ITS 4210 - Access Control, Authentication, and PKI
Chapter 15, Access Control Assurance
Objectives:
This lesson discusses conceptual labels and analysis.
Objectives important to this lesson:
- Information assurance (IA)
- IA in controls
- Using controls to assure CIA
Concepts:
Chapter 15
This chapter reviews material from previous chapters,
repackaging it with new names, but not really introducing anything new.
Information Assurance
The text introduces a new concept on page 339. First, you should know from other courses that Information Systems Security (ISS) is concerned with protecting all of our organization's information. We are also told that Information Assurance (IA) is a subset of ISS. IA is concerned with protecting information that is being processed or being used. Why do we care about that subset?
The text makes it a bit clearer by listing the "five pillars of the IA
model". You will recognize most of them:
- Confidentiality - a concern of ISS and IA
- Integrity - a concern of ISS and IA
- Availability - a concern of ISS and IA
- Authentication - a concern of IA
- Nonrepudiation - a concern of IA
This makes no sense, because we have already been told that IA is part of ISS. There seems to be agreement on lots of web sites, including the Department of Defense, that IA does embrace these five concepts. So, what about the two new ones?
- Authentication - making sure of a user's identity
- Nonrepudiation - keeping records of what users do on the system
The two concepts, when taken together, mean that we have confidence
about who we have allowed into our system, and we are tracking what
they do, so there is no denying (repudiating) their actions.
The text continues with a longer discussion on each of the five points.
- Confidentiality - the text uses the phrase "need to know" as a measure of this concept; we do not allow access to any resource unless there is a reason for that access
- Integrity - making sure that no one who has not been authorized to do so changes data; this may be done by imposing limits on access, or by limiting the kinds or level of changes a user is allowed to make, such as restricting a user's view to data they actually own
- Availability - data must be available to authorized users when they need it
- Authentication - the security needs of the system must be matched by the level of confidence we have in a user's identity, perhaps requiring multi-factor and biometric ID in some cases
- Nonrepudiation - tracking of events and files must prove that a particular user took action, authorized access or payment, or simply was on the system; this can include digital signatures being placed on everything a user processes
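As an added illustration of the nonrepudiation pillar (example code written for these notes, not from the textbook), the Go program below signs each tracked event with the acting user's Ed25519 private key and verifies it against a registry of users' public keys; the user name, event fields and key registry are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// AuditRecord is one tracked event: who did what, to which resource, and when.
type AuditRecord struct {
	User     string `json:"user"`
	Action   string `json:"action"`
	Resource string `json:"resource"`
	Time     string `json:"time"`
}

// SignRecord signs the record's JSON form with a private key only that user holds.
func SignRecord(priv ed25519.PrivateKey, rec AuditRecord) ([]byte, error) {
	payload, err := json.Marshal(rec)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, payload), nil
}

// VerifyRecord checks the signature with the public key registered for the named
// user; any edit to the record, or a record naming someone else, fails to verify.
func VerifyRecord(registry map[string]ed25519.PublicKey, rec AuditRecord, sig []byte) bool {
	pub, ok := registry[rec.User]
	if !ok {
		return false
	}
	payload, err := json.Marshal(rec)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, payload, sig)
}

func main() {
	// Constructed sample: one registered user "alice" and one logged event.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	registry := map[string]ed25519.PublicKey{"alice": pub}
	rec := AuditRecord{User: "alice", Action: "approve-payment", Resource: "invoice-1042", Time: "2024-01-01T09:00:00Z"}
	sig, _ := SignRecord(priv, rec)
	fmt.Println("genuine record verifies:", VerifyRecord(registry, rec, sig))
	rec.Action = "reject-payment" // altered after the fact
	fmt.Println("altered record verifies:", VerifyRecord(registry, rec, sig))
}
```

Because only the user's private key can produce a signature that the registered public key accepts, a verified record is evidence that this user, and not an administrator or a shared-secret holder, performed the action.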
The text continues with a discussion of the McCumber cube, which is a confusing construct at best. It throws in the Parkerian hexad, which proves the point that lots of analysts try to make a name for themselves in the security business. Bottom line: protect the data. How you define what you are doing doesn't matter as much as actually doing it.
Controls must be tested and monitored. Testing takes place on the entire environment. We determine whether the controls are serving the big picture goals (business requirements, strategic goals) of the organization. The system is assessed and audited several ways:
- Self-assessment - usually performed by internal quality assurance and quality control staff
- Internal Audit - people inside the organization perform the audit and report to a controlling body or committee
- External Audit - an outside entity performs the audit, concentrating on organizational aspects that require an independent agent's view
- Regulator Audit - done when aspects of the organization fall under government regulation or legal requirements