Risk Management: Use of Access Controls to Protect Assets
- Module 1: Document, Implement, and Maintain Functional Security Controls
- In this module we are going to start looking at the pieces that make up a security program. Now that we have examined the process of risk management, we have the information needed to justify the controls and other actions taken to secure and protect the assets of the organization. The core principle of information security must be remembered, which is that security exists solely for the purpose of supporting and enabling the business mission. Our goal as security professionals is not just to be secure but rather to secure the business. Our organizations do not hire us because they are really interested in security; they hire us because management realizes that security is necessary in order for the business to survive.
Senior managers and leaders within the organization focus on achieving efficient use of every resource they have available to them, so that they can maximize the organization’s effectiveness within the marketplaces it serves. Whether it is a for-profit business, a nonprofit organization, or a government agency, the organization (in the words of the motto of the UK’s Royal Air Force Police) has to survive to operate. It has to control the losses due to inefficient business processes, bad weather or criminal attacks. Simply put, information security that minimizes losses and protects high-value assets, processes, goals, and objectives pays for itself, and thus commands support and resources from senior management. Security efforts that do not directly support defending those priorities won’t.
The explosive growth in cyber fraud activities during the pandemic of 2020-2021 and the increase in ransomware and other attacks alike demonstrates how the attackers are learning faster than the defenders. Let’s turn that around, starting with how we think about turning security needs and requirements into effective control strategies.
- Module 2: Access Controls Models
- It could be argued that access controls are the heart of an information security program. Earlier in this course we have looked at the foundation of security through risk management and policy, and the leadership of information security through management involvement and strategic planning, but in the end, security all comes down to “who can get access to our assets (buildings, data, systems, etc.) and what can they do when they get access?”
Access controls are not just about restricting access, but also about allowing access. It is about granting the correct level of access to authorized personnel and processes but denying access to unauthorized functions or individuals.
- Module 3: Identity Management Lifecycle
- This part of the course examines the process of identity management. Identity management (IM) is often described using the IAAA model (sometimes called the AAA model). This represents the steps of identification, authentication, authorization, and accounting (sometimes incorrectly called audit; we’ll see why as we go along). Identity management includes establishing, maintaining, and removing identities on our systems. Access control focuses on the real-time tasks necessary to validate that an attempt to access a resource is being done by a recognized, accepted entity using an identity known to the system, and that the attempt is seeking to use privileges that are appropriate and valid for that entity, that resource, and current circumstances.
Prior to the widespread use of web pages that allow site visitors to create an account (an identity) on that host system, most security professionals and organizational managers thought of IM and AAA as happening on two very different time scales, or as driven by two very different types of events:
IM activities were viewed as being driven by large-scale events, such as joining the organization, going through a major change in roles or job responsibilities, and then leaving the organization.
AAA activities then occur on a real-time basis with every connection (sign-on) attempt and every access request to resources made by any one of the accounts and user IDs created for that person.
As the concept of identity management has had to expand to include nonhuman users and entities, this view of IM and AAA time horizons has changed in related ways. A company hires human users and acquires endpoints or server devices. It signs partnership agreements with other organizations to set up federated access control mechanisms so that both can share information assets in controlled, secure ways. Each of these are IM activities that happen once (or a few times) in the lifecycle of that entity’s relationship with the organization. And just as a human user might go through a thousand resource access attempts during a single workday (or even in a short session), so too might a nonhuman entity performing its assigned or allowed tasks.
- Module 4: Implement and Maintain Authentication Methods
- The implementation of access management contains its own challenges. Audits in many organizations often reveal that the identity management processes used are flawed, resulting in many users who have access permissions that they have accumulated over the years that are not aligned with their current business needs. This is a problem where privacy regulations require accountability and tracking of access permissions, and it can lead to financial penalties, security breaches, and embarrassment for the organization. The idea of an identity and access management (IAM) system is to automate the process and reduce the administrative overhead, while improving reporting and the ability to monitor the access levels granted to users. Some of the features of IAM systems include an automated process for users to request and be granted access to systems, a streamlined process for new users and for password resets.
- Module 5: Chapter 2 Review
- It’s not an exaggeration to say that access control is the heart of the information systems security problem. Everything we do as security professionals drives down to this problem set; risk management sets requirements for access control to achieve, and the design, configuration, and operation of the information infrastructures the organization uses must reflect the access control decisions that have been made.
Access control technologies may very well represent the most hotly contested “real estate” in the battle between cyber defenders and cyberattackers.
This chapter has provided you with a rich, detailed, and in-depth orientation and introduction to many aspects of the access control need and problem, while it has also shown you ways to solve that problem and address that need.