Reflection
500 words (or 2 pages double spaced) of how the knowledge, skills, or theories of this course have been applied, or could be applied, in a practical manner to your current work environment
Use of proper APA formatting and citations. If supporting evidence from outside resources is used those must be properly cited.
Share a personal connection that identifies specific knowledge and theories from this course.
Demonstrate a connection to your current work environment.
Topic is Access Control
Course Objective
Course Objectives/Learner Outcomes:
Upon completion of this course, the student will:
Identify the types of access control technologies used in a networking environment.
Implement knowledge-based and biometric authentication.
Identify knowledge-based and characteristics-based authentication technologies.
Recognize how single sign-on systems (SSOs), one-time passwords (OTPs), and smart cards are used for authentication.
Determine the appropriate type of authentication to implement in a given enterprise scenario.
Recognize ways of securing passwords and identify different types of attacks against passwords and password files.
Select the appropriate access control model for a scenario.
Determine the most appropriate access control model to implement in a given situation.
Recognize how different types of access control techniques operate.
Distinguish between centralized and decentralized access control administration mechanisms.
Identify intrusion detection system (IDS) mechanisms and implementation methods, and recognize various intrusion detection and prevention techniques.
Current Employment:
I currently work as an IT Systems Engineer, so any IT workplace environment can be used as a reference for the paper.
World Headquarters
Jones & Bartlett Learning
5 Wall Street
Burlington, MA 01803
978-443-5000
[emailprotected]
www.jblearning.com
Jones & Bartlett Learning books and products are available through most
bookstores and online booksellers. To contact Jones & Bartlett Learning directly,
call 800-832-0034, fax 978-443-8000, or visit our website, www.jblearning.com.
Substantial discounts on bulk quantities of Jones & Bartlett Learning publications
are available to corporations, professional associations, and other qualified
organizations. For details and specific discount information, contact the special
sales department at Jones & Bartlett Learning via the above contact information
or send an email to [emailprotected]
Copyright 2014 by Jones & Bartlett Learning, LLC, an Ascend Learning
Company
All rights reserved. No part of the material protected by this copyright may be
reproduced or utilized in any form, electronic or mechanical, including
photocopying, recording, or by any information storage and retrieval system,
without written permission from the copyright owner.
The content, statements, views, and opinions herein are the sole expression of the
respective authors and not that of Jones & Bartlett Learning, LLC. Reference
herein to any specific commercial product, process, or service by trade name,
trademark, manufacturer, or otherwise does not constitute or imply its
endorsement or recommendation by Jones & Bartlett Learning, LLC and such
reference shall not be used for advertising or product endorsement purposes. All
trademarks displayed are the trademarks of the parties noted herein. Access
Control, Authentication, and Public Key Infrastructure, Second Edition is an
independent publication and has not been authorized, sponsored, or otherwise
approved by the owners of the trademarks or service marks referenced in this
product.
There may be images in this book that feature models; these models do not
necessarily endorse, represent, or participate in the activities represented in the
images. Any screenshots in this product are for educational and instructive
purposes only. Any individuals and scenarios featured in the case studies
throughout this product may be real or fictitious, but are used for instructional
purposes only.
This publication is designed to provide accurate and authoritative information in
regard to the subject matter covered. It is sold with the understanding that the
publisher is not engaged in rendering legal or other professional service. If legal
advice or other expert assistance is required, the service of a competent
professional person should be sought.
Production Credits
Chief Executive Officer: Ty Field
President: James Homer
SVP, Editor-in-Chief: Michael Johnson
SVP, Curriculum Solutions: Christopher Will
Director of Sales, Curriculum Solutions: Randi Roger
Senior Marketing Manager: Andrea DeFronzo
Associate Marketing Manager: Kelly Thompson
VP, Design and Production: Anne Spencer
VP, Manufacturing and Inventory Control: Therese Connell
Manufacturing and Inventory Control Supervisor: Amy Bacus
Editorial Management: High Stakes Writing, LLC,
President: Lawrence J. Goodrich
Senior Editor, HSW: Ruth Walker
Senior Editorial Assistant: Rainna Erikson
Production Manager: Susan Schultz
Composition: Gamut+Hue, LLC
Cover Design: Kristin E. Parker
Director of Photo Research and Permissions: Amy Wrynn
Rights & Photo Research Assistant: Joseph Veiga
Cover Image: HunThomas/ShutterStock, Inc.
Chapter Opener Image: Rodolfo Clix/Dreamstime.com
Printing and Binding: Edwards Brothers Malloy
Cover Printing: Edwards Brothers Malloy
ISBN: 978-1-284-03159-1
Library of Congress Cataloging-in-Publication Data
Not available at time of printing.
Printed in the United States of America
17 16 15 14 13 10 9 8 7 6 5 4 3 2 1
Contents
Preface
Acknowledgments
PART ONE The Need for Information Security
CHAPTER 1 Access Control Framework
Access and Access Control
What Is Access?
What Is Access Control?
Principal Components of Access Control
Access Control Systems
Access Control Subjects
Access Control Objects
Access Control Process
Identification
Authentication
Authorization
Logical Access Controls
Logical Access Controls for Subjects
Group Access Controls
Logical Access Controls for Objects
Authentication Factors
Something You Know
Something You Have
Something You Are
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 1 ASSESSMENT
CHAPTER 2 Assessing Risk and Its Impact on Access Control
Definitions and Concepts
Threats and Vulnerabilities
Access Control Threats
Access Control Vulnerabilities
Risk Assessment
Quantitative Risk Assessment
Qualitative Risk Assessment
Risk Management Strategies
Value, Situation, and Liability
Potential Liability and Non-Financial Impact
Where Are Access Controls Needed Most?
How Secure Must the Access Control Be?
The Utility of Multilayered Access Control Systems
Case Studies and Examples
Private Sector
Public Sector
Critical Infrastructure
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 2 ASSESSMENT
CHAPTER 3 Business Drivers for Access Controls
Business Requirements for Asset Protection
Importance of Policy
Senior Management Role
Classification of Information
Classification Schemes
Personally Identifiable Information (PII)
Privacy Act Information
Competitive Use of Information
Valuation of Information
Business Drivers
Cost-Benefit Analysis
Risk Assessment
Business Facilitation
Cost Containment
Operational Efficiency
IT Risk Management
Controlling Access and Protecting Value
Importance of Internal Access Controls
Importance of External Access Controls
Implementation of Access Controls with Respect to Contractors, Vendors, and Third Parties
Examples of Access Control Successes and Failures in Business
Case Study in Access Control Success
Case Study in Access Control Failure
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 3 ASSESSMENT
CHAPTER 4 Access Control Policies, Standards, Procedures, and Guidelines
U.S. Compliance Laws and Regulations
Gramm-Leach-Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
Sarbanes-Oxley (SOX) Act
Family Educational Rights and Privacy Act (FERPA)
Communications Assistance for Law Enforcement Act (CALEA)
Children's Internet Protection Act (CIPA)
21 CFR Part 11
North American Electric Reliability Council (NERC)
Homeland Security Presidential Directive 12 (HSPD 12)
Access Control Security Policy Best Practices
Private Sector: Enterprise Organizations
Public Sector: Federal, State, County, and City Government
Critical Infrastructure, Including Utilities and Transportation
IT Security Policy Framework
What Policies Are Needed for Access Controls?
What Standards Are Needed to Support These Policies?
What Procedures Are Needed to Implement These Policies?
What Guidelines Are Needed for Departments and End Users?
Examples of Access Control Policies, Standards, Procedures, and Guidelines
Private Sector Case Study
Public Sector Case Study
Critical Infrastructure Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 4 ASSESSMENT
ENDNOTE
CHAPTER 5 Security Breaches and the Law
Laws to Deter Information Theft
U.S. Federal Laws
State Laws
Cost of Inadequate Front-Door and First-Layer Access Controls
Access Control Failures
People
Technology
Security Breaches
Kinds of Security Breaches
Why Security Breaches Occur
Implications of Security Breaches
Private Sector Case Studies
Public Sector Case Study
Critical Infrastructure Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 5 ASSESSMENT
PART TWO Mitigating Risk with Access Control Systems, Authentication, and PKI
CHAPTER 6 Mapping Business Challenges to Access Control Types
Access Controls to Meet Business Needs
Business Continuity
Risk and Risk Mitigation
Threats and Threat Mitigation
Vulnerabilities and Vulnerability Management
Solving Business Challenges with Access Control Strategies
Employees with Access to Systems and Data
Employees with Access to Sensitive Systems and Data
Administrative Strategies
Technical Strategies
Separation of Responsibilities
Least Privilege
Need to Know
Input/Output Controls
Case Studies and Examples
Private Sector Case Study
Public Sector Case Study
Critical Infrastructure Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 6 ASSESSMENT
CHAPTER 7 Human Nature and Organizational Behavior
The Human Element
Dealing with Human Nature
Pre-Employment Background Checks for Sensitive Positions
Ongoing Observation of Personnel
Organizational Structure and Access Control Strategy
Job Rotation and Position Sensitivity
Requirement for Periodic Vacation
Separation of Duties
Concept of Two-Person Control
Collusion
Monitoring and Oversight
Responsibilities of Access Owners
Training Employees
Acceptable Use Policy
Security Awareness Policy
Ethics
What Is Right and What Is Wrong
Enforcing Policies
Human Resources Involvement
Best Practices for Handling Human Nature and Organizational Behavior
Make Security Practices Common Knowledge
Foster a Culture of Open Discussion
Encourage Creative Risk-Taking
Case Studies and Examples
Private Sector Case Study
Public Sector Case Study
Critical Infrastructure Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 7 ASSESSMENT
CHAPTER 8 Access Control for Information Systems
Access Control for Data
Data at Rest
Data in Motion
Object-Level Security
Access Control for File Systems
Access Control List
Discretionary Access Control List
System Access Control List
Access Control for Executables
Delegated Access Rights
Microsoft Windows Workstations and Servers
Granting Windows Folder Permissions
Domain Administrator Rights
Super Administrator Rights
UNIX and Linux
UNIX and Linux File Permissions
Linux Intrusion Detection System (LIDS)
The Root Superuser
Supervisory Control and Data Acquisition (SCADA) and Process Control Systems
Best Practices for Access Controls for Information Systems
Case Studies and Examples
Private Sector Case Study
Public Sector Case Study
Critical Infrastructure Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 8 ASSESSMENT
CHAPTER 9 Physical Security and Access Control
Physical Security
Designing a Comprehensive Plan
Building Security and Access
Points of Entry and Exit
Physical Obstacles and Barriers
Granting Access to Physical Areas Within a Building
Biometric Access Control Systems
Principles of Operation
Types of Biometric Systems
Implementation Issues
Modes of Operation
Biometric System Parameters
Legal and Business Issues
Technology-Related Access Control Solutions
Physical Locks
Electronic Key Management System (EKMS)
Fobs and Tokens
Common Access Cards
Outsourcing Physical Security: Pros and Cons
Benefits of Outsourcing Physical Security
Risks Associated with Outsourcing Physical Security
Best Practices for Physical Access Controls
Case Studies and Examples
Private Sector: Case Studies and Examples
Public Sector Case Study
Critical Infrastructure Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 9 ASSESSMENT
CHAPTER 10 Access Control in the Enterprise
Access Control Lists (ACLs) and Access Control Entries (ACEs)
Access Control Models
Discretionary Access Control (DAC)
Mandatory Access Control (MAC)
Role-Based Access Control (RBAC)
Attribute-Based Access Control (ABAC)
Authentication Factors
Types of Factors
Factor Usage Criteria
Kerberos
How Does Kerberos Authentication Work?
Use of Symmetric Key and Trusted Third Parties for Authentication
Key Distribution Center (KDC)
Authentication Tickets
Principal Weaknesses
Kerberos in a Business Environment
Network Access Control
Layer 2 Techniques
Layer 3 Techniques
CEO/CIO/CSO Emergency Disconnect Prime Directive
Wireless IEEE 802.11 LANs
Access Control to IEEE 802.11 WLANs
Identification
Confidentiality
Authorization
Single Sign-On (SSO)
Defining the Scope for SSO
Configuring User and Role-Based User Access Control Profiles
Common Configurations
Enterprise SSO
Best Practices for Handling Access Controls in an Enterprise Organization
Case Studies and Examples
Private Sector Case Study
Public Sector Case Study
Critical Infrastructure Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 10 ASSESSMENT
PART THREE Implementing, Testing, and Managing Access Control Systems
CHAPTER 11 Access Control System Implementations
Transforming Access Control Policies and Standards into Procedures and Guidelines
Transform Policy Definitions into Implementation Tasks
Follow Standards Where Applicable
Create Simple and Easy-to-Follow Procedures
Define Guidelines That Departments and Business Units Can Follow
Identity Management and Access Control
User Behavior, Application, and Network Analysis
Size and Distribution of Staff and Assets
Multilayered Access Control Implementations
User Access Control Profiles
Systems Access
Applications Access
File and Folder Access
Data Access
Access Controls for Employees, Remote Employees, Customers, and Business Partners
Remote Virtual Private Network (VPN) Access
Remote Employees and Workers
Intranets: Internal Business Operations and Communications
Extranets: External Supply Chains, Business Partners, Distributors, and Resellers
Secure E-commerce Portals with Encryption
Secure Online Banking Access Control Implementations
Logon/Password Access
Identification Imaging and Authorization
Best Practices for Access Control Implementations
Case Studies and Examples
Private Sector Case Study
Public Sector Example
Critical Infrastructure Case Study
CHAPTER 11 SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 11 ASSESSMENT
CHAPTER 12 Access Control Solutions for Remote Workers
Growth in Mobile Work Force
Remote Access Methods and Techniques
Identification
Authentication
Authorization
Access Protocols to Minimize Risk
Authentication, Authorization, and Accounting (AAA)
Remote Authentication Dial In User Service (RADIUS)
Remote Access Server (RAS)
TACACS, XTACACS, and TACACS+
Differences Between RADIUS and TACACS+
Remote Authentication Protocols
Virtual Private Networks (VPNs)
Web Authentication
Knowledge-Based Authentication (KBA)
Best Practices for Remote Access Controls to Support Remote Workers
Case Studies and Examples
Private Sector Case Study
Public Sector Case Study
Critical Infrastructure Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 12 ASSESSMENT
CHAPTER 13 Public Key Infrastructure and Encryption
Public Key Infrastructure (PKI)
What Is PKI?
Encryption and Cryptography
Business Requirements for Cryptography
Digital Certificates and Key Management
Symmetric Versus Asymmetric Algorithms
Certificate Authority (CA)
Ensuring Integrity, Confidentiality, Authentication, and Non-Repudiation
Use of Digital Signatures
What PKI Is and What It Is Not
What Are the Potential Risks Associated with PKI?
Implementations of Business Cryptography
Distribution
In-House Key Management Versus Outsourced Key Management
Certificate Authorities (CA)
Why Outsourcing to a CA May Be Advantageous
Risks and Issues with Outsourcing to a CA
Best Practices for PKI Use Within Large Enterprises and Organizations
Case Studies and Examples
Private Sector Case Study
Public Sector Case Study
Critical Infrastructure Example
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 13 ASSESSMENT
CHAPTER 14 Testing Access Control Systems
Purpose of Testing Access Control Systems
Software Development Life Cycle and the Need for Testing Software
Planning
Requirements Analysis
Software Design
Development
Testing and Integration
Release and Training
Support
Security Development Life Cycle and the Need for Testing Security Systems
Initiation
Acquisition and Development
Implementation and Testing
Operations and Maintenance
Sunset or Disposal
Information Security Activities
Requirements Definition: Testing the Functionality of the Original Design
Development of Test Plan and Scope
Selection of Penetration Testing Teams
Performing the Access Control System Penetration Test
Assess if Access Control System Policies and Standards Are Followed
Assess if the Security Baseline Definition Is Being Achieved Throughout
Assess if Security Countermeasures and Access Control Systems Are Implemented Properly
Preparing the Final Test Report
Identify Gaps and Risk Exposures and Assess Impact
Develop Remediation Plans for Closing Identified Security Gaps Prioritized by Risk Exposure
Prepare Cost Magnitude Estimate and Prioritize Security Solutions Based on Risk Exposure
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 14 ASSESSMENT
CHAPTER 15 Access Control Assurance
What Is Information Assurance?
C-I-A Triad
The Five Pillars
Parkerian Hexad
How Can Information Assurance Be Applied to Access Control Systems?
Access Controls Enforce Confidentiality
Access Controls Enforce Integrity
Access Controls Enforce Availability
Training and Information Assurance Awareness
What Are the Goals of Access Control System Monitoring and Reporting?
What Checks and Balances Can Be Implemented?
Track and Monitor Event-Type Audit Logs
Track and Monitor User-Type Audit Logs
Track and Monitor Unauthorized Access Attempts Audit Logs
Audit Trail and Audit Log Management and Parsing
Audit Trail and Audit Log Reporting Issues and Concerns
Security Information and Event Management (SIEM)
Best Practices for Performing Ongoing Access Control System Assurance
Case Studies and Examples
Private Sector Case Study
Public Sector Case Study
Critical Infrastructure Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 15 ASSESSMENT
APPENDIX A Answer Key
APPENDIX B Standard Acronyms
Glossary of Key Terms
References
Index
Preface
Purpose of This Book
This book is part of the Information Systems Security & Assurance
Series from Jones & Bartlett Learning (www.jblearning.com).
Designed for courses and curriculums in IT Security, Cybersecurity,
Information Assurance, and Information Systems Security, this series
features a comprehensive, consistent treatment of the most current
thinking and trends in this critical subject area. These titles deliver
fundamental information-security principles packed with real-world
applications and examples. Authored by Certified Information
Systems Security Professionals (CISSPs), they deliver
comprehensive information on all aspects of information security.
Reviewed word for word by leading technical experts in the field,
these books are not just current, but forward-thinking, putting you in
the position to solve the cybersecurity challenges not just of today,
but of tomorrow, as well.
The goal of Access Control, Authentication, and Public Key
Infrastructure, Second Edition is to provide you with both academic
knowledge and real-world understanding of the concepts behind
access controls. These are tools you will use to secure valuable
resources within your organization's IT infrastructure. The authors'
goal was to provide you with a book that would teach important
concepts first, and act as a useful reference later.
Access control goes beyond the simple username and password.
This book approaches access control from a broad perspective,
dealing with every aspect of access controls, from the very low-tech
to the cutting edge.
Part 1 of this book defines the components of access control,
provides a business framework for implementation, and discusses
legal requirements that impact access control programs.
In Part 2, the risks, threats, and vulnerabilities that are prevalent
in information systems and IT infrastructures are addressed with risk
mitigation strategies and techniques. Access control systems and
stringent authentication are presented as ways to mitigate risk.
Part 3 provides a resource for students and practitioners who are
responsible for implementing, testing, and managing access control
systems throughout the IT infrastructure. Use of public key
infrastructures for large organizations and certificate authorities is
presented to solve unique business challenges.
This book is more than just a list of different technologies and
techniques. You will come away with an understanding of how and
why to implement an access control system. You will know how to
conduct an effective risk assessment prior to implementation, and
how to test solutions throughout the life cycle of the system.
Learning Features
The writing style of this book is practical and conversational. Each
chapter begins with a statement of learning objectives. Step-by-step
examples of information security concepts and procedures are
presented throughout the text. Illustrations are used both to clarify
the material and to vary the presentation. The text is sprinkled with
Notes, Tips, FYIs, Warnings, and sidebars to alert the reader to
additional helpful information related to the subject under discussion.
Chapter assessments appear at the end of each chapter, with
solutions provided in the back of the book.
Chapter summaries are included in the text to provide a rapid
review or preview of the material and to help students understand
the relative importance of the concepts presented.
Audience
The material is suitable for undergraduate or graduate computer
science majors or information science majors, or students at a two-
year technical college or community college who have a basic
technical background, or readers who have a basic understanding of
IT security and want to expand their knowledge.
Acknowledgments
The production of a book is a complex effort involving many people. I
would like to thank everyone involved in this project, especially those
that I never had the opportunity to meet. Special thanks are due to
Jim Cavanagh, who served as an excellent technical editor; Larry
Goodrich and Randi Roger, who managed the project; and Ruth
Walker, our fearless copy editor. I would also like to thank Carole
Jelen, my literary agent with Waterside Productions.
Mike Chapple
The authors would like to thank Jones & Bartlett Learning for the
opportunity to write this book and be a part of the Information
Systems Security & Assurance Series project. Thanks also go to
Mike Chapple, our technical reviewer, and Kim Lindros, our project
manager. Mike ensured that every sentence in this book was as
clear and technically accurate as it could possibly be. Kim managed
the project on our behalf, reviewing and ferrying all the pieces that
flowed between us, Mike Chapple, and Jones & Bartlett Learning.
Our heartfelt gratitude to our extended family and friends, without
whose support we could not have written this book.
Bill and Tricia Ballad
To all my parents for providing the foundation that made this
possible. Thank you.
To the Ursos for letting me spend hours in the yellow house and
for making coffee. I am truly grateful.
To Mr. Weiss, I hope my words reflect all the guidance and
wisdom you provided. I have learned more from you than you will
ever know.
To Tarik and my family and friends who listened to me and still
missed me. I don't know what I would do without you.
To Marty Weiss, Carole Jelen, Mike Chapple, Kim Lindros, and all
the editors, for everything you do. Your assistance and advice are
truly appreciated.
To RSA, EMC, and all my colleagues: You guys make me love
security every day.
Erin K. Banks
About the Authors
MIKE CHAPPLE is senior director for Enterprise Support Services at
the University of Notre Dame. In this role, he oversees the
information security, IT architecture, project management, strategic
planning, and communications functions for the Office of Information
Technologies. He also serves as a concurrent assistant professor in
the university's Computer Applications Department, where he
teaches an undergraduate course on Information Security. He is a
technical editor for Information Security magazine and has written
several books, including Information Security Illuminated (Jones &
Bartlett, 2005), SQL Server 2008 for Dummies (Wiley, 2008), and the
CISSP Prep Guide (Wiley, 2012). He earned his BS and PhD
degrees from Notre Dame in computer science and engineering. He
also holds an MS degree in computer science from the University of
Idaho and an MBA from Auburn University.
BILL BALLAD has been active in the IT security community since
the mid-1990s. He is the coauthor and SME for Securing PHP Web
Applications (Addison-Wesley Professional, 2008), and he wrote the
security chapters for PHP & MySQL Web Development All-in-One
Desk Reference for Dummies (Wiley, 2008). Professionally, Ballad is
a senior systems engineer working with mission-critical Windows
networks.
TRICIA BALLAD spent several years as a Web applications
developer before becoming a full-time freelance writer and technical
editor. She has written online courseware on various consumer
electronics and computing subjects, and has coauthored PHP &
MySQL Web Development All-in-One Desk Reference for Dummies
(Wiley, 2008) and Securing PHP Web Applications (Addison-Wesley
Professional, 2008).
ERIN K. BANKS is a security technology consultant for EMC,
providing security solutions to Fortune 500 companies. She has over
13 years of experience in the network and security fields supporting
customers and system integrators across a wide variety of
industries. Banks holds a BS in electrical engineering from
Northeastern University and is currently working on her MBA from
the Isenberg School of Management at the University of
Massachusetts Amherst. She holds the CISSP certification, among
other industry certifications.
This book is dedicated to the memory of Dewitt Latimer, my friend,
colleague, and mentor. Mike Chapple
To Will, Alex, Patrick, and Beth
Bill and Tricia Ballad
To Holly, you will always be my girl
Erin K. Banks
PART ONE
The Need for Access Control
Systems
CHAPTER 1 Access Control Framework
CHAPTER 2 Assessing Risk and Its Impact on Access Control
CHAPTER 3 Business Drivers for Access Controls
CHAPTER 4 Access Control Laws, Policies, and Standards
CHAPTER 5 Security Breaches and the Law
CHAPTER 1 Access Control Framework
ORGANIZATIONS RELY UPON ACCESS CONTROLS to grant
and restrict user access to information, systems, and other
resources. Access control systems, when properly designed,
implement business rules, often direct implementations of policy, in
such a manner that individuals have access to the information and
resources needed to perform their responsibilities but no more.
The consequences of weak or nonexistent access controls range
from inconvenient to downright disastrous, depending on the nature
of the resources being protected. For the average user, it may be
annoying and inconvenient to have someone else reading your e-mail.
On the other end of the scale, without strong access controls,
companies could lose billions of dollars when disgruntled employees
bring down mission-critical systems. Identity theft is a major concern
in modern life, because so much of our private information is stored
in accessible databases. The only way that information can be both
useful and safe is through strong access controls.
Chapter 1 Topics
This chapter covers the following topics and concepts:
What access control is
What the principal components of access control are
What the three stages of access control are
What logical access controls are
What the three authentication factors are
Chapter 1 Goals
When you complete this chapter, you will be able to:
Identify the principal components of access control
Define the three stages of access control
Choose the best combination of authentication factors for a given scenario
Access and Access Control
There are two fundamentally important concepts you need to know
before diving into the content for this chapter:
1. What does access mean?
2. What is an access control?
In an ideal world, you wouldn't need to control access to what's
important to you or of value; you wouldn't even need to lock your
doors. Unfortunately, that's not reality, at home or in the business
world. In the real world, especially in business, there is a need to
protect precious data, network bandwidth, and other assets from a
variety of threats. This chapter will help you understand how to lock
your virtual doors.
What Is Access?
Fundamentally, access refers to the ability of a subject and an
object to interact. That interaction is the basis of everything we do,
both in the information technology (IT) field and in life in general.
Access can be defined in terms of social rules, physical barriers, or
informational restrictions.
For example, consider a busy executive with an administrative
assistant who serves as a gatekeeper, deciding who will be allowed
to interact personally with the executive and who must leave a
message with the administrative assistant. In this scenario, the
visitor is the subject and the executive is the object. The
administrative assistant serves as the access control system,
restricting what individuals (subjects) may access the executive
(object).
Consider another scenario that is a bit closer to home. When you
leave your house, you lock the doors. The locked door physically
restricts access by anyone without a key to the assets stored inside
your house: your TV, computer, and stereo system. When you come
home, you unlock the door and replace the physical restriction of the
locking mechanism with a human gatekeeper who decides whether
or not to let someone enter the house.
What would happen if data were freely available? After all, open
source software has certainly made a convincing case for open
information. What if the data in question is your company's payroll
file? If that file is unsecured, anyone could open the file and obtain
sensitive information, including your Social Security number and
annual salary. Think of the chaos that would ensue if a disgruntled
employee decided you did not deserve the money you made and
reset your salary. Data is one of the most valuable assets an
organization possesses. IT professionals must invest time and
energy in appropriately securing it.
What do executives, deadbolts, and payroll have to do with IT?
They are physical counterparts to the technical access control
systems that we use to protect digital and electronic resources:
sensitive files, servers, and network resources. You might not have
specific, documented rules for access when it comes to which
visitors you allow into your home, but information systems use
formalized systems to grant or restrict access to resources.
Computers are not very good at making intuitive decisions, so you
have to lay out specific rules for them to follow when deciding
whether to grant or deny access.
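The subject/object model above, written out as the explicit rules a computer needs in order to grant or deny access. This is an added example, not code from the book: the user names, group memberships, and the payroll file path are constructed for illustration. The point it shows beyond the text is the default-deny rule: a subject that no rule names gets nothing, so the "disgruntled employee" from the payroll example cannot rewrite salaries simply because nobody thought to forbid it.

```python
"""Minimal default-deny access control check (added illustration, not the book's code).

Subjects (users) and objects (resources) are plain strings. The rule table and the
group membership below are constructed sample data; all names are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Rule:
    """One access control entry: which principal may perform which actions on an object."""
    principal: str           # a user name, or a group name prefixed with "group:"
    obj: str                 # the protected object, here a file path
    actions: FrozenSet[str]  # the actions this entry permits, e.g. {"read", "write"}


# Constructed sample policy: the payroll group may read and change the payroll file,
# auditors may only read it, and bob owns his own notes. Nobody else is mentioned,
# so nobody else gets anything (default deny).
SAMPLE_RULES: List[Rule] = [
    Rule("group:payroll", "/finance/payroll.db", frozenset({"read", "write"})),
    Rule("group:audit", "/finance/payroll.db", frozenset({"read"})),
    Rule("bob", "/home/bob/notes.txt", frozenset({"read", "write"})),
]

# Constructed sample group membership (hypothetical users).
SAMPLE_GROUPS: Dict[str, FrozenSet[str]] = {
    "alice": frozenset({"payroll"}),
    "carol": frozenset({"audit"}),
    "bob": frozenset(),
}


def principals_for(subject: str, groups: Dict[str, FrozenSet[str]]) -> FrozenSet[str]:
    """Expand a subject into every principal name it can match: itself plus its groups.

    An unknown subject expands to just its own name, so it can only match a rule
    that names it explicitly.
    """
    return frozenset({subject} | {f"group:{g}" for g in groups.get(subject, frozenset())})


def is_allowed(subject: str, obj: str, action: str,
               rules: List[Rule] = SAMPLE_RULES,
               groups: Dict[str, FrozenSet[str]] = SAMPLE_GROUPS) -> bool:
    """Return True only if some rule explicitly grants `action` on `obj` to the subject
    or one of its groups. Absence of a matching rule means deny, never allow."""
    who = principals_for(subject, groups)
    return any(r.obj == obj and r.principal in who and action in r.actions for r in rules)


def check(subject: str, obj: str, action: str, **kw) -> str:
    """Make the decision and return an audit-style line; denials are recorded too,
    because the attempts that were refused are the ones worth reviewing."""
    verdict = "ALLOW" if is_allowed(subject, obj, action, **kw) else "DENY"
    return f"{verdict} subject={subject} object={obj} action={action}"


if __name__ == "__main__":
    # alice is in payroll, carol is an auditor, bob is neither, mallory is unknown.
    for who, what, how in [
        ("alice", "/finance/payroll.db", "write"),
        ("carol", "/finance/payroll.db", "write"),
        ("bob", "/finance/payroll.db", "read"),
        ("bob", "/home/bob/notes.txt", "write"),
        ("mallory", "/home/bob/notes.txt", "read"),
    ]:
        print(check(who, what, how))
```

Two design choices matter here. First, the decision function answers only "is there a rule that says yes"; there is no "deny" entry type, so the policy cannot be weakened by forgetting to list someone. Second, the subject is matched through its group memberships, which is how the payroll department, rather than a list of individual clerks, ends up as the thing the rule names; later chapters on role-based access control build on exactly that idea.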
What Is Access Control?
Access contr