Identity Management, Authentication and Access Control
4 hours 7 minutes
Welcome to lesson 6.2, Protect: Identity Management, Authentication and Access Control.
In this video we will cover Protect function category number two, Identity Management, Authentication and Access Control, along with the principle of least privilege and segregation of duties.
With this Protect function category we're looking at identity management, authentication and access control. What this is really focusing on is access to data and devices: ensuring that it's limited to authorized individuals, processes and devices, and that it's managed consistent with the assessed risk of unauthorized access.
What we get into here is identities and credentials, making sure that they're issued, managed, verified, revoked and audited for authorized individuals, processes and devices, and making sure that you have policies, processes and procedures to manage this. It also means ensuring that physical access to data and devices is managed, along with remote access, which becomes vitally important, especially now with a lot of people working remotely, so that you're managing who has remote access to your network.
We also look at access permissions and authorizations, ensuring they're managed and incorporate the principles of least privilege and separation of duties, which we're going to get into in later slides, but also making sure that the integrity of your network is protected. So whether that's your network being segregated, which in some instances is done especially if you have to adhere to the Payment Card Industry Data Security Standard, PCI DSS, sometimes that data may be put on a separate network to segregate it, or even segmented from other parts of your network, because it is such sensitive data.
So those are things to think of when you're looking at this particular category, and especially if that subcategory may be something that you need to adhere to. And finally, the last subcategory is that individuals and devices are approved and bound to credentials and authenticated commensurate with the risk of the transaction. So individual security and privacy risks and other organizational risks are taken into account when you're doing that.
To get into the principle of least privilege, what this means is allowing only the authorized accesses for users or processes which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. I think I mentioned this before in the previous lesson: if someone is working in HR, they don't necessarily need to have access to finance data; there's no purpose for which they would need access to that. So you're looking at possibly role-based access to ensure that people are only accessing data pertaining to their role within the organization.
So, for example, someone who works in customer service wouldn't need access as a privileged account user. Separating processing domains is another. You see the eight things that I have listed here, and this is not an exhaustive list for the principle of least privilege, but it's really just trying to give you some examples of what's meant by the principle of least privilege.
And you always want to make sure that you're reviewing and auditing; I have "user privileges" here because you want to ensure that, let's say someone came into the company working in finance but then moved to marketing, when they did migrate to that other department their access to those financial systems was deprovisioned, so that they don't still have access to it. So you want to make sure that you have processes and procedures for that, should someone move roles in the company, or even when people leave the company; that's part of your off-boarding process, that you have user services directly removing their access to the different systems or applications within your company.
So that's really what we're focusing on with the principle of least privilege. Now we're going to get into how segregation of duties differs from that.
What segregation of duties is really addressing is the potential for abuse of authorized privileges, and it helps to reduce the risk of malevolent activity without collusion. What's really meant by this is, if you have security personnel that are administering access control functions, they shouldn't also be the same person that is auditing those functions, because then it would be very easy for them to change a setting or access something they have no business accessing and pretend that they don't see that, or even delete that record during the audit. So you want to make sure that those two functions are done by different individuals or different roles. You want to divide mission functions and information system support functions among different roles.
You don't want someone basically auditing themselves. You really want to make sure that those duties are done by separate roles and individuals, because otherwise it can lead to insider activity. Everyone focuses so much on an external source hacking or gaining unauthorized access to the network, but it could very easily be someone within your organization that is trying to enact malevolent activity.
So you want to make sure that, even if it's a small team, those duties are separated amongst individuals within that business function. And not just from a security standpoint, but even looking at finance or HR, that someone doing a particular function is not also the same one that has to audit it or monitor it, because then they're monitoring themselves, and so it's easy for them to commit a bad act and then cover it up later. That's what we want to prevent, and that's really what segregation of duties means.
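To make the two ideas from this lesson concrete, here is an added example (not part of the lesson or any product it refers to) of a small role-based access-control model in Python. It denies anything not explicitly granted to a role (least privilege), deprovisions the old role when a user moves departments or is off-boarded, refuses to give one person both the "access_admin" and "access_auditor" roles (segregation of duties), and provides a periodic review that flags conflicting roles or orphaned accounts. All role names, permission strings, user names and the conflict pairs are constructed for illustration.

```python
"""Toy RBAC model showing least privilege and segregation of duties.
Added example; roles, permissions, users and conflict pairs are constructed."""
from dataclasses import dataclass, field

# Role -> permissions it grants. Anything not listed here is denied (deny by default).
ROLE_PERMISSIONS = {
    "finance":        {"ledger:read", "ledger:write", "payroll:read"},
    "marketing":      {"campaigns:read", "campaigns:write"},
    "access_admin":   {"iam:grant", "iam:revoke"},
    "access_auditor": {"iam:audit_log:read"},
}

# Role pairs one person may never hold at once (constructed examples): whoever
# administers access control must not also be the one auditing it.
CONFLICTING_ROLES = {
    frozenset({"access_admin", "access_auditor"}),
    frozenset({"finance", "access_auditor"}),
}


class SeparationOfDutiesError(Exception):
    """Raised when a role assignment would violate a conflict pair."""


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


def sod_conflict(current_roles, new_role):
    """Return the held role that conflicts with new_role, or None if none does."""
    for held in current_roles:
        if frozenset({held, new_role}) in CONFLICTING_ROLES:
            return held
    return None


class AccessControl:
    def __init__(self):
        self.users = {}
        self.audit_log = []  # (event, user, detail) records for later review

    def add_user(self, name):
        self.users[name] = User(name)
        return self.users[name]

    def assign_role(self, name, role):
        if role not in ROLE_PERMISSIONS:
            raise KeyError(f"unknown role {role!r}")
        user = self.users[name]
        clash = sod_conflict(user.roles, role)
        if clash is not None:
            self.audit_log.append(("sod_blocked", name, f"{clash}+{role}"))
            raise SeparationOfDutiesError(f"{name} holds {clash}; cannot also hold {role}")
        user.roles.add(role)
        self.audit_log.append(("role_assigned", name, role))

    def revoke_role(self, name, role):
        self.users[name].roles.discard(role)
        self.audit_log.append(("role_revoked", name, role))

    def transfer(self, name, old_role, new_role):
        """Mover process: revoke the old role before granting the new one,
        so access to the previous department's systems does not linger."""
        self.revoke_role(name, old_role)
        self.assign_role(name, new_role)

    def offboard(self, name):
        """Leaver process: strip every role so no access remains."""
        for role in list(self.users[name].roles):
            self.revoke_role(name, role)

    def permissions(self, name):
        grants = [ROLE_PERMISSIONS[r] for r in self.users[name].roles]
        return set().union(*grants) if grants else set()

    def is_allowed(self, name, permission):
        allowed = permission in self.permissions(name)
        self.audit_log.append(("allowed" if allowed else "denied", name, permission))
        return allowed

    def review(self):
        """Periodic privilege review: flag conflicting roles (for example granted
        outside this API) and accounts with no roles left that should be removed."""
        findings = []
        for user in self.users.values():
            roles = sorted(user.roles)
            for i, a in enumerate(roles):
                for b in roles[i + 1:]:
                    if frozenset({a, b}) in CONFLICTING_ROLES:
                        findings.append((user.name, f"conflicting roles {a}/{b}"))
            if not user.roles:
                findings.append((user.name, "no roles: candidate for account removal"))
        return findings
```

The `transfer` and `offboard` methods are the "mover" and "leaver" steps of the provisioning process the lesson describes; `review` is the recurring audit that catches what those steps missed, such as a conflicting pair that was granted by editing the user record directly.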
Quiz question: which control is not an implementable control for the principle of least privilege? Review and auditing of user privileges, separate processing domains, or divide mission functions among different roles?
The answer here is "divide mission functions among different roles". The question was, which control is not implementable for the principle of least privilege? Divide mission functions among different roles is really a control for segregation of duties, not the principle of least privilege. Remember, the principle of least privilege has to do with ensuring someone only has access to something that they need to have access to. That's not what "divide mission functions among different roles" gets into; that is about ensuring someone is not handling a control and then also monitoring or auditing themselves against that control. So that's why number three is the incorrect answer here: it really is a segregation of duties control, not a principle of least privilege control.
So in this video we covered the subcategories of Protect function category number two. We looked at the control enhancements for the principle of least privilege as well as guidance on segregation of duties. I hope you'll join me as we move into the next video.