute access means the file can be run by the shell or loaded by the kernel. For a directory object, execute access (also called search permission) means the directory can be traversed: entries can be looked up by name, so files within it can be opened, examined (ls -l needs this to show the details) and cd'd into. Without execute access on a directory you are effectively denying access to everything beneath it in the directory tree, whatever the permissions on the files below say; with read but no execute you can list the names but do nothing with them.
Access Control Lists (ACLs)
Another discretionary access control found in most operating systems (UNIX/Linux/Windows) is the Access Control List (ACL). The UNIX style permission structure gives a coarse granularity of access control: if you want to allow certain individuals access to a file you have to create a new group containing exactly those users. Creating and deleting groups and changing group membership can become very difficult to manage. Using an access control list simplifies this.
An access control list allows the owner to specify access for specific users and specific groups on a file, in addition to the user/group/other classes. This access is "finer grained" than the permissions, which can only express one owner, one group and everyone else. ACLs are not available on all implementations of UNIX. On Linux and other systems implementing POSIX.1e ACLs they are managed with the setfacl and getfacl commands. Such an ACL also carries a mask entry that caps the effective rights of every named user and group entry, which is why getfacl may print "#effective:" next to an entry whose rights exceed the mask.
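The following added example (not part of the course notes) models the checks described in the permissions and ACL sections above: the ugo mode bits are evaluated the way the kernel does (owner class if the caller owns the file, else group class if the caller is in the file's group, else other), POSIX.1e ACL entries are accepted in the tag:qualifier:perms form that getfacl prints (including the mask entry), and search permission is required on every directory along a path. The users, groups, files and ACL lines are constructed for the example; the user name wvales and group accfac are taken from the ls -l listing above, everything else is invented.

```python
# Added example, not code from the course notes: a model of the UNIX
# discretionary access check (mode bits, POSIX.1e ACLs with mask, and the
# search-permission requirement on each path component). Users, groups,
# files and ACL lines below are constructed for the example.
from dataclasses import dataclass, field

R, W, X = 4, 2, 1          # permission bits, as in chmod octal notation


def perm_bits(s):
    """'rwx' -> 7, 'r-x' -> 5, '---' -> 0; characters are always in r, w, x order."""
    return sum(v for ch, v in zip(s, (R, W, X)) if ch != "-")


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset       # primary plus supplementary groups


@dataclass
class File:
    owner: str
    group: str              # the file's group as shown by ls -l, not necessarily the owner's
    mode: str               # the nine rwx characters that follow the type character
    acl: list = field(default_factory=list)   # optional getfacl lines "tag:qualifier:perms"


def acl_entries(f):
    """(tag, qualifier, bits) triples. A file with no ACL behaves exactly like the
    three-entry ACL derived from its mode bits: user::, group::, other::."""
    lines = f.acl or [f"user::{f.mode[0:3]}", f"group::{f.mode[3:6]}", f"other::{f.mode[6:9]}"]
    entries = []
    for line in lines:
        tag, qualifier, perms = line.split(":")
        entries.append((tag, qualifier, perm_bits(perms)))
    return entries


def allowed(f, u, want):
    """POSIX.1e check for the bits in `want` (e.g. R | W): the owner entry applies
    unmasked; a named user entry applies ANDed with the mask; the owning group and
    any named group the user belongs to are tried and the first that grants every
    wanted bit (masked) wins; if a group entry matched the user but none granted,
    'other' is NOT consulted."""
    entries = acl_entries(f)
    mask = next((bits for tag, _, bits in entries if tag == "mask"), R | W | X)
    group_matched = False
    for tag, qualifier, bits in entries:
        if tag == "user" and qualifier == "" and u.name == f.owner:
            return (bits & want) == want
        if tag == "user" and qualifier == u.name:
            return (bits & mask & want) == want
        if tag == "group" and ((qualifier == "" and f.group in u.groups)
                               or (qualifier != "" and qualifier in u.groups)):
            group_matched = True
            if (bits & mask & want) == want:
                return True
        if tag == "other":
            return False if group_matched else (bits & want) == want
    return False


def can_access(fs, u, path, want):
    """Reaching /a/b/c needs x on /, /a and /a/b before `want` is checked on c:
    a directory without x denies everything beneath it, whatever the files say."""
    parts = path.strip("/").split("/")
    for depth in range(len(parts)):
        parent = "/" + "/".join(parts[:depth])
        if not allowed(fs[parent], u, X):
            return False
    return allowed(fs[path], u, want)


# Constructed sample users and filesystem (wvales/accfac mirror the ls -l listing above).
WVALES = User("wvales", frozenset({"accfac"}))
BCHEN = User("bchen", frozenset({"accfac"}))       # colleague in the files' group
ASMITH = User("asmith", frozenset({"audit"}))      # named in an ACL entry
JDOE = User("jdoe", frozenset({"students"}))       # falls into "other"

FS = {
    "/":                       File("root", "root", "rwxr-xr-x"),
    "/home":                   File("root", "root", "rwxr-xr-x"),
    "/home/wvales":            File("wvales", "accfac", "rwxr-x--x"),  # others may traverse, not list
    "/home/wvales/test.txt":   File("wvales", "accfac", "rw-r--r--"),
    "/home/wvales/grades.csv": File("wvales", "accfac", "rw-r-----", acl=[
        "user::rw-", "user:asmith:rw-", "group::r--", "group:audit:r--",
        "mask::r--", "other::---"]),   # the mask caps asmith's rw- to an effective r--
    "/home/wvales/private":    File("wvales", "accfac", "rwx------"),
    "/home/wvales/private/notes.txt": File("wvales", "accfac", "rw-rw-rw-"),
}
```

Two things worth running: jdoe can read test.txt through a home directory that is --x for others but cannot list that directory, and notes.txt is world-writable yet unreachable for everyone but the owner because the private directory has no search bit.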
Mandatory Access Control (MAC)
Mandatory access control is used in environments where access is controlled by the system according to a policy that individual users cannot override. Many government systems use Mandatory Access Control. In a mandatory access control system the owner of an object, if it has one, does not decide who may access it; access is decided by the system, not by a subject. MAC systems have the concept of labels. A typical MAC system has labels that correspond to security levels; using the government model the levels are unclassified, confidential, secret and top secret. Labels are attached to both objects and subjects.
Access works as follows: a subject may read an object whose label is at or below the subject's own label. If a subject attempts to read an object that requires a higher level, the access is denied. For example, a subject with a label of confidential can read objects labelled confidential or unclassified, but not objects labelled secret or top secret. A confidentiality-oriented MAC policy (the classic Bell-LaPadula model) also forbids writing down: a subject at secret may not write into an unclassified object, since that would let secret data reach readers at the lower level.
MAC systems support the concept of least privilege. Separation of duties is supported based on the labels assigned to an individual.
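The following added example, written for these notes rather than taken from them, makes the label check concrete. The notes describe a linear ordering of levels; the example uses the general form, in which a label is a level plus a set of categories and label A dominates label B when A's level is at least B's and A's categories include B's. Reads follow the rule in the text, and the no-write-down rule is included as the caveat mentioned above. The level names are the government ones from the text; the category names and function names are constructed.

```python
# Added example, not from the course notes: a mandatory access decision over
# (level, categories) labels. Levels are the ones in the text; categories and
# names are constructed for the example.

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


class Label:
    def __init__(self, level, categories=()):
        if level not in LEVELS:
            raise ValueError(f"unknown level {level!r}")
        self.level = level
        self.categories = frozenset(categories)

    def dominates(self, other):
        """self >= other in the lattice: level at least as high AND a superset of
        the categories. Two labels can be incomparable (neither dominates)."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

    def __repr__(self):
        return f"{self.level}/{sorted(self.categories)}"


def may_read(subject, obj):
    """Simple security property ("no read up"): the subject's label must dominate the object's."""
    return subject.dominates(obj)


def may_write(subject, obj):
    """*-property ("no write down"): the object's label must dominate the subject's,
    so a secret process cannot copy what it has read into an unclassified file."""
    return obj.dominates(subject)


def decide(subject, obj, op):
    """The system decides from the labels alone; an object's owner has no say,
    which is what makes the control mandatory rather than discretionary."""
    if op == "read":
        return may_read(subject, obj)
    if op == "write":
        return may_write(subject, obj)
    if op == "read-write":
        return may_read(subject, obj) and may_write(subject, obj)
    raise ValueError(f"unknown operation {op!r}")
```

Note that read-write access is only possible when the two labels are equal, which is why real systems usually give a subject a range of labels rather than a single one.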
Role Based Access Control (RBAC)
Role Based Access Control works by assigning access to an object according to the role a subject has within a system. A subject can hold several roles in a system at any time, and each role potentially has different levels of access. RBAC is rapidly gaining popularity as the need to control access based on role is being mandated by government legislation such as Sarbanes-Oxley.
Large organizations are adopting RBAC systems because of the relative ease of granting access to objects by assigning roles to subjects (employees). The ease of assigning and removing access translates into large cost savings for companies that have high employee turnover or frequent changes of role within the organization.
RBAC systems support the concept of least privilege. Separation of duties is supported based on the roles individuals are assigned to. Some RBAC implementations support separation of duties by implementing constraints between mutually exclusive roles. A constraint of this type means that if a subject holds multiple roles that conflict for a particular object, then access to that object is restricted; more commonly, the conflicting role assignment is refused in the first place. For example, assume someone serves the dual roles of loan officer and loan auditor. They should not be allowed to audit loans, since they are also approved to act as a loan officer.
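The following added example (not code from the course notes) is a minimal RBAC engine with a static separation-of-duty constraint. Permissions attach to roles and roles to users; a pair of roles declared mutually exclusive can never both be held by one user, so the loan officer / loan auditor conflict from the text is rejected when the second role is assigned rather than discovered at access time. The role names and the permission tuples are constructed for the example.

```python
# Added example, not from the course notes: RBAC with mutually exclusive
# roles (static separation of duty). Roles and permissions are constructed.


class RBAC:
    def __init__(self):
        self.role_perms = {}        # role -> set of (operation, object type)
        self.user_roles = {}        # user -> set of roles
        self.exclusive = set()      # frozenset({role_a, role_b}) pairs

    def add_role(self, role, perms):
        self.role_perms[role] = set(perms)

    def declare_exclusive(self, role_a, role_b):
        self.exclusive.add(frozenset((role_a, role_b)))

    def assign(self, user, role):
        """Refuse the assignment if the user already holds a role that excludes it."""
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role}")
        held = self.user_roles.setdefault(user, set())
        for other in held:
            if frozenset((role, other)) in self.exclusive:
                raise PermissionError(f"{user} already holds {other}, which excludes {role}")
        held.add(role)

    def revoke(self, user, role):
        """Removing a role removes every permission it carried in one step: this is
        the cheap offboarding and role change the text refers to."""
        self.user_roles.get(user, set()).discard(role)

    def permitted(self, user, operation, obj_type):
        """Access is granted if any role the user holds carries the permission."""
        return any((operation, obj_type) in self.role_perms[r]
                   for r in self.user_roles.get(user, ()))


def build_bank():
    """A small bank: tellers, loan officers and loan auditors, with the last two
    declared mutually exclusive."""
    rbac = RBAC()
    rbac.add_role("teller", {("read", "account"), ("deposit", "account")})
    rbac.add_role("loan_officer", {("read", "loan"), ("approve", "loan")})
    rbac.add_role("loan_auditor", {("read", "loan"), ("audit", "loan")})
    rbac.declare_exclusive("loan_officer", "loan_auditor")
    return rbac
```

An unknown user simply holds no roles and so is permitted nothing; there is no separate deny list to maintain.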
Auditing
Auditing of access control operations is a requirement for running a secure information infrastructure. All major operating systems have auditing systems. Windows has the Event Viewer application for viewing events in the System, Security and Application logs (and, on older versions, an Internet Explorer log). UNIX/Linux has the syslog facility for recording similar events. Many applications have their own auditing for application specific operations: a firewall keeps a log of the connections it permitted and denied, and database systems have audit logs recording modifications to the database metadata as well as accesses to data.
For a particular environment the amount of information that could be recorded to an audit file can be voluminous. As long as the tools that read the audit log allow searching and sorting of entries, the size of the audit logs may not be an issue. However, there are cases where the amount of information being audited is so large that there is a performance impact on the system writing the audit log, and the amount of disk space used may also be an issue.
Most audit systems let you specify what information is to be audited. Instead of auditing every access to every file, perhaps audit entries only need to be written when critical files are accessed. Typically, with high bandwidth, big disks and good sorting and searching capabilities in the audit system, users will audit everything until a problem occurs that dictates the amount of data audited should be reduced.
Discussion: While managing the development and maintenance of a Transaction Processing System (TPS) we had a customer that used the system for online options trading. The customer decided to audit all access control activity. At peak trading times the transaction rate exceeded several thousand transactions a minute. This resulted in a huge amount of data to be audited. System performance eventually ground to a halt, affecting the ability to perform the options trading. The large amount of data being written to the audit log was causing thrashing between the process writing the audit file and the trading program. Assigning a higher priority to the trading program allowed it to run before the audit writing program. This worked for a while, until the buffers for the audit program filled up with information that needed to be written to the audit disk. The next fix was to expand the buffers holding the audit information. Knowing this would only postpone the problem, we moved the audit log to a separate disk where there was no contention from any other process.
Mode Access
The subject/object access models we just discussed assume the subjects all have the same privileges. This is not the case; some users have more privileges than others. In Windows XP, Windows 7 and Windows 8 there are Administrator and (standard) User accounts. Any user with administrator privileges can perform more operations than a user with user privileges.
Windows XP Account Types.
Windows 7 Account Types.
In UNIX/Linux there are two types of users: root and ordinary users. Any user that has logged into the root account is the "superuser". With superuser or root privileges the user can do anything: they have access to everything any other user has and more. They can create accounts, change passwords, kill user processes, change file ownership, format devices and perform many other operations that an ordinary user cannot.
Superuser in UNIX or Administrator in Windows has unfettered access to all aspects of the system. Being logged into an account with these elevated privileges all of the time is not recommended on a secure system. Accidents can happen, and any malicious program that runs in your session (a compromised browser, a trojaned download) inherits whatever privilege you are logged in with, so a hijacked session becomes a hijacked privileged account. It is best to switch to elevated privileges when they are needed and then switch back to normal (user) privileges when done. It only takes one errant Delete or rm command run with elevated privileges to make this point.
Many UNIX/Linux systems disable direct root logins and instead let authorized users run individual commands as root via the sudo utility. sudo checks the request against the sudoers policy (which can restrict a user to particular commands), logs each command it runs, and caches the user's authentication for a limited period so that the password is not demanded for every command.
Reasons for Auditing
Analyzing System Activity
Many times activity on a system needs to be looked at in retrospect. Some security breaches are not detected until after the fact: a file is removed, or confidential information is accessed, or a program is run, in a way that in normal day to day operation is not considered abnormal. However, after learning that confidential information has been leaked it may become necessary to determine which users had access to the information, or which program accessed it. If these accesses are recorded in the audit logs it is a simple matter to search the logs to determine when the accesses occurred.
Compliance Reporting
In this age of corporate fraud and security breaches of sensitive information it is becoming increasingly important for organizations to prove that access to information is limited and information is protected. Regulations such as Sarbanes-Oxley require that companies keep accurate information trails for government compliance reporting. Another motivator for organizations to audit information is the possibility of litigation over damages related to the improper care of client information.
A key part of a security strategy is to have policies and procedures in place that audit activities. This includes auditing of activities related to computer access as well as access to physical properties such as rooms, buildings, parking lots and any other area of importance. Determining the right amount of access information to audit is also important; the amount of information audited should be based on the asset in question. Too much audit information may require too much disk space and too much time to sort through. Auditing too little information may not provide the trail of access needed to determine what went wrong.
Examples of Authentication Systems
Week6 Part3-IS
RevisionSu2013
Examples of Authentication Systems
Authentication services tend to be part of a larger system such as an operating system, middleware system, database management system or some other type of application. Authentication services can also be implemented as services with well defined interfaces so that one authentication service can be used by a variety of systems.
There are numerous authentication systems available; each has its own strengths and weaknesses. Some authentication schemes were developed to support particular applications, so they have unique features to support those environments (e.g. remote, mobile computing, and wireless). Some authentication schemes protect against certain types of attacks that may be more prevalent in a particular application or environment.
In this section we take a look at a few representative authentication schemes.
Kerberos
Kerberos is a network authentication system developed by MIT (Massachusetts Institute of Technology) in the 1980s for Project Athena. Kerberos (Cerberus) is the name from Greek mythology of the three headed dog that guards the gate of Hades.
Kerberos supports single sign-on, allowing users to access various server services in a network environment after authenticating once. It makes use of symmetric encryption to support secure communications between systems. Kerberos uses a centralized server called a Key Distribution Center (KDC) which holds the long-term secret key of every user and service (for users, a key derived from the password) and is responsible for centralized authentication. It is critical that the Kerberos KDC is kept SECURE: since all of the key material is stored in the KDC, its compromise compromises every principal, and it is also a single point of failure for availability.
The Kerberos protocol uses a "ticket" model: a client first obtains a ticket-granting ticket from the KDC by proving knowledge of its own key, then requests a service ticket for each service it wants and presents that ticket to the server as its credential for the requested service. Tickets carry an expiry time, so clocks must be kept in sync across the realm.
Kerberos technology is widely used in many operating systems and applications, including Windows 2000 and later (Active Directory domains) and UNIX distributions including Sun Solaris, FreeBSD and various Linux distributions.
Virtual Private Networks (VPN)
In the "old days" if a company wanted a secure connection from one location to another they paid to have private lines strung between the locations. This provided a dedicated, secure but very expensive solution. In today's remote, mobile internet environment hardwiring secure connections is not always feasible. To support secure connections over the internet, Virtual Private Networks (VPNs) were developed. VPN technology supports creating secure connections over an insecure medium (the internet).
A VPN is implemented on the internet by establishing a secure connection between two parties that want to communicate. The secure connection is established by placing a wrapper around the data to be transmitted and encrypting the data within the wrapper. The wrapping of information is known as encapsulating the data. The encryption keys are known only to the sender and receiver of the data. This results in a secure connection for the two parties over an insecure medium.
The creation of a VPN may make use of a technique known as tunneling. Tunneling uses one protocol to encapsulate and another protocol for transmission. Tunneling allows a protocol that is incompatible with the underlying network to be carried over that network. Tunneling also supports the secure transmission of information across an insecure path by allowing the information flowing through the tunnel to be encrypted; encapsulation by itself provides no confidentiality, only the encryption does.
There are several different protocols that can be used to support tunneling. Some popular ones are:
- Point-to-Point Tunneling Protocol (PPTP)
- Layer 2 Tunneling Protocol (L2TP)
- IPsec
VPNs support the secure exchange of information by implementing functionality that provides:
- ...network
- secure exchange of routing information
VPNs need to authenticate clients and servers. There are different services that can be used to perform authentication. Depending on the type of connection, one authentication scheme may make more sense than another. Following is a small representative sample of authentication schemes.
Extensible Authentication Protocol (EAP)
EAP is more of a framework than an actual implementation of an authentication service. EAP was designed as an extension of PPP (Point-to-Point Protocol) authentication, so it is available wherever PPP is carried, including over PPTP (Point-to-Point Tunneling Protocol), which encapsulates PPP frames within IP packets so they can be forwarded over any IP network. EAP provides the framework within which both standard and vendor-specific authentication methods, using passwords, one-time tokens or digital certificates, can be carried over an IP network; the link endpoints pass the EAP messages through to an authentication server without needing to understand the method in use.
Challenge Handshake Authentication Protocol (CHAP)
CHAP is a three-way handshake that authenticates a client to a server when a connection is established. CHAP also periodically re-authenticates the client during the session, which provides a more robust level of security.
The challenge relies on two things:
1. Client and server use the same hash function to compute the message digest. The hash function is fixed by the protocol (MD5 in RFC 1994).
2. The client and the server have a shared secret (the password), configured on both sides in advance. The secret itself is never sent over the link.
The handshake makes use of a one-way hash function to authenticate the client:
1. The client requests a connection from the server.
2. The server generates a challenge, a string of random bytes that is different every time, and sends it to the client together with an identifier.
3. The client responds with a message digest computed over the identifier, the shared secret and the challenge.
4. The server computes the same digest from its own copy of the secret and compares it with the client's response. If the two are the same the client is authenticated and the connection is established; if they differ the client is not authenticated and no connection is established.
Because each challenge is random, a captured response cannot be replayed against a later challenge. The security of the scheme rests on the secret: an eavesdropper who records a challenge and its response can try candidate passwords offline, so a weak password remains weak under CHAP.
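Both sides of the exchange, as an added example written for these notes (not code from the course): the response is MD5 over the one-byte identifier, the shared secret and the challenge, as RFC 1994 specifies. The secret is configured on both ends in advance and never crosses the link; only the identifier, the challenge and the digest do. The peer names and secrets are constructed for the example, and the class and function names are this example's own.

```python
# Added example, not from the course notes: a CHAP (RFC 1994) exchange with
# the server keeping one outstanding challenge per peer. Peer names and
# secrets are constructed for the example.
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """Peer side: Response = MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Server side: issues challenges, verifies responses, and can re-challenge
    at any time during a session (CHAP's periodic re-authentication)."""

    def __init__(self, secrets):
        self.secrets = secrets          # peer name -> shared secret (bytes)
        self.outstanding = {}           # peer name -> (identifier, challenge)
        self.identifier = 0

    def challenge(self, peer, nbytes=16):
        self.identifier = (self.identifier + 1) & 0xFF      # one-byte identifier
        chal = os.urandom(nbytes)       # unpredictable, so an old response cannot be replayed
        self.outstanding[peer] = (self.identifier, chal)
        return self.identifier, chal

    def verify(self, peer, identifier, response):
        """Success only if the digest matches the one computed from our copy of
        the secret for the challenge we actually issued; the challenge is
        consumed either way so it cannot be answered twice."""
        expected_id, chal = self.outstanding.pop(peer, (None, None))
        if chal is None or identifier != expected_id or peer not in self.secrets:
            return False
        expected = chap_response(identifier, self.secrets[peer], chal)
        return hmac.compare_digest(expected, response)     # constant-time comparison


def run_exchange(server, peer, peer_secret):
    """One authentication: Challenge -> Response -> Success/Failure."""
    identifier, chal = server.challenge(peer)                  # 1. server sends challenge
    resp = chap_response(identifier, peer_secret, chal)        # 2. peer answers from its secret
    return server.verify(peer, identifier, resp)               # 3. server decides
```

Note that `chap_response` is all an attacker needs to test guesses against a recorded challenge/response pair, which is the offline dictionary attack mentioned above.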
Password Authentication Protocol (PAP)
PAP is the most basic type of authentication. The username and password are sent from the client to the server in clear text. If the client is known to the server, the server responds by authenticating the client. A fundamental problem with this scheme is that passwords can be intercepted on the client, on the server or during transmission on the "wire".
An obvious improvement is to avoid sending the password in the clear. SPAP (Shiva PAP) does this by encrypting the password with a reversible scheme, which still allows a captured exchange to be replayed; the challenge/response approach of CHAP, above, avoids sending the password in any form.
Internet Protocol Security (IPsec)
IPsec is used to create VPNs. There are numerous features in IPsec that support authentication of clients and servers and the secure exchange of data over the authenticated connections. Peer authentication is negotiated by IKE (Internet Key Exchange) using pre-shared keys or digital certificates; per-packet origin authentication and integrity use keyed hashes (HMAC), and confidentiality uses symmetric encryption. IPsec therefore provides both encryption and authentication services. It also supports two different modes: tunnel and transport. In tunnel mode the entire original IP packet, including its header, is encapsulated and encrypted inside a new IP packet, so the inner addresses and routing information are hidden from observers on the path, much as a proxy hides them; in transport mode only the payload above the IP header is protected. IPsec operates at the Internet layer of the Internet Protocol suite. This equates to layer 3 (Network layer) of the OSI reference model.
IPsec can be used alone to establish secure connections (VPNs), or its services can be used by other protocols. For example L2TP (Layer 2 Tunneling Protocol) operates at the data link layer of the OSI reference model and does not implement any authentication or encryption services in the protocol itself. IPsec is typically used with L2TP (L2TP/IPsec) to provide confidentiality and authentication for establishing a secure VPN.
There is much more to say about IPsec; for now, be aware that IPsec does provide authentication services. These can be used within an IPsec implementation or in conjunction with other protocols.
Authentication, Access Control, Accounting Protocols
Authentication, Access Control, Accounting Protocols (AAA) are protocols used for the centralized management of computers, enabling them to connect to network resources. These protocols were initially developed to provide dial-up access via PPP (Point-to-Point Protocol) and terminal servers. There are increased demands on AAA protocols to support new technologies, new devices and new protocols. For example, supporting mobile IP connections with roaming technology requires different protocols, devices and functionality than implementing geographically static PPP connections.
AAA technologies allow companies to establish policies for authentication and access control which can be administered at a centralized location. Accounting services are also provided, which audit access by users, providing historical access records and metrics that are used for billing.
Internet Service Providers (ISPs) and other large enterprises are users of AAA technology. In general, these systems support a centralized database of credentials and access information that can be used to connect to multiple servers. AAA systems can make use of a variety of authentication protocols (e.g. CHAP, EAP, PAP, Kerberos, Active Directory) and can also integrate customer systems into the AAA implementation, for items such as using locally stored credentials that are external to the AAA system or storing accounting information in a customer's MySQL database. AAA systems will need to continue to evolve in their capabilities by embracing new technologies and protocols that support secure network access as well as integrating customer-specific needs into an implementation.
Three AAA systems are: RADIUS, Diameter, TACACS.
RADIUS: Remote Authentication Dial-In User Service is a de facto standard for many large customers in the corporate world. It was originally developed to support PPP. RADIUS was developed in 1991 by Livingston Enterprises. Implementations make use of unreliable transport (UDP).
Diameter: The successor to RADIUS. Planned to be “twice as good as RADIUS” (pun). Diameter provides upgraded services and support from RADIUS to support the latest technologies. Diameter uses a reliable transport protocol (TCP) and makes use of network-level security (IPsec or TLS (SSL)). Diameter does provide an upgrade path from RADIUS.
TACACS: Terminal Access Controller Access-Control System provides AAA functionality commonly used in UNIX networks. TACACS+ provides updated protocol
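As an added example (not from the course notes and not taken from any RADIUS implementation), the following Python code walks through one RADIUS Access-Request/Access-Accept round trip in memory, without sockets: the NAS (the RADIUS client) hides the User-Password attribute using the shared secret and a random Request Authenticator as RFC 2865 describes, the server recovers the password, checks the centralized credential database and signs its reply with a Response Authenticator, and the NAS verifies that signature before trusting the answer. The shared secret, the user database and the packet identifiers are constructed values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RADIUS packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2               # attribute types

SHARED_SECRET = b"example-nas-secret"   # constructed: configured on NAS and server
USER_DB = {"alice": b"s3cret"}           # constructed central credential database

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte chunk with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of the same transform; the chaining runs over the hidden chunks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(chunk, block))
        prev = chunk
    return out.rstrip(b"\x00")

def attr(attr_type: int, value: bytes) -> bytes:
    """Attribute: Type(1) Length(1, including these two bytes) Value."""
    return bytes([attr_type, len(value) + 2]) + value

def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2:
            break   # malformed attribute: stop rather than loop forever
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs

def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Packet: Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code: int, ident: int, req_auth: bytes,
                           attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def nas_access_request(ident: int, username: str, password: bytes) -> tuple:
    """NAS: fresh random Request Authenticator, User-Password hidden with it."""
    req_auth = os.urandom(16)
    attrs = attr(ATTR_USER_NAME, username.encode()) + \
        attr(ATTR_USER_PASSWORD, hide_password(password, SHARED_SECRET, req_auth))
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth

def radius_server_handle(packet: bytes) -> bytes:
    """Server: recover the password, consult the central database, sign the reply."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    username = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), SHARED_SECRET, req_auth)
    expected = USER_DB.get(username)
    accepted = code == ACCESS_REQUEST and expected is not None \
        and hmac.compare_digest(expected, password)
    reply_code = ACCESS_ACCEPT if accepted else ACCESS_REJECT
    resp_auth = response_authenticator(reply_code, ident, req_auth, b"", SHARED_SECRET)
    return build_packet(reply_code, ident, resp_auth, b"")

def nas_verify_reply(reply: bytes, req_auth: bytes) -> bool:
    """NAS: a reply counts only if its authenticator matches our request and the secret."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, req_auth, reply[20:length], SHARED_SECRET)
    return hmac.compare_digest(expected, reply[4:20])

def authenticate(username: str, password: bytes) -> tuple:
    """Full round trip in memory; returns (accepted, reply_authentic)."""
    request, req_auth = nas_access_request(7, username, password)
    reply = radius_server_handle(request)
    return reply[0] == ACCESS_ACCEPT, nas_verify_reply(reply, req_auth)

def altered_reply_detected(username: str, password: bytes) -> bool:
    """Why the Response Authenticator matters: a Reject whose code byte is changed
    to Accept in transit no longer verifies at the NAS, because the MD5 covers
    the code and the shared secret."""
    request, req_auth = nas_access_request(8, username, password)
    reply = radius_server_handle(request)
    altered = bytes([ACCESS_ACCEPT]) + reply[1:]
    return reply[0] == ACCESS_REJECT and not nas_verify_reply(altered, req_auth)
```

`authenticate("alice", b"s3cret")` returns `(True, True)`; a wrong password or unknown user returns `(False, True)`, that is, a properly signed Access-Reject. Two points worth noting for a deployment: because the transport is UDP, the one-byte Identifier is the only thing that pairs a reply with its request, so the NAS must keep outstanding requests keyed by it; and both the password hiding and the reply signature are only as strong as the shared secret, which is one reason Diameter, as the notes say, relies on IPsec or TLS underneath.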
Single Sign On (SSO)
A problem for a user that requires access to several systems is that they need to authenticate themselves as they access each system. Kerberos mitigates this problem within an organization by implementing a Single Sign On (SSO) model. This allows the user to log on to the system once, and they remain authenticated for access to any system within a Kerberos “Realm”. Think of a realm as being implemented for an organization. The Kerberos model can be extended to include multiple realms, which extends the reach of the SSO to multiple organizations.
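To show what “log on once, stay authenticated within the realm” means mechanically, here is an added Python simulation (not code from the notes, and not a real Kerberos implementation): a KDC for one constructed realm, EXAMPLE.COM, a user alice with the constructed password alice-pw, and two constructed services, fileserver and mailserver. The authenticated-encryption helper, the string-to-key function and the JSON ticket layout are stand-ins for the real Kerberos encryption types and message formats; the flow (AS exchange yields a TGT, TGS exchange turns the TGT into a service ticket, the service checks the ticket) follows the protocol.

```python
import hashlib
import hmac
import json
import os

# --- Toy authenticated encryption: a constructed stand-in for Kerberos's real
#     enctypes (AES); it exists only so the ticket flow below runs offline. ---
def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object; only a holder of key can read or alter it."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise PermissionError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def string_to_key(password: str) -> bytes:
    """Toy string-to-key; real Kerberos derives keys with a salted, iterated KDF."""
    return hashlib.sha256(password.encode()).digest()

class KDC:
    """Key Distribution Center for one realm: knows every principal's long-term key."""
    def __init__(self, realm: str, keys: dict):
        self.realm, self.keys = realm, dict(keys)
        self.keys["krbtgt"] = os.urandom(32)   # key that protects TGTs

    def as_exchange(self, user: str) -> tuple:
        """AS exchange: a TGT only the KDC can read, plus the TGT session key sealed
        under the user's key. Being able to open that second part proves the password."""
        if user not in self.keys:
            raise PermissionError("unknown principal")
        session = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"user": user, "key": session, "realm": self.realm})
        return tgt, seal(self.keys[user], {"key": session})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str) -> tuple:
        """TGS exchange: the TGT, not the password, identifies the requester."""
        t = unseal(self.keys["krbtgt"], tgt)
        if unseal(bytes.fromhex(t["key"]), authenticator)["user"] != t["user"]:
            raise PermissionError("authenticator does not match TGT")
        svc_session = os.urandom(32).hex()
        ticket = seal(self.keys[service],
                      {"user": t["user"], "key": svc_session, "service": service})
        return ticket, seal(bytes.fromhex(t["key"]), {"key": svc_session})

class Service:
    """An application server in the realm; shares its long-term key with the KDC."""
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def verify(self, ticket: bytes, authenticator: bytes) -> str:
        t = unseal(self.key, ticket)   # fails for a ticket issued for another service
        if t["service"] != self.name:
            raise PermissionError("ticket issued for a different service")
        if unseal(bytes.fromhex(t["key"]), authenticator)["user"] != t["user"]:
            raise PermissionError("authenticator does not match ticket")
        return t["user"]

class Client:
    def __init__(self, user: str, kdc: KDC):
        self.user, self.kdc, self.tgt, self.tgt_key = user, kdc, None, None

    def login(self, password: str) -> None:
        """The single step that uses the password; afterwards only the TGT is used."""
        tgt, reply = self.kdc.as_exchange(self.user)
        self.tgt_key = bytes.fromhex(unseal(string_to_key(password), reply)["key"])
        self.tgt = tgt

    def access(self, service: Service) -> str:
        """SSO in action: TGT -> service ticket -> service, with no password prompt."""
        auth = seal(self.tgt_key, {"user": self.user})
        ticket, reply = self.kdc.tgs_exchange(self.tgt, auth, service.name)
        svc_key = bytes.fromhex(unseal(self.tgt_key, reply)["key"])
        return service.verify(ticket, seal(svc_key, {"user": self.user}))

def sso_demo() -> dict:
    """One realm, two services, one password entry (constructed principals)."""
    fs_key, mail_key = os.urandom(32), os.urandom(32)
    kdc = KDC("EXAMPLE.COM", {"alice": string_to_key("alice-pw"),
                              "fileserver": fs_key, "mailserver": mail_key})
    alice = Client("alice", kdc)
    alice.login("alice-pw")
    results = {"fileserver": alice.access(Service("fileserver", fs_key)),
               "mailserver": alice.access(Service("mailserver", mail_key))}
    try:
        Client("alice", kdc).login("wrong-pw")
        results["wrong_password_rejected"] = False
    except PermissionError:
        results["wrong_password_rejected"] = True
    return results
```

`sso_demo()` logs alice in once and then reaches both services without the password being used again; a client that guessed the password wrong cannot open the AS reply and so never obtains a usable TGT. The simulation leaves out what a production Kerberos adds on top of this skeleton, in particular ticket lifetimes, timestamps in authenticators, and pre-authentication, all of which limit how long a ticket or a captured message stays useful.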
Federated Identity Management
Kerberos SSO makes sense within an organization or across several organizations within a larger enterprise. However, implementing SSO across several heterogeneous enterprises, websites and other entities requiring authentication presents different problems.
Think about how many different sets of authentication credentials you have. Most people have credentials for every web site they do ecommerce with: Amazon, Ebay, Staples, Microsoft, Google, etc. Plus, credentials for all the banking and finance institutions they deal with; add to that websites for universities, insurance companies, hospitals. You get the idea: the number of credentials a user has to remember is difficult to manage.
In an effort to simplify the online experience for users, simplify account management through standards and encourage enterprises to establish new, meaningful business relationships with one another, the idea of providing Federated Identity Management has taken hold. Federated Identity Management is the idea that an identity infrastructure could be shared by enterprises across industries to store credentials, provide access and provide a secure environment.
Development of these concepts is being done under the umbrella of the Liberty Alliance. Liberty Alliance began in 2001 and has grown to include over 200 companies. Some of the companies are large multi-national finance, technology and manufacturing companies.
Federated Identity Management is a needed technology worth exploring. More can be found at www.projectliberty.org