For a user to be able to access a resource, he must first prove that he is who he claims to be, has the necessary credentials, and has been given the necessary rights or privileges to perform the actions he is requesting.
Identification describes a method of ensuring that a subject (user, program, or process) is the entity it claims to be. Identification can be provided with the use of a username or account number.
To be properly authenticated, the subject is usually required to provide a second piece to the credential set (a password, a cryptographic key, personal identification number (PIN), ….).
If identification and authentication credentials match the stored information, the subject is authenticated.
Once the subject is authenticated, the system it is trying to access needs to determine if this subject has been given the necessary rights and privileges to carry out the requested actions.
If the system determines that the subject may access the resource, it authorizes the subject. These mechanisms are enforced through AAA (Authentication, Authorization and Auditing) tools.
Access controls tools are used for identification, authentication, authorization, and auditability. They are software components that enforce access control measures for systems, programs, processes, and information.
They can be embedded within operating systems, applications, add-on security packages, or database and telecommunication management systems.
They can be offered as outsourced services by trusted third parties.
It can be challenging to synchronize all access controls and ensure that all vulnerabilities are covered without producing overlaps of functionality.
Once a person has been identified, through the user ID, he must be authenticated;
He must prove he is who he says he is.
There are three general factors that can be used for authentication:
- something a person knows (a password, PIN, …);
- something a person has (a key, an access card, a badge);
- something a person is (physical attributes).
Authenticating a person by something that he knows is usually the least expensive to implement, but it is less secure, too. Another person may easily acquire this knowledge and gain unauthorized access to a system.
Something a person has is a very common mechanism but the token’s life-cycle needs to be managed, they can be lost or stolen, which could result in unauthorized access.
Authenticating a person’s identity based on a unique physical attribute is referred to as biometrics.
Strong authentication contains two out of these three methods: something a person knows, has, or is (two-factors authentication).
When issuing identification values to users, the following should be in place:
- Each value should be unique, for user accountability.
- A standard naming scheme should be followed.
- The value should be non-descriptive of the user’s position or tasks.
- The value should not be shared between users.
Identity management is a broad term that encompasses the use of different products to identify, authenticate, and authorize users through automated means.
The continual increase in complexity and diversity of networked environments only increases the complexity of keeping track of who can access what and when.
Users usually access several different types of systems throughout their daily tasks, which makes controlling access and providing the necessary level of protection on different data types difficult and full of obstacles.
This complexity usually results in unforeseen and unidentified holes in asset protection, overlapping and contradictory controls, and policy and regulation noncompliance.
It is the goal of identity management technologies to simplify the administration of these tasks and bring sanity to chaos.
The following are many of the common problems that enterprises deal with today in controlling access to assets:
- Various types of users need different levels of access: internal users, contractors, outsiders, partners, etc.
- Resources have different classification levels: confidential, internal use only, private, public, etc.
- Diverse identity data must be kept on different types of users: credentials, personal data, contact information, work-related data, digital certificates, cognitive passwords, etc.
- The corporate environment is continually changing: business environment needs, resource access needs, employee roles, current employees, etc.
The traditional identity management process has been manual, using directory services with permissions and profiles.
This approach has proven incapable of keeping up with complex demands and thus has been replaced with the use of newly arrived automated applications that are rich in functionality, including enterprise-wide products and single sign-on solutions.
The following are some of the services that these types of products supply:
- User provisioning
- Password synchronization and resetting
- Self service for users on specific types of activities
- Delegation of administrative tasks
- Centralized auditing and reporting
- Integrated workflow and increase in business productivity
- Decrease in network access points
- Regulatory compliance
- Palm Scan
- Hand Geometry
- Retina Scan
- Iris Scan
- Signature Dynamics
- Keyboard Dynamics
- Voice Print
- Facial Scan
- Hand Topography
If an attacker is after a password, he can try different techniques:
- Electronic monitoring Listening to network traffic to capture information, especially when a user is sending her password to an authentication server. The password can be copied and reused by the attacker at another time, which is called a replay attack.
- Access the password file Usually done on the authentication server. The password file contains many users’ passwords and, if compromised, can be the source of a lot of damage. This file should be protected with access control mechanisms and encryption.
- Brute force attacks Performed with tools that cycle through many possible character, number, and symbol combinations to uncover a password.
- Dictionary attacks Files of thousands of words are used to compare to the user’s password until a match is found.
- Social engineering An attacker falsely convinces an individual that she has the necessary authorization to access specific resources.
- Synchronous token device,
- Asynchronous token device;
After successful authentication, the system must establish whether the user is authorized to access the particular resource and what actions he is permitted to perform on that resource.
Authorization is a core component of every operating system, but applications, security add-on packages, and resources themselves can also provide this functionality.
The decision of whether or not to allow users to access some resource was based on access criteria.
Access criteria is the crux of authentication.
This subject can get very granular in its level of detail when it comes to dictating what a subject can or cannot do to an object or resource.
This is a good thing for network administrators and security professionals, because they want to have as much control as possible over the resources they have been put in charge of protecting, and a fine level of detail enables them to give individuals just the precise level of access that they need.
It would be frustrating if access control permissions were based only on full control or no access. These choices are very limiting, and an administrator would end up giving everyone full control, which would provide no protection.
There are different ways of limiting access to resources and, if they are understood and used properly, they can give just the right level of access desired.
Granting access rights to subjects should be based on the level of trust a company has in a subject and the subject’s need to know. Just because a company completely trusts Alice with its files and resources does not mean she fulfills the need-to-know criteria to access the company’s tax returns and profit margins.
These issues need to be identified and integrated into the access criteria.
The different access criteria can be broken up into different types:
- transaction types.
As employees work at a company over time and move from one department to another, they often are assigned more and more access rights and permissions.
This is commonly referred to as authorization creep. It can be a large risk for a company, because too many users have too much privileged access to company assets.
Users’ access needs and rights should be periodically reviewed to ensure that the principle of least privilege is being properly enforced.
It is important to understand that it is management’s job to determine the security requirements of individuals and how access is authorized.
The security administrator configures the security mechanisms to fulfill these requirements, but it is not her job to determine security requirements of users.
An access control model is a framework that dictates how subjects access objects. It uses access control technologies and security mechanisms to enforce the rules and objectives of the model.
There are three main types of access control models:
- Discretionary (DAC),
- Mandatory (MAC),
- Nondiscretionary (also called role-based RBAC).
Each model type uses different methods to control how subjects access objects.
For every access attempt, before a subject can communicate with an object, the security monitor reviews the rules of the access control model to determine whether the request is allowed.
If a user creates a file, he is the owner of that file. An identifier for this user is placed in the file header.
A system that uses discretionary access control (DAC) enables the owner of the resource to specify which subjects can access specific resources.
This model is called discretionary because the control of access is based on the discretion of the owner.
The most common implementation of DAC is through ACLs, which are dictated and set by the owners and enforced by the operating system.
Most of the operating systems are based on DAC models, such as all Windows, Linux, and Macintosh systems and most flavors of Unix.
When you look at the properties of a file or directory and you see the choices that allow you to control which users can have access to this resource and to what degree, you are witnessing an instance of ACLs enforcing a DAC model.
DACs can be applied to both the directory tree structure and the files it contains.
The PC world has access permissions of No Access, Read (r), Write (w), Execute (x), Delete (d), Change (c), and Full Control.
Identity-Based Access Control
In a mandatory access control (MAC) model, users and data owners cannot determine who can access files.
This model is much more structured and strict and is based on a security label system. Users are given a security clearance (secret, top secret, confidential, and so on), and data is classified in the same way. The clearance and classification data is stored in the security labels, which are bound to the specific subjects and objects.
When the system makes a decision about fulfilling a request to access an object, it is based on the clearance of the subject, the classification of the object, and the security policy of the system.
The rules for how subjects access objects are made by the security officer, configured by the administrator, enforced by the operating system, and supported by security technologies.
Each organization has unique security requirements, many of which are difficult to meet using traditional DAC and MAC controls.
DAC is an access control mechanisms that permits system users to allow or disallow other users access to objects under their control without the intercession of a system administrator.
In many organizations, the end users do not “own” the information for which they are allowed access; the actual “owner” is the corporation -> control has to be based on employee functions rather than data ownership.
A user has access to an object based on the assigned role.
Roles are defined based on job functions.
Permissions are defined based on job authority and responsibilities within a job function.
Operations on an object are invocated based on the permissions.
The object is concerned with the user’s role and not the user.
11. Network security