Authorization

Time
15 hours 43 minutes
Difficulty
Advanced
CEU/CPE
16
Video Transcription
00:00
Now if you'll recall, we talked about access management. I mentioned earlier, usually we think about the I Triple A. We find a way to identify. Then we authenticate, which we talked about in the last section. Now it's time to be authorized. In this section we're going to talk about authorization essentially being how I'm granted access to perform actions on resources or with resources. Authorization is what I can do, and then we'll discuss some of the basic principles of authorization.

Authentication is proving I am who I say I am. But then the question is, so what? I believe you're Kelly Handerhan, who cares? Well, our systems care because, based on being Kelly Handerhan, I can reset accounts, I can access the sales or training folders. There are certain rights and permissions associated with my account. Those rights, those permissions, fall under the category of authorization.

Now just some general principles with authorization. As a general rule, we want to implement a default no-access policy, which we sometimes call an implicit deny. Meaning, by default you have no access to anything. What I want you to have access to, I will explicitly grant. You don't just come in with full control permission, of course. You come in with no permissions. I specifically grant the permissions I want you to have.

Now I'm going to follow the principle of least privilege, which means I'm not going to give you more access than I absolutely have to so that you can do your job, and need to know goes along with that same idea. I'm not going to allow you to access files that you don't have a legitimate need to know for. A lot of people will use those terms interchangeably. But really, principle of least privilege is about action. Need to know is about data access. For instance, I don't allow end users to install applications on their own systems. That's the principle of least privilege. You're not on the sales team, I don't allow you to access the sales folder. That's need to know. There is a difference. They're both working towards the same goal.

Then we have content versus context-based access control. Content-based access control is what we normally use, and we don't even think about using it. Who should I give a key to the closet? Well, the next question is probably going to be, what's in the closet? I grant access to a resource based on the content of the resource. I've got sales done in this folder, I'm going to give access to the sales team. We don't sit around and say, well, I think we should use context based control here, but that's what we're doing.

Now, context-based control means I don't care what you access. I'm more interested in limiting how you access. For instance, I want you to access the network. I just don't want you to access the network after 5:00 PM. I'll set a rule that uses context-based access that says block John Smith after 5:00 PM. That's context-based. Both of those are valid, and they just go hand in hand with authorization principles.

That's what we covered in this section. We just primarily focused on best practices for authorization.