
Tuesday, May 15, 2018

Domain 5 (Part 2)

# Logical Access Control

Four main categories of access control are:

Mandatory access control (MAC) - Access is decided by labels and rules set centrally by the security administrator; it cannot be changed by normal users or by the data owners.
Discretionary access control (DAC) - Access is granted or modified by the data owner at their own discretion.
Role-based access control (RBAC) - Access is attached to roles (job functions) and users inherit it through the roles they hold.
Rule-based access control - Access is decided by rules (for example time of day or source address) that apply to all subjects.

- MAC is the better choice in terms of data security compared to DAC, because a data owner cannot weaken it by granting access.

Steps for implementing logical access controls:
- Inventory of IS resources.
- Classification of IS resources.
- Grouping/labelling of IS resources.
- Creation of an access control list.

# The first step in data classification is to identify the owner of the data/application.
# An automated password management tool is the best preventive control for ensuring compliance with the password management policy.
# Preference is to be given to preventive controls over detective or deterrent controls.
# Preference is to be given to automated controls over manual controls.
# The prime objective of a review of logical access controls is to ensure that access has been assigned in line with the organisation's authorization.


# Logical steps for data classification:
- Inventory of Information Assets.
- Establish ownership.
- Classification of IS resources.
- Labelling of IS resources.
- Creation of access control list.
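The steps above, carried through in code as an added example (not from the original notes): a small inventory is classified and labelled, the data owner builds the ACL (DAC), and a central classification check (MAC) sits on top so that an owner's grant cannot override the label. Resource names, subjects and classification levels are constructed for the example.

```python
"""Added toy model of the inventory -> classify -> label -> ACL steps, with a
MAC label check layered over a DAC (owner-granted) ACL. All names constructed."""
from dataclasses import dataclass, field

# Ordered classification levels (constructed for the example).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass
class Resource:
    name: str
    owner: str                       # step 2: ownership established
    label: str                       # step 3: classification label assigned
    acl: set = field(default_factory=set)   # step 4: DAC list, owner-controlled


@dataclass
class Subject:
    name: str
    clearance: str                   # MAC attribute, set centrally, not by owners


def grant(resource: Resource, granting_user: str, subject: str) -> None:
    """DAC: only the data owner may modify the ACL."""
    if granting_user != resource.owner:
        raise PermissionError(f"{granting_user} is not the owner of {resource.name}")
    resource.acl.add(subject)


def mac_allows(subject: Subject, resource: Resource) -> bool:
    """MAC: simple 'no read up' rule on classification labels."""
    return LEVELS[subject.clearance] >= LEVELS[resource.label]


def dac_allows(subject: Subject, resource: Resource) -> bool:
    return subject.name == resource.owner or subject.name in resource.acl


def can_read(subject: Subject, resource: Resource) -> bool:
    """Both layers must agree: an owner's grant cannot override the label."""
    return mac_allows(subject, resource) and dac_allows(subject, resource)


def build_inventory() -> dict:
    """Step 1: inventory of IS resources, then ownership, label and ACL."""
    inventory = {
        "payroll.xlsx": Resource("payroll.xlsx", owner="hr_lead", label="confidential"),
        "menu.pdf": Resource("menu.pdf", owner="facilities", label="public"),
    }
    grant(inventory["payroll.xlsx"], "hr_lead", "auditor")
    grant(inventory["payroll.xlsx"], "hr_lead", "intern")   # DAC grant, MAC will still deny
    return inventory


def review_access(subjects: list, inventory: dict) -> dict:
    """Access review: the effective access matrix (who can actually read what)."""
    return {
        s.name: sorted(r for r in inventory if can_read(s, inventory[r]))
        for s in subjects
    }


if __name__ == "__main__":
    inv = build_inventory()
    users = [Subject("hr_lead", "restricted"), Subject("auditor", "confidential"),
             Subject("intern", "internal")]
    print(review_access(users, inv))
```

The review_access output is the artefact an auditor compares against the organisation's authorizations: the intern appears on the payroll ACL (an owner's discretionary grant) but gains no access, because the mandatory label check is not the owner's to relax.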

# Data owner/system owner is ultimately responsible for defining the access rules.
# Accountability for the maintenance of proper security controls over information assets resides with the data owner/system owner.
# The greatest benefit of a well-defined data classification policy is a decreased cost of control (protection effort matches the value of the data).

# Objective of data protection/ classification of information assets:
- Ensure integrity/confidentiality of data
- Establish appropriate access control guidelines.
- Reduction in cost of protecting assets.

# Data classification must take into account the following requirements:
- Legal/Regulatory/Contractual
- Confidentiality
- Integrity
- Availability

# Asymmetric Encryption
- For confidentiality, the message has to be encrypted using the receiver's public key (only the receiver's private key can decrypt it).
- For authentication, a HASH of the message is created and the HASH is encrypted using the sender's private key; this is a digital signature. The hash is also known as a message digest.
- For integrity, the same HASH of the message is created and encrypted using the sender's private key; the receiver recomputes the hash and compares it with the one recovered from the signature.

# To ensure 'confidentiality & authentication':
- Hash of the message to be encrypted using the sender's private key (to ensure authentication/non-repudiation)
- Message to be encrypted using the receiver's public key (to ensure confidentiality)

# To ensure 'confidentiality & authentication & integrity':
- Message to be encrypted using the receiver's public key (to ensure confidentiality)
- Hash of the message to be encrypted using the sender's private key (to ensure authentication/non-repudiation and integrity)

# The sender's private key will not ensure confidentiality: anyone holding the sender's public key can reverse that operation.

A public key infrastructure (PKI) - A set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates.

Use of PKI (Public Key Infrastructure) :
         Step 1: Encrypt the message by symmetric key
         Step 2: Encrypt the above symmetric key using public key of receiver.
         Step 3: Send 'encrypted message' and 'encrypted symmetric key' to receiver.
         Step 4: Receiver will decrypt 'symmetric key' using private key of receiver.
         Step 5: With the help of above 'symmetric Key' receiver can decrypt the message.

# Encrypting only the symmetric session key with the receiver's public key (hybrid encryption) is considered the efficient use of PKI: the slow asymmetric operation is done once on a short key, and the fast symmetric cipher handles the bulk of the message.
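The asymmetric rules above and the five-step hybrid exchange, worked through as an added example that is not part of the original notes. It uses textbook RSA with no padding, SHA-256 as the message digest, and a toy XOR keystream as the "symmetric key" cipher; the key pairs are built from fixed Mersenne primes purely so the script runs offline and deterministically. It is an illustration of the flow, not a usable cipher.

```python
"""Added toy example: textbook RSA signatures and hybrid (session-key)
encryption. Fixed Mersenne primes, no padding, toy stream cipher: for
illustrating the exchange only, never for real data."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int


@dataclass(frozen=True)
class KeyPair:
    n: int
    e: int
    d: int

    def public(self) -> PublicKey:
        return PublicKey(self.n, self.e)


def make_keypair(p: int, q: int, e: int = 65537) -> KeyPair:
    """RSA key from two primes; d is the inverse of e modulo phi(n)."""
    phi = (p - 1) * (q - 1)
    return KeyPair(n=p * q, e=e, d=pow(e, -1, phi))


def rsa_public(pub: PublicKey, m: int) -> int:
    return pow(m, pub.e, pub.n)


def rsa_private(kp: KeyPair, c: int) -> int:
    return pow(c, kp.d, kp.n)


def digest(msg: bytes) -> int:
    """Message digest as an integer (256 bits, so always below n here)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def sign(sender: KeyPair, msg: bytes) -> int:
    """Authentication/integrity: hash, then 'encrypt' the hash with the sender's private key."""
    return rsa_private(sender, digest(msg))


def verify(sender_pub: PublicKey, msg: bytes, sig: int) -> bool:
    """Anyone with the public key recovers the digest, so a signature gives
    no confidentiality; it only proves origin and integrity."""
    return rsa_public(sender_pub, sig) == digest(msg)


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256 counter keystream (constructed)."""
    stream = b"".join(
        hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        for i in range(len(data) // 32 + 1)
    )
    return bytes(a ^ b for a, b in zip(data, stream))


def hybrid_send(sender: KeyPair, receiver_pub: PublicKey, msg: bytes, session_key: bytes):
    ciphertext = stream_xor(session_key, msg)                                   # step 1
    wrapped_key = rsa_public(receiver_pub, int.from_bytes(session_key, "big"))  # step 2
    signature = sign(sender, msg)                                               # authentication
    return ciphertext, wrapped_key, signature                                   # step 3


def hybrid_receive(receiver: KeyPair, sender_pub: PublicKey, ciphertext, wrapped_key, signature):
    session_key = rsa_private(receiver, wrapped_key).to_bytes(32, "big")  # step 4
    msg = stream_xor(session_key, ciphertext)                              # step 5
    return msg, verify(sender_pub, msg, signature)


# Constructed keys: Mersenne primes, used only because they are known primes.
SENDER = make_keypair((1 << 521) - 1, (1 << 127) - 1)
RECEIVER = make_keypair((1 << 607) - 1, (1 << 107) - 1)


def demo(msg: bytes = b"pay 100 to account 42", session_key: bytes = bytes(range(32))):
    ct, wk, sig = hybrid_send(SENDER, RECEIVER.public(), msg, session_key)
    return hybrid_receive(RECEIVER, SENDER.public(), ct, wk, sig)


if __name__ == "__main__":
    print(demo())
```

Flipping one byte of the ciphertext still decrypts (a stream cipher has no integrity of its own) but the recomputed digest no longer matches the one recovered from the signature, which is the integrity property the notes attribute to the signed hash. Real implementations add padding (OAEP for the key wrap, PSS for the signature) and an authenticated symmetric cipher; the structure of the exchange is the same.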

# Symmetric key cryptographic system - The best-known example is the Data Encryption Standard (DES).
DES - A 64-bit key of which 56 bits are used to encrypt/decrypt and 8 bits are used for parity checking; the 56-bit key is too short for today's hardware.
AES - DES has been replaced by AES, a public algorithm that supports keys of 128, 192 or 256 bits.

# Elements of PKI
Certifying authority (CA) is solely responsible for issuing digital certificates and managing each certificate throughout its life cycle.
Registration authority (RA) is responsible for identifying and authenticating subscribers, but does not sign or issue certificates.
Digital certificate - Composed of the public key and information about the owner of that public key, signed by the CA.

# The time gap between updates of the CRL (certificate revocation list) is critical and poses a risk in certificate verification: a certificate revoked after the current CRL was published still verifies as valid until the next CRL is issued.

# Process involved in PKI: 
- The applicant applies for a digital certificate from the Certifying Authority (CA).
- The Certifying Authority (CA) delegates verification of the information supplied by the applicant to the Registration Authority (RA).
- The Registration Authority (RA) validates the information and, if it is correct, instructs the Certifying Authority (CA) to issue the certificate.
- The Certifying Authority issues the certificate and manages it through its life cycle.
- The Certifying Authority (CA) maintains a list of certificates that have been revoked/terminated before their expiry date. This list is known as the certificate revocation list (CRL).
- The Certifying Authority (CA) also publishes a Certification Practice Statement (CPS), in which the standard operating procedure (SOP) for issuing certificates and other relevant details are documented.
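A revocation check against a CRL, as an added example not taken from the original notes, showing the time-gap risk concretely: the same certificate reads as valid with the CRL published before its revocation and as revoked once a fresh CRL is issued, and a CRL past its nextUpdate is treated as unknown (hard fail) rather than silently trusted. The certificate, CRL and dates are constructed; real code would parse the X.509 certificate and CRL (for example with openssl) instead of using these records.

```python
"""Added example: certificate status from a CRL, including the window between
revocation and CRL publication, and stale-CRL handling. Records constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Certificate:
    serial: int
    issuer: str
    not_before: datetime
    not_after: datetime


@dataclass
class CRL:
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: dict = field(default_factory=dict)   # serial -> revocation time


def check_status(cert: Certificate, crl: CRL, now: datetime, hard_fail: bool = True) -> str:
    """Return 'good', 'revoked', 'expired', 'not_yet_valid' or 'unknown'."""
    if now < cert.not_before:
        return "not_yet_valid"
    if now > cert.not_after:
        return "expired"
    if crl.issuer != cert.issuer:
        return "unknown"                      # this CRL cannot speak for the cert
    if now > crl.next_update:
        # Stale CRL: a soft-fail policy accepts the cert, which is the risk.
        return "unknown" if hard_fail else "good"
    return "revoked" if cert.serial in crl.revoked else "good"


def issue_crl(issuer: str, revocations: dict, at: datetime,
              validity: timedelta = timedelta(days=7)) -> CRL:
    return CRL(issuer, this_update=at, next_update=at + validity, revoked=dict(revocations))


# Constructed scenario: weekly CRL, cert revoked one day after the CRL was cut.
T0 = datetime(2018, 5, 1, tzinfo=timezone.utc)
CA = "CN=Example Issuing CA"
CERT = Certificate(serial=4242, issuer=CA,
                   not_before=T0 - timedelta(days=30), not_after=T0 + timedelta(days=335))


def scenario() -> dict:
    old_crl = issue_crl(CA, {}, at=T0)
    revoked_at = T0 + timedelta(days=1)
    fresh_crl = issue_crl(CA, {4242: revoked_at}, at=revoked_at)
    check_time = revoked_at + timedelta(days=1)
    return {
        "old_crl_after_revocation": check_status(CERT, old_crl, check_time),
        "fresh_crl": check_status(CERT, fresh_crl, check_time),
        "stale_crl_hard_fail": check_status(CERT, old_crl, T0 + timedelta(days=8)),
        "stale_crl_soft_fail": check_status(CERT, old_crl, T0 + timedelta(days=8), hard_fail=False),
    }


if __name__ == "__main__":
    for case, status in scenario().items():
        print(f"{case}: {status}")
```

The first result is the gap the notes warn about: with only the older CRL in hand the relying party accepts a certificate the CA has already revoked. Shortening the CRL interval, or using an online status check, narrows that window; refusing to trust a CRL past its nextUpdate closes the second hole.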
