Access Control and Identity Management, 3rd Edition
by Mike Chapple
Table of Contents
Cover
Title Page
Copyright Page
Contents
Preface
Acknowledgments
About the Author
Dedication
CHAPTER 1 Access Control Framework
Access and Access Control
What Is Access?
What Is Access Control?
What Is Identity Management?
Principal Components of Access Control
Access Control Systems
Access Control Subjects
Access Control Objects
Access Control Process
Identification
Authentication
Authorization
Logical Access Controls
Logical Access Controls for Subjects
Group-Based Access Controls
Logical Access Controls for Objects
Authentication Factors
Something You Know
Something You Have
Something You Are
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 1 ASSESSMENT
CHAPTER 2 Business Drivers for Access Controls
Business Requirements for Asset Protection
Importance of Policy
Senior Management Role
Classification of Information
Classification Schemes
Personally Identifiable Information (PII)
Privacy Act Information
Privacy Controls Catalog
Competitive Use of Information
Valuation of Information
The Business Drivers for Access Control
Cost-Benefit Analysis
Risk Assessment
Business Facilitation
Cost Containment
Operational Efficiency
IT Risk Management
Controlling Access and Protecting Value
Importance of Internal Access Controls
Importance of External Access Controls
Case Studies and Examples
Case Study in Access Control Success
Case Study in Access Control Failure
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 2 ASSESSMENT
CHAPTER 3 Human Nature and Organizational Behavior
The Human Element
Dealing with Human Nature
Social Engineering
Pre-Employment Background Checks for Sensitive Positions
Ongoing Observation of Personnel
Organizational Structure and Access Control Strategy
Job Rotation and Position Sensitivity
Requirement for Periodic Vacation
Separation of Duties
Concept of Two-Person Control
Collusion
Monitoring and Oversight
Responsibilities of Access Owners
Training Employees
Acceptable Use Policy
Security Awareness Policy
Ethics
What Is Right and What Is Wrong
Enforcing Policies
Human Resources Involvement
Best Practices for Handling Human Nature and Organizational Behavior
Make Security Practices Common Knowledge
Foster a Culture of Open Discussion
Encourage Creative Risk-Taking
Case Studies and Examples
Private Sector Case Study
Public Sector Case Study
Critical Infrastructure Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 3 ASSESSMENT
CHAPTER 4 Assessing Risk and Its Impact on Access Control
Definitions and Concepts
Threats and Vulnerabilities
Access Control Threats
Access Control Vulnerabilities
Risk Assessment
Quantitative Risk Assessment
Qualitative Risk Assessment
Risk Management Strategies
Value, Situation, and Liability
Potential Liability and Nonfinancial Impact
Where Are Access Controls Needed Most?
How Secure Must the Access Control Be?
Case Studies and Examples
Private-Sector Case Study
Public Sector Case Study
Critical Infrastructure Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 4 ASSESSMENT
CHAPTER 5 Access Control in the Enterprise
Access Control Lists (ACLs) and Access Control Entries (ACEs)
Access Control Models
Discretionary Access Control (DAC)
Mandatory Access Control (MAC)
Role-Based Access Control (RBAC)
Attribute-Based Access Control (ABAC)
Rule-Based Access Control (RuBAC)
Risk-Adaptive Access Control (RAdAC)
Authentication Factors
Types of Factors
Factor Usage Criteria
How Does Kerberos Authentication Work?
Use of Symmetric Key and Trusted Third Parties for Authentication
Key Distribution Center (KDC)
Authentication Tickets
Potential Weaknesses
Kerberos in a Business Environment
Network Access Control
Layer 2 Techniques
Layer 3 Techniques
CEO/CIO/CSO Emergency Disconnect Prime Directive
Wireless IEEE 802.11 LANs
Access Control to IEEE 802.11 WLANs
Identification
Confidentiality
Authorization
Single Sign-On (SSO)
Defining the Scope for SSO
Configuring User and Role-Based User Access Control Profiles
Common Configurations
Enterprise SSO
Best Practices for Handling Access Controls in an Enterprise Organization
Case Studies and Examples
Private Sector Case Study
Public Sector Case Study
Critical Infrastructure Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 5 ASSESSMENT
CHAPTER 6 Mapping Business Challenges to Access Control Types
Access Controls to Meet Business Needs
Business Continuity and Disaster Recovery
Risk and Risk Mitigation
Threats and Threat Mitigation
Vulnerabilities and Vulnerability Management
Solving Business Challenges with Access Control Strategies
Employees with Access to Systems and Data
Employees with Access to Sensitive Systems and Data
Administrative Strategies
Technical Strategies
Separation of Privileges
Least Privilege
Need to Know
Input/Output Controls
Access Control System Design Principles
Case Studies and Examples
Private Sector Case Study
Public Sector Case Study
Critical Infrastructure Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 6 ASSESSMENT
CHAPTER 7 Access Control System Implementations
Transforming Access Control Policies and Standards into Procedures and Guidelines
Transform Policy Definitions into Implementation Tasks
Follow Standards Where Applicable
Create Simple and Easy-to-Follow Procedures
Define Guidelines That Departments and Business Units Can Follow
Identity Management and Access Control
User Behavior, Application, and Network Analysis
Size and Distribution of Staff and Assets
Multilayered Access Control Implementations
User Access Control Profiles
System Access Control Lists
Applications Access
File and Folder Access
Data Access
Access Controls for Employees, Remote Employees, Customers, and Business Partners
Remote Virtual Private Network (VPN) Access—Remote Employees and Workers
Intranets—Internal Business Operations and Communications
Extranets—External Supply Chains, Business Partners, Distributors, and Resellers
Secure E-Commerce Sites with Encryption
Secure Online Banking Access Control Implementations
Logon/Password Access
Identification Imaging and Authorization
Federated Identities and Third Party Identity Services
Best Practices for Access Control Implementations
Case Studies and Examples
Private Sector Case Study
Public Sector Example
Critical Infrastructure Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 7 ASSESSMENT
CHAPTER 8 Access Control for Information Systems
Access Control for Data
Data at Rest
Data in Motion
Object-Level Security
Access Control for File Systems
Access Control List
Discretionary Access Control List
System Access Control List
Access Control for Executables
Delegated Access Rights
Microsoft Windows Workstations and Servers
Granting Windows Folder Permissions
Domain Administrator Rights
Super Administrator Rights
Pass-the-Hash Attacks
Linux
Linux File Permissions
The Root Superuser
Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems
Best Practices for Access Controls for Information Systems
Case Studies and Examples
Private Sector Case Study
Public Sector Case Study
Critical Infrastructure Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 8 ASSESSMENT
CHAPTER 9 Physical Security and Access Control
Physical Security
Designing a Comprehensive Plan
Building Security and Access
Points of Entry and Exit
Physical Obstacles and Barriers
Granting Access to Physical Areas Within a Building
Biometric Access Control Systems
Principles of Operation
Types of Biometric Systems
Implementation Issues
Modes of Operation
Biometric System Parameters
Legal and Business Issues
Technology-Related Access Control Solutions
Physical Locks
Electronic Key Management System (EKMS)
Fobs and Tokens
Common Access Cards
Outsourcing Physical Security—Pros and Cons
Benefits of Outsourcing Physical Security
Risks Associated with Outsourcing Physical Security
Best Practices for Physical Access Controls
Case Studies and Examples
Private Sector Case Study and Example
Public Sector Case Study
Critical Infrastructure Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 9 ASSESSMENT
CHAPTER 10 Access Control Solutions for Remote Workers
Growth in Mobile Work Force
Remote Access Methods and Techniques
Identification
Authentication
Authorization
Access Protocols to Minimize Risk
Authentication, Authorization, and Accounting (AAA)
Remote Authentication Dial-In User Service (RADIUS)
Remote Access Server (RAS)
TACACS, XTACACS, and TACACS+
Differences Between RADIUS and TACACS+
Remote Authentication Protocols
Network Authentication Protocols
Virtual Private Networks (VPNs)
Web Authentication
Knowledge-Based Authentication (KBA)
Best Practices for Remote Access Controls to Support Remote Workers
Case Studies and Examples
Private Sector Case Study
Public Sector Case Study
Critical Infrastructure Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 10 ASSESSMENT
CHAPTER 11 Public Key Infrastructure and Encryption
Public Key Infrastructure (PKI)
What Is PKI?
Encryption and Cryptography
Business Requirements for Cryptography
Digital Certificates and Key Management
Symmetric Versus Asymmetric Algorithms
Certificate Authority (CA)
Ensuring Integrity, Confidentiality, Authentication, and Nonrepudiation
Use of Digital Signatures
What PKI Is and What It Is Not
What Are the Potential Risks Associated with PKI?
Implementations of Business Cryptography
Distribution
In-House Key Management Versus Outsourced Key Management
Certificate Authorities (CAs) and Digital Certificate Management
Why Outsourcing a CA May Be Advantageous
Risks and Issues with Outsourcing a CA
Best Practices for PKI Use Within Large Enterprises and Organizations
Case Studies and Examples
Private Sector Case Study
Public Sector Case Study
Critical Infrastructure Example
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 11 ASSESSMENT
CHAPTER 12 Testing Access Control Systems
Purpose of Testing Access Control Systems
Software Development Life Cycle and the Need for Testing Software
Planning
Requirements Analysis
Software Design
Development
Testing and Integration
Release and Training
Support
Security Development Life Cycle and the Need for Testing Security Systems
Initiation
Acquisition and Development
Implementation and Testing
Operations and Maintenance
Sunset or Disposal
Security Monitoring, Incident Handling, and Testing
Requirement Definition—Testing the Functionality of the Original Design
Development of Test Plan and Scope
Selection of Penetration Testing Teams
Performing the Access Control System Penetration Test
Assess if Access Control System Policies and Standards Are Followed
Assess if the Security Baseline Definition Is Being Achieved Throughout
Assess if Security Countermeasures and Access Control Systems Are Implemented Properly
Preparing the Final Test Report
Identify Gaps and Risk Exposures and Assess Impact
Develop Remediation Plans for Closing Identified Security Gaps Prioritized by Risk Exposure
Prepare Cost Magnitude Estimate and Prioritize Security Solutions Based on Risk Exposure
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 12 ASSESSMENT
CHAPTER 13 Access Control Assurance
What Is Information Assurance?
C-I-A Triad
The Five Pillars
The Parkerian Hexad
How Can Information Assurance Be Applied to Access Control Systems?
Access Controls Enforce Confidentiality
Access Controls Enforce Integrity
Access Controls Enforce Availability
Training and Information Assurance Awareness
What Are the Goals of Access Control System Monitoring and Reporting?
What Checks and Balances Can Be Implemented?
Track and Monitor Event-Type Audit Logs
Track and Monitor User-Type Audit Logs
Track and Monitor Unauthorized Access Attempts Audit Logs
Audit Trail and Audit Log Management and Parsing
Audit Trail and Audit Log Reporting Issues and Concerns
Security Information and Event Management (SIEM)
Best Practices for Performing Ongoing Access Control System Assurance
Case Studies and Examples
Private Sector Case Study
Public Sector Case Study
Critical Infrastructure Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 13 ASSESSMENT
CHAPTER 14 Access Control Laws, Policies, and Standards
U.S. Compliance Laws and Regulations
Gramm-Leach-Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
Sarbanes-Oxley (SOX) Act
Family Educational Rights and Privacy Act (FERPA)
Communications Assistance for Law Enforcement Act (CALEA)
Children’s Internet Protection Act (CIPA)
Food and Drug Administration (FDA) Regulations
North American Electric Reliability Council (NERC)
Homeland Security Presidential Directive 12 (HSPD 12)
Americans with Disabilities Act (ADA)
Access Control Security Policy Best Practices
Private Sector—Enterprise Organizations
Public Sector—Federal, State, County, and City Government
Critical Infrastructure, Including Utilities and Transportation
IT Security Policy Framework
Which Policies Are Needed for Access Controls?
What Standards Are Needed to Support These Policies?
Which Procedures Are Needed to Implement These Policies?
What Guidelines Are Needed for Departments and End Users?
Case Studies and Examples
Private Sector Case Study
Public Sector Case Study
Critical Infrastructure Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 14 ASSESSMENT
ENDNOTE
CHAPTER 15 Security Breaches and the Law
Laws to Deter Information Theft
U.S. Federal Laws
State Laws
Cost of Inadequate Front-Door and First-Layer Access Controls
Access Control Failures
People
Technology
Security Breaches
Kinds of Security Breaches
Why Security Breaches Occur
Implications of Security Breaches
Case Studies and Examples
Private Sector Case Studies
Public Sector Case Study
Critical Infrastructure Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 15 ASSESSMENT
Appendix A Answer Key
Appendix B Standard Acronyms
Glossary of Key Terms
References
Index