Data Database Data Access Control

The document discusses various topics related to data management including the increasing amount of data from multiple sources, database management systems, database users and interfaces, data access control models, and guidelines for user identity and access management, credential management, privileged access management, and input control.

Uploaded by

Meraj Talukder

Data, Database, Data Access Control, Password Policy and Authentication Methods

Md. Foysal Hasan
Assistant Professor
Bangladesh Institute of Bank Management
The Difficulties of Managing Data
• Amount of data increases exponentially with time.
• Data are scattered throughout organizations, and they are collected by many individuals using various methods and devices.
• Data are generated from multiple sources.
• Data are also subject to data rot. Data rot refers primarily to problems with the media on which the data are stored.
• Data security, quality, and integrity are critical, yet they are easily jeopardized.
• Companies are drowning in data, much of which is unstructured.
Database and DBMS
• A database is a well-designed, organized, and carefully managed collection of data. Like other components of an information system, a database should help an organization achieve its goals.
• A database management system (DBMS) consists of a group of programs that manipulate the database and provide an interface between the database and its users and other application programs.
Some Popular DBMS
1. Oracle
2. SQL Server
3. IBM DB2
4. MySQL
5. Teradata
6. Informix
Database users and user interfaces (figure): Naive User, Application Programmer, Sophisticated User and Database Administrator, each accessing the database through its own interface.
ACID Properties at a Glance
Controlling Access to Assets
• Controlling access to assets is one of the central themes of security, and you’ll find that many different security controls work together to provide access control. Note that assets can be tangible or intangible.
• In addition to personnel, assets can be information, systems, devices, facilities, or applications.
The generic model of access control
Controlling Physical and Logical Access
• Physical security controls protect systems, devices, and facilities by controlling access and controlling the environment.
• A physical security control is one you can touch, such as perimeter security controls (fences, gates, guards, and turnstiles) and environmental controls such as heating, ventilation, and air-conditioning (HVAC) systems and fire suppression.
• Logical access controls are the technical controls used to protect access to information, systems, devices, and applications. They include authentication, authorization, and permissions.
The CIA Triad and Access Controls
One of the primary reasons an organization implements access control mechanisms is to prevent losses. There are three categories of IT loss: loss of confidentiality, integrity, and availability (CIA).
Managing Identification and Authentication
• Identification and authentication occur together as a single two-step process. Providing an identity is the first step, and providing the authentication information is the second step. Without both, a subject cannot gain access to a system.
• Authorization indicates who is trusted to perform specific operations. If the action is allowed, the subject is authorized; if disallowed, the subject is not authorized.
• Auditing, logging, and monitoring provide accountability by ensuring that subjects can be held accountable for their actions.
Authentication Factors Overview
There are three primary authentication factors:
• Something You Know: password
• Something You Have: DSI device
• Something You Are:
Access Control Models
• Discretionary Access Control
• Role-Based Access Control
• Rule-Based Access Control
• Attribute-Based Access Control
• Mandatory Access Control
• Risk-Based Access Control
User Identity and Access Management (Guideline on ICT Security V4, Chapter 8, Sub 8.1)
• The Organization shall define, approve and implement the identity and access management procedure to ensure the segregation of duties, including responsibilities and accountabilities.
• The Organization shall review periodically to evaluate the effectiveness of the identity and access management procedure.
• Access rights and system privileges shall be granted according to the roles and responsibilities of the official, staff, contractors and service providers.
• The Organization shall establish a user access management process to provision, change and revoke access rights to information assets. Access rights shall be authorized and approved by an appropriate authority, such as the information asset owner.
• For accountability, the Organization shall ensure user access and management activities are uniquely identified and preserve logs for audit and investigation purposes.
Credential Management (Guideline on ICT Security V4, Chapter 8, Sub 8.2)
• The Organization shall establish a strong password policy and a process to enforce password controls for users’ access to IT systems.
• The Organization shall implement authentication based on the “what you know,” “what you have,” or “who you are” principle for users with access to sensitive systems to safeguard the critical systems and data from unauthorized access.
• The Organization shall ensure that information asset owners perform periodic user access reviews to justify privileges granted to users.
• Users shall only be granted access rights on a need-to-have basis. Access rights no longer required, such as after a change in a user's job responsibilities or employment status (e.g., transfer or termination of employment), shall be revoked or disabled immediately.
• User access shall be locked after unsuccessful login attempts.
• Password controls shall include a change of password upon the first login.
Credential Management (Guideline on ICT Security V4, Chapter 8, Sub 8.2), continued
• Password length shall be at least eleven characters (in case MFA is not used), with a combination of at least three of the stated criteria: uppercase, lowercase, special characters and numbers.
• The password's maximum validity period shall not exceed the number of days permitted in the Organization's Policy (maximum 90-day cycle for internal users). For customers, an organization shall set up the validity period per organizational policy.
• The Organization may use CAPTCHA or a similar method to prevent repeated login attempts by an intruder.
• Administrative passwords of the Operating System, Database and Business Applications shall be kept in safe custody in a sealed envelope if a Privileged Access Management (PAM) solution is not used.
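As an added example, not taken from the slides, the following Python applies the Sub 8.2 password controls listed above: the eleven-character minimum when MFA is not used, at least three of the four character classes, the 90-day validity cycle, a forced change on first login, and lockout after unsuccessful attempts. The guideline states no lockout count, so the threshold of five attempts is an assumed value.

```python
import re
from datetime import date, timedelta

# Thresholds taken from the guideline text on this page (Sub 8.2): eleven
# characters when MFA is not used, at least three of the four character
# classes, and a maximum validity of 90 days for internal users.
MIN_LENGTH_WITHOUT_MFA = 11
MIN_CLASSES = 3
MAX_AGE_DAYS = 90
LOCKOUT_THRESHOLD = 5  # page requires lockout but gives no number; 5 is assumed

CLASS_PATTERNS = {"uppercase": r"[A-Z]", "lowercase": r"[a-z]",
                  "number": r"[0-9]", "special": r"[^A-Za-z0-9]"}


def check_complexity(password, mfa_enabled=False):
    """Return a list of violations; an empty list means the password passes."""
    problems = []
    if not mfa_enabled and len(password) < MIN_LENGTH_WITHOUT_MFA:
        problems.append("shorter than %d characters without MFA" % MIN_LENGTH_WITHOUT_MFA)
    present = [n for n, pat in CLASS_PATTERNS.items() if re.search(pat, password)]
    if len(present) < MIN_CLASSES:
        problems.append("only %d of %d required character classes" % (len(present), MIN_CLASSES))
    return problems


class Account:
    # Account state needed for first-login change, expiry and lockout.
    def __init__(self, user_id, password_set_on, first_login_done=False):
        self.user_id = user_id
        self.password_set_on = date.fromisoformat(password_set_on)
        self.first_login_done = first_login_done
        self.failed_attempts = 0
        self.locked = False

    def must_change_password(self, today):
        # Forced change on first login, or once the 90-day cycle has elapsed.
        age = date.fromisoformat(today) - self.password_set_on
        return not self.first_login_done or age > timedelta(days=MAX_AGE_DAYS)

    def record_login(self, success):
        # Apply the lockout rule; returns 'locked', 'failed' or 'ok'.
        if self.locked:
            return "locked"
        if not success:
            self.failed_attempts += 1
            self.locked = self.failed_attempts >= LOCKOUT_THRESHOLD
            return "locked" if self.locked else "failed"
        self.failed_attempts = 0
        self.first_login_done = True
        return "ok"
```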
Privileged Access Management (Guideline on ICT Security V4, Chapter 8, Sub 8.3)
• Implement strong authentication mechanisms
• Implement strong controls over remote access
• Restrict the number of privileged users
• Grant privileged access on a “need-to-have” basis
• Review privileged users’ activities on a timely basis
• Prohibit sharing of privileged accounts
• Disallow vendors from gaining privileged access to systems without close supervision and monitoring
Input Control (Guideline on ICT Security V4, Chapter 8, Sub 8.5)
• The session time-out period for users shall be set following the Organization's Policy.
• An audit trail with a User ID and date-time stamp shall be maintained for data insertion, deletion and modification.
• Software shall not allow the same user to be both maker and checker of the same transaction unless otherwise permitted by an appropriate authority.
• Management approval shall be in place for delegation of authority.
• Sensitive data and fields of applications shall be restricted from being accessed.
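An added example, not part of the presentation, showing how three of the Sub 8.5 input controls above can be enforced in application code: the maker-checker rule with an override only when permitted by an authority, an audit trail carrying the user ID and a date-time stamp for every insertion and modification, and masking of sensitive fields. The ledger, the field names and the `permitted_by` parameter are assumptions made for the example.

```python
from datetime import datetime, timezone

# Constructed in-memory audit trail for this example: one entry per insert,
# modify or approve, stamped with the acting user ID and a UTC date-time.
AUDIT_TRAIL = []
SENSITIVE_FIELDS = {"account_number", "national_id"}  # assumed field names


class MakerCheckerViolation(Exception):
    pass


def _audit(user_id, action, txn_id, when=None):
    stamp = when or datetime.now(timezone.utc).isoformat()
    AUDIT_TRAIL.append({"user": user_id, "action": action, "txn": txn_id, "time": stamp})


class Transaction:
    def __init__(self, txn_id, maker, payload, when=None):
        self.txn_id = txn_id
        self.maker = maker
        self.payload = payload
        self.checker = None
        self.status = "pending"
        _audit(maker, "insert", txn_id, when)

    def modify(self, user_id, payload, when=None):
        # Only pending transactions may change; every change is logged.
        if self.status != "pending":
            raise ValueError("cannot modify an approved transaction")
        self.payload = payload
        _audit(user_id, "modify", self.txn_id, when)

    def approve(self, checker, permitted_by=None, when=None):
        # Maker and checker must differ unless an appropriate authority
        # has explicitly permitted the exception (recorded as permitted_by).
        if checker == self.maker and permitted_by is None:
            raise MakerCheckerViolation("maker %s cannot check own transaction" % checker)
        self.checker = checker
        self.status = "approved"
        _audit(checker, "approve", self.txn_id, when)
        return self.status


def view(txn, user_id, authorized=False):
    # Sensitive fields are masked unless the caller is authorized to see them.
    return {k: ("***" if k in SENSITIVE_FIELDS and not authorized else v)
            for k, v in txn.payload.items()}
```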