Time
12 hours 41 minutes
Difficulty
Advanced
CEU/CPE
15

Video Description

This video begins the discussion of the various access control models. We don't dig too deeply into these models in this section. That will be done in Part 04, however, we emphasize the importance and need for these controls. The concept of subject (user)/object (resource) is introduced. The basis of authorization is controlling what actions a subject is authorized to perform on an object with the appropriate rights. We point out that the principle of least privilege goes hand-in-hand with these concepts. The actions a subject can perform on an object are defined by the so-called CRUD operations: - Create - Read - Update - Destroy We next touch on the access control models: - DAC - discretionary access control - MAC - mandatory access control - RBAC - role-based access control - RuBAC - rules-based access control (firewalls or filtering using logic rules) We conclude this section by mentioning the important principle of accountability. This is concerned with tracing (associating) an action to a subject (identity) and falls under the auditing process. It's important to note that a multi-user environment were all users work on a shared account is not only ill-advisable on so many levels, but also prevents any kind of auditing and accountability. A key part of auditing is logging. Metrics and techniques typically maintained or used in audit logging are time stamps, source ID, and hashing to ensure the integrity of the logs. Policies such as how long to retain logs as well as the threshold for overwriting logs are also important considerations.

Video Transcription

00:04
from authenticity. We also look ATT authorization. So making sure that the subject is authorized to access the object but that the subject on Lee has the rights based on least privilege. And we've talked about the principle of least privilege. You're giving the
00:21
absolute minimum rights and permissions
00:24
to do your job. So we want to make sure that principle of Lise privileges always followed with authorization.
00:31
Ah, that needs to be addressed. I love the crowd operations. Love the crowd, acronym create, read, update and delete, but again making sure that based on job requirements and role within the organization, you have just the bare minimum permissions.
00:48
And we talked about some access control models. Dak Mac, and Are Back are back standing for role based access control.
00:55
One of the models, I did not mention his room back, which is rules based Access control. Rules based access control would be used, for instance, like on fire walls or any sort of filter rules based systems. Follow if then, logic. If traffic is coming from the 10 network than allow it
01:12
if traffic is coming from this network, then deny it.
01:15
So that idea, based on rules, would be another way that we control access and we require authorization before we authorize on entity a subject to access an object.
01:27
Okay, so some authorized authorization requirements might be
01:32
access to highly sensitive information is limited. Users with secret or top secret clearance on authenticated users will have re permission to public access page. You know, whatever those requirements are that meets your needs, we have to address the address authorization, accountability.
01:49
When we talk about accountability, we want to be able to trace an action
01:53
to a subject. Accountability in auditing go hand in hand.
01:59
And the success of auditing is really based on the identity of the subject, and action is gonna be map to the identity. So if you go back, you know, 10 15 years ago, in many offices, there would be one user account that everybody in the office would use, and this was in smaller offices. But you might have an office of 10 people
02:17
and everybody had
02:20
a single account, and I won't even address the fact that that single account usually had a minute administrative privileges. We won't even go down that trail. But the problem with users multiple users sharing the same account is we get no accountability, User. One is an account shared by 15 people.
02:37
So who was it that actually went and modified the registry?
02:39
We don't have that knowledge because we don't have separate identities. So identities air really important part to allow authenticate. I'm sorry to allow accountability and auditing.
02:52
So accountability requirements all failed. Log in. Attempts must be logged. There must be source. I d. There must be a time stamp. Um, lab. We could go back and add integrity requirements that say audit logs must be hash to guarantee no modification. So you can you know, you can
03:10
reference multiple requirements
03:13
at the same point in time. You know that accountabilities only accountability. If we can guarantee the integrity of the audit files.
03:22
How long must we retain those audit logs? How about overriding events? What happens if the log files get full again? These air, all requirements that we would address, all right, Authorization.
03:37
So, of course, authorization is what you are authorized to do what activities you can perform. And we've already talked about that a little bit. All right, those air, the core security requirements from there, we're going to talk about general requirements

Up Next

ISC2 CISSP

Our free online CISSP (8 domains) training covers topics ranging from operations security, telecommunications, network and internet security, access control systems and methodology and business continuity planning.

Instructed By

Instructor Profile Image
Kelly Handerhan
Senior Instructor