All right, now, we just mentioned a little bit about cryptography. We'll pick up on that topic a little bit more later on. But right now, we're gonna go ahead and move into access control. And for those of you that have taken the CISSP exam, ah, a lot of overlap here.
Uh, we're a little bit more focused, of course, on extending access control beyond our intermediate domain or our immediate domain.
And taking that access control to software as a service, where we can have single sign-on and access Office 365 and all those other software as a service products. All right, so when we talk about access control, just a nice, easy definition is we're going to regulate what a subject can do to an object.
So subjects are passive entities and objects... I'm sorry. Subjects are active
and objects are passive. So when I go to access a folder, I'm the subject; the folder is the object. Well, you know, in addition to just people being subjects, we have processes, for instance, and processes could also be objects as well, so we can't just think in terms of people and what they access. We think about active entities
accessing passive entities,
and, with the term beyond access control, the term has really kind of morphed into this idea of identity and access management. So it's bigger than just access control, starting with identification and identity. How do I know you are who you say you are? Well, we've got to start with how you're gonna say you are who you are,
if that makes sense.
So we're gonna start off with figuring out your identity, granting an account based on that identity, providing credentials, which we'll use to log in or get authenticated to prove your identity. And then authorization comes as a result of who you identify as; it identifies that, hey, I'm authorized
to perform certain activities.
And then, of course, accounting or accountability or auditing kind of comes at the end there, where we can match what Kelly Handerhan does to specific actions.
So ultimately, what we're looking at in this next section is to figure out how we're gonna address subjects, how we're gonna create accounts or manage accounts that may already be built in based on these subjects, how we're gonna provide verification of identity,
make sure that we give the correct level of access. Sometimes we think of access as
keeping the bad guys out, right? Just making sure. But it isn't. We've also got to let the good guys in, and we've got to make sure that they have appropriate access.
So we're gonna look at all of these pieces together.
And one of the first things that's most relevant when we come to think about security is making sure that our privileged users and their privileged accounts are managed properly.
So when we're talking about privileged accounts, we're thinking about administrators, right? Or, um, we would think of root with UNIX, or those other roles that we've assigned a lot of rights, a lot of permissions to.
These are the ones that give us the highest risk, right? Because if an admin account is compromised, we could see a lot of damage. The general user account, ideally if set up properly, is not gonna cause the same degree of damage.
So we want to make sure that we monitor the usage of these privileged accounts; the creation of privileged accounts, that should be very, very restricted; the review of privileged accounts over time, because sometimes what happens is we grant these privileges to an individual,
and over time they might move from department to department, and they just continue
this buildup of credentials and privileges and rights. That's called privilege creep. So we want to make sure that we're reviewing these accounts on a regular basis. We're looking at all their activities. Really, you know, the administrative accounts have to be audited thoroughly.
Where the slide says "log successful and failed events", yeah, there certainly are types of events we want to know are happening. Again, user creation, privileged account creation, rights assignment, that sort of stuff.
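As an added illustration of the privileged-account review just described (example code written for this page, not material from the lecture or from any product), here is a small Python review over constructed data: a hypothetical role-to-rights baseline, two invented user records, and a few made-up audit-log lines in an invented format. It reports the rights a user's current role does not justify (privilege creep) and pulls out the account-creation, privileged rights-assignment and failed-logon events worth a second look.

```python
import re

# Hypothetical role baselines: the rights each role is expected to hold, nothing more.
ROLE_BASELINE = {
    "helpdesk": {"reset_password", "read_tickets"},
    "finance_analyst": {"read_ledger", "run_reports"},
    "sysadmin": {"reset_password", "local_admin", "manage_users"},
}
PRIVILEGED = {"local_admin", "manage_users", "domain_admin"}  # constructed list of privileged rights
# Constructed users: current role plus every right ever granted (alice kept a helpdesk right and gained local_admin).
USERS = {
    "alice": {"role": "finance_analyst",
              "entitlements": {"read_ledger", "run_reports", "reset_password", "local_admin"}},
    "bob": {"role": "sysadmin", "entitlements": {"reset_password", "local_admin", "manage_users"}},
}

def privilege_creep(users, baseline=ROLE_BASELINE):
    """Map each user to the sorted rights that their *current* role does not justify."""
    findings = {}
    for name, rec in users.items():
        leftover = rec["entitlements"] - baseline.get(rec["role"], set())
        if leftover:
            findings[name] = sorted(leftover)
    return findings
# Invented audit-log format: "<ts> <event> actor=<a> [target=<t>] [right=<r>] result=<ok|fail>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\w+) actor=(?P<actor>\S+)"
                    r"(?: target=(?P<target>\S+))?(?: right=(?P<right>\S+))? result=(?P<result>\w+)$")
def review_audit_log(lines, users):
    """Flag account creation, privileged-right assignment, and failed logons by privileged accounts."""
    priv_accounts = {n for n, r in users.items() if r["entitlements"] & PRIVILEGED}
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skipped here; a real review would count unparseable lines as well
        e = m.groupdict()
        if e["event"] == "user_created":
            flagged.append(("user_creation", e["actor"], e["target"]))
        elif e["event"] == "right_assigned" and e["right"] in PRIVILEGED:
            flagged.append(("privileged_right_assigned", e["target"], e["right"]))
        elif e["event"] == "logon" and e["result"] == "fail" and e["actor"] in priv_accounts:
            flagged.append(("privileged_logon_failure", e["actor"]))
    return flagged
SAMPLE_LOG = [  # constructed sample lines
    "2024-01-05T09:01:00Z user_created actor=bob target=svc_backup result=ok",
    "2024-01-05T09:02:00Z right_assigned actor=bob target=svc_backup right=domain_admin result=ok",
    "2024-01-05T09:03:00Z logon actor=bob result=fail",
    "2024-01-05T09:04:00Z logon actor=carol result=fail",  # carol holds no privileged right
]
```

A real review would also add a newly created account such as svc_backup to the privileged set the moment it receives a privileged right, so its later failed logons are caught too.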
All right, so that's gonna bring us up to our next section on identity and access management.