2. Overview
Access Control - Only authorized users, programs, and systems are
allowed to access resources
Not surprisingly, the process for defining access control is:
1. Define Resources
2. Define Users
3. Specify Access between users and resources
4. Stances
1. Allow-By-Default
   1. Easy to set up, hard to secure
2. Deny-By-Default
   1. Easy to secure, hard to set up
Defence in Depth
• Layer different access control styles
• Every layer reduces the chance that a single attacker will find a hole through all of the layers
5. Separation Of Duties
Separation of Duties - 2 keys to launch the nuke!
Process/Concerns:
• Element identity, importance and criticality
• Identify areas at risk/prone to abuse
• Add an "approval" step
• Operational considerations
   • Efficiency
   • Cost vs. Risk
   • User skill/availability
   • Must be enough personnel
6. Least Privilege
Only give enough access for users to perform their jobs
Need to know
• Simple way to implement least privilege
• Only share information with a user if they "need" it
Compartmentalization
• Isolate groups from each other so information doesn't get leaked
7. Security Domain
Set up a hierarchy of access
PC user accounts example:
1. Guest
2. User
3. Power user
4. Admin
8. Information Classification
Different security levels for different information
Benefits:
• Establish ownership of info
• Reduce waste
• Focus resources on the highest risk
• Easier to find areas which are lacking
• Can quickly reveal info's worth
• Easier to raise awareness
• Easier to train/retrain staff
9. Information Classification
The Process:
1. Determine Objectives
   1. This is a process, not a project! It will be ongoing forever
   2. Defining objectives on each iteration helps you keep track of the work and celebrate the victories along the way
2. Establish Organizational Support
   1. Get buy-in on the objectives from management
   2. If they can't see the cost-to-benefit they may not support your work
3. Develop Information Classification Policy & Procedures
   1. Requirements, scope, purpose, definitions
(Mostly high-level up to this point)
10. Information Classification
4. Process Flows
   1. Document the process, flow charts
5. Tools
   1. Make sure everyone is speaking the same language
6. Identify Application Owners
   1. Custodians of data. They can help identify stakeholders
7. Identify Info Owners
   1. They know the data, decide who can access data
8. Distribute templates
   1. Info owners fill them out to identify the data they manage
(Mid-level up to this point)
11. Information Classification
9. Classify Info
   1. Is it public? Internal only? Confidential? Restricted?
10. Develop Auditing
   1. Perform this process again on new data
   2. Do "spot" checks (check track, locked screens)
11. Load Classification Info Into A Repository
   1. Allows analysis
12. Train
   1. What classifications mean, importance, scenarios
13. Review and Update
   1. Improve quality, keep the process ongoing
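Putting the earlier slides together in code (the three definition steps and two stances from the Stances slide, the security domain hierarchy, need to know, and the four classification levels from step 9), here is an added Python example that is not part of the slides; the resource names, user names and clearances are constructed sample data.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):
    """Classification levels from the slides; a higher value is more sensitive."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3

@dataclass(frozen=True)
class Resource:
    name: str
    level: Level

@dataclass(frozen=True)
class User:
    name: str
    clearance: Level          # top of the user's security domain (Guest..Admin)
    need_to_know: frozenset   # resource names explicitly granted (least privilege)

def can_access(user: User, res: Resource, deny_by_default: bool = True) -> bool:
    """Step 3 of the slides: decide whether `user` may read `res`.
    Security domain: the user's clearance must dominate the resource's level.
    Need to know: at CONFIDENTIAL and above the user also needs an explicit grant.
    deny_by_default=False models the Allow-By-Default stance: anything not
    explicitly ruled out is permitted, which is why that stance is hard to secure.
    """
    too_low = user.clearance < res.level
    if not deny_by_default:
        return not too_low                       # allow unless clearly forbidden
    if too_low:
        return False
    if res.level >= Level.CONFIDENTIAL and res.name not in user.need_to_know:
        return False                             # cleared, but no need to know
    return True

# Constructed sample data (not from the slides): steps 1 and 2, resources and users.
RESOURCES = {
    "press-release": Resource("press-release", Level.PUBLIC),
    "org-chart": Resource("org-chart", Level.INTERNAL),
    "payroll": Resource("payroll", Level.CONFIDENTIAL),
    "launch-codes": Resource("launch-codes", Level.RESTRICTED),
}
USERS = {
    "guest": User("guest", Level.PUBLIC, frozenset()),
    "hr-clerk": User("hr-clerk", Level.CONFIDENTIAL, frozenset({"payroll"})),
    "admin": User("admin", Level.RESTRICTED, frozenset({"payroll"})),
}
```

Note that `admin` is cleared for RESTRICTED but holds no grant for `launch-codes`: deny-by-default refuses the read, while allow-by-default permits it because nothing explicitly forbids it.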
12. Labeling
Use your classification system
Create silos if it's easier:
• Mark all backup tapes as "confidential" instead of separating out the confidential data to its own tapes
13. Access Control Requirements
1. Reliability
2. Transparency
3. Scalability
4. Integrity
5. Maintainability
6. Auditability
7. Authentication Data Security
14. Access Control Types & Categories
2 Methods of defining Access Controls
1. By Type
   1. What the control itself is doing
2. By Category
   1. Who is implementing the control -or-
   2. How the control is used