Nicholas Fabrizio says
Access control is a crucial part of securing a network and it is not just technical, but also physical, so making sure unauthorized people do not get access to data, files, equipment, or areas. Many organizations in the private sector implement a role-based access control because it provides more flexibility in assigning access. One topic that stood out was that security professionals agree the use of passwords is coming to an end as computing power is increasing which allows for cracking simpler passwords in less time. In place of passwords would be alternative technologies such as access cards, tokens, or biometrics. These technologies are secure and good options, but I also think organizations could implement better password policies and force employees to use an enterprise password manager. This would allow employees to create long complex passwords without having to memorize them and most password managers allow for multi-factor authentication as an additional layer of security such as tokens.
Megan Hall says
Hey Nicholas – I think you make some good points. In several organizations that I have worked in, the ownership of physical security and logical security were separated among departments. I understand there may be a need for this based on the situation, but it made it difficult to ensure there was a comprehensive program of access control. In my opinion, the physical controls area is the foundation because you can have the best logical access controls in place but if the physical access controls are ineffective, then the logical controls will be useless in many cases. I also think you make a good point about organizations taking a better stance with password policies and the use of enterprise password managers. I’m not sure why more organizations do not support the use of password managers more broadly.
Megan Hall says
The key takeaway I had from this reading was the three functions of access controls, which are authentication, authorization, and auditing. The section I was least familiar with before reading this was the one about Biometric Authentication. I thought the discussion on which is worse – false acceptance or false rejection – to be interesting. I had not thought about this before; the book made a great point that it depends on the context as to which one is worse. I also found the discussion on the strength of the different biometric methods to be interesting. The iris recognition is the gold standard but more complex and expensive than other methods.
Charlie Corrao says
One important point from this reading is the section on addressing loss and theft. No matter the security measures put in place, it is always possible that a device could be lost or stolen, or a password could be compromised. Physical device cancellation ability is one of the best tools to combat this. If a stolen phone, for example, is lost, the company can turn it off. One important consideration is the amount of time that should pass before a device is turned off. A shorter cancellation time may lead to the discovery that the device was not actually stolen, but just misplaced. But, waiting too long gives a criminal more time to access the stolen device.
Jonathan Mettus says
I’ve come across that situation before where somebody thought they lost their company laptop. They did what they should have, and notified IT right away. Because this person had given a presentation, then gone to lunch at a restaurant, and returned without their laptop in their briefcase, everyone assumed it was gone forever. IT remotely wiped the laptop. Probably an hour later, the laptop was found in the conference room where this employee had given his presentation. He never actually took it with him when he went to lunch. There ended up being a lot of recovery for a laptop that wasn’t actually lost.
Christa Giordano says
There is so much focus today on logical security that sometimes organizations either do not think about physical security and/or the correlation between physical security and logical security. Not only can you learn cyber hacking techniques from online videos, but there are viral videos available teaching individuals how to pick locks and develop tools to assist in gaining physical access to restricted areas or buildings, which can be used to steal equipment or perhaps take pictures of classified information with a cell phone. I found the section on ISO/IEC Security clause 9: Physical and Environmental Security to be most interesting, particularly section 9.1 Secure Areas, which focused on securing physical areas, including entire buildings, equipment rooms, logging physical entry/exits to the room or building, etc. This chapter made me recognize the importance of not only the defense in depth concept (logical) we learned in chapter 6 but also the defense of the physical perimeter including but not limited to entrances and exits (including fire escapes and emergency exits), loading docks and delivery areas, rules for working in secured areas, and security guards. So I think it’s fair to say that while the concept of the logical defense of the perimeter is not the best choice for implementing countermeasures, maintaining the physical security of the perimeter is critical.
To-Yin Cheng says
Industries need to control the access of resources by using physical and electronic methods. There are AAA protections, which indicate authentication, authorization, and auditing. The most interesting part for me is biometric authentication. It is not only based on the users’ fingerprint, iris pattern, face, voice, or hand geometry. It also includes something users do, like write, type, and walk. The purpose of biometric authentication is to make reusable passwords obsolete. It sets up a user’s template by scanning and extracts key features for identifying or verifying users in the future. Even though biometrics seem relatively secure because they are unique to every individual, they still have an error rate. Sometimes, it might allow attackers into the system through a false acceptance, or simply cause an inconvenience through a false rejection. Also, some people might not have well-defined fingerprints for different reasons. Fingerprint authentication may not be useful for them.
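The false-acceptance versus false-rejection trade-off mentioned in this post and in the earlier comment on biometric authentication comes down to where the verifier sets its matching threshold. The following is an added example, not code from the discussion or the textbook; the similarity scores are constructed and the matcher is hypothetical. It computes the false acceptance rate (FAR) and false rejection rate (FRR) at a given threshold, and shows how the choice of which error matters more (a high-security door versus a convenience login) selects a different threshold.

```python
# Added example: threshold trade-off of a biometric verifier.
# Scores are constructed for illustration, not measurements from a real sensor.
# A verifier accepts an attempt when its similarity score >= threshold.

GENUINE_SCORES = [0.92, 0.88, 0.85, 0.81, 0.79, 0.74, 0.70, 0.66, 0.60, 0.55]
IMPOSTOR_SCORES = [0.62, 0.58, 0.50, 0.47, 0.41, 0.38, 0.33, 0.29, 0.22, 0.15]


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (FAR, FRR) at the given threshold.

    FAR: fraction of impostor attempts accepted (an attacker gets in).
    FRR: fraction of genuine attempts rejected (a legitimate user is locked out).
    """
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def threshold_for_max_far(max_far, steps=100):
    """Lowest threshold (fewest false rejections) whose FAR stays <= max_far.

    This is the choice for a context where false acceptance is the worse error,
    e.g. a server-room door: fix the tolerable FAR first, then accept the FRR.
    """
    for i in range(steps + 1):
        t = i / steps
        far, frr = error_rates(t)
        if far <= max_far:
            return t, far, frr
    return 1.0, 0.0, 1.0  # not reachable with scores below 1.0


def equal_error_threshold(steps=100):
    """First threshold on the grid where FAR no longer exceeds FRR (the EER point).

    Useful as a neutral starting point when neither error dominates.
    """
    for i in range(steps + 1):
        t = i / steps
        far, frr = error_rates(t)
        if far <= frr:
            return t, far, frr
    return 1.0, 0.0, 1.0


if __name__ == "__main__":
    print("threshold  FAR   FRR")
    for i in range(50, 71, 2):
        t = i / 100
        far, frr = error_rates(t)
        print(f"{t:9.2f}  {far:.2f}  {frr:.2f}")
    print("strict (FAR <= 0):", threshold_for_max_far(0.0))
    print("equal error point:", equal_error_threshold())
```

Raising the threshold drives FAR to zero but locks out more genuine users; lowering it does the opposite. The table printed by the block makes the crossover visible, and the two helper functions show the two ways an organization might pick a point on that curve depending on which error it considers worse.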
Jonathan Mettus says
In my opinion, access control should be a major emphasis in any audit or risk assessment. It’s something that every company does, but not every company gets right. Role-based access control increases effectiveness and reduces management costs. But in my experience I’ve seen older companies that are stuck in their ways that don’t feel the need to change from their methods of individually assigning access. Additionally, everyone is focused on authentication and authorization, but accounting (auditing) should not take a back seat. Logs of actions are crucial in any forensics investigations. As for the idea of passwords being phased out, I’m generally in favor of it, but my fear is that access tokens will all be migrated onto someone’s smartphone and then if an attacker steals your phone they essentially have access to all of your accounts.
Lakshmi Surujnauth says
An interesting takeaway from this reading is identity management, described as the centralized, policy-based management of identifying, maintaining, using, deprovisioning, and authenticating users’ identities. The benefits of identity management include: cost reduction associated with redundant work, for example provisioning and deprovisioning access rights and password resets; a single change to add, change, or remove users’ access privileges on all servers in the organization; centralized auditing of users’ access privileges; and SSO and compliance.
Xiduo Liu says
A number of good industry standard practices are covered in the text. RBAC, or Role-Based Access Control, has a number of advantages. It is easy to manage, reduces chances of errors, and it is easy to remove access. Two-factor authentication or even multifactor authentication provides organizations with defense in depth. Physical security and physical access control are also covered in the text, however, as highlighted in the text, humans are still the weakest link in security, as humans create opportunities to bypass even the strongest technology.
Michael Doherty says
Xiduo,
I agree with your comments. You made several good points about RBAC, 2FA and physical security. This chapter did seem to place some time on physical security and physical access controls which are valuable ideas to help mitigate the risk.
Wei Liu says
Access Control is essential for sensitive resources. It is interesting to know that the password is one of the weakest levels of authentication. We are all familiar with the password function, and it is built into every kind of computer operating system. If attackers crack the root account password, they will “own” the machine and server. To reduce the risk, firms need strong password policies to ensure that passwords are long and complex. They specifically should not be common words or slight variations on common words. The company also needs to develop a password reset system for lost passwords.
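The policy described in this post (long, complex, and not a common word or a slight variation on one) is easy to state and easy to get wrong in code, because "P@ssw0rd1" satisfies naive complexity rules. The following is an added example, not code from the discussion or the textbook. The denylist of common words is a constructed stand-in for the breached-password list a real deployment would use, and the leetspeak substitution table is an assumption about which variations are worth normalizing away.

```python
import re

# Added example: a password policy check that catches "slight variations"
# of common words. The word list is constructed and deliberately short.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "summer", "company", "admin"}

# Assumed substitution table: undo the usual letter-for-symbol swaps
LEET = str.maketrans("01345@$!", "oleasasi")

MIN_LENGTH = 14
MIN_CLASSES = 3
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def normalize(candidate: str) -> str:
    """Reduce a candidate to its letter core: lowercase, undo leet, drop digits/symbols.

    This is what turns 'P@ssw0rd2024!' back into something that starts with 'password'.
    """
    core = candidate.lower().translate(LEET)
    return re.sub(r"[^a-z]", "", core)


def is_slight_variation(candidate: str) -> bool:
    """True if the letter core still contains a denylisted word."""
    core = normalize(candidate)
    return any(word in core for word in COMMON_WORDS)


def check_password(candidate: str, username: str = "") -> list[str]:
    """Return the list of policy failures (empty list means the password is acceptable)."""
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(1 for p in CLASS_PATTERNS if re.search(p, candidate))
    if classes < MIN_CLASSES:
        failures.append(f"fewer than {MIN_CLASSES} character classes")
    if is_slight_variation(candidate):
        failures.append("common word or slight variation of one")
    if username and normalize(username) and normalize(username) in normalize(candidate):
        failures.append("contains the account name")
    return failures


if __name__ == "__main__":
    for pw in ("P@ssw0rd2024!", "Welcome1!", "correct horse battery staple 42"):
        print(repr(pw), "->", check_password(pw) or "OK")
```

Note that the length rule is checked independently of the complexity rules: a long passphrase of ordinary words passes, while a short string of symbols that decodes to a dictionary word does not, which is the behaviour the post's policy asks for.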
Elias Harake says
Hi Wei. Thank you for bringing up the point that access control is fundamental for the protection of sensitive information. I agree passwords are the weakest level of authentication. This is why implementing multi-factor authorization is essential in order to protect data. With multi-factor authorization a user needs to provide something they know, something they have, and/or a biometric identity.
Elias Harake says
An important takeaway that interested me from Chapter 5 Access Control was that access controls have 3 functions known as authentication, authorization, and auditing. According to the textbook, access control is the policy-driven control of access to systems, data, and dialogues. Authentication is the process of assessing the identity of the user claiming to have the permission of usage. On the other hand, authorization is the specific permissions that a particular authenticated user should have, given his or her authenticated identity. A method to protect and verify authentication is by using two-factor authentication. According to the book, a Trojan Horse and a man-in-the-middle are able to negate two-factor authentication. Individual and Role-Based Access Control implements rules based on access rules on individual accounts. I also thought that it was important to note that discretionary access control provides departmental ability to alter access control rules set by higher authorities, whereas mandatory access control gives no departmental ability to alter access control rules set by authorities.
Quynh Nguyen says
Access controls have 3 functions, the AAA: authentication, authorization, and auditing. Authentication is verifying that the individual requesting access is who they say they are. They are called the supplicant, and the person providing it is the verifier. The supplicant authenticates themselves with a password, fingerprint scan, facial recognition, two-factor authentication, etc. Authorization is the specific permission that a specific authenticated user has. For example, the admin should have permission to download, update, or change a program on the computer, but a regular employee will not be able to download, alter, or uninstall software. This is authorization based on authentication. Auditing is looking into an individual’s activity log and analyzing it in real time or using it for later analysis. Auditing helps ensure that authentication and authorization policies are followed.
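This post's supplicant/verifier description, the admin-versus-employee authorization example, and the earlier comments on RBAC and on auditing not taking a back seat all fit in one small verifier. The following is an added example, not code from the discussion or the textbook: the user store, role names, permissions and passwords are constructed, and PBKDF2 is used as the password hashing scheme by assumption. It runs the three functions in order (authenticate, then authorize by role, then record both outcomes in an audit log) and shows how the log supports the later analysis the post mentions.

```python
import hashlib
import hmac
import os
import time

# Added example: a minimal AAA verifier with role-based authorization.
# Users, roles, permissions and passwords below are constructed for illustration.

PBKDF2_ITERATIONS = 100_000
ROLE_PERMISSIONS = {
    "admin": {"software:install", "software:update", "software:remove", "report:read"},
    "employee": {"report:read"},
}


def derive(password: str, salt: bytes) -> bytes:
    """Salted, iterated password hash (PBKDF2-HMAC-SHA256, assumed scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class AccessController:
    """Verifier side: authenticates supplicants, authorizes by role, audits every decision."""

    def __init__(self):
        self.users = {}
        self.audit_log = []
        # Dummy credential so an unknown user name costs the same time as a known one
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = derive("dummy", self._dummy_salt)

    def add_user(self, name: str, password: str, role: str) -> None:
        salt = os.urandom(16)
        self.users[name] = {"salt": salt, "hash": derive(password, salt), "role": role}

    def _audit(self, action: str, subject: str, outcome: str, detail: str = "") -> None:
        self.audit_log.append({"ts": time.time(), "action": action, "subject": subject,
                               "outcome": outcome, "detail": detail})

    def authenticate(self, name: str, password: str) -> bool:
        """Authentication: is the supplicant who they claim to be?"""
        rec = self.users.get(name)
        salt = rec["salt"] if rec else self._dummy_salt
        stored = rec["hash"] if rec else self._dummy_hash
        ok = hmac.compare_digest(stored, derive(password, salt)) and rec is not None
        self._audit("authenticate", name, "success" if ok else "failure")
        return ok

    def authorize(self, name: str, permission: str) -> bool:
        """Authorization: does this authenticated identity's role carry the permission?"""
        role = self.users[name]["role"]
        ok = permission in ROLE_PERMISSIONS.get(role, set())
        self._audit("authorize", name, "success" if ok else "failure", permission)
        return ok

    def request(self, name: str, password: str, permission: str) -> str:
        if not self.authenticate(name, password):
            return "denied: authentication failed"
        if not self.authorize(name, permission):
            return "denied: not authorized"
        return "granted"

    def failures_by_subject(self) -> dict:
        """Auditing: count failed decisions per subject for later analysis."""
        counts = {}
        for entry in self.audit_log:
            if entry["outcome"] == "failure":
                counts[entry["subject"]] = counts.get(entry["subject"], 0) + 1
        return counts


def build_demo() -> AccessController:
    """Constructed user store: one admin and one regular employee."""
    ac = AccessController()
    ac.add_user("alice", "constructed-admin-pw-1", "admin")
    ac.add_user("bob", "constructed-employee-pw-2", "employee")
    return ac


if __name__ == "__main__":
    ac = build_demo()
    print(ac.request("alice", "constructed-admin-pw-1", "software:install"))
    print(ac.request("bob", "constructed-employee-pw-2", "software:install"))
    print(ac.request("bob", "wrong-password", "report:read"))
    print(ac.failures_by_subject())
```

Two details matter for a defender: authorization is never consulted for a request that failed authentication, so the log distinguishes "wrong credentials" from "right credentials, wrong role", and the unknown-user path still performs a hash computation so that the verifier's response time does not reveal which user names exist.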
Panayiotis Laskaridis says
Access Control and Identity Management has always been my favorite IT Risk Control. It is very straightforward, yet very nuanced. As auditors, IT or otherwise, we are in a unique position because we are typically granted access to systems that do not fall within our line of business. This even translates into physical security as well, like access to physical locations or parts of an office building that are closed off (pre-covid stuff). It is important that access is being granted for business needs only and being erased when there is no longer a business need. If an employee transfers to a different LOB within the same organization, it is important that they are stripped of access to their former LOB. This gets a little trickier when you’re an auditor and conduct periodic audits of a LOB. Having to request access to a system every time you audit it could potentially be bad for business.
Mitchell Dulaney says
Federated identity management is an important concept from this chapter. Digital identity management is now essentially universal, and organizations must rely on vendors for a variety of business processes. By necessity, an organization’s identity management system must be able to interface with its vendors’ identity management systems to maintain security in those business processes. Federated identity management serves this purpose. First, a vendor recognizes the organization as “trusted”, opening its system to communications from the organization’s systems in the form of assertions. After a user in the organization authenticates in their identity management system, an assertion is sent to the vendor’s system which includes a variety of information including who has authenticated, what their roles in the vendor system are, and the attributes of those roles. The vendor identity management system can translate that assertion and authenticate the user for access to the information systems needed to complete the business process.
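The assertion flow described in this post (the organization's identity system authenticates the user, sends a signed assertion naming the user and their roles, and the vendor's system validates it and maps the roles onto its own permissions) is shown below as an added example, not code from the discussion or the textbook. It uses a JSON body with an HMAC-SHA256 signature over a shared key as a deliberately simplified stand-in for the XML signature and certificate trust that a real federation protocol such as SAML uses; the issuer name, audience, roles and key are all constructed.

```python
import base64
import hashlib
import hmac
import json

# Added example: issue and verify a federated identity assertion.
# Shared HMAC key stands in for the vendor's trust in the organization's signing
# certificate; issuer, audience, roles and key values are constructed.
SHARED_KEY = b"constructed-demo-federation-key"
TRUSTED_ISSUERS = {"org-idp"}

# Vendor-side mapping from the roles carried in the assertion to vendor permissions
VENDOR_ROLE_MAP = {
    "procurement": {"order:create", "order:read"},
    "viewer": {"order:read"},
}


def issue_assertion(key: bytes, subject: str, roles: list, audience: str,
                    now: int, ttl: int = 300) -> str:
    """Organization side: after local authentication, sign a short-lived assertion."""
    body = {"iss": "org-idp", "sub": subject, "roles": roles,
            "aud": audience, "iat": now, "exp": now + ttl}
    payload = base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode()).decode()
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig


def verify_assertion(key: bytes, token: str, expected_audience: str, now: int):
    """Vendor side: check signature, issuer, audience and validity window, then map roles.

    Returns (identity, reason); identity is None when the assertion is rejected.
    """
    parts = token.split(".")
    if len(parts) != 2:
        return None, "malformed"
    payload, sig = parts
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None, "bad signature"          # checked before anything is parsed
    body = json.loads(base64.urlsafe_b64decode(payload))
    if body.get("iss") not in TRUSTED_ISSUERS:
        return None, "untrusted issuer"
    if body.get("aud") != expected_audience:
        return None, "wrong audience"         # assertion meant for a different vendor
    if not (body["iat"] <= now < body["exp"]):
        return None, "expired or not yet valid"
    permissions = set().union(*(VENDOR_ROLE_MAP.get(r, set()) for r in body["roles"]))
    return {"subject": body["sub"], "permissions": permissions}, "ok"


if __name__ == "__main__":
    now = 1_700_000_000
    token = issue_assertion(SHARED_KEY, "alice@org.example", ["procurement"], "vendor-erp", now)
    print(verify_assertion(SHARED_KEY, token, "vendor-erp", now + 10))
    print(verify_assertion(SHARED_KEY, token, "vendor-erp", now + 400))
```

The vendor never sees the user's password: trust rests entirely on the signature and on the audience and expiry checks, which is why a tampered body, an assertion replayed at a different vendor, or a stale assertion are all rejected before any role mapping happens.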
Michael Doherty says
The password policy section was interesting to me. Although this may seem like common sense, a password policy should be in place. Pages 278-279 discuss using a password management program, password duration policies (like 90 days), and disabling no longer used passwords. These are all great ideas to help the company reduce the risk of a password attack. Considering that the password is contingent on a user to create, a password policy, although potentially annoying to the employee, is in the company’s best interest.
Panayiotis Laskaridis says
This is the most annoying control for me personally. Mainly because I hate having to change my password every few months. That being said, a duration policy only makes sense if the password requirements are complex enough that it’d take X amount of days to crack it. Or else it doesn’t matter essentially.
Ashleigh Williams says
This reading gave an overview of access controls. Some of the topics covered were passwords, physical access, biometric authentication, and directory servers. This reading was particularly interesting to me because, as an auditor, access controls are among my favorite controls to test. This is where we see a lot of clients typically have exceptions in their audits. Many organizations take for granted the importance of regularly reviewing who has access to systems and whether that access is appropriate, as well as ensuring that access is approved by appropriate parties before access is granted.
Christopher Clayton says
What stood out to me from this reading is the Authentication function from access control. Nowadays, single factor authentication is almost obsolete to rid the unwanted intrusion. The two-factor authentication has more security, but may not get away from intrusions such as trojans and man-in-the-middle incidents. That is where the multi-factor authentication steps in granting access to the user after receiving more than 2 forms of authenticity (validity) of the user.