Introduction
Identity and Access Management (also known as access control) is the basis for all security disciplines, not just IT security. The purpose of access management is to allow authorized users access to appropriate data and deny access to unauthorized users. Seems simple, right? It would be easy to completely lock a system down so that it permits only predefined actions with no room for leeway. In fact, many organizations, including the US military, do just that, restricting the access users have to systems to a very small set of functions.
However, with increasing dependence on the Internet to perform work, systems must be flexible enough to be able to run a wide variety of software that is not centrally controlled.
Another concern that impacts access control is the dependence on antiquated (also known as "legacy") software applications. Large IT infrastructures (such as the US military) may run mission-critical applications that are over 10 years old! The cost of replacing these legacy applications is often too high for the organization to complete in one funding cycle. IT professionals must therefore manage security while running insecure legacy applications that introduce access control risks.
One thing is certain: with the dependence on IT as a means of doing business, and Identity and Access Management as one of the first lines of defense, understanding how to properly implement access management has become vital in the quest for secure communications.
Access controls protect against threats such as unauthorized access, inappropriate modification of data, and loss of confidentiality. Access control is performed by implementing strong technical, physical, and administrative measures. This chapter focuses on the technical and administrative aspects of access control; we discussed physical security in Chapter 4 (Domain 3: Security Architecture and Engineering). Remember that physical security is implicit in most other security controls, including access control.
Authentication Methods
A key concept for implementing any type of access control is controlling the proper authentication of subjects within the IT system. A subject first identifies himself or herself; this identification cannot be trusted by itself. The subject then authenticates by providing an assurance that the claimed identity is valid. A credential set is the term used for the combination of both the identification and authentication of a user.
There are three basic authentication methods: Type 1 (something you know), Type 2 (something you have), and Type 3 (something you are). A fourth type of authentication is some place you are.
Type 1 Authentication: Something You Know
Type 1 Authentication (something you know) challenges the subject to prove knowledge of a secret that only the legitimate subject should know. The subject is granted access on the basis of something they know, such as a password or PIN (Personal Identification Number, a number-based password). This is the easiest, and often weakest, form of authentication: a secret that is guessable, reused, or stored in the clear is trivially defeated, which is why the system must never store the secret itself and must not reveal whether the identity or the secret was the part that failed.
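The following is an added example, not code from the book, showing how a Type 1 credential set (identity plus something-you-know secret) is verified correctly. The user store, usernames and passwords are constructed for illustration. It keeps identification and authentication separate: the username is an untrusted claim, the password proves it. Only a per-user salted PBKDF2-HMAC-SHA256 digest is stored (never the secret), the comparison is constant-time, and an unknown username is processed with the same cost and the same result as a wrong password so the login prompt does not leak which identities exist.

```python
import hashlib
import hmac
import os

# Iteration count for PBKDF2-HMAC-SHA256 (OWASP's 2023 recommendation).
PBKDF2_ITERATIONS = 600_000
SALT_LEN = 16
DIGEST_LEN = 32  # SHA-256 output size


def _derive(password: str, salt: bytes) -> bytes:
    """Derive the stored/compared digest from the secret and a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def enroll(store: dict, username: str, password: str) -> None:
    """Create a credential record: a fresh random salt plus the derived digest.

    The plaintext password (or PIN) is never written to the store.
    """
    salt = os.urandom(SALT_LEN)
    store[username] = (salt, _derive(password, salt))


def authenticate(store: dict, username: str, password: str) -> bool:
    """Test the claimed identity (username) against the offered secret.

    Returns True only if the identity exists AND the secret derives to the
    stored digest. An unknown user and a wrong password are indistinguishable
    to the caller: both return False and both pay the full derivation cost,
    so neither the response nor its timing reveals which usernames are valid.
    """
    record = store.get(username)
    if record is None:
        # Dummy salt/digest so the work factor is identical for unknown users.
        salt, stored = os.urandom(SALT_LEN), bytes(DIGEST_LEN)
    else:
        salt, stored = record
    matches = hmac.compare_digest(_derive(password, salt), stored)
    return record is not None and matches


if __name__ == "__main__":
    # Constructed sample store; these identities and secrets are illustrative only.
    users: dict = {}
    enroll(users, "alice", "correct horse battery staple")
    enroll(users, "bob", "1234")  # a PIN is just a short numeric password
    print(authenticate(users, "alice", "correct horse battery staple"))  # True
    print(authenticate(users, "bob", "4321"))                            # False
    print(authenticate(users, "mallory", "1234"))                        # False
```

Note that the same routine serves passwords and PINs; the weakness of a four-digit PIN lies in its tiny search space, which is why a PIN is normally paired with a lockout or rate limit (as on a smart card) or with a second factor rather than used alone.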