Welcome the Cyber Aires video Siris on the Company, a Security 501 Certification and Exam.
I'm your instructor, Ron Water
Police. See cyber dot i t. For more information on this and other certifications
in section 4.3, we'll talk about strategies and methods for implementing identity and access management controls.
Access control generally refers to the process of making resource is available to accounts that should have access
while limiting that access toe on Lee. What is required. So authentication authorization.
In this video, we'll cover access control models,
physical access controls,
certificate based authentication, file system security and data base security.
There are different strategies or models associated with access control, determining who gets access to what who's authorized or has permissions
few terms you should be aware of to start. First of all, a subject. A subject is an active entity like an individual process device,
while an object is some resource that the subject is attempting to access. So in this case, I could be a subject. Accessing a computer system or a website like cyber ery cyber in this case would be the object.
There are five different types of access control models will talk about.
I'll go through each in detail.
The first model will talk about is Mac or mandatory access control
where you start by assigning labels to re sources and objects such as files or data were databases
once you have the labels established, if you remember data labeling from an earlier session, then also are assigning users and subjects within a classifications level,
for example, secret, confidential top secret, etcetera.
The subject's access rights must be above the objects classifications. So, for example, I need to access a secret document.
My classifications top secret so I can see it.
Let's just say I have a lower classifications like confidential document. I want to see a secret. I would not be allowed to secret.
I would not be allowed to see it.
Access is non discretionary, can't be changed on a whim.
It's mostly used in government or military areas, and it's the most rigid and most secure of the models.
The second access model will discuss his dak were discretionary access control.
It's where access rights are at the discretion of the system or the information owner of that security principle.
So let's just say I'm these owner of a file I get to determine who has access. It's at my discretion.
The owner assigns the security access and has flexibility in accessing information or systems flowers for a lot more of dynamic sharing, a lot more usable.
There's also an increased risk, an unauthorized disclosure or access. This may be considered one of the least secure of the access models.
A back or attributes based access control is to find in ist 801 62.
It's where attributes are characteristics that define specific aspects of the subject object environment, conditions and or requested actions
that air predefined and pre assigned by an authority.
It considers all of the various attributes associated with the subject and the object in making an access control decision.
It's also a dynamic access control method
based on what the extensible access control markup language
there are. Two access control models that use the acronym are back. Yes, I know that's confusing to me, too.
1st 1 role based access control
where users are assigned to a group or a roll. Let's just say everyone on the help desk has the role of being in the help desk and all the access is defined based on that role. So access control is established based on rolls job functions, groups within an organization.
This reduces the effect of permissions. Creep
permissions. Creep is when someone gains too much access over time. You know that person has been with your organization 20 years and can access everything within the organization. The idea with role based access controls when you change jobs, change roles within an organization. Your access changes and you'll lose previous access.
The other are back is rule based access control.
This uses the settings and pre configured security policies to make all of the decisions.
Rule based Access control includes controls such as the time of day, day of week, specific terminal access, maybe even location like GPS coordinates of the requester. This would be implemented through access control lists or a C. L's
for the security plus exam. You need to be familiar with all of these access control models.
We talked about biometrics in an earlier video, something you are that part of multi factor authentication. It's identifying part of your body, such as your fingerprint. Fay's eyes, voice recognition,
gate, meaning how fast or slow you walk Those all are part of what could be used to identify and authenticate you.
I'll review this topic again about false acceptance rate, false rejection rate and crossover error rate.
These are the rates that you want to make sure our balanced for your biometric solution
false acceptance rate measures that likelihood that the access system will wrong. The except an access intent,
in other words, allow access to an unauthorized user.
False rejection rate is the other side
where the system fails to recognize an authorized person and rejects that person as unauthorized.
The crossover error rate. It's a percentage at which the F a, R and F R R are equal.
C E r will increase if routine maintenance procedures on biometric devices are not performed.
Generally the lower the c e r The higher the accuracy of the biometric system,
the lower the F, A, r and f R R. The better this system.
Another attribute for identity and authentication is token, something you carry with you. Something you have with you.
It could be a physical device on the screen. You see some common tokens that might be used, but a token in this case, could be software or hardware based. You might just have a token application like M s. Authenticator on your phone
uses something known as a OTP or one time password,
which is a continually changing password based on an algorithm and a time sequence.
You only have a short a pound amount of time to type in
that particular about pin or password. Examples of tokens include a wireless key card, key FOB
These tokens may also include a digital certificate and a static password token.
In addition to tokens, there are other types of physical access controls
that use embedded microchips. Proximity and smart cards are the most basic form of physical access controls.
Proximity cards have an embedded chip. Hold very little information. The main purpose of the card is to determine access by matching the card identification number two information
and an online database.
Smart cards are for also a form of something you have authentication
that uses a standard wallet card with an embedded ship that can automatically provide an authenticating cryptographic key to its reader.
Smartcards may also contain other useful data is part of identity and authentication.
There are specific examples of certificate based authentication on physical devices. For example, a P I VI CAC or Smart Card,
A P I V card. Personal identity verification card is a contactless smartcard. Usedto identify employees.
It's used primarily within the U. S. Federal Government
CAC Card Common Access card. It's like your credit card's smart card, but it requires you to insert it into a specific type of device.
I triple E n 2.1. Ex authentication is a standard
for this type of certificate based card. It allows only authorized devices to connect to the network. The most secure form of IEEE 802.1 Ex authentication is certificate based authentication.
When this authentication model is used, all clients must have a certificate toe validate their identity.
Now that we've worked through access control models and forms of performing access control, let's talk about how do we do it within file systems and databases.
File systems, also known as, ah flat file. It could be the files, directories and folders you'll find on a common computer system.
What you want to make sure is that you're leveraging the standard access control within the system setting specific permissions based on that need to know or you're using the different types of models.
You can set permissions on those files, folders and directories. Also consider using encryption
the data at rest and then raid technology to provide that redundancy on the back end discs.
Microsoft NT F. S allows that file level access control where their F 80 which older and legacy on Lee allows a shared level access.
Consider using that encryption for sensitive directories, and media will talk more about cryptography in the later video.
Databases, on the other hand, are different than flat or file system files.
Databases store in organizations. Usually it's most sensitive and critical data. You want a leverage network security and access controls along with the database management system. Specifics.
The D. P. M s. You are using Oracle M s equal etcetera might have a capability known as transparent data encryption to encrypt the data at rest within the database. So even database administrators can't view it,
providing that permissions on the data is also critical. Consider how you're managing your cryptographic keys. Who can unlock the database?
We'll talk about that when we talk about public key infrastructure or P k I in a later session.
All of these are considerations for securing databases
covered implementing identity and access management controls, including different strategies and models. Methodologies for securing access.
Let's work on a quiz question.
Which of the following authentication models provides credentials that air on Lee valid during a single session?
The answer is a tokens if you think about the one time password.
You were looking to implement a new access control mechanism that takes into account the entire environment and requested actions for access.
What model does this best describe?
This is the definition for a
A back attributes based access control.
If you have access to the Security plus lab environment, there's an exercise on managing certificates.
The module provides you with instruction on and server hardware to develop your hands on skill on the topics. Associate with managing certificate templates, configuring certificates implementing key archival etcetera.
Certificate templates are used by an enterprise certification authority. See A to define the purpose and content of certificates that could be issued to a requesting entity
like a user, computer or network service
we'll cover this exercise in a later video.
Consider it if you want to practice your hands on skills with certificate management and access control,
this concludes section 4.3.
Given a scenario, implement identity and access management controls.
Please refer to your study guide in other study materials for more information on this section.