CHAPTER 5 Access Control in the Enterprise
by Mike Chapple
Access Control and Identity Management, 3rd Edition
- Cover
- Title Page
- Copyright Page
- Contents
- Preface
- Acknowledgments
- About the Author
- Dedication
- CHAPTER 1 Access Control Framework
- CHAPTER 2 Business Drivers for Access Controls
- CHAPTER 3 Human Nature and Organizational Behavior
- The Human Element
- Organizational Structure and Access Control Strategy
- Job Rotation and Position Sensitivity
- Requirement for Periodic Vacation
- Separation of Duties
- Responsibilities of Access Owners
- Training Employees
- Ethics
- Best Practices for Handling Human Nature and Organizational Behavior
- Case Studies and Examples
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 3 ASSESSMENT
- CHAPTER 4 Assessing Risk and Its Impact on Access Control
- CHAPTER 5 Access Control in the Enterprise
- Access Control Lists (ACLs) and Access Control Entries (ACEs)
- Access Control Models
- Discretionary Access Control (DAC)
- Mandatory Access Control (MAC)
- Role-Based Access Control (RBAC)
- Attribute-Based Access Control (ABAC)
- Rule-Based Access Control (RuBAC)
- Risk-Adaptive Access Control (RAdAC)
- Authentication Factors
- Types of Factors
- Factor Usage Criteria
- How Does Kerberos Authentication Work?
- Use of Symmetric Key and Trusted Third Parties for Authentication
- Key Distribution Center (KDC)
- Authentication Tickets
- Potential Weaknesses
- Kerberos in a Business Environment
- Network Access Control
- Wireless IEEE 802.11 LANs
- Single Sign-On (SSO)
- Best Practices for Handling Access Controls in an Enterprise Organization
- Case Studies and Examples
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 5 ASSESSMENT
- CHAPTER 6 Mapping Business Challenges to Access Control Types
- CHAPTER 7 Access Control System Implementations
- Transforming Access Control Policies and Standards into Procedures and Guidelines
- Identity Management and Access Control
- Size and Distribution of Staff and Assets
- Multilayered Access Control Implementations
- Access Controls for Employees, Remote Employees, Customers, and Business Partners
- Remote Virtual Private Network (VPN) Access—Remote Employees and Workers
- Intranets—Internal Business Operations and Communications
- Extranets—External Supply Chains, Business Partners, Distributors, and Resellers
- Secure E-Commerce Sites with Encryption
- Secure Online Banking Access Control Implementations
- Logon/Password Access
- Identification Imaging and Authorization
- Federated Identities and Third Party Identity Services
- Best Practices for Access Control Implementations
- Case Studies and Examples
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 7 ASSESSMENT
- CHAPTER 8 Access Control for Information Systems
- Access Control for Data
- Access Control for File Systems
- Access Control for Executables
- Microsoft Windows Workstations and Servers
- Linux
- Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems
- Best Practices for Access Controls for Information Systems
- Case Studies and Examples
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 8 ASSESSMENT
- CHAPTER 9 Physical Security and Access Control
- Physical Security
- Designing a Comprehensive Plan
- Biometric Access Control Systems
- Technology-Related Access Control Solutions
- Outsourcing Physical Security—Pros and Cons
- Best Practices for Physical Access Controls
- Case Studies and Examples
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 9 ASSESSMENT
- CHAPTER 10 Access Control Solutions for Remote Workers
- Growth in Mobile Work Force
- Remote Access Methods and Techniques
- Access Protocols to Minimize Risk
- Remote Authentication Protocols
- Network Authentication Protocols
- Virtual Private Networks (VPNs)
- Web Authentication
- Best Practices for Remote Access Controls to Support Remote Workers
- Case Studies and Examples
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 10 ASSESSMENT
- CHAPTER 11 Public Key Infrastructure and Encryption
- Public Key Infrastructure (PKI)
- Ensuring Integrity, Confidentiality, Authentication, and Nonrepudiation
- What PKI Is and What It Is Not
- What Are the Potential Risks Associated with PKI?
- Implementations of Business Cryptography
- Certificate Authorities (CAs) and Digital Certificate Management
- Best Practices for PKI Use Within Large Enterprises and Organizations
- Case Studies and Examples
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 11 ASSESSMENT
- CHAPTER 12 Testing Access Control Systems
- Purpose of Testing Access Control Systems
- Software Development Life Cycle and the Need for Testing Software
- Security Development Life Cycle and the Need for Testing Security Systems
- Security Monitoring, Incident Handling, and Testing
- Performing the Access Control System Penetration Test
- Preparing the Final Test Report
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 12 ASSESSMENT
- CHAPTER 13 Access Control Assurance
- What Is Information Assurance?
- How Can Information Assurance Be Applied to Access Control Systems?
- What Are the Goals of Access Control System Monitoring and Reporting?
- What Checks and Balances Can Be Implemented?
- Audit Trail and Audit Log Management and Parsing
- Audit Trail and Audit Log Reporting Issues and Concerns
- Security Information and Event Management (SIEM)
- Best Practices for Performing Ongoing Access Control System Assurance
- Case Studies and Examples
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 13 ASSESSMENT
- CHAPTER 14 Access Control Laws, Policies, and Standards
- U.S. Compliance Laws and Regulations
- Gramm-Leach-Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Sarbanes-Oxley (SOX) Act
- Family Educational Rights and Privacy Act (FERPA)
- Communications Assistance for Law Enforcement Act (CALEA)
- Children’s Internet Protection Act (CIPA)
- Food and Drug Administration (FDA) Regulations
- North American Electric Reliability Council (NERC)
- Homeland Security Presidential Directive 12 (HSPD 12)
- Americans with Disabilities Act (ADA)
- Access Control Security Policy Best Practices
- IT Security Policy Framework
- Case Studies and Examples
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 14 ASSESSMENT
- ENDNOTE
- U.S. Compliance Laws and Regulations
- CHAPTER 15 Security Breaches and the Law
- Appendix A Answer Key
- Appendix B Standard Acronyms
- Glossary of Key Terms
- References
- Index
© fandijki/ShutterStock, Inc.
CHAPTER |
Access Control in the Enterprise |
ACCESS CONTROL AND AUTHENTICATION within an enterprise is a large-scale problem with multiple solutions. Each enterprise has its own way of handling it, depending on the risk associated with the information and activities on the network. The higher the risk of an attacker entering an organization and seeing or removing information, the more constraints the enterprise will put on users. An organization that maintains a large amount of credit card information or personally identifiable information (PII) on its customers will sustain a higher impact if that information is removed or accessed illicitly. Corporations are now required to let a third party know when certain information has been compromised within their systems. The reaction to this breach in information may stop people or other enterprises from doing business with them.
Chapter 5 Topics
This chapter covers the following topics and concepts:
- Access control lists (ACLs) and access control entries (ACEs)
- Which access control models are common in enterprise environments
- Authentication factors and the risks associated with them
- What Kerberos is and how it works
- How Layer 2 and Layer 3 access controls protect the network
- Which access controls are associated with wireless local area networks (WLANs)
- What single sign-on is and how to use it
- Which best practices help you implement access controls in an enterprise environment
- Case studies and examples
Chapter 5 Goals
When you complete this chapter, you will be able to:
- Understand how ACLs and ACEs are related and how to use them
- Identify mandatory access control (MAC), discretionary access control (DAC), role-based access control (RBAC), and attribute-based access control (ABAC), and other models
- Understand authentication factors and the strengths and weaknesses of something you know, something you have, and something you are
- Understand Kerberos, the Kerberos-trusted Key Distribution Center (KDC), the Kerberos Ticket-Granting Service (TGS), and the Kerberos Authentication Service
- Identify Layer 2 and Layer 3 techniques for controlling network access
- Implement security for a WLAN infrastructure
- Plan for single sign-on access control
- Apply best practices to access control implementation in an enterprise environment
- Apply lessons learned from case studies to real-world situations
-
No Comment
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.