CHAPTER 1 Access Control Framework
by Mike Chapple
Access Control and Identity Management, 3rd Edition
- Cover
- Title Page
- Copyright Page
- Contents
- Preface
- Acknowledgments
- About the Author
- Dedication
- CHAPTER 1 Access Control Framework
- CHAPTER 2 Business Drivers for Access Controls
- CHAPTER 3 Human Nature and Organizational Behavior
- The Human Element
- Organizational Structure and Access Control Strategy
- Job Rotation and Position Sensitivity
- Requirement for Periodic Vacation
- Separation of Duties
- Responsibilities of Access Owners
- Training Employees
- Ethics
- Best Practices for Handling Human Nature and Organizational Behavior
- Case Studies and Examples
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 3 ASSESSMENT
- CHAPTER 4 Assessing Risk and Its Impact on Access Control
- CHAPTER 5 Access Control in the Enterprise
- Access Control Lists (ACLs) and Access Control Entries (ACEs)
- Access Control Models
- Discretionary Access Control (DAC)
- Mandatory Access Control (MAC)
- Role-Based Access Control (RBAC)
- Attribute-Based Access Control (ABAC)
- Rule-Based Access Control (RuBAC)
- Risk-Adaptive Access Control (RAdAC)
- Authentication Factors
- Types of Factors
- Factor Usage Criteria
- How Does Kerberos Authentication Work?
- Use of Symmetric Key and Trusted Third Parties for Authentication
- Key Distribution Center (KDC)
- Authentication Tickets
- Potential Weaknesses
- Kerberos in a Business Environment
- Network Access Control
- Wireless IEEE 802.11 LANs
- Single Sign-On (SSO)
- Best Practices for Handling Access Controls in an Enterprise Organization
- Case Studies and Examples
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 5 ASSESSMENT
- CHAPTER 6 Mapping Business Challenges to Access Control Types
- CHAPTER 7 Access Control System Implementations
- Transforming Access Control Policies and Standards into Procedures and Guidelines
- Identity Management and Access Control
- Size and Distribution of Staff and Assets
- Multilayered Access Control Implementations
- Access Controls for Employees, Remote Employees, Customers, and Business Partners
- Remote Virtual Private Network (VPN) Access—Remote Employees and Workers
- Intranets—Internal Business Operations and Communications
- Extranets—External Supply Chains, Business Partners, Distributors, and Resellers
- Secure E-Commerce Sites with Encryption
- Secure Online Banking Access Control Implementations
- Logon/Password Access
- Identification Imaging and Authorization
- Federated Identities and Third Party Identity Services
- Best Practices for Access Control Implementations
- Case Studies and Examples
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 7 ASSESSMENT
- CHAPTER 8 Access Control for Information Systems
- Access Control for Data
- Access Control for File Systems
- Access Control for Executables
- Microsoft Windows Workstations and Servers
- Linux
- Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems
- Best Practices for Access Controls for Information Systems
- Case Studies and Examples
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 8 ASSESSMENT
- CHAPTER 9 Physical Security and Access Control
- Physical Security
- Designing a Comprehensive Plan
- Biometric Access Control Systems
- Technology-Related Access Control Solutions
- Outsourcing Physical Security—Pros and Cons
- Best Practices for Physical Access Controls
- Case Studies and Examples
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 9 ASSESSMENT
- CHAPTER 10 Access Control Solutions for Remote Workers
- Growth in Mobile Work Force
- Remote Access Methods and Techniques
- Access Protocols to Minimize Risk
- Remote Authentication Protocols
- Network Authentication Protocols
- Virtual Private Networks (VPNs)
- Web Authentication
- Best Practices for Remote Access Controls to Support Remote Workers
- Case Studies and Examples
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 10 ASSESSMENT
- CHAPTER 11 Public Key Infrastructure and Encryption
- Public Key Infrastructure (PKI)
- Ensuring Integrity, Confidentiality, Authentication, and Nonrepudiation
- What PKI Is and What It Is Not
- What Are the Potential Risks Associated with PKI?
- Implementations of Business Cryptography
- Certificate Authorities (CAs) and Digital Certificate Management
- Best Practices for PKI Use Within Large Enterprises and Organizations
- Case Studies and Examples
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 11 ASSESSMENT
- CHAPTER 12 Testing Access Control Systems
- Purpose of Testing Access Control Systems
- Software Development Life Cycle and the Need for Testing Software
- Security Development Life Cycle and the Need for Testing Security Systems
- Security Monitoring, Incident Handling, and Testing
- Performing the Access Control System Penetration Test
- Preparing the Final Test Report
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 12 ASSESSMENT
- CHAPTER 13 Access Control Assurance
- What Is Information Assurance?
- How Can Information Assurance Be Applied to Access Control Systems?
- What Are the Goals of Access Control System Monitoring and Reporting?
- What Checks and Balances Can Be Implemented?
- Audit Trail and Audit Log Management and Parsing
- Audit Trail and Audit Log Reporting Issues and Concerns
- Security Information and Event Management (SIEM)
- Best Practices for Performing Ongoing Access Control System Assurance
- Case Studies and Examples
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 13 ASSESSMENT
- CHAPTER 14 Access Control Laws, Policies, and Standards
- U.S. Compliance Laws and Regulations
- Gramm-Leach-Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Sarbanes-Oxley (SOX) Act
- Family Educational Rights and Privacy Act (FERPA)
- Communications Assistance for Law Enforcement Act (CALEA)
- Children’s Internet Protection Act (CIPA)
- Food and Drug Administration (FDA) Regulations
- North American Electric Reliability Council (NERC)
- Homeland Security Presidential Directive 12 (HSPD 12)
- Americans with Disabilities Act (ADA)
- Access Control Security Policy Best Practices
- IT Security Policy Framework
- Case Studies and Examples
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 14 ASSESSMENT
- ENDNOTE
- U.S. Compliance Laws and Regulations
- CHAPTER 15 Security Breaches and the Law
- Appendix A Answer Key
- Appendix B Standard Acronyms
- Glossary of Key Terms
- References
- Index
© fandijki/ShutterStock, Inc.
CHAPTER |
Access Control Framework |
ORGANIZATIONS RELY UPON ACCESS CONTROLS to grant and restrict user access to information, systems, and other resources. Access control systems, when properly designed, implement business rules and often direct implementations of policy in such a manner that individuals have access to the information and resources needed to perform their responsibilities but no more.
The consequences of weak or nonexistent access controls range from inconvenient to downright disastrous, depending on the nature of the resources being protected. For the average user, it may be a personal invasion of privacy to have someone else reading your email. On the other hand, without strong access controls, companies could lose billions of dollars when disgruntled employees bring down mission-critical systems. Identity theft is a major concern in modern life, because so much of our private information is stored in accessible databases. The only way that information can be both useful and safe is through strong access controls.
Chapter 1 Topics
This chapter covers the following topics and concepts:
- What access control is
- What the principal components of access control are
- What the three stages of access control are
- What logical access controls are
- What authentication factors are
Chapter 1 Goals
When you complete this chapter, you will be able to:
- Identify the principal components of access control
- Define the three stages of access control
- Choose the best combination of authentication factors for a given scenario
-
No Comment
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.