ITS 421 - Tactical Perimeter Defense
Chapter 11, Access Control Implementations
This lesson discusses adapting policies into useful rules, and applying
those rules in your environment. Objectives important to this lesson:
- Turning policies and standards into procedures and guidelines
- Getting acceptable standards
- Multilayer access controls
- Tighter security
Turning Policies and Standards into Procedures and Guidelines
The chapter begins with some remarks about access controls that make
me wonder if the author of this chapter read any of the preceding ones.
If we assume that is the problem, the chapter will make more sense.
Turning to page 236, the text lists the four components that this section
is about, with a slightly different slant than we have seen in other classes.
- Policy - The rules and requirements that the
company must follow are stated. This is a general statement about purposes.
- Standard - This time, the text is talking about the topics
and details that the rule must contain, as set forth by some
authority. More on that in a minute.
- Guideline - Recommendations that will be made about
- Procedure - The particular steps that are required to
accomplish the goals of the policy.
This is the order of the bullet points in the chapter, but we will see
in an example that it makes more sense to do the guidelines last. They
are not rules, so they should follow everything that is a rule.
Getting Acceptable Standards
The main difference in this set of ideas is what the text is telling
us about standards. Previously, we have been told that standards
are general requirements, halfway between the general principle
of a policy, and the specific detail of a procedure. This time,
the text is recommending that we should look to established authorities
who have experience creating standards, and that we choose to follow their
recipe for standards.
- IEEE - The engineering professional organization that has created
over 1100 standards.
- NIST - A US federal agency that creates standards for other
- FISMA - This is not an agency; it is a law. It
requires federal agencies to have information security policies that
meet the requirements at the top of page 239.
- ISO - The creator of the largest body of international standards,
about 18000 of them. They are not all about information technology.
- IETF - The Internet Engineering Task Force creates standards
around protocols used on the Internet.
- PCI Security Standards Council - This is the body that created
the Payment Card Industry Data Security Standard (PCI DSS), used by
entities who take payment by credit and debit cards. Some of its requirements
are on the bottom of page 240.
- Center for Internet Security - Another professional organization
that promotes standards, this time for configuration settings for commonly
used devices and brands.
The text applies this concept on the next two pages. It presents an example
of an organization that is creating a password policy, following
the standards of NIST.
- The process begins by stating that the policy will define the kind
of passwords that will be used on desktops, laptops, and servers. In
our present environment, we would expand that list to include tablets
and other devices.
- This organization has chosen to follow NIST
Special Publication 800-53. That link does not go to the
document. It goes to a summary of the topics in it. Note that the actual
document is over 460 pages long. As a set of standards, the document
is overwhelming, so I am not assigning it. We will trust the summary
of features on pages 242 and 243.
- Procedures and guidelines are not addressed in detail in the text
example. Note, however, the plan under Procedures to identify all systems
that require passwords. Most applications and database systems can be
configured to require passwords, but they do not all have the same feature
set that the network operating system has. This may require some reprogramming
on the part of agency IT staff, or it may require an additional standard
for those interfaces that cannot be made to comply with the general
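The password example above separates a standard (concrete, testable requirements) from a procedure (the steps that enforce them) and then asks us to inventory every system that needs passwords. The following is an added example, not code from the textbook or the course, showing one way to express that separation in code: a standard as data, a checking procedure, and a gap analysis over an inventory of systems that may or may not be able to enforce the standard natively. All numeric limits, banned words and system names are constructed for illustration and are not values taken from NIST SP 800-53.

```python
# Added example (not from the textbook or the course): turning a password
# standard into an enforceable procedure, plus the inventory step the text
# highlights. All limits, words and system names below are assumptions.
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordStandard:
    """The 'standard' layer: concrete, testable requirements."""
    min_length: int = 12
    classes_required: int = 3          # out of: lower, upper, digit, symbol
    history_depth: int = 5             # previous passwords that may not be reused
    banned_words: tuple = ("password", "letmein", "welcome")


STANDARD = PasswordStandard()          # assumed values for illustration


def character_classes(candidate: str) -> int:
    """Count how many character classes the candidate draws from."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, candidate))


def fingerprint(password: str) -> str:
    """History entries are stored as digests, never as plaintext.
    A production system would use a salted, slow hash (bcrypt, scrypt);
    SHA-256 is used here only to keep the example dependency-free."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(candidate: str, history: list,
                   standard: PasswordStandard = STANDARD) -> list:
    """The 'procedure' layer: return every requirement the candidate fails.
    An empty list means the candidate complies with the standard."""
    violations = []
    if len(candidate) < standard.min_length:
        violations.append(f"shorter than {standard.min_length} characters")
    if character_classes(candidate) < standard.classes_required:
        violations.append(
            f"uses fewer than {standard.classes_required} character classes")
    lowered = candidate.lower()
    for word in standard.banned_words:
        if word in lowered:
            violations.append(f"contains banned word '{word}'")
    # Only the most recent `history_depth` digests count toward reuse.
    if fingerprint(candidate) in history[-standard.history_depth:]:
        violations.append(f"reuses one of the last {standard.history_depth} passwords")
    return violations


# The procedure step the text calls out: identify every system that requires
# passwords and record what each can enforce on its own. Constructed inventory.
SYSTEM_INVENTORY = {
    "domain-controller": {"max_length": 127, "enforces_classes": True,  "enforces_history": True},
    "hr-database":       {"max_length": 8,   "enforces_classes": False, "enforces_history": False},
    "legacy-badge-app":  {"max_length": 16,  "enforces_classes": False, "enforces_history": True},
}


def gap_analysis(inventory: dict, standard: PasswordStandard = STANDARD) -> dict:
    """Map each system to the requirements it cannot enforce natively.
    An empty list means the system can be configured to comply; anything
    else needs reconfiguration or an additional interface standard."""
    gaps = {}
    for name, caps in inventory.items():
        missing = []
        if caps["max_length"] < standard.min_length:
            missing.append("min_length")
        if not caps["enforces_classes"]:
            missing.append("character classes")
        if not caps["enforces_history"]:
            missing.append("history")
        gaps[name] = missing
    return gaps


if __name__ == "__main__":
    print(check_password("password1", []))
    for system, missing in gap_analysis(SYSTEM_INVENTORY).items():
        print(system, "->", missing or "compliant")
```

The useful output here is the gap report: a system whose password field is capped at 8 characters cannot meet a 12-character minimum no matter how it is configured, which is exactly the case where the text says a separate standard for that interface is needed.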
After creating the policy, standards, and procedures, the text considers
guidelines. The material on page 244 may puzzle the reader. The bullet
points on that page are not guidelines, because they can and should
be required. Guidelines are not requirements, they are recommendations.
Why have guidelines at all? There are two reasons you should know about.
One is that we should recognize that you cannot control every
behavior. We can recommend that users take measures to prevent shoulder
surfing, but we cannot manage that with access controls. We have to tell
people what the best choices are, where they have choices, and hope they
make good ones. Another reason is that we can use guidelines as pilot
concepts. We may not have support from upper management for a particular
idea, but we can present that idea in a guideline, gather data from people
who carry it out and people who do not, and present our findings to management.
This may lead to a new standard being adopted, or it may show that the
new idea is not worth using as a standard.
Multilayer Access Controls
Let's move to page 247, which discusses placing your access controls
at several points. Several concepts are reviewed:
- Grant permissions to users as needed, but use roles
and groups where possible to make granting rights easier to manage.
- The text addresses software installation rights on page 248, which
are usually tightly managed in enterprise environments. The examples
shown on that page and the next are restrictions that should be applied
to the group most users belong to, but not the group your administrator
and technicians belong to. Note that Active Directory, in these examples,
is being set to allow DLL downloads. You may have seen more information
about this concept in a Microsoft class. If not, follow this
link to a Microsoft document about Software Restriction Policies.
Note that the instructions in the document for workstations have not
been updated to show the changes in Windows 10, but they should match
your Windows 7 computers in the classroom.
- The text also describes rights to general files and files in databases.
Three database-related roles are listed on page 251.
- Access controls for general employees are considered for a couple
of pages, followed by more painful material. Let's stop here for a while.
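The first bullet above recommends granting rights through roles and groups rather than to individual users, and the software-installation bullet describes a right that belongs to the technicians' group but not to the group most users are in. The following is an added example, not code from the textbook, that models this with nested groups resolved the way Active Directory resolves them, so that a user's effective rights come entirely from group membership. The group names, user names and rights are constructed for illustration.

```python
# Added example (not from the textbook): rights attached to groups, with
# nested membership resolved at check time. Groups, users and right names
# are constructed assumptions.
from collections import deque

# Group -> groups it is itself a member of (nesting, as in Active Directory).
GROUP_PARENTS = {
    "Domain Users": [],
    "Technicians": ["Domain Users"],
    "Administrators": ["Technicians"],
    "DB Readers": ["Domain Users"],
    "DB Writers": ["DB Readers"],
}

# Rights are attached to groups, never directly to users.
GROUP_RIGHTS = {
    "Domain Users": {"logon", "read_shared_files"},
    "Technicians": {"install_software"},
    "Administrators": {"manage_policy"},
    "DB Readers": {"db_select"},
    "DB Writers": {"db_insert", "db_update"},
}

# Direct memberships only; everything else is inherited through nesting.
USER_GROUPS = {
    "alice": ["Domain Users"],
    "bob": ["Technicians"],
    "carol": ["DB Writers"],
    "dave": ["Administrators"],
}


def effective_groups(user: str) -> set:
    """Resolve direct and nested membership with a breadth-first walk.
    The `seen` set makes the walk safe even if groups nest in a cycle."""
    seen = set()
    queue = deque(USER_GROUPS.get(user, []))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(GROUP_PARENTS.get(group, []))
    return seen


def effective_rights(user: str) -> set:
    """Union of the rights of every group the user belongs to, nested or not."""
    rights = set()
    for group in effective_groups(user):
        rights |= GROUP_RIGHTS.get(group, set())
    return rights


def is_allowed(user: str, right: str) -> bool:
    """Access decision: the user holds the right only via some group."""
    return right in effective_rights(user)


def who_has(right: str) -> list:
    """Review helper: every user who ends up with a given right. Useful for
    confirming that a sensitive right stays with the intended groups."""
    return sorted(u for u in USER_GROUPS if is_allowed(u, right))


if __name__ == "__main__":
    for user in USER_GROUPS:
        print(user, sorted(effective_rights(user)))
    print("install_software:", who_has("install_software"))
```

Because rights live on groups, moving a user from Technicians to Domain Users removes the installation right with a single membership change, and the `who_has` review shows at a glance whether a right has leaked beyond the groups it was meant for.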