IDENTITY AND ACCESS MANAGEMENT

CHAPTER 4 - PART 1 - SECTION A

SYSTEM ACCESS PERMISSION AND PHYSICAL
TOPICS COVERED
ACCESS CONTROLS:
● Introduction
● System Access Permission
SYSTEM ACCESS PERMISSION
● Mandatory and Discretionary Access Controls
● Logical Access ● Prerogative to act on a computer resource
○ Usually refers to a technical privilege, such
INTRODUCTION as the ability to read, create, modify or
delete a file or data; execute a program; or
open or use an external connection.
IDENTIFICATION AND AUTHENTICATION (I&A) ● System access at the physical and/or logical
● is a critical building block of computer level
security because: ○ System access to computerized
○ it is needed for most types of access information resources is established,
controls and; managed and controlled at the physical
○ is necessary for establishing user and/or logical level.
accountability.
● I&A is the first line of defense
○ It prevents unauthorized access (or Examples of System Access
unauthorized processes) to a computer Permission/Technical Privilege
system or an information asset. a) the ability to read, create, modify or delete
a file or data
LOGICAL ACCESS b) execute a program
● Can be implemented in various ways c) open or use an external connection
● IS auditor: should be aware of the strengths
and weaknesses of various architectures as Examples of Types of Physical Access Controls
well as risk associated with the different 1) badges (or IDs)
architectures and how they may be addressed. 2) memory cards
● Logical access controls: used to manage and 3) guard keys
protect information assets 4) true floor-to-ceiling wall construction fences
● Logical security: often determined based on 5) locks
the job function of users. 6) biometrics
● Success linked to the strength of the
authentication method
PHYSICAL ACCESS CONTROLS
○ The success of logical access controls is
● Restrict the entry and exit of personnel to an
tied to the strength of the authentication
method. area such as an office building, suite, data
center or room containing information
● Appropriate authorization and access
processing equipment such as a LAN server.
matching to role are necessary
○ All users' access to systems and data
should be appropriately authorized and RECITATION QUESTION #1:
commensurate with the role of the
individual. QUESTION: Give type of physical access controls
● Authorization in the form of signatures Answer:
○ Authorization: generally takes the form of ● badges
signatures (physical or electronic) of ● memory cards
relevant management. ● guard keys
● Strength = Quality ● true floor-to-ceiling wall construction
○ The strength of the authentication is fences
proportional to the quality of the method ● locks
used. ● biometrics

SYSTEM ACCESS PERMISSION LOGICAL SYSTEM ACCESS CONTROLS

● Logical system access controls: restrict the
logical resources of the system (transactions,

1
 Chapter 4: Identity and Access Management Part 1 - Section A

data, programs, applications) and are applied ● Organizations should establish such basic
when the subject resource is needed. criteria for assigning technical access to
● How to determine if access is to be allowed specific data, programs, devices and resources,
(i.e., the information that users can access, the including who will have access and what level
programs or transactions that they can run, of access they will
and the modifications that they can make): ● Example: access to information in the daily
a) Based on the identification and calendar of meetings
authentication of the user that requires a ○ It may be desirable for everyone in the
given resource organization to have access to specific
b) Analyzing the security profile of the user information on the system such as the
and resource data displayed on an organization’s daily
● Such controls may be built into the operating calendar of meetings.
system (OS), invoked through separate ● The program that formats and displays the
access control software and incorporated calendar might be modifiable by only a few
into application programs, database, network system administrators, while the OS
control devices and utilities (e.g., real-time controlling that program might be directly
performance Logical system access controls: accessible by still fewer.
built into the OS, invoked through access
control software, incorporated into programs,
FOUR LAYERS OF IT ASSETS UNDER
databases, network control devices and utilities
LOGICAL SECURITY
(e.g., real-time performance monitors).
1. Networks
2. Platforms
Logical Resources of the System 3. Databases
1) transactions 4. Applications
2) data
3) programs ● Layered security: provides greater scope and
4) applications granularity of control to information
resources.
Examples of Access Requests to System ● Example: Network and platform layers:
a) access on the information that users can Provide pervasive general systems control
access over users authenticating into systems,
b) access on the programs or transactions that system software and application
users can run configurations, data sets, load libraries, and
c) access on the modifications that users can any production data set libraries.
make ● Database and application controls: provide
a greater degree of control over user activity
PHYSICAL AND LOGICAL SYSTEM ACCESS within a particular business process by
● Physical or logical system access (to any controlling access to records, specific data
computerized information): should be on a fields and transactions.
documented need-to-know basis; least
privilege RECITATION QUESTION #2:
○ Need-to-know basis: often referred to as Question: What are the layers of logical security
role-based where there is a legitimate over the IT assets? (provide at least one answer)
business requirement based on least Answer:
privilege. ● Network layer
● Other considerations for granting access: ● Platform layer
accountability (e.g., unique user ID) and ● Database layer
traceability (e.g., logs) ● Application layer
● IS auditor to evaluate appropriateness of
criteria
○ These principles should be used by IS INFORMATION OWNER OR MANAGER
auditors when they evaluate the ● is responsible for the accurate use and
appropriateness of criteria for defining reporting of information
permissions and granting security
privileges.

2
 Chapter 4: Identity and Access Management Part 1 - Section A

● should provide written authorization for
users or defined roles to gain access to
information resources under their control.
● Manager: should handover this
documentation directly to the security
administrator to ensure that mishandling or
alteration of the authorization does not occur.
LOGICAL ACCESS CAPABILITIES
● Logical access capabilities: are implemented
by security administration in a set of access
rules that stipulate which users (or groups of
users) are authorized to access a resource at
a particular level (e.g., read-, update- or
execute-only) and under which conditions
(e.g., time of the day or a subset of computer
terminals).
● Security administrator: invokes the
appropriate system access control mechanism
upon receipt of a proper authorization request
from the information owner or manager to
grant a specified user the rights for access to,
or use of, a protected resource.
● IS auditor: should be aware that access is
granted to the organization’s information
systems using the principles of need-to-know,
least privilege and SoD.
Relevant Principles on Logical Access to
System
a) need-to-know (role-based)
b) principle of least privilege (POLP)
c) segregation of duties
Principle of Least Privilege (POLP)
● Limiting access rights to minimum
permissions (needed to do work/task)
● Least amount of privilege necessary
REVIEW OF ACCESS AUTHORIZATION
● Should be evaluated regularly to ensure that
they are still valid.
● Personnel and departmental changes,
malicious efforts, and just plain
carelessness: result in authorization creep
and can impact the effectiveness of access
controls.
● Increase in risk when access is not removed
whenever a personnel leaves the organization
○ Many times, access is not removed when
personnel leave an organization, thus
increasing the risk of unauthorized access.
● Need for periodic review of access control
based on authorization matrix
○ Information asset owners: should review
access controls periodically with a
predetermined authorization matrix
that defines the least-privileged access
level and authority for an individual/role
with reference to his/her job roles and
responsibilities.
● Need to update access, if there is excess
access
○ Any access exceeding the access
philosophy in authorized matrix or in
actual access levels granted on a system
should be updated and changed
accordingly.
● One of the good practices: to integrate the
review of access rights with human resource
processes.
● When an employee transfers to a different
function (i.e., promotions, lateral transfers or
demotions), access rights are adjusted at
the same time.
● Development of a security-conscious culture
increases the effectiveness of access controls.
Causes/Reasons for Access Authorization
Problems (which can impact effectiveness of
access controls)
1) personnel and departmental changes
2) malicious efforts
3) plain carelessness
NONEMPLOYEES
● Nonemployees with access to corporate IS
resources should also be held responsible for
security compliance and be accountable for
security breaches.
RECITATION QUESTION #3:
Question: When should the security
administrator invoke the appropriate system
access control mechanism?
Answer: Upon the receipt of a proper
authorization request from the information
owner or manager
WHO ARE THE NON-EMPLOYEES?
● include contract employees, vendor
programmers/analysts, maintenance
personnel, clients, auditors, visitors and
consultants.
● It should be understood that nonemployees
are also accountable to the organization’s
security requirements.

3
 Chapter 4: Identity and Access Management Part 1 - Section A
MANDATORY AND DISCRETIONARY ACCESS
CONTROLS
MANDATORY ACCESS CONTROLS (MACS)
● are logical access control filters used to
validate access credentials that cannot be
controlled or modified by normal users or
data owners; they act by default.
● good choice to enforce a ground level of
critical security without possible exception, if
this is required by corporate security policies
or other security rules.
● could be carried out by comparing the
sensitivity of the information resources,
such as files, data or storage devices, kept on
a user-unmodifiable tag attached to the
INTRODUCTION
security object with the security clearance of
the accessing entity such as a user or an
application.
● Only administrators make decisions
○ Only an administrator may change the
category of a resource, and no one may
grant a right of access that is explicitly
forbidden in the access control policy.
● Prohibitive; anything that is not expressly
permitted is forbidden.
DISCRETIONARY ACCESS CONTROLS (DACS)
● controls that may be configured/modified by
users or data owners
● are a protection that may be activated or
modified at the discretion of the data owner.
● data owner-defined sharing of information
resources: where the data owner may select
who will be enabled to access his/her
resource and the security level of this access.
● Cannot override MACs
● act as an additional filter, prohibiting still
more access with the same exclusionary
principle.
RECITATION QUESTION #4:
Question: What characteristic of MACs states
that anything that is not expressly permitted is
forbidden?
Answer: prohibitive
❖ When information systems enforce MAC
policies, the systems must distinguish
between MAC and the discretionary policies
that offer more flexibility.
➢ This distinction must be ensured during
object creation, classification
downgrading and labeling.
Mandatory Access Control (MAC)
● access control only managed by the
administrator;
● cannot be changed/modified by normal
users
Discretionary Access Control (DAC)
● access control which user has complete
control over the program he/she owns;
● called as a “need-to-know” access model
LOGICAL ACCESS
● Logical access: ability to interact with
computer resources granted using
identification, authentication and
authorization.
● Logical access controls: primary means used
to manage and protect information assets.
○ Enact and substantiate
management-designed policies and
procedures intended to protect these
assets and the controls are designed to
reduce risk to a level acceptable to an
organization.
● IS auditor: need to understand the
relationship and should be able to analyze
and evaluate the effectiveness of a logical
access control in accomplishing information
security objectives and avoiding losses
resulting from exposures.
● Exposures can result in minor inconveniences
to a total shutdown of computer functions.
RECITATION QUESTION #5:
Question: Discretionary access controls (DACs)
are a protection that may be activated or
modified at the discretion of the _________.
Answer: data owners
Logical access controls enact and substantiate:
a) management-designed policies and
procedures intended to protect these assets
b) the controls that are designed to reduce
risk to a level acceptable to an organization
IS auditors should be able to analyze and
evaluate the effectiveness of a logical access
4
 Chapter 4: Identity and Access Management Part 1 - Section A
control in:
1) accomplishing information security
objectives
2) avoiding losses resulting from exposures
LOGICAL ACCESS EXPOSURES
● Technical exposures: are one type of
exposure that exists due to accidental or
intentional exploitation of logical access
control weaknesses.
● Intentional exploitation of technical
exposures might lead to computer crime.
● Not all computer crimes exploit technical
exposures.
● Technical exposures: are the unauthorized
activities interfering with normal processing,
such as:
○ implementation or modification of data
and software
○ locking or misusing user services
○ destroying data
○ compromising system usability
○ distracting processing resources, or
○ spying data flow or users’ activities at
either the network, platform (OS),
database or application level.
TECHNICAL EXPOSURES INCLUDE
A. DATA LEAKAGE
● Siphoning or leaking information out of
computer; leaves original copy hence may go
undetected
● This can involve dumping files to paper or can
be as simple as stealing computer reports and
tapes.
Siphoning - the process of transferring over a
period of time, especially illegally or unfairly
B. COMPUTER SHUTDOWN
● Initiated through terminals or personal
computers connected directly (online) or
remotely (via the Internet) to the computer.
● Only individuals who know a high-level logon
ID usually can initiate the shutdown process,
but this security measure is effective only if
proper security access controls are in place for
the high-level logon ID and the
telecommunications connections into the
computer.
● Some systems have proven to be vulnerable
to shutting themselves down under certain
conditions of overload.
FAMILIARIZATION WITH THE ENTERPRISE’S
IT ENVIRONMENT
● IT auditors should gain first understanding of
the IT environment
○ The purpose of this is to determine which
areas from a risk standpoint warrant IS
auditing attention for planning current and
future work.
● Understanding includes review of the network,
OS platform, database, and application
security layers associated with the
organization’s IT information systems
architecture.
RECITATION QUESTION #6:
Question: Who can usually initiate the shutdown
process?
Answer: individuals who know a high-level logon
ID
PATHS OF LOGICAL ACCESS - INTRODUCTION
● Access points can be gained through several
avenues.
○ Each avenue is subject to appropriate
levels of access security.
● Direct path of access (such as a PC terminal
user tying directly into a mainframe): under
direct control of main system; users are locally
known, with well-defined access profiles
● Direct access to LAN: more complex; IS
resources have different access path/levels,
normally mediated through LAN connectivity,
and the network itself is considered an
important IS resource at a higher access level.
● Most common configuration: combination of
direct, local network and remote access paths
is the most common configuration
● Increase in complexity: by several
intermediate devices that act as security
doors among the various environments
● Access path through common nodes:
back-end or front-end interconnected network
of systems for internally or externally based
users.
● Front-end systems: network-based system
that connects an organization to outside,
untrusted networks, such as corporate
websites, where a customer can access the
website externally to initiate transactions that
connect to a proxy server application which in
5
 Chapter 4: Identity and Access Management Part 1 - Section A
turn connects to a back-end database system
to update a customer database.
○ can also be internally based to automate
business, paperless processes that tie into
back-end systems in a similar manner
Complexity is increased by several intermediate
devices that act as security doors among the
various environments.
The need of crossing low-security or totally
open IT spaces, such as the Internet, also
necessitates increased complexity.
Front-end systems are network-based systems
connecting an organization to outside, untrusted
networks, such as corporate websites, where a
customer can access the website externally to
initiate transactions that connect to a proxy
server application which in turn connects to a
back-end database system to update a customer
database.
In computer networking, a proxy server is a
system or router that gives a gateway between
users and the internet.
● Therefore, it assists in preventing cyber
attackers from entering a private network.
● It is a server, referred to as an
“intermediary” (between the the clients or
requester looking/requesting for resources
and the servers that provide those
resources) because it goes in-between the
end-users and the web pages they visit
online.
● A proxy server thus functions on behalf of
the client when requesting service,
potentially hiding the true origin of the
request to the resource server.
Back-end systems are related with databases
and data processing elements.
Hence, the purpose of a back-end system is to
start the operating system's programs to
respond to front-end system requests and
operations.
● To put it in another way, the back-end
system executes actions or responses to
what the front end has started or initiated.
PATHS OF LOGICAL ACCESS - GENERAL POINTS
OF ENTRY
● General points of entry control the access
from an organization’s infrastructure to its
information resources
● Based on client-server model
● A large organization can have thousands of
interconnected network servers.
● Connectivity should be controlled through a
smaller set of primary domain controllers
(servers), which enable a user to obtain access
to specific secondary points of entry (e.g.,
application servers and databases).
RECITATION QUESTION #7:
Question: What is the most common
configurations of paths of logical access?
Answer: A combination of direct access path,
local network access path and remote access
path
Examples of Information Resources
a) applications
b) databases
c) facilities
d) networks
The client-server model illustrates how a server
gives resources and services to one or more
clients. Examples of servers consist of mail
servers, web servers, and file servers.
Each of the servers provides resources to client
devices, such as laptops, desktop computers,
smartphones and tablets. Most of the servers
have a one-to-many relationship with clients,
which means a single server can provide
6
 Chapter 4: Identity and Access Management Part 1 - Section A
resources to many clients at one time.
Connectivity in this client-server environment
needs to be controlled through a smaller set of
primary domain controllers (servers), which
enable a user to obtain access to specific
secondary points of entry (e.g., application
servers and databases).
GENERAL MODES OF ACCESS OCCUR THROUGH:
1) NETWORK CONNECTIVITY
● Linking PC to an organization’s network
infrastructure, either through a physical or a
wireless connection.
● Access requires user identification and
authentication to a domain-controlling server.
● More specific access requires more particular
authentication
● Other modes of access through network
management devices, such as routers and
firewalls, which should be strictly controlled.
At a minimum, access requires user identification
and authentication to a domain-controlling
server. More specific access to a particular
application or database may also require the
users to identify and authenticate themselves to
that particular server (secondary point of entry).
Domain-controlling server or domain
controller:
Application and database servers:
2) REMOTE ACCESS
● Requires authentication to the server to
perform functions remotely
○ A user connects remotely to an
organization’s server, which generally
requires the user to identify and
authenticate him/herself to the server
for access to specific functions that can
be performed remotely (e.g., email, File
Transfer Protocol [FTP] or some
application-specific function).
● Complete access requires virtual private
network (VPN), which allows a secure
authentication and connection into those
resources where privileges have been granted.
● Can be extensive and should be centrally
controlled
Examples of Specific Functions that Can be
Done Remotely
1) email function
2) file transfer protocol (FTP) function
3) application-specific function
File Transfer Protocol (FTP) is a client/server
protocol or rule used for transferring files to or
from a host computer. FTP can be authenticated
with usernames and passwords.
Complete access to view all network resources
usually requires a virtual private network (VPN),
which allows a secure authentication and
connection into those resources where privileges
have been granted.
Virtual private network (VPN) is an encrypted
connection over a public infrastructure, like the
Internet, from a device to a network. The
encrypted connection helps in ensuring that
sensitive or confidential data is transmitted safely.
It stops unauthorized people from eavesdropping
or spying on the traffic and permits the user to
7
 Chapter 4: Identity and Access Management Part 1 - Section A

perform work remotely. VPN technology is

commonly used in corporate environments.

● Organization should know all the points of

entry into the information resource
infrastructure which, in many organizations,
will not be a trivial task (e.g., thousands of
remote access users).
● Not controlled point of entry can compromise
security of an organization’s sensitive and
critical information resources.
● IS auditors should determine if all points of
entry are known and should support
management’s effort to identify all access
paths

RECITATION QUESTION #8:

Question: What is an example of network
management devices?
Answer:
1) Routers
2) Firewalls

When performing detailed network

assessments and access control reviews, IS
auditors:
1) should determine whether all points of entry
are known;
2) should support management’s effort in
obtaining the resources to identify and
manage all access paths