Access Control and Identity Management, 3rd Edition

Book description

Revised and updated with the latest data from this fast-paced field, Access Control, Authentication, and Public Key Infrastructure defines the components of access control, provides a business framework for implementation, and discusses legal requirements that impact access control programs.

Table of contents

  1. Cover
  2. Title Page
  3. Copyright Page
  4. Contents
  5. Preface
  6. Acknowledgments
  7. About the Author
  8. Dedication
  9. CHAPTER 1 Access Control Framework
    1. Access and Access Control
      1. What Is Access?
      2. What Is Access Control?
      3. What Is Identity Management?
    2. Principal Components of Access Control
      1. Access Control Systems
      2. Access Control Subjects
      3. Access Control Objects
    3. Access Control Process
      1. Identification
      2. Authentication
      3. Authorization
    4. Logical Access Controls
    5. Logical Access Controls for Subjects
      1. Group-Based Access Controls
      2. Logical Access Controls for Objects
    6. Authentication Factors
      1. Something You Know
      2. Something You Have
      3. Something You Are
    7. CHAPTER SUMMARY
    8. KEY CONCEPTS AND TERMS
    9. CHAPTER 1 ASSESSMENT
  10. CHAPTER 2 Business Drivers for Access Controls
    1. Business Requirements for Asset Protection
      1. Importance of Policy
      2. Senior Management Role
    2. Classification of Information
      1. Classification Schemes
      2. Personally Identifiable Information (PII)
      3. Privacy Act Information
      4. Privacy Controls Catalog
    3. Competitive Use of Information
      1. Valuation of Information
    4. The Business Drivers for Access Control
      1. Cost-Benefit Analysis
      2. Risk Assessment
      3. Business Facilitation
      4. Cost Containment
      5. Operational Efficiency
      6. IT Risk Management
    5. Controlling Access and Protecting Value
      1. Importance of Internal Access Controls
      2. Importance of External Access Controls
    6. Case Studies and Examples
      1. Case Study in Access Control Success
      2. Case Study in Access Control Failure
    7. CHAPTER SUMMARY
    8. KEY CONCEPTS AND TERMS
    9. CHAPTER 2 ASSESSMENT
  11. CHAPTER 3 Human Nature and Organizational Behavior
    1. The Human Element
      1. Dealing with Human Nature
      2. Social Engineering
      3. Pre-Employment Background Checks for Sensitive Positions
      4. Ongoing Observation of Personnel
    2. Organizational Structure and Access Control Strategy
    3. Job Rotation and Position Sensitivity
    4. Requirement for Periodic Vacation
    5. Separation of Duties
      1. Concept of Two-Person Control
      2. Collusion
      3. Monitoring and Oversight
    6. Responsibilities of Access Owners
    7. Training Employees
      1. Acceptable Use Policy
      2. Security Awareness Policy
    8. Ethics
      1. What Is Right and What Is Wrong
      2. Enforcing Policies
      3. Human Resources Involvement
    9. Best Practices for Handling Human Nature and Organizational Behavior
      1. Make Security Practices Common Knowledge
      2. Foster a Culture of Open Discussion
      3. Encourage Creative Risk-Taking
    10. Case Studies and Examples
      1. Private Sector Case Study
      2. Public Sector Case Study
      3. Critical Infrastructure Case Study
    11. CHAPTER SUMMARY
    12. KEY CONCEPTS AND TERMS
    13. CHAPTER 3 ASSESSMENT
  12. CHAPTER 4 Assessing Risk and Its Impact on Access Control
    1. Definitions and Concepts
    2. Threats and Vulnerabilities
      1. Access Control Threats
      2. Access Control Vulnerabilities
    3. Risk Assessment
      1. Quantitative Risk Assessment
      2. Qualitative Risk Assessment
      3. Risk Management Strategies
    4. Value, Situation, and Liability
      1. Potential Liability and Nonfinancial Impact
      2. Where Are Access Controls Needed Most?
      3. How Secure Must the Access Control Be?
    5. Case Studies and Examples
      1. Private-Sector Case Study
      2. Public Sector Case Study
      3. Critical Infrastructure Case Study
    6. CHAPTER SUMMARY
    7. KEY CONCEPTS AND TERMS
    8. CHAPTER 4 ASSESSMENT
  13. CHAPTER 5 Access Control in the Enterprise
    1. Access Control Lists (ACLs) and Access Control Entries (ACEs)
    2. Access Control Models
      1. Discretionary Access Control (DAC)
      2. Mandatory Access Control (MAC)
      3. Role-Based Access Control (RBAC)
      4. Attribute-Based Access Control (ABAC)
      5. Rule-Based Access Control (RuBAC)
      6. Risk-Adaptive Access Control (RAdAC)
      7. Authentication Factors
      8. Types of Factors
      9. Factor Usage Criteria
      10. How Does Kerberos Authentication Work?
      11. Use of Symmetric Key and Trusted Third Parties for Authentication
      12. Key Distribution Center (KDC)
      13. Authentication Tickets
      14. Potential Weaknesses
      15. Kerberos in a Business Environment
    3. Network Access Control
      1. Layer 2 Techniques
      2. Layer 3 Techniques
      3. CEO/CIO/CSO Emergency Disconnect Prime Directive
    4. Wireless IEEE 802.11 LANs
      1. Access Control to IEEE 802.11 WLANs
      2. Identification
      3. Confidentiality
      4. Authorization
    5. Single Sign-On (SSO)
      1. Defining the Scope for SSO
      2. Configuring User and Role-Based User Access Control Profiles
      3. Common Configurations
      4. Enterprise SSO
    6. Best Practices for Handling Access Controls in an Enterprise Organization
    7. Case Studies and Examples
      1. Private Sector Case Study
      2. Public Sector Case Study
      3. Critical Infrastructure Case Study
    8. CHAPTER SUMMARY
    9. KEY CONCEPTS AND TERMS
    10. CHAPTER 5 ASSESSMENT
  14. CHAPTER 6 Mapping Business Challenges to Access Control Types
    1. Access Controls to Meet Business Needs
      1. Business Continuity and Disaster Recovery
      2. Risk and Risk Mitigation
      3. Threats and Threat Mitigation
      4. Vulnerabilities and Vulnerability Management
    2. Solving Business Challenges with Access Control Strategies
      1. Employees with Access to Systems and Data
      2. Employees with Access to Sensitive Systems and Data
      3. Administrative Strategies
      4. Technical Strategies
      5. Separation of Privileges
      6. Least Privilege
      7. Need to Know
      8. Input/Output Controls
    3. Access Control System Design Principles
    4. Case Studies and Examples
      1. Private Sector Case Study
      2. Public Sector Case Study
      3. Critical Infrastructure Case Study
    5. CHAPTER SUMMARY
    6. KEY CONCEPTS AND TERMS
    7. CHAPTER 6 ASSESSMENT
  15. CHAPTER 7 Access Control System Implementations
    1. Transforming Access Control Policies and Standards into Procedures and Guidelines
      1. Transform Policy Definitions into Implementation Tasks
      2. Follow Standards Where Applicable
      3. Create Simple and Easy-to-Follow Procedures
      4. Define Guidelines That Departments and Business Units Can Follow
    2. Identity Management and Access Control
      1. User Behavior, Application, and Network Analysis
    3. Size and Distribution of Staff and Assets
    4. Multilayered Access Control Implementations
      1. User Access Control Profiles
      2. System Access Control Lists
      3. Applications Access
      4. File and Folder Access
      5. Data Access
    5. Access Controls for Employees, Remote Employees, Customers, and Business Partners
      1. Remote Virtual Private Network (VPN) Access—Remote Employees and Workers
      2. Intranets—Internal Business Operations and Communications
      3. Extranets—External Supply Chains, Business Partners, Distributors, and Resellers
      4. Secure E-Commerce Sites with Encryption
      5. Secure Online Banking Access Control Implementations
      6. Logon/Password Access
      7. Identification Imaging and Authorization
    6. Federated Identities and Third Party Identity Services
    7. Best Practices for Access Control Implementations
    8. Case Studies and Examples
      1. Private Sector Case Study
      2. Public Sector Example
      3. Critical Infrastructure Case Study
    9. CHAPTER SUMMARY
    10. KEY CONCEPTS AND TERMS
    11. CHAPTER 7 ASSESSMENT
  16. CHAPTER 8 Access Control for Information Systems
    1. Access Control for Data
      1. Data at Rest
      2. Data in Motion
      3. Object-Level Security
    2. Access Control for File Systems
      1. Access Control List
      2. Discretionary Access Control List
      3. System Access Control List
    3. Access Control for Executables
      1. Delegated Access Rights
    4. Microsoft Windows Workstations and Servers
      1. Granting Windows Folder Permissions
      2. Domain Administrator Rights
      3. Super Administrator Rights
      4. Pass-the-Hash Attacks
    5. Linux
      1. Linux File Permissions
      2. The Root Superuser
    6. Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems
    7. Best Practices for Access Controls for Information Systems
    8. Case Studies and Examples
      1. Private Sector Case Study
      2. Public Sector Case Study
      3. Critical Infrastructure Case Study
    9. CHAPTER SUMMARY
    10. KEY CONCEPTS AND TERMS
    11. CHAPTER 8 ASSESSMENT
  17. CHAPTER 9 Physical Security and Access Control
    1. Physical Security
    2. Designing a Comprehensive Plan
      1. Building Security and Access
      2. Points of Entry and Exit
      3. Physical Obstacles and Barriers
      4. Granting Access to Physical Areas Within a Building
    3. Biometric Access Control Systems
      1. Principles of Operation
      2. Types of Biometric Systems
      3. Implementation Issues
      4. Modes of Operation
      5. Biometric System Parameters
      6. Legal and Business Issues
    4. Technology-Related Access Control Solutions
      1. Physical Locks
      2. Electronic Key Management System (EKMS)
      3. Fobs and Tokens
      4. Common Access Cards
    5. Outsourcing Physical Security—Pros and Cons
      1. Benefits of Outsourcing Physical Security
      2. Risks Associated with Outsourcing Physical Security
    6. Best Practices for Physical Access Controls
    7. Case Studies and Examples
      1. Private Sector Case Study and Example
      2. Public Sector Case Study
      3. Critical Infrastructure Case Study
    8. CHAPTER SUMMARY
    9. KEY CONCEPTS AND TERMS
    10. CHAPTER 9 ASSESSMENT
  18. CHAPTER 10 Access Control Solutions for Remote Workers
    1. Growth in Mobile Work Force
    2. Remote Access Methods and Techniques
      1. Identification
      2. Authentication
      3. Authorization
    3. Access Protocols to Minimize Risk
      1. Authentication, Authorization, and Accounting (AAA)
      2. Remote Authentication Dial-In User Service (RADIUS)
      3. Remote Access Server (RAS)
      4. TACACS, XTACACS, and TACACS+
      5. Differences Between RADIUS and TACACS+
    4. Remote Authentication Protocols
    5. Network Authentication Protocols
    6. Virtual Private Networks (VPNs)
    7. Web Authentication
      1. Knowledge-Based Authentication (KBA)
    8. Best Practices for Remote Access Controls to Support Remote Workers
    9. Case Studies and Examples
      1. Private Sector Case Study
      2. Public Sector Case Study
      3. Critical Infrastructure Case Study
    10. CHAPTER SUMMARY
    11. KEY CONCEPTS AND TERMS
    12. CHAPTER 10 ASSESSMENT
  19. CHAPTER 11 Public Key Infrastructure and Encryption
    1. Public Key Infrastructure (PKI)
      1. What Is PKI?
      2. Encryption and Cryptography
      3. Business Requirements for Cryptography
      4. Digital Certificates and Key Management
      5. Symmetric Versus Asymmetric Algorithms
      6. Certificate Authority (CA)
    2. Ensuring Integrity, Confidentiality, Authentication, and Nonrepudiation
      1. Use of Digital Signatures
    3. What PKI Is and What It Is Not
    4. What Are the Potential Risks Associated with PKI?
    5. Implementations of Business Cryptography
      1. Distribution
      2. In-House Key Management Versus Outsourced Key Management
    6. Certificate Authorities (CAs) and Digital Certificate Management
      1. Why Outsourcing a CA May Be Advantageous
      2. Risks and Issues with Outsourcing a CA
    7. Best Practices for PKI Use Within Large Enterprises and Organizations
    8. Case Studies and Examples
      1. Private Sector Case Study
      2. Public Sector Case Study
      3. Critical Infrastructure Example
    9. CHAPTER SUMMARY
    10. KEY CONCEPTS AND TERMS
    11. CHAPTER 11 ASSESSMENT
  20. CHAPTER 12 Testing Access Control Systems
    1. Purpose of Testing Access Control Systems
    2. Software Development Life Cycle and the Need for Testing Software
      1. Planning
      2. Requirements Analysis
      3. Software Design
      4. Development
      5. Testing and Integration
      6. Release and Training
      7. Support
    3. Security Development Life Cycle and the Need for Testing Security Systems
      1. Initiation
      2. Acquisition and Development
      3. Implementation and Testing
      4. Operations and Maintenance
      5. Sunset or Disposal
    4. Security Monitoring, Incident Handling, and Testing
      1. Requirement Definition—Testing the Functionality of the Original Design
      2. Development of Test Plan and Scope
      3. Selection of Penetration Testing Teams
    5. Performing the Access Control System Penetration Test
      1. Assess if Access Control System Policies and Standards Are Followed
      2. Assess if the Security Baseline Definition Is Being Achieved Throughout
      3. Assess if Security Countermeasures and Access Control Systems Are Implemented Properly
    6. Preparing the Final Test Report
      1. Identify Gaps and Risk Exposures and Assess Impact
      2. Develop Remediation Plans for Closing Identified Security Gaps Prioritized by Risk Exposure
      3. Prepare Cost Magnitude Estimate and Prioritize Security Solutions Based on Risk Exposure
    7. CHAPTER SUMMARY
    8. KEY CONCEPTS AND TERMS
    9. CHAPTER 12 ASSESSMENT
  21. CHAPTER 13 Access Control Assurance
    1. What Is Information Assurance?
      1. C-I-A Triad
      2. The Five Pillars
      3. The Parkerian Hexad
    2. How Can Information Assurance Be Applied to Access Control Systems?
      1. Access Controls Enforce Confidentiality
      2. Access Controls Enforce Integrity
      3. Access Controls Enforce Availability
      4. Training and Information Assurance Awareness
    3. What Are the Goals of Access Control System Monitoring and Reporting?
    4. What Checks and Balances Can Be Implemented?
      1. Track and Monitor Event-Type Audit Logs
      2. Track and Monitor User-Type Audit Logs
      3. Track and Monitor Unauthorized Access Attempts Audit Logs
    5. Audit Trail and Audit Log Management and Parsing
    6. Audit Trail and Audit Log Reporting Issues and Concerns
    7. Security Information and Event Management (SIEM)
    8. Best Practices for Performing Ongoing Access Control System Assurance
    9. Case Studies and Examples
      1. Private Sector Case Study
      2. Public Sector Case Study
      3. Critical Infrastructure Case Study
    10. CHAPTER SUMMARY
    11. KEY CONCEPTS AND TERMS
    12. CHAPTER 13 ASSESSMENT
  22. CHAPTER 14 Access Control Laws, Policies, and Standards
    1. U.S. Compliance Laws and Regulations
      1. Gramm-Leach-Bliley Act (GLBA)
      2. Health Insurance Portability and Accountability Act (HIPAA)
      3. Sarbanes-Oxley (SOX) Act
      4. Family Educational Rights and Privacy Act (FERPA)
      5. Communications Assistance for Law Enforcement Act (CALEA)
      6. Children’s Internet Protection Act (CIPA)
      7. Food and Drug Administration (FDA) Regulations
      8. North American Electric Reliability Council (NERC)
      9. Homeland Security Presidential Directive 12 (HSPD 12)
      10. Americans with Disabilities Act (ADA)
    2. Access Control Security Policy Best Practices
      1. Private Sector—Enterprise Organizations
      2. Public Sector—Federal, State, County, and City Government
      3. Critical Infrastructure, Including Utilities and Transportation
    3. IT Security Policy Framework
      1. Which Policies Are Needed for Access Controls?
      2. What Standards Are Needed to Support These Policies?
      3. Which Procedures Are Needed to Implement These Policies?
      4. What Guidelines Are Needed for Departments and End Users?
    4. Case Studies and Examples
      1. Private Sector Case Study
      2. Public Sector Case Study
      3. Critical Infrastructure Case Study
    5. CHAPTER SUMMARY
    6. KEY CONCEPTS AND TERMS
    7. CHAPTER 14 ASSESSMENT
    8. ENDNOTE
  23. CHAPTER 15 Security Breaches and the Law
    1. Laws to Deter Information Theft
      1. U.S. Federal Laws
      2. State Laws
    2. Cost of Inadequate Front-Door and First-Layer Access Controls
    3. Access Control Failures
      1. People
      2. Technology
    4. Security Breaches
      1. Kinds of Security Breaches
      2. Why Security Breaches Occur
      3. Implications of Security Breaches
    5. Case Studies and Examples
      1. Private Sector Case Studies
      2. Public Sector Case Study
      3. Critical Infrastructure Case Study
    6. CHAPTER SUMMARY
    7. KEY CONCEPTS AND TERMS
    8. CHAPTER 15 ASSESSMENT
  24. Appendix A Answer Key
  25. Appendix B Standard Acronyms
  26. Glossary of Key Terms
  27. References
  28. Index

Product information

  • Title: Access Control and Identity Management, 3rd Edition
  • Author(s): Mike Chapple
  • Release date: October 2020
  • Publisher(s): Jones & Bartlett Learning
  • ISBN: 9781284198362