Cybersecurity
Module 5: Access Control and Identity Management
Introduction to Information Security
Samer Aoudi


Learning Outcomes
Upon completing this module, learners will be able to:
  1. Demonstrate an understanding of the principles and types of access control, including the different access control models and authentication methods
  2. Explain identity management, including its types
  3. Apply access control and identity management concepts to real-world scenarios through case studies
  4. Perform tasks to set up access control for a small network and implement identity management using an IAM system
  5. Explain the different types of encryption algorithms including their strengths, weaknesses, and application
Access Control

Access control is the process of regulating which users and systems may use which resources in a network, and what they may do with them. Its goal is to ensure that only authorized individuals or systems can reach sensitive information or resources, while unauthorized access is prevented. Every access control decision rests on two steps: authentication, which verifies a claimed identity through means such as passwords, biometrics, and multi-factor authentication, and authorization, which decides what that verified identity may do. Authorization is governed by an access control model, such as Discretionary Access Control (DAC), Mandatory Access Control (MAC), or Role-Based Access Control (RBAC), which determines the level of access a user or system has to a resource. In this module, we explore the principles of access control, the main access control models, and the authentication methods used in cybersecurity.

Types of access control

There are several types of access control, including:

  1. Discretionary Access Control (DAC): In this model, the owner of a resource decides who may access it and with what permissions; the system enforces the owner's choices but imposes no policy of its own. DAC is the default model in general-purpose operating systems (Unix file permission bits and Windows ACLs are both DAC), so it appears in organizations of every size, not only small ones. Its weakness is that any owner can share data as widely as they like, so a careless or compromised account can leak everything it owns. Example: a small business owner who sets up a file server and decides which employees can read or modify particular folders. The owner has the discretion to decide who can access the resources and what level of access they have.
  2. Mandatory Access Control (MAC): In this model, access is governed by a central, pre-defined security policy that neither resource owners nor ordinary users can override. Subjects and objects carry security labels (for example clearance and classification levels), and the system grants access only when the subject's label satisfies the policy for the object's label. MAC is typically used in government and military environments; operating-system mechanisms such as SELinux apply the same principle to processes and files. Example: a government organization where access to classified information is restricted to individuals with the appropriate clearance level. The clearance required is set by the security policy, not by the person who wrote the document.
  3. Role-Based Access Control (RBAC): In this model, permissions are attached to roles, and users receive permissions by being assigned the roles that match their job function. Changing a person's access means changing their role assignment rather than editing permissions on every resource, which is why RBAC is the common model in large organizations. Example: a large corporation where each department's access follows its role: HR employees can reach employee files, while finance employees can reach financial records.
  4. Rule-Based Access Control (Rule-based AC): In this model, access is decided by a set of predefined rules that the system evaluates on every request, usually without regard to who the requester is. The classic example is a firewall or router access control list, where a rule such as "allow TCP port 443 from the internal network" is applied to each packet; cloud services use the same pattern when a rule unlocks features according to the customer's subscription plan.
  5. Attribute-Based Access Control (ABAC): In this model, access is decided by evaluating policies over attributes of the subject (clearance, department), the resource (classification, owner), the requested action, and the environment (time, location, network). ABAC is typically used in distributed systems and cloud platforms, because a central policy can express conditions that would otherwise require enumerating every user-resource pair. Example: a user may read a document only if their clearance is at least the document's classification and the request comes from an approved site.
  6. Context-Based Access Control (CBAC): In this model, access is decided by the context of the request (device state, network, location, time of day) in addition to the user's identity and the resource's attributes. In practice this is ABAC applied to environment attributes, and products market it under names such as conditional access. It is typically used for mobile and remote devices. Example: an app that can be opened only when the device is connected to a specific Wi-Fi network or is in a specific location.
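
The three models that matter most in practice can be expressed as a few lines of policy code. The following Python program is an added example, not code from the course page; it constructs a handful of users, roles, resources and clearance levels of its own and shows a DAC owner-managed ACL, an RBAC role table and an ABAC rule, combined by a deny-by-default decision function so that a grant from one model (RBAC) can still be refused by another (ABAC).

```python
"""DAC, RBAC and ABAC decisions side by side, combined by a deny-by-default
policy decision point.

Added example, not part of the course page. Every user, role, resource,
clearance level and environment value below is constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Resource:
    name: str
    kind: str                  # resource type that RBAC permissions refer to
    owner: str
    classification: int = 0    # ABAC attribute: 0 = public ... 3 = restricted
    acl: dict = field(default_factory=dict)   # DAC: {principal: {"read", "write"}}


# --- DAC: the owner grants and revokes at their own discretion ---------------
def dac_grant(res: Resource, actor: str, grantee: str, perms: set) -> None:
    """Only the owner may change the ACL; nobody else can, not even an admin."""
    if actor != res.owner:
        raise PermissionError(f"{actor} is not the owner of {res.name}")
    res.acl.setdefault(grantee, set()).update(perms)


def dac_allowed(res: Resource, principal: str, perm: str) -> bool:
    return principal == res.owner or perm in res.acl.get(principal, set())


# --- RBAC: permissions attach to roles; users are assigned roles -------------
ROLE_PERMS = {
    "hr":      {("employee_files", "read"), ("employee_files", "write")},
    "finance": {("ledger", "read"), ("ledger", "write")},
    "auditor": {("ledger", "read"), ("employee_files", "read")},
}
USER_ROLES = {"alice": {"hr"}, "bob": {"finance"}, "carol": {"auditor"}, "dave": set()}


def rbac_allowed(user: str, kind: str, perm: str) -> bool:
    return any((kind, perm) in ROLE_PERMS.get(role, set())
               for role in USER_ROLES.get(user, set()))


# --- ABAC: rules over subject, resource and environment attributes -----------
CLEARANCE = {"alice": 2, "bob": 3, "carol": 1, "dave": 0}   # constructed


def abac_allowed(user: str, res: Resource, env: dict) -> bool:
    if CLEARANCE.get(user, 0) < res.classification:     # no read-up
        return False
    if res.classification >= 2 and env.get("network") != "corp":
        return False                                     # restricted data: on-site only
    return True


# --- Policy decision point ---------------------------------------------------
def decide(user: str, res: Resource, perm: str, env: dict) -> bool:
    """Deny by default: every model that applies to the resource must allow."""
    if res.kind == "personal":           # owner-managed files use DAC alone
        return dac_allowed(res, user, perm)
    return rbac_allowed(user, res.kind, perm) and abac_allowed(user, res, env)


if __name__ == "__main__":
    ledger = Resource("q3-ledger", "ledger", owner="bob", classification=2)
    onsite, remote = {"network": "corp"}, {"network": "home"}
    print("bob writes ledger on-site:", decide("bob", ledger, "write", onsite))    # True
    print("bob writes ledger remote: ", decide("bob", ledger, "write", remote))    # False
    print("carol reads ledger:       ", decide("carol", ledger, "read", onsite))   # False
    notes = Resource("notes.txt", "personal", owner="alice")
    dac_grant(notes, "alice", "bob", {"read"})
    print("bob reads alice's notes:  ", decide("bob", notes, "read", onsite))      # True
```

Run it directly to see the decisions. Note that carol's auditor role allows reading the ledger, yet her request is refused because her clearance is below the ledger's classification: that layering, an RBAC directory combined with attribute or conditional-access rules, is how the models are usually deployed together.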

Authentication methods

Authentication methods are the means by which a system verifies the identity of a user before granting access to resources. There are several different types of authentication methods, including:

  1. Something you know: A knowledge factor such as a password, passphrase or PIN. The user must supply a secret that only they should know. Knowledge factors are the cheapest to deploy and the easiest to steal: they can be guessed, phished, or reused from another breached site. Example: a user logging into an online banking account with a password.
  2. Something you have: A possession factor such as a smart card, a hardware security key, or a device that generates one-time codes. The user must hold a physical object that is bound to their identity. One-time codes delivered by SMS are also counted as possession of the phone, but they are the weakest form of this factor because a phone number can be hijacked. Example: a user logging into a secure network with a smart card; without physical possession of the card the user is not granted access.
  3. Something you are: A biometric factor such as a fingerprint, face or iris. The user presents a physiological characteristic associated with their identity. Biometrics are convenient but cannot be replaced once a stored template leaks, so they are normally used to unlock a credential held on the device rather than as the only proof sent to a remote system. Example: a user unlocking their mobile device with facial recognition.
  4. Two-factor authentication (2FA): The user must present two factors from different categories, such as a password (something you know) and a code from an authenticator app (something you have). Two items from the same category, for example a password plus a security question, do not count as two factors. Example: a user logging into their email account with a password and a one-time code generated on their phone; both are required before access is granted.
  5. Multi-factor authentication (MFA): The general case of 2FA: two or more factors from different categories, such as a password, a smart card and a fingerprint. MFA defeats attacks that rely on a stolen password alone, which is why it is the first control added to any sensitive login. Example: a user logging into a secure government database with a password, a smart card and a fingerprint; all three are required before access is granted.

Figure 5.1: Authentication Methods
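
To make the possession factor concrete, here is an added Python implementation of HOTP and TOTP one-time codes (RFC 4226 and RFC 6238), the mechanism behind most authenticator apps, together with the server-side verifier. It is not part of the course page; the test secret and timestamps in the demo come from the RFC test vectors, while the acceptance window and the replay guard are this example's own design choices.

```python
"""HOTP and TOTP one-time codes (RFC 4226 / RFC 6238) as a possession factor,
with the checks a server-side verifier needs.

Added example, not part of the course page. The secret and timestamps used in
the demo are the RFC test values; the verifier's window and replay guard are
this example's own design choices, not something the RFCs mandate.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second periods since the epoch."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Accept a code for the current step or one step either side, and only once.

    The window tolerates clock drift between token and server; the replay guard
    makes a code intercepted by a phisher useless once the victim has used it.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_step = -1          # highest step counter already consumed

    def verify(self, candidate: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        current = now // self.step
        for delta in range(-self.window, self.window + 1):
            step = current + delta
            if step <= self.last_step:
                continue             # this or an earlier code was already used
            expected = hotp(self.secret, step, self.digits)
            # constant-time comparison: don't leak how many digits matched
            if hmac.compare_digest(expected, candidate.strip()):
                self.last_step = step
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"                     # RFC 4226/6238 test secret
    print(hotp(secret, 0), totp(secret, 59, digits=8))   # 755224 94287082
    v = TotpVerifier(secret)
    code = totp(secret, 59)
    print(v.verify(code, now=59), v.verify(code, now=61))   # True False (replay)
```

The two checks on the verifier are the ones most often missing in home-grown implementations: the comparison is constant-time, and a code that has been accepted once is refused on a second try. The shared secret itself is still a secret the server holds for every user, so it must be stored as carefully as a password.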
Access control implementation and management

Access control implementation and management is an essential aspect of maintaining the security of an organization. The practical aspects of implementing and managing access controls within an organization include:

1. Developing an access control policy

Developing an access control policy is an important step in maintaining the security of an organization. A well-designed access control policy ensures that only authorized users have access to sensitive information, resources and systems. It helps to mitigate the risk of data breaches and unauthorized access to sensitive information by providing clear guidelines for granting and revoking access.

Developing an access control policy helps to:

  1. Identify the organization's security requirements: By identifying the assets that need to be protected, the types of threats that need to be mitigated, and the level of security that is required, the organization can ensure that the access control measures put in place are appropriate for the organization's specific needs.
  2. Determine the types of access controls that need to be implemented: By deciding which types of authentication methods and authorization controls are appropriate for different types of resources and users, the organization can ensure that the right level of security is in place for each resource and user.
  3. Outline the procedures for granting and revoking access: By outlining the process for creating and managing user accounts, the process for approving access requests, and the process for revoking access when it is no longer needed, the organization can ensure that access is granted and revoked in a controlled and secure manner.
  4. Provide a clear framework for compliance: By outlining the organization's access control policies and procedures, it becomes easier to ensure compliance with legal and regulatory requirements.

2. Choosing the right access control model

Choosing the right access control model is a crucial step in ensuring that the access controls implemented in an organization match its security requirements. Each of the six models discussed above (DAC, MAC, etc.) has its own advantages and disadvantages. For example, a government organization that must enforce classification levels regardless of what individual users want may require Mandatory Access Control (MAC), while a small organization with lighter security requirements may prefer the Discretionary Access Control (DAC) it already gets from its operating system. In practice the models are combined: a common arrangement is RBAC for day-to-day authorization, with ABAC or rule-based conditions layered on top for context-sensitive restrictions.

3. Implementing and managing access control

Implementing access controls refers to the process of putting the access control policies and procedures into practice. It involves the selection, installation, and configuration of the necessary hardware and software to enforce the access control policies. Implementation processes include:

  1. Identification and Authentication: Identification is the claim of an identity (a username or certificate subject); authentication is the proof of that claim, through passwords, biometrics, smart cards, or a combination of factors. The methods chosen must be secure and meet the organization's security requirements, and the credential store itself must be protected, for example by keeping only salted password hashes rather than passwords.
  2. Authorization: Organizations must also implement a process for granting or denying access to resources based on the user's identity and the access control policies, using role-based access control, rule-based access control, or another model. Authorization must be enforced at the resource on every request, not only in the user interface, and must default to deny when no rule grants access.

Managing access control refers to the ongoing process of maintaining and monitoring the access control systems to ensure that they are effective and secure. This includes tasks such as reviewing and updating access control policies, monitoring system logs, and responding to security incidents.

  1. Auditing and monitoring: Organizations must have a mechanism for tracking and recording access attempts and changes to the access control policies. This can be done through logging, monitoring, and alerting tools. It is important to ensure that the auditing and monitoring process is secure, efficient and compliant with regulations and laws.
  2. Maintenance and updates: This involves the process of maintaining and updating the access control systems to ensure that they remain effective and secure. This can include updating software, patching vulnerabilities, and testing the systems.

4. Compliance and legal considerations

Compliance and legal considerations refer to the various regulations, laws, and industry standards that organizations must comply with when implementing and managing access control systems.

  1. Industry standards: Industry standards such as PCI DSS (payment card data) and ISO/IEC 27001 (information security management) set requirements for the implementation and management of access control, either for a specific industry or as a certifiable baseline. Organizations that handle card data, or that seek certification, must comply with these standards to show that their systems meet the required security level.
  2. Government regulations: Government regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) set guidelines for the handling and protection of personal data. Organizations must comply with these regulations to ensure that they are protecting personal data in accordance with the law.
  3. Privacy laws: Privacy laws such as the Health Insurance Portability and Accountability Act (HIPAA) and the Children's Online Privacy Protection Act (COPPA) set guidelines for the handling of sensitive personal information such as medical records and children's personal information. Organizations must comply with these laws to ensure that they are protecting sensitive personal information in accordance with the law.
  4. Cybersecurity laws: Cybersecurity laws such as the United States Cybersecurity Information Sharing Act (CISA) and the European Union's Network and Information Systems (NIS) Directive set requirements for sharing threat information and for protecting critical infrastructure and sensitive data from cyber attacks. Organizations in scope must comply with these laws to ensure that they are protecting critical infrastructure and sensitive data in accordance with the law.

Closing Notes

Access control is a critical aspect of cybersecurity that involves controlling access to resources and information. Different types of access control, such as discretionary, mandatory, role-based, and rule-based access control, have different characteristics and are suitable for different use cases.

Identity Management

Identity management (IM) is a system or set of processes, technologies and policies that enable an organization to manage the digital identities of its users. It is the process of managing the life cycle of digital identities, including creating, maintaining, and revoking digital identities.

IM is important as it allows organizations to secure, streamline and automate administrative processes, ensures compliance with regulations and industry standards, and improves security.

Types of Identity Management

There are several different types of identity management, including:

  1. Single sign-on (SSO): This type of identity management allows users to authenticate once and then access multiple applications and resources without having to re-enter their credentials. SSO improves user convenience and reduces the number of passwords users must remember and retype, which cuts down on password reuse and on the number of login pages that can be phished. The trade-off is that the SSO session becomes a single high-value target, so the login to the identity provider must itself be protected with MFA and reasonable session lifetimes. Example: A university student logs into their student portal using their university credentials and gains access to all the university's online resources such as library databases, email, and course management systems without having to enter their credentials again.
  2. Federated identity management: This type of identity management allows one organization or system (the identity provider) to authenticate a user and vouch for that identity to another (the service provider, or relying party) through a trust relationship and a standard protocol. The user signs in with their home credentials, and the credentials themselves are never shared with the other party; only signed assertions about the user are. Example: An employee of a company that is part of a federation of partner companies uses their own company's login to access the resources of the other companies in the federation.
  3. Identity as a service (IDaaS): This type of identity management provides identity management capabilities as a cloud-based service. IDaaS allows organizations to outsource their identity management needs to a third-party service provider, which reduces the need for in-house IT staff and infrastructure. Example: A small business outsources its identity management to an IDaaS provider, which allows the business to authenticate and manage its users without having to maintain its own identity management infrastructure.
  4. Identity and access management (IAM): This type of identity management includes both identity management and access control capabilities. IAM allows organizations to manage user identities and control access to resources and information based on user roles, permissions, and other factors. Example: A healthcare organization uses IAM to manage the identities of its patients, employees, and partners, and to control access to its electronic health records (EHRs) system based on user roles and permissions.
  5. Identity Governance and Administration (IGA): This type of identity management includes both identity management and access control capabilities, and also focuses on governing user access: provisioning and deprovisioning of identities and access privileges through approved workflows, with the goal of reducing the risk of breaches and ensuring compliance with governance policies, regulations and laws. Example: A financial institution uses IGA to govern who holds which entitlements. It provisions and deprovisions access through approval workflows, regularly audits and reviews user access to sensitive information and systems, and revokes access when it is no longer needed.

Identity and access management (IAM) systems

Identity and access management (IAM) systems are solutions that allow organizations to manage user identities, control access to resources and information, and enforce security policies. Examples of IAM systems include Microsoft Entra ID (formerly Azure Active Directory), Okta, OneLogin, Auth0, IBM Security Identity and Access Manager, Oracle Identity and Access Management and many more. IAM systems typically include the following components:

  1. Identity Management: This component is responsible for creating, managing, and storing user identities, including user information and credentials.
  2. Authentication: This component is responsible for verifying that a user is who they claim to be, for example by checking a password, a one-time code, or a certificate. It establishes identity but does not by itself decide what the user may do; that is the job of the next component.
  3. Authorization: This component is responsible for determining what resources a user is allowed to access and what actions they can perform based on their role and permissions.
  4. Access Management: This component is responsible for controlling access to resources and monitoring user activity.

IAM systems are important because they allow organizations to secure and manage access to their resources and information. They also help organizations to comply with security and regulatory requirements, and reduce the risk of security breaches.

Identity federation and single sign-on (SSO)

Identity federation is a method of securely sharing user identities across multiple systems and organizations. It allows users to authenticate once and use the same identity to access multiple systems and applications without needing to re-enter their credentials. This is achieved through the use of a trusted third-party identity provider (IdP) that manages user identities and authenticates users on behalf of other systems.

Single sign-on (SSO) is the user-facing result of such arrangements: the user authenticates once and then accesses multiple systems or applications without re-entering their credentials. SSO inside a single organization can be built on a central directory or identity provider; identity federation extends SSO across organizational boundaries. SSO is a user-centric approach that reduces the number of times a user needs to authenticate and makes it easier for them to access the resources they need, at the cost of making the SSO session a single high-value target that must be protected accordingly.

For example, an employee at a company uses their company's SSO portal to access their email, calendar, and other internal resources, such as HR systems and customer relationship management (CRM) systems. Once they have logged in, they can access all of these resources without needing to enter their credentials again.

Identity federation and SSO are important for organizations because they provide a more seamless and secure user experience, and help organizations to comply with security and regulatory requirements. They also help organizations to reduce the risk of security breaches and improve the security of their systems and applications.

When implementing Identity federation and SSO, organizations should consider factors such as security, scalability, performance, and interoperability with existing systems and applications. They should also be able to integrate the IAM system with other security solutions, like multi-factor authentication, to provide additional security.

Identity federation and SSO can be implemented using a variety of protocols and technologies, such as Security Assertion Markup Language (SAML), OpenID Connect, and OAuth.

OpenID Connect (OIDC) is an authentication layer built on top of OAuth 2.0 that allows users to authenticate with a third-party identity provider (IdP) and use the same identity across multiple systems and applications. The IdP issues an ID token, a signed JSON Web Token (JWT) carrying claims about the user and the login; the relying party must verify the token's signature and its issuer, audience, expiry and nonce before trusting any of those claims. OIDC is an open standard designed to be simple to implement over HTTPS and JSON.

OAuth 2.0 is an open standard for authorization that allows users to let third-party applications use their resources (e.g. data, files) without sharing their credentials. The user grants the application a scoped access token, which the application then presents to the resource server on the user's behalf instead of the user's username and password. OAuth on its own is not an authentication protocol: possession of an access token proves that some authorization was granted, not who the current user is, which is the gap that OIDC's ID token fills.
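
An ID token is only as trustworthy as the checks the relying party performs on it. The following Python program is an added example, not code from the course page or from any identity provider's SDK: it signs a constructed ID token the way an IdP would and then validates it the way a client must, rejecting tokens whose algorithm is not the one pinned, whose signature does not verify, or whose iss, aud, exp, iat or nonce claims are wrong. To stay dependency-free it uses HS256 with a constructed client secret; the issuer, client id, subject and nonce values are assumptions, not real identifiers.

```python
"""Validating an OpenID Connect ID token (a JWT) before trusting its claims.

Added example, not part of the course page or any identity provider's SDK.
To run without dependencies it uses HS256 with a constructed client secret;
most IdPs sign ID tokens with RS256/ES256 and publish public keys at a JWKS
endpoint, but the claim checks are identical. Issuer, client id, secret,
subject and nonce below are all constructed.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ISSUER = "https://idp.example"                     # constructed
CLIENT_ID = "portal-app"                           # constructed
CLIENT_SECRET = b"constructed-client-secret-for-hs256"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_id_token(claims: dict, alg: str = "HS256", key: bytes = CLIENT_SECRET) -> str:
    """The IdP side: header.payload.signature. alg="none" exists here only so the verifier can reject it."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    if alg == "none":
        return f"{header}.{payload}."
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


class TokenError(ValueError):
    pass


def verify_id_token(token: str, expected_nonce: str, now: Optional[int] = None,
                    key: bytes = CLIENT_SECRET, leeway: int = 60) -> dict:
    """Relying-party checks (OIDC Core 3.1.3.7): signature, iss, aud/azp, exp, iat, nonce."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: a token must never choose how it is verified ("alg": "none" attack).
    if header.get("alg") != "HS256":
        raise TokenError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:
        raise TokenError("token was not issued for this client")
    if len(aud) > 1 and claims.get("azp") != CLIENT_ID:
        raise TokenError("azp does not name this client")
    if "exp" not in claims or claims["exp"] <= now - leeway:
        raise TokenError("token expired")
    if "iat" not in claims or claims["iat"] > now + leeway:
        raise TokenError("token issued in the future")
    if claims.get("nonce") != expected_nonce:
        raise TokenError("nonce mismatch: not the login this client started")
    return claims


def rejection_reason(token: str, expected_nonce: str, now: Optional[int] = None) -> Optional[str]:
    """None if the token verifies, otherwise the reason it was rejected."""
    try:
        verify_id_token(token, expected_nonce, now=now)
        return None
    except TokenError as exc:
        return str(exc)


if __name__ == "__main__":
    now = 1_700_000_000                      # fixed clock for a reproducible demo
    claims = {"iss": ISSUER, "sub": "alice", "aud": CLIENT_ID,
              "iat": now, "exp": now + 300, "nonce": "n-7f3a"}
    good = sign_id_token(claims)
    print("valid   :", rejection_reason(good, "n-7f3a", now))                                # None
    print("alg none:", rejection_reason(sign_id_token(claims, alg="none"), "n-7f3a", now))
    print("nonce   :", rejection_reason(good, "n-other", now))
    print("expired :", rejection_reason(good, "n-7f3a", now + 400))
```

The algorithm check comes before anything else for a reason: a verifier that honours whatever alg the token names can be handed alg=none, or an RSA public key repurposed as an HMAC secret, and will accept a forged token. The nonce ties the token to the login this client started, which is what stops an attacker from replaying a token obtained from another session.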

Role-based access control (RBAC) and provisioning

Role-based access control (RBAC) is a type of access control that assigns roles to users and controls access to resources based on those roles. Users are assigned to roles that align with their job responsibilities and receive the permissions associated with those roles. This separates the management of people from the management of permissions: a new hire is given a role rather than a list of resources, and a role can be reviewed and tightened in one place. RBAC on its own is coarse-grained; distinctions such as time, location or data classification need attribute or rule conditions in addition to roles.

Provisioning is the process of creating, modifying, and deleting user accounts and assigning them to roles. This process is typically automated and can involve various stages such as request, approval, and provisioning. Provisioning can also include the de-provisioning of accounts when a user leaves the organization.

An example of RBAC and provisioning in action would be a company that has a human resources department. In this scenario, the HR department would be assigned the role of "HR administrator" and would be granted access to certain resources such as employee records. When a new employee joins the company, the HR department would create a new user account for that employee and assign them to the appropriate role, such as "employee." This would grant the employee access to resources that are relevant to their job responsibilities.

RBAC and provisioning are important because they ensure that users have access to the resources they need to do their jobs while also controlling access to sensitive data and systems. They also make it easier to manage access controls and identify which users have access to specific resources, making it easier to audit and troubleshoot access issues.

Implementing RBAC and provisioning involves identifying the roles and resources within an organization, mapping users to those roles and establishing the access controls that should be applied to each role. This can be done by using software tools such as Identity and Access Management (IAM) systems, which automate the process of creating, modifying, and deleting user accounts and assigning them to roles.
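
Provisioning is easiest to get wrong at the mover and leaver steps, so here is an added Python example (not from the course page or any IAM product) of the reconciliation an IAM system performs against an HR feed: joiners get an account with their department's roles, movers have their roles replaced rather than extended, leavers are disabled, and accounts with no HR owner are flagged and disabled as orphans. The HR records, the department-to-role mapping and the directory contents are constructed for the example.

```python
"""Joiner, mover and leaver provisioning reconciled from an HR feed.

Added example, not part of the course page or any IAM product. The HR
records, department-to-role mapping and account store are constructed;
a real deployment would read the HR system and write to the directory.
"""
from dataclasses import dataclass, field

# Department -> roles. Maintained by role owners; the only source of role grants.
DEPT_ROLES = {
    "HR":          {"employee", "hr_admin"},
    "Finance":     {"employee", "finance"},
    "Engineering": {"employee", "developer"},
}


@dataclass
class Account:
    username: str
    roles: set = field(default_factory=set)
    enabled: bool = True


def desired_roles(hr_record: dict) -> set:
    """Leavers get nothing; everyone else gets exactly their department's roles."""
    if hr_record["status"] != "active":
        return set()
    return set(DEPT_ROLES.get(hr_record["department"], {"employee"}))


def reconcile(hr_feed: list, accounts: dict) -> list:
    """Bring `accounts` in line with `hr_feed`; return the actions taken.

    Each action is (kind, username, roles_after). Roles are replaced, not
    added to, so a mover loses the old department's access instead of
    accumulating privilege over a career.
    """
    actions = []
    hr_by_user = {rec["username"]: rec for rec in hr_feed}
    for username, rec in hr_by_user.items():
        want = desired_roles(rec)
        acct = accounts.get(username)
        if acct is None:
            if want:                                    # joiner
                accounts[username] = Account(username, set(want))
                actions.append(("create", username, sorted(want)))
            continue
        if not want:                                    # leaver
            if acct.enabled or acct.roles:
                acct.enabled, acct.roles = False, set()
                actions.append(("disable", username, []))
            continue
        if not acct.enabled:                            # rehire
            acct.enabled = True
            actions.append(("enable", username, []))
        if acct.roles != want:                          # mover
            acct.roles = set(want)
            actions.append(("rebind", username, sorted(want)))
    for username, acct in accounts.items():             # orphans: no HR owner
        if username not in hr_by_user and acct.enabled:
            acct.enabled, acct.roles = False, set()
            actions.append(("disable_orphan", username, []))
    return actions


def sample_hr_feed() -> list:
    return [   # constructed HR export
        {"username": "alice", "department": "HR",          "status": "active"},
        {"username": "bob",   "department": "Finance",     "status": "active"},      # moved from Engineering
        {"username": "carol", "department": "Engineering", "status": "active"},      # new hire
        {"username": "dave",  "department": "Finance",     "status": "terminated"},  # left last week
    ]


def sample_accounts() -> dict:
    return {   # constructed directory state before the run
        "alice":      Account("alice", {"employee", "hr_admin"}),
        "bob":        Account("bob",   {"employee", "developer"}),
        "dave":       Account("dave",  {"employee", "finance"}),
        "svc-legacy": Account("svc-legacy", {"finance"}),   # no HR record at all
    }


if __name__ == "__main__":
    accounts = sample_accounts()
    for action in reconcile(sample_hr_feed(), accounts):
        print(action)
```

Replacing rather than adding roles on a move is the point of the example: the most common audit finding in RBAC deployments is long-serving staff who still hold every role they have ever had. Running the reconciliation a second time produces no actions, which is the property that lets it be scheduled safely.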

Compliance and regulatory requirements for IM

Compliance and regulatory requirements for identity management refer to the laws, regulations, and standards that organizations must adhere to when managing user identities and access controls. These requirements are put in place to protect sensitive information and ensure that organizations are taking appropriate measures to secure their systems and data.

One example of a compliance requirement for identity management is the General Data Protection Regulation (GDPR), which requires organizations to protect the personal data of individuals in the European Union, wherever the organization itself is located. This regulation requires organizations to implement appropriate security measures, including measures to authenticate and authorize access to personal data. Organizations must also be able to demonstrate that they have implemented these measures and that they are regularly reviewing and testing them.

Another example is the Health Insurance Portability and Accountability Act (HIPAA) which regulates the handling of personal health information. HIPAA requires healthcare organizations to implement administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of electronic protected health information.

Compliance and regulatory requirements for identity management can be complex and organizations must stay up-to-date with the latest requirements and best practices. This can include regular security audits, testing, and training for employees.

To meet compliance and regulatory requirements for identity management, organizations must implement a robust Identity and Access Management (IAM) program, which includes access controls, user provisioning, multi-factor authentication and regular monitoring. Organizations can also consider third-party solutions such as identity management services and security consulting to ensure they meet all necessary requirements.

Note: Non-compliance with these regulations can result in substantial fines and reputational damage.
Closing Notes

IM is a system that enables an organization to manage the digital identities of its users. It is the process of managing the life cycle of digital identities, including creating, maintaining, and revoking digital identities.

Access control case study: securing a financial institution's network
Introduction

The CSA Financial Institution is a large bank with branches and ATMs located throughout the country. The bank's IT department recognized that the organization's network security was of vital importance to protect sensitive financial information and customer data. Therefore, they decided to improve their access control system to better secure their network.

Case Study

The first step taken by the IT department was to conduct a comprehensive risk assessment of the organization's network. This assessment helped identify potential vulnerabilities and areas where access controls needed to be strengthened. The IT department also reviewed the bank's current access control policy and procedures to ensure they were in line with industry standards and regulations.

One major issue identified during the risk assessment was that the bank was using an outdated authentication system. Passwords were easily guessed or compromised, and there was no multi-factor authentication in place. To address this, the IT department implemented a new authentication system that included multi-factor authentication, such as fingerprint or facial recognition, in addition to a password. This new authentication system was integrated into all access points on the network, including remote access and VPN connections.

The IT department also implemented a role-based access control (RBAC) system. This system ensured that only authorized personnel could access sensitive financial information and customer data. The IT department also implemented strict access control procedures for new hires and terminated employees to prevent unauthorized access.

The IT department also implemented a monitoring and alert system to detect and respond to any suspicious activity on the network. This system helped the IT department detect and respond to any potential security breaches in a timely manner.

Finally, the IT department conducted regular security audits and penetration testing to ensure the effectiveness of the new access control system. The organization also worked with a third-party security consultant to ensure compliance with industry regulations and standards.

As a result of these efforts, the CSA Financial Institution was able to significantly improve the security of its network. The new access control system helped protect sensitive financial information and customer data, and ensured compliance with industry regulations and standards. The IT department was also able to detect and respond to any potential security breaches in a timely manner, further securing the organization's network.

Case Study Questions

Attempt to answer the following questions before revealing the model answers:

  1. What were the major issues identified during the CSA Financial Institution's risk assessment?
  2. How did the IT department address the issue of outdated authentication in the bank?
  3. What access control system did the IT department implement to ensure only authorized personnel could access sensitive financial information?
  4. How did the IT department detect and respond to any potential security breaches on the network?
  5. How did the IT department ensure compliance with industry regulations and standards?
  6. Describe the steps taken by the IT department to improve the security of the network.
  7. How did the IT department ensure that security measures were effective in protecting sensitive financial information and customer data?
  8. How did the implementation of the new access control system benefit the CSA Financial Institution?
  9. How can other organizations learn from the CSA Financial Institution's experience in securing their network?
  10. What are the key takeaways from this case study that organizations can apply to improve their own access control systems?

Significance

This case study provides a practical example of how access control concepts and techniques can be applied to secure a financial institution's network.

Model Answers

  1. The major issues identified during the risk assessment were outdated authentication methods, lack of proper access controls, and inadequate security measures to protect sensitive financial information and customer data.
  2. The IT department implemented a multi-factor authentication system, which required users to provide two or more forms of identification to access the network. This included a password, security token, and fingerprint or facial recognition.
  3. The IT department implemented a role-based access control (RBAC) system. This system granted access to network resources based on the user's role within the organization. It ensured that only authorized personnel with the appropriate level of clearance could access sensitive financial information.
  4. The IT department implemented a security information and event management (SIEM) system to monitor network activity in real-time. The system generated alerts for any suspicious activity, and the IT department had a response plan in place to quickly investigate and address any potential security breaches.
  5. The IT department kept up-to-date with the latest industry regulations and standards, such as PCI-DSS, and implemented the appropriate controls to comply with these regulations. They also conducted regular compliance audits to ensure the organization was meeting the required standards.
  6. The IT department identified and addressed vulnerabilities in the network through regular risk assessments and penetration testing. They implemented a multi-factor authentication system, a role-based access control system, and a security information and event management system. They also established incident response protocols, and regularly updated their policies and procedures in line with industry standards.
  7. The IT department regularly monitored the network for suspicious activity and vulnerabilities and conducted regular security audits to ensure the security measures were effective. They also trained employees on security best practices and policies to help them identify and prevent potential threats.
  8. The new access control system helped the CSA Financial Institution to meet regulatory compliance, improve security and prevent unauthorized access to sensitive financial information. This helped to protect the organization's reputation, and customer trust.
  9. Other organizations can learn from the CSA Financial Institution's experience by conducting regular risk assessments, implementing multi-factor authentication, role-based access control, and security information and event management systems, training employees on security best practices, and regularly reviewing and updating security policies and procedures.
  10. The key takeaways from this case study include the importance of conducting regular risk assessments, implementing multi-factor authentication, role-based access control, and security information and event management systems, training employees on security best practices, and regularly reviewing and updating security policies and procedures to meet industry standards and regulatory requirements.

Identity management case study
Implementing IAM in a healthcare organization
Background

CSA is a large healthcare organization with multiple facilities across the country. The organization has grown rapidly over the past few years and currently employs over 10,000 staff members, including doctors, nurses, and administrative staff. With this growth, the organization has struggled to keep track of who has access to sensitive patient information and how they are accessing it. Additionally, CSA has recently faced several data breaches and regulatory violations, which have resulted in significant financial losses and damage to the organization's reputation.

Problem

CSA needs to implement an identity and access management (IAM) system to secure sensitive patient information and comply with regulatory requirements. The organization must be able to control who has access to sensitive information, how they are accessing it, and when their access should be revoked. Additionally, CSA must be able to quickly and easily revoke access in the event of a data breach or employee termination.

Solution

CSA decided to implement an IAM system that includes the following components:

  • Identity federation: CSA implemented an identity federation solution that allows staff members to use their existing login credentials (e.g., employee ID and password) to access multiple systems and applications. This eliminates the need for staff members to remember multiple usernames and passwords, and improves the organization's ability to revoke access in the event of a data breach or employee termination.
  • Single sign-on (SSO): CSA implemented an SSO solution that allows staff members to access multiple systems and applications with a single set of login credentials. This improves the organization's ability to track and control access to sensitive information.
  • Role-based access control (RBAC): CSA implemented an RBAC solution that allows the organization to control access to sensitive information based on a staff member's role within the organization. For example, doctors may have access to more sensitive information than nurses.
  • Provisioning: CSA implemented an automated provisioning solution that allows the organization to quickly and easily grant and revoke access to sensitive information. This improves the organization's ability to respond to data breaches and employee terminations.
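As an added illustration (not CSA's system and not code from this page), the RBAC and provisioning components above can be sketched in Python: roles map to permission sets, a role change replaces rather than accumulates permissions, de-provisioning removes all access in one step, and every decision is written to an audit trail. Role names, permission names and the user ids are constructed assumptions.

```python
from datetime import datetime, timezone

# Constructed example: role -> permissions on patient data (role and
# permission names are assumptions, not CSA's real configuration).
ROLE_PERMISSIONS = {
    "doctor": {"patient.read", "patient.write", "prescription.write"},
    "nurse": {"patient.read", "vitals.write"},
    "admin_staff": {"demographics.read", "billing.read"},
}

class IAM:
    """Minimal RBAC plus provisioning service that keeps an audit trail."""
    def __init__(self):
        self.accounts = {}   # user_id -> {"role": str | None, "active": bool}
        self.audit = []      # (utc timestamp, user_id, event)

    def _log(self, user_id, event):
        self.audit.append((datetime.now(timezone.utc).isoformat(), user_id, event))

    def provision(self, user_id, role):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")  # never grant an undefined role
        self.accounts[user_id] = {"role": role, "active": True}
        self._log(user_id, f"provisioned role={role}")

    def change_role(self, user_id, new_role):
        # The new role replaces the old one outright, so permissions the old
        # role carried are dropped rather than accumulating over a career.
        if new_role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {new_role!r}")
        old = self.accounts[user_id]["role"]
        self.accounts[user_id]["role"] = new_role
        self._log(user_id, f"role changed {old} -> {new_role}")

    def deprovision(self, user_id):
        # Termination or breach response: disable the account and drop every role-derived permission.
        self.accounts[user_id] = {"role": None, "active": False}
        self._log(user_id, "deprovisioned")

    def permissions(self, user_id):
        acct = self.accounts.get(user_id)
        if acct is None or not acct["active"] or acct["role"] is None:
            return set()   # unknown, disabled, or role-less users get nothing
        return ROLE_PERMISSIONS[acct["role"]]

    def check_access(self, user_id, permission):
        allowed = permission in self.permissions(user_id)
        self._log(user_id, f"{'ALLOW' if allowed else 'DENY'} {permission}")
        return allowed
```

The audit list is what a SIEM or compliance review would consume; in a real deployment it would be shipped to tamper-evident storage rather than kept in memory.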

Results

The IAM system has helped CSA to secure sensitive patient information and comply with regulatory requirements. The organization is now better able to control who has access to sensitive information and how they are accessing it. Additionally, CSA is now able to quickly and easily revoke access in the event of a data breach or employee termination. As a result, the organization has experienced a significant reduction in data breaches and regulatory violations.

Case Study Questions

Attempt to answer the following questions before revealing the model answers:

  1. What was the main problem that CSA faced before implementing an IAM system?
  2. What are the key components of the IAM system that CSA implemented?
  3. How did the implementation of IAM improve security at CSA?
  4. How did the IAM implementation at CSA help with compliance and regulatory requirements?

Significance

This case study highlights the importance of implementing an Identity and Access Management (IAM) system in a healthcare organization, specifically in terms of securing sensitive patient information and complying with regulatory requirements.

Show Model Answers

  1. The main problem that CSA faced before implementing an IAM system was that the organization struggled to keep track of who had access to sensitive patient information and how they were accessing it. Additionally, CSA had recently faced several data breaches and regulatory violations.
  2. The key components of the IAM system that CSA implemented include identity federation, single sign-on (SSO), role-based access control (RBAC), and provisioning.
  3. The implementation of IAM improved security at CSA by providing a centralized system for managing user identities and access. This included implementing strong authentication methods, such as multi-factor authentication, to ensure that only authorized users could access the network. It also included implementing role-based access control (RBAC) to ensure that users only had access to the resources and systems they needed to perform their job functions.
  4. The IAM implementation at CSA helped with compliance and regulatory requirements by providing a system for tracking and auditing user access to sensitive data. This included implementing mechanisms for detecting and preventing unauthorized access, as well as creating detailed logs of user activity that could be used for forensic analysis in the event of a security breach. Additionally, the IAM system included features for automatically revoking access when an employee's role within the organization changed, ensuring that access to sensitive data was always kept up to date and in compliance with regulations.

Research Assignment
Investigating the effectiveness of multi-factor authentication in access control
Introduction

Multi-factor authentication (MFA) is an access control method that requires the user to provide more than one form of identification before being granted access to a system or network. MFA is considered to be a more secure method of authentication than single-factor authentication, which relies on a single form of identification such as a password. In this research assignment, you will investigate the effectiveness of MFA in access control by analyzing current research on the topic, evaluating the MFA implementations in real-world organizations and proposing recommendations for improving the use of MFA in access control.

Instructions
  1. Conduct a literature review on the current research on the effectiveness of MFA in access control.
  2. Identify and evaluate the MFA implementations in at least three real-world organizations.
  3. Compare and contrast the MFA implementations in the selected organizations.
  4. Analyze the challenges faced by the organizations in implementing MFA and propose recommendations for overcoming these challenges.
  5. Analyze the benefits and drawbacks of MFA and propose recommendations for improving the use of MFA in access control.
Deliverables
  1. A written report summarizing your research findings and recommendations
  2. A presentation summarizing your research findings and recommendations
Sources
  • Books, articles, and scholarly papers on the history and current state of cryptography.
  • Websites and resources of organizations and institutions involved in cryptography research and development, such as the National Institute of Standards and Technology (NIST) and the International Association for Cryptologic Research (IACR).
  • Interviews with experts in the field of cryptography, such as researchers, professors, and professionals working in the industry.
Assessment Criteria

  • The deliverable is a well-organized and clearly written research paper
  • Thorough analysis of MFA implementations in real-world organizations
  • The paper should include recommendations for improving the use of MFA in access control
  • The research report should be well-written, organized, and easy to understand. The report should be free of errors and should be appropriately formatted and referenced.

Significance

Understanding the evolution of cryptography and its current state can provide insight into how we can improve and secure our information systems and communications. Additionally, analyzing the future developments in cryptography can help anticipate potential security risks and develop strategies to mitigate them.

Module Summary
  • Access control is the process of regulating and managing the access of users and systems to specific resources or areas in a network.
  • There are several types of access control, including: DAC, MAC, RBAC, ABAC, and CBAC
  • Authentication methods are the means by which a system verifies the identity of a user before granting access to resources, and they include: something you know, something you have, something you are, 2FA, and MFA.
  • Identity management (IM) is a system or set of processes, technologies and policies that enable an organization to manage the digital identities of its users.
  • Single sign-on (SSO) allows users to authenticate once and then access multiple applications and resources without having to re-enter their credentials.
  • Federated identity management allows different organizations or systems to share a common set of user identities and authentication mechanisms.
  • Identity as a service (IDaaS) provides identity management capabilities as a cloud-based service.
  • Identity and access management (IAM) includes both identity management and access control capabilities.
  • Provisioning is the process of creating, modifying, and deleting user accounts and assigning them to roles.
Module Revision Questions
  • What is the difference between Access Control and Identity Management?
  • Name and explain four types of access control.
  • Name and explain the different authentication methods.
  • What does Single sign-on (SSO) mean? Give an example.
  • How does Federated identity management work? Give an example.
  • Explain provisioning.
Module Glossary
Term Definition
DAC Discretionary Access Control: access is determined by the discretion of the system owner
MAC Mandatory Access Control: access is determined by a pre-defined security policy
RBAC Role-Based Access Control: access is determined by the role of the user within an organization
Rule-based AC Access is determined by a set of predefined rules
ABAC Attribute-Based Access Control: access is determined by a set of attributes of the user and the resource
CBAC Context-Based Access Control: access is determined by the context in which the resource is being accessed, in addition to the user's identity and the resource's attributes
IM Identity Management
SSO Single sign-on: users authenticate once and then access multiple resources
Federated IM Different organizations or systems share a common set of user identities and authentication mechanisms
IDaaS Identity as a service: IM capabilities as a cloud-based service
Provisioning The process of creating, modifying, and deleting user accounts and assigning them to roles
IAM Identity and Access Management: includes both identity management and access control capabilities
OIDC OpenID Connect: authentication protocol built on top of OAuth 2.0 that allows users to authenticate with a third-party identity provider
OAuth An open standard for authorization that allows users to share their resources (e.g. data, files) with third-party applications without having to share their credentials
© Samer Aoudi 2005-2024