Logical Access

Time: 7 hours 15 minutes
Difficulty: Intermediate
CEU/CPE: 8
Video Transcription
>> Hi there and welcome to our next lesson, logical access. In this lesson, we'll be covering some key concepts about logical access to the various information systems that you'll be dealing with as a CISA. We'll talk about some differences to access permissions, IT assets again, mandatory access controls, discretionary access controls, and the differences between the two, information security and external parties, and the role human resources play in logical access.

Let's begin. Identity and Access Management, IDAM or IDM, is basically the mechanism which provides access to all the systems within an organization. Now, in some cases, this can be very simple. It could be simply a username and password grants access to all the systems within the organization. However, it could be a little bit more complex, so ultimately there could be multiple systems, there could be single sign-on involved, in which case System 1 username and password will again give you access to multiple systems, and there could even be third-party access requirements that need to be taken into account.

What IDAM basically does is establish the user accountability. It ensures that the users are accountable for what they've been given access to in terms of need-to-know and need-to-hold basis. Key obviously is it prevents the unauthorized access for both the data and processes. Now, the key to remember is that it's not just the data that IDAM controls, but it's also access to processes within the system itself. Basically, as an auditor, you should be aware of the general IDAM architectures and certainly the architecture that's employed within the organization that you're working.

Just a little bit on system access permission. System access permissions are the ability to act on a computer's resource. In other words, it is permission to use a resource, whether that be access of data or access a process. It is a technical privilege, so it is something that is technically implemented within a system, and it provides the ability to create, read, update, delete a file or data, so in other words, it allows you to do pretty much anything from simply read all the way through to actually modify the data itself. Now the general principle of system access permissions is need to know. In other words, if a user doesn't have a need to know, then they don't have access to that particular data or a process. Now, it applies across all IT assets, so networks, platforms, databases and applications. In some cases there might be different IDAM systems across all of these different assets, or in some cases, it might be a single unified IDAM within the organization which manages access to everything within the IT infrastructure.

Now the types of access controls, we have two of them. The first one is Mandatory Access Controls, and so these are controls that cannot be modified by normal users or the data owner. In other words, the organization makes the determination that this is the level of access that's going to be applied to data and processes, and it's applied across the board. These are applied to all assets by default, so it is pretty much a blanket enforcement. Basically it enforces critical security without exception. In areas where there is very strict control and access to data, this is generally appropriate. Areas such as critical infrastructure would be an example where mandatory access controls are used. The general principle is that anything that's not expressly permitted is forbidden.

Now the other type of access control is Discretionary Access Controls, which most people would probably be more familiar with within their organizational network systems. It's essentially controls that are able to be modified at the discretion of the data owner. For example, if you create a file on a Windows Server, you have the ability to grant access to people who can see, modify, or do anything to that file. You have the full control of the access to that file or that process, and the important thing to remember is DACs cannot override MACs. In other words, the Mandatory Access Controls are superior and the Discretionary Access Controls are subordinate in the hierarchy of access controls.

Now a key thing with organizations today, information security and external parties. At one stage, it very much used to be the boundary of the organization was the boundary of the information system. But we certainly live in a different age now where often cases there might be extranet access to various systems, and that could be something like the case of suppliers and vendors who may have agreements in place to monitor each other's stock levels, or at least provide some access to their internal data. In some cases, customers may have access to information systems and then be users on your system, and there can often be third-party agreements. For example, a managed service provider might be managing your system on behalf of the organization.

Now an important thing to remember, and it's quite often overlooked, is human resources' role in logical access. This is really the ultimate gatekeeper for the organization. They screen employees coming in, there is responsibility in terms of monitoring and any actions from that monitoring, and very importantly, the removal of access rights. In other words, human resources are ultimately responsible for the decision to provision the user and also for the decision to deprovision a user. This needs to be taken into account within any of the policies and procedures around logical access.

That's the end of our lesson, so we've covered a few of the key concepts regarding identity management, logical access, and all the associated criteria around it. We've talked about system access permissions, how it applies to different IT assets, and we've talked about the two types of access controls, so mandatory and discretionary, how they differ and where they fit in the hierarchy. We've looked at information systems and external parties and the complexities that the current information environment has in terms of introducing external people into the organizational boundaries. Also we talked about the often overlooked area of human resources and how they apply to logical access for systems. I hope you enjoyed this lesson and I will see you at the next one.
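The following Python model is an added illustration of the access-control hierarchy the lesson describes; it is not part of the lesson or of any product. It shows a mandatory label check that the data owner cannot alter, evaluated before a discretionary ACL that the owner does control, with "anything not expressly permitted is forbidden" as the default. The level names, users, resource and the simplified read-down rule are all constructed for this example; real MAC implementations add compartments and write rules, but the ordering principle is the same.

```python
"""Toy reference monitor: mandatory labels checked first, discretionary ACL second.

Added example only; the level names, users and resource below are constructed.
"""
from dataclasses import dataclass, field

# Organisation-wide sensitivity levels; the ordering is what the MAC check uses.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass
class Subject:
    name: str
    clearance: str  # assigned by the organisation, never by a data owner


@dataclass
class Resource:
    name: str
    owner: str
    classification: str  # mandatory label, fixed by organisational policy
    # Discretionary ACL: user name -> set of actions the owner has granted.
    acl: dict = field(default_factory=dict)


def dac_grant(resource: Resource, granter: str, user: str, actions: set) -> None:
    """Let the data owner (and only the owner) extend the discretionary ACL."""
    if granter != resource.owner:
        raise PermissionError(f"{granter} does not own {resource.name}")
    resource.acl.setdefault(user, set()).update(actions)


def mac_permits(subject: Subject, resource: Resource) -> bool:
    """Mandatory rule: the subject's clearance must dominate the resource label.

    Simplified model (single ordered label set, read-down only).
    """
    return LEVELS[subject.clearance] >= LEVELS[resource.classification]


def dac_permits(subject: Subject, resource: Resource, action: str) -> bool:
    """Discretionary rule: the owner must have granted this action explicitly."""
    return action in resource.acl.get(subject.name, set())


def check_access(subject: Subject, resource: Resource, action: str) -> tuple:
    """Return (decision, reason). MAC is evaluated first and DAC cannot override it."""
    if not mac_permits(subject, resource):
        return (False, "denied by MAC: clearance below classification")
    if not dac_permits(subject, resource, action):
        return (False, "denied by DAC: no explicit grant (default deny)")
    return (True, "permitted: MAC and DAC both satisfied")


def demo() -> dict:
    """Constructed scenario that exercises each branch; returns the decisions."""
    alice = Subject("alice", "confidential")  # owner of the report
    bob = Subject("bob", "internal")          # cleared below the label
    carol = Subject("carol", "confidential")  # cleared, but not yet granted

    report = Resource("q3-report", owner="alice", classification="confidential")

    # The owner grants read to both. Bob's ACL entry is valid DAC but cannot
    # override the mandatory label, so his read is still refused.
    dac_grant(report, "alice", "bob", {"read"})
    dac_grant(report, "alice", "carol", {"read"})

    # A non-owner cannot change the ACL at all.
    try:
        dac_grant(report, "bob", "bob", {"write"})
        non_owner_blocked = False
    except PermissionError:
        non_owner_blocked = True

    return {
        "bob_read": check_access(bob, report, "read"),
        "carol_read": check_access(carol, report, "read"),
        "carol_write": check_access(carol, report, "write"),
        "non_owner_grant_blocked": non_owner_blocked,
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Running the block prints one decision per case: Bob is refused by the mandatory check despite his ACL entry, Carol is permitted to read but refused to write because no write grant exists, and Bob's attempt to grant himself access fails because he is not the owner. For an auditor, the order of the two checks is the point to verify in a real system: the discretionary layer may be convenient, but it must sit beneath the organisation's mandatory policy.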