Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Fundamentals of Information Systems Security.

Similar presentations


Presentation on theme: "© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Fundamentals of Information Systems Security."— Presentation transcript:

1 © 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Fundamentals of Information Systems Security Chapter 5 Access Controls

2 Page 2 Fundamentals of Information Systems Security © 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Learning Objective  Explain the role of access controls in implementing security policy.

3 Page 3 Fundamentals of Information Systems Security © 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Key Concepts  Authorization policies that apply access control to systems, application, and data  The role of identification in granting access to information systems  The role of authentication in granting access to information systems  Authentication factor types and the need for two- or three-factor authentication  The pros and cons of the formal models used for access controls

4 Page 4 Introduction to Information Systems Security © 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. DISCOVER: CONCEPTS

5 Page 5 Fundamentals of Information Systems Security © 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Defining Access Control  The process of protecting a resource so that it is used only by those allowed to do so  Prevents unauthorized use

6 Page 6 Fundamentals of Information Systems Security © 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Four Parts of Access Control Access Control Component Description AuthorizationWho is approved for access and what can they use? IdentificationHow are they identified? AuthenticationCan their identities be verified? AccountabilityHow are actions traced to an individual to ensure that the person who makes data or system changes can be identified?

7 Page 7 Fundamentals of Information Systems Security © 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Access Control Basics  Access control provides a set of resources available to the authenticated identity.  Access controls can be logical or physical.  Before authorization can occur, the identity of the account attempting to access a resource must be determined.

8 Page 8 Fundamentals of Information Systems Security © 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Access Control Basics (Continued)  Identification presents credentials.  Authentication associates those credentials with a security principal.  Accountability traces an action to a person or process to know who made the changes to the system or data.

9 Page 9 Fundamentals of Information Systems Security © 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Asynchronous Token Challenge- Response

10 Page 10 Fundamentals of Information Systems Security © 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Rule-Based Access Control

11 Page 11 Fundamentals of Information Systems Security © 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. An Access Control List (ACL)

12 Page 12 Fundamentals of Information Systems Security © 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Role-Based Access Control

13 Page 13 Fundamentals of Information Systems Security © 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Content-Dependent Access Control

14 Page 14 Fundamentals of Information Systems Security © 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Policy Definition and Policy Enforcement Phases  Policy definition phase decides who has access and what systems or resources they can use. It is tied to the authorization phase.  Policy enforcement phase grants or rejects requests for access based on the authorizations defined in the first phase. It is tied to identification, authentication, and accountability phases.

15 Page 15 Introduction to Information Systems Security © 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. DISCOVER: ROLES

16 Page 16 Fundamentals of Information Systems Security © 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Who Sets or Defines These Controls? Mandatory access Discretionary access Non- discretionary access Role-based access Rule-based access Content- dependent access

17 Page 17 Introduction to Information Systems Security © 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. DISCOVER: PROCESS

18 Page 18 Fundamentals of Information Systems Security © 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Scenario 1  Select access control methods for the Department of Defense (DoD) network.

19 Page 19 Fundamentals of Information Systems Security © 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Solution  Use a combination of biometric, token-based, and password-form access methods.  Use more complex forms of authentication, such as time-of-day restrictions and hardware encryption devices.  Each account attempting to make a transaction must be properly identified.

20 Page 20 Fundamentals of Information Systems Security © 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Scenario 2  Select access control methods for an organization that does the majority of its business through public kiosks.

21 Page 21 Fundamentals of Information Systems Security © 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Solution  Authentication can be as simple as an automatic anonymous guest logon shared by all visitors.

22 Page 22 Fundamentals of Information Systems Security © 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Scenario 3  Select access control methods for an organization that does the majority of its business through Web-based servers.

23 Page 23 Fundamentals of Information Systems Security © 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Solution  Role-based access  Single sign-on  Remote Authentication Dial In User Service (RADIUS)  Strong passwords

24 Page 24 Fundamentals of Information Systems Security © 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Logical Access Control Features Logical ControlsSolution? Biometrics Tokens Passwords Single sign-on

25 Page 25 Fundamentals of Information Systems Security © 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Logical Access Control Solutions Logical ControlsSolutions BiometricsStatic: Fingerprints, iris granularity, retina blood vessels, facial features, and hand geometry Dynamic: Voice inflections, keyboard strokes, and signature motions TokensSynchronous or asynchronous Smart cards and memory cards PasswordsStringent password controls for users Account lockout policies Auditing logon events Single sign-onKerberos process Secure European System for Applications in a Multi-Vendor Environment (SESAME)

26 Page 26 Fundamentals of Information Systems Security © 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Summary  Access control is the process of protecting a resource so that it is used only by those allowed to do so.  Access controls can be logical or physical.  Access control includes identification, authentication, authorization, and accountability.  The four parts of access control can be categorized into policy definition phase and policy enforcement phase.


Download ppt "© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Fundamentals of Information Systems Security."

Similar presentations


Ads by Google