Scribd
Upload
101 views25 pages

Access Control Concepts Slides

The document discusses access control concepts for the CCSM certification. It covers topics like identification, authentication, authorization, separation of duties, least privilege, and accounting/auditing. The document provides an overview of these key access control concepts.

Uploaded by

Rajan V
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
101 views25 pages

Access Control Concepts Slides

The document discusses access control concepts for the CCSM certification. It covers topics like identification, authentication, authorization, separation of duties, least privilege, and accounting/auditing. The document provides an overview of these key access control concepts.

Uploaded by

Rajan V
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 25

Access Controls Concepts for CC℠

Access Controls Concepts

Kevin Henry
CISM CISSP CCSP

kevin@kmhenrymanagement.com
CC℠ Certification Examination

Domains Weights
1. Security Principles 26%
2. Business Continuity (BC), Disaster Recovery 10%
(DR), & Incident Response
3. Access Control Concepts 22%
4. Network Security 24%
5. Security Operations 18%
Access Controls Concepts for the CC℠
Certification
Agenda:

Access Controls Physical Access Logical Access


Concepts Controls Controls
Access Controls Concepts
Access
Enforcement

Access
Relationships Subject Object

Asset
Determines Owner

Access Rules (ACL)


Key Concepts

Separation of Duties Least Privilege Need-to-Know


Separation of Duties

AKA segregation of duties


Enforced through:
- Mutual exclusivity
- Dual control
- Roles

Bypassed by collusion
- Job rotation
- Mandatory vacations
Identification

Claim of unique identifier


- Account number
- Employee number
- Customer number
- Government issued identifier
- Email address
- User identifier/USER ID
- Process ID
Proofing of Identity

Establish ownership of the identity


- Secret question

Password resets
Modification to permissions
Identification

Unique (enables accountability)


Not shared (especially admins)
Secure registration process
- CAPTCHA
- Approval
Authentication
Authentication

Verify, validate, prove the Identity


- Proof of possession
- Secret question

What you:
- Know
- Have
- Are
What You Know

Password, passphrase, secret question


- Static value
- Subject to replay attack
- Should be changed on a periodic basis
What You Have

Employee ID badge
Token
Smartcard
Passport
What You Are

Biometrics
Behavioral
Physiological
Behavioral Biometrics

Voice print Signature dynamics Keystroke dynamics


Physiological
Biometrics
Iris scan
Retina scan
Palm print
- Venous scan

Fingerprint
Facial recognition
User concerns
-

Biometric -
-
Acceptance
Cost
Maintenance/registration
Node Authentication

Authentication based on device:

IP address MAC address RFID


Radio frequency
identification
Authentication is the validation
of the identity
Key Points Authentication is based on three factors:
Review - What you know
- What you have
- What you are
Authorization and Accounting
Authorization

Rights Privileges Permissions Granted to an


authenticated
entity
Permissions

Read, write, update


Execute, create, delete
- Least privilege
- Need to know
- Separation of duties
Unauthorized users cannot make
modifications
Authorized cannot make improper
modifications
Accounting/Auditing

Tracking and logging all Log retention


activity on a system
Regulatory
Associate all activity with an
identified user or process Business needs
Summary
This module set out the concepts of
access controls.
All authorized users should be identified,
authenticated, authorized and subject to
logging of all actions taken

You might also like