ITS 421 - Tactical Perimeter Defense

Chapter 11, Access Control Implementations

Objectives:

This lesson discusses adapting policies into useful rules, and applying those rules in your environment. Objectives important to this lesson:

  1. Turning policies and standards into procedures and guidelines
  2. Getting acceptable standards
  3. Multilayer access controls
  4. Tighter security

Concepts:

Chapter 11

Turning Policies and Standards into Procedures and Guidelines

The chapter begins with some remarks about access controls that make me wonder if the author of this chapter read any of the preceding ones. Let's assume that is the problem, then the chapter will make more sense.

Turning to page 236, the text lists the four components that this section is about, with a slightly different slant than we have seen in other classes.

  • Policy - The rules and requirements that the company must follow are stated. This is a general statement about purposes and goals.
  • Standard - This time, the text is talking about the topics and details that the rule must contain, as set forth by some authority. More on that in a minute.
  • Guideline - Recommendations that will be made about the policy.
  • Procedure - The particular steps that are required to accomplish the goals of the policy.

This is the order of the bullet points in the chapter, but we will see in an example that it makes more sense to do the guidelines last. They are not rules, so they should follow everything that is a rule.

Getting Acceptable Standards

The main difference in this set of ideas is what the text is telling us about standards. Previously, we have been told that standards are general requirements, halfway between the general principle of a policy, and the specific detail of a procedure. This time, the text is recommending that we should look to established authorities who have experience creating standards, and that we choose to follow their recipe for standards.

  • IEEE - The engineering professional organization that has created over 1100 standards.
  • NIST - A US federal agency that creates standards for other federal agencies.
  • FISMA - This is not an agency, it is a law. It requires federal agencies to have information security policies that meet the requirements at the top of page 239.
  • ISO - The creator of the largest body of international standards, about 18000 of them. They are not all about information technology.
  • IETF - The Internet Engineering Task Force creates standards around protocols used on the Internet.
  • PCI Security Standards Council - This is the body that created the Payment Card Industry Data Security Standard (PCI DSS), used by entities who take payment by credit and debit cards. Some of its requirements are on the bottom of page 240.
  • Center for Internet Security - Another professional organization that promotes standards, this time for configuration settings for commonly used devices and brands.

The text applies this concept on the next two pages. It presents an example of an organization that is creating a password policy, following the standards of the NIST.

  • The process begins by stating that the policy will define the kind of passwords that will be used on desktops, laptops, and servers. In our present environment, we would expand that list to include tablets and other devices.
  • This organization has chosen to follow NIST Special Publication 800-53. That link does not go to the the document. It goes to a summary of the topics in it. Note that the actual document is over 460 pages long. As a set of standards, the document is overwhelming, so I am not assigning it. We will trust the summary of features on pages 242 and 243.
  • Procedures and guidelines are not addressed in detail in the text example. Note, however, the plan under Procedures to identify all systems that require passwords. Most applications and database systems can be configured to require passwords, but they do not all have the same feature set that the network operating system has. This may require some reprogramming on the part of agency IT staff, or it may require an additional standard for those interfaces that cannot be made to comply with the general standard.

After creating the policy, standards, and procedures, the text considers guidelines. The material on page 244 may puzzle the reader. The bullet points on that page are not guidelines, because they can and should be required. Guidelines are not requirements, they are recommendations. Why have guidelines at all? There are two reasons you should know about. One is that we should recognize that you cannot control every behavior. We can recommend that users take measures to prevent shoulder surfing, but we cannot manage that with access controls. We have to tell people what the best choices are, where they have choices, and hope them make good ones. Another reason is that we can use guidelines as pilot concepts. We may not have support from upper management for a particular idea, but we can present that idea in a guideline, gather data from people who carry it out and people who do not, and present our findings to management. This may lead to a new standard being adopted, or it may show that the new idea is not worth using as a standard.

Multilayer Access Controls

Let's move to page 247, which discusses placing your access controls at several points. Several concepts are reviewed:

  • Grant permissions to users as needed, but use roles and groups where possible to make granting rights easier to manage.
  • The text addresses software installation rights on page 248, which are usually tightly managed in enterprise environments. The examples shown on that page and the next are restrictions that should be applied to the group most users belong to, but not the group your administrator and technicians belong to. Note that Active Directory, in these examples, is being set to allow DLL downloads. You may have seen more information about this concept in a Microsoft class. If not, follow this link to a Microsoft document about Software Restriction Policies. Note that the instructions in the document for workstations have not been updated to show the changes in Windows 10, but they should match your Windows 7 computers in the classroom.
  • The text also describes rights to general files and files in databases. Three database related roles are listed on page 251.
  • Access controls for general employees are considered for a couple of pages, followed by more painful material. Let's stop here for a while.

 

Assignments for Chapter 11

  1. Complete the Review Questions posted for this chapter in the Review for Test 3, from number 15 through number 21.
  2. Pick one of the case studies at the end of either chapter. Briefly explain what you see as right and wrong about the situation and the solution proposed by the authors. Is there another recommendation you would make?