ITS 4210 - Access Control, Authentication, and PKI

Chapter 3, Business Drivers for Access Control

Objectives:

This lesson concerns two chapters, so it is a little long. Objectives important to this lesson:

  1. Business requirements for asset protection
  2. How information is classified
  3. Using information competitively
  4. Business drivers for access control
  5. How controlling access protects value
  6. Example of access control

Concepts:

Chapter 3

Business Requirements

The chapter begins with a short discussion about protecting assets and the importance of good policies. Policies are where we start, because they name the assets we are protecting, they tell us why we are protecting them, and they usually tells us what to do. They should be clearly written, so they can be followed without confusion. The text also points out that controls, procedures that support policies, should be put in place to require compliant behavior by employees.

The text also mentions that senior management should act as role models. Make that all levels of management, because a policy need support from all levels. The example used in the text is requiring each person who enters a secure site to be admitted only after their ID badge has been properly scanned. The text warns us that this procedure is often circumvented by people who hold doors open for others, whether the others are known or not.

This is a hard control to implement, because people do not like it. I have seen a successful control implemented that works for this policy. Let the doors to the site open to turnstiles. To pass through, employees must scan their ID badges on an ID scanner incorporated into each turnstile. This makes each individual scan their own badge without closing a door in someone's face. It also speeds up the entry process, because there is more than one scanner at each door. A nearby security guard processes admission for people who need help.

Information Classification

The next topic is about classifying information in terms of sensitivity or secrecy. If your documents, files, and other information types are tagged with a security level indicator, your staff may be tagged as well, as being allowed to access information at or below a particular level. A common term for an access level is clearance.

Two classification systems are mentioned. The link in the previous sentence will take you to an article that has more breadth. It describes the systems used by a number of countries.

  • National Security Classification (US government)
    Note that although it has four levels, the adjectives used in the three levels of sensitivity are not defined, so it would be impossible to classify information under this system without more guidance. There is more guidance in Executive Order 13526.
    • Unclassified - information that is available for general release
    • Confidential - information whose disclosure would cause damage to national security
    • Secret - information whose disclosure would cause serious damage to national security
    • Top Secret - information whose disclosure would cause exceptionally grave damage to national security
  • Common Corporate Security Classification
    • Public - information that may be given to the public
    • Internal - information not given to the public, but disclosure would not damage the company
    • Sensitive - information whose disclosure would cause serious damage to the company
    • Highly Sensitive - information whose disclosure would cause extreme damage to the company

Classified material should be examined before it is classified, and it should be reexamined periodically to consider changing its classification category. The text lists four ways a document classified by the US government may be declassified:

  • Automatic declassification - classified documents that are 25 years old may be automatically declassified and placed in the national archives; there are exceptions to this rule, established by the Department of Justice
  • Systematic declassification - documents less than 25 years old may be reviewed for historical importance, and may be declassified
  • Mandatory declassification review - if an authorized holder requests that a document be declassified, the owning agency must review the request and respond that the request is approved, the request is denied, or that the agency cannot confirm or deny the existence of the document; denials may be appealed
  • Freedom of Information Act (FOIA) request - anyone in the general public may request that a document be declassified by filing a FOIA request; as the video below explains, there are limits to the kinds of requests that can be made.


The text explains that personally identifiable information (PII) is the most sensitive information most companies have. When this kind of information about customers is stolen, customers lose confidence even if they don't lose money or their identities to the thieves. In the worst cases, customers lose all of those things, and the companies may be liable for the losses. The most important types of PII are social security numbers and credit card numbers, paired with customer names.

The text emphasizes the importance of PII in the context of the Health Insurance Portability and Accountability Act (HIPAA) on page 47.  It lists various penalties for disclosure of health related information to parties who do not have a legitimate right to know. Note that the penalties increase dramatically if the intent of the offender is more criminal, and if proper steps to stop further disclosures are not taken.

The text presents some business related reasons for using access control:

  • Confidential business information and trade secrets must be protected because they lose their value if they are known by the public or a competitor. See, for example, the formula for Coca-Cola. According to the Coca-Cola company, only two people know their formula at any given time. This may not be true, but it makes a good story, and it raises interest in the product. It also makes it harder for a customer to mix up their own version.



  • A strictly enforced access control program might avoid the risk of exposing customer PII to thieves. Of course, such defense needs to be checked, tested, and improved over time.
  • In the context of risk assessment, the text reminds us that we will generate a list of assets, a list of vulnerabilities for each asset, and a list of potential exploits for each vulnerability. The question is asked, "How do we prioritize?" Do we protect the most valuable asset first? The most vulnerable asset? The "most likely to be attacked" asset? The answer to that question will tell you something about your organization. Maybe the most common vulnerability needs to be addressed first, partly because it affects more assets, but also because it may be the quickest problem to resolve. That matters, too. Quick solutions are valuable, because they protect something right away, and because that gives you more time to address something else.

The text move on to discuss some examples of access rights, but the first one falls apart. Who cares if the newsletter is stuffy or funny? Well, the people reading it do, but that has nothing to do with access rights. The only part of the story on page 50 that matters is that everyone in the company can read the newsletter, but only a few are allowed to edit or change it. Not much of a surprise, right? The author tries a few more stories, but the points are elusive.

A Warning about Risk Assessment

Skipping ahead to pages 55 and 56, we seem to be returning to risk assessment. The author elaborates on some of the phases, from the perspective an an attacker:

  • Full asset inventory - The asset inventory becomes a target for an attacker. It can be used to find assets, to prioritize them, and to make a list for Santa.
  • Vulnerability assessment - If the asset inventory is a target for an attacker, the vulnerability assessment becomes a guidebook to your assets as the attacker takes a tour of all their weak spots.
  • Threat assessment - This becomes a lesson in what not to do for the attacker. The attacker needs to look in his bag of tricks and find an exploit that your defense experts did not anticipate being used.
  • Mitigation plans - The mitigation plans are the defense plans for your network. Typically, there will be a prioritization to them, which will tell the attacker where he is wasting his time, and where he should be attacking the richest or easiest targets.
  • Risk assessment policies - The author suggests that this will include a schedule for conducting risk assessments, which will tell the attacker the age of the plans he has stolen. What is the point? That things change, and an assessment that was done long ago may not reflect the current state of the network. Hmm. Was this set of plans actually a honey pot?

So, it should be obvious that if we conduct all the security studies we should, we need to hide the output of those studies even more than the assets themselves.

Access Control Recommendations

The chapter ends with some thoughts about access controls that work, and some that don't.

  • The text has recommended that we should always follow the policies of least privilege and need to know. Don't assign more access than a person needs, and not for longer than they need it.
  • The first story on page 60 follows this advice. The staff are assigned to groups based on their job function, and those groups are given access only to those assets they need, and only for the duration of that need.
  • In the second story on page 60, the trade secrets and a prototype left a company due to an open door and an executive assistant who wanted to sell secrets to a competitor. A lock, a guard, and maybe some security on the actual secrets of the company in question would have been a good idea.

Assignments for Chapter 3

  1. Continue the reading assignments for the course.
  2. Complete the assignments and class discussion made in this module.