WEBVTT

00:00:00.830 --> 00:00:04.180
Let's take a look at Access Controls Concepts,

00:00:04.190 --> 00:00:09.200
the terminology and how we look at access and define access controls.

00:00:10.170 --> 00:00:13.000
Access is based on a relationship.

00:00:13.230 --> 00:00:14.620
We have an entity,

00:00:14.620 --> 00:00:19.640
we could call it a subject which could be a person or even a process,

00:00:19.930 --> 00:00:21.810
and we have an object,

00:00:22.010 --> 00:00:28.110
the entity that is attempting to be reached, or we could say this very often,

00:00:28.110 --> 00:00:31.520
it could be something like a file, a database,

00:00:31.520 --> 00:00:35.050
a system, a network, a building, memory.

00:00:35.290 --> 00:00:38.730
All of these are objects that some subject for some

00:00:38.730 --> 00:00:40.950
reason wants to be able to access.

00:00:41.660 --> 00:00:48.870
So we have to set aside what are the rules we would use to allow that access.

00:00:49.940 --> 00:00:54.170
We put in some type of mediation device to determine whether or

00:00:54.170 --> 00:00:57.780
not that access is appropriate and should be allowed, should that

00:00:57.780 --> 00:01:00.510
person be allowed in this building, for example.

00:01:01.850 --> 00:01:06.920
The determination of whether or not the person should be granted access is

00:01:06.920 --> 00:01:10.990
really the determination and decision of the asset owner,

00:01:11.300 --> 00:01:14.650
the person who owns the system, the application,

00:01:14.780 --> 00:01:19.370
the network or the building, whatever the object is.

00:01:20.100 --> 00:01:23.300
The asset owner determines the access rules.

00:01:23.340 --> 00:01:27.150
We could put these in, for example, an access control list,

00:01:27.290 --> 00:01:31.400
a list that says what access should be granted to various

00:01:31.400 --> 00:01:35.220
subjects or entities requiring or requesting access.

00:01:37.150 --> 00:01:42.280
The mediation device will then refer to those rules to determine

00:01:42.290 --> 00:01:47.570
whether or not those subjects should be allowed that access and

00:01:47.570 --> 00:01:51.310
enforce the decision of the asset owner.

00:01:52.200 --> 00:01:54.440
It would also log that event,

00:01:54.450 --> 00:01:58.490
so we have a record of who requested access and whether or

00:01:58.490 --> 00:02:01.940
not that access was granted and perhaps what the person

00:02:01.940 --> 00:02:04.350
even did once they had access.

00:02:06.080 --> 00:02:11.810
So the key concepts looking at access control start with separation of duties.

00:02:12.410 --> 00:02:16.240
We want a person to be able to execute various tasks,

00:02:16.420 --> 00:02:19.520
but we also want to prevent problems like fraud,

00:02:19.520 --> 00:02:21.610
for example, or mistakes.

00:02:22.210 --> 00:02:23.340
So very often,

00:02:23.340 --> 00:02:29.680
we'll have a series of different steps for this transaction to go through and

00:02:29.680 --> 00:02:33.410
each of those steps should be executed by a different person.

00:02:34.170 --> 00:02:38.290
For example, a person can submit an expense form.

00:02:38.740 --> 00:02:42.430
Hey, I incurred this expense on behalf of the organization.

00:02:42.920 --> 00:02:47.170
They submit that, but somebody else has to approve it,

00:02:47.420 --> 00:02:49.160
that's separation of duties,

00:02:49.510 --> 00:02:53.770
and separation of duties allows us to try to catch any

00:02:53.770 --> 00:02:55.400
mistakes that could have been made.

00:02:56.430 --> 00:02:59.360
Least privilege is an important concept.

00:02:59.620 --> 00:03:02.830
That says we'll only give a person the level of access

00:03:02.830 --> 00:03:05.730
they need in order to do their job.

00:03:05.870 --> 00:03:11.990
We won't grant them a high level of access when really all they

00:03:11.990 --> 00:03:14.800
needed to be able to do was read the information,

00:03:14.930 --> 00:03:17.940
not modify it, create, or delete it.

00:03:18.980 --> 00:03:23.350
We also have a similar concept very much related to least privilege,

00:03:23.350 --> 00:03:26.100
but not the same, known as need to know.

00:03:26.530 --> 00:03:30.260
Need to know says will we even let a person be aware

00:03:30.260 --> 00:03:32.190
of a certain piece of information?

00:03:32.620 --> 00:03:35.660
We could hide, for example, a credit card number.

00:03:35.660 --> 00:03:37.070
We see this all the time.

00:03:37.490 --> 00:03:39.860
We'll only show the last four digits,

00:03:39.860 --> 00:03:45.290
the least significant part of the credit card number because the average person

00:03:45.290 --> 00:03:48.750
doesn't need to see what the entire credit card number is.

00:03:48.950 --> 00:03:51.710
And by hiding that credit card number,

00:03:51.880 --> 00:03:55.340
that means that person who can't see it could not

00:03:55.340 --> 00:03:57.690
misuse that information either.

00:03:58.280 --> 00:04:00.310
So when we look at access control,

00:04:00.310 --> 00:04:03.740
these are three core concepts we want to review.

00:04:05.120 --> 00:04:10.150
In the case of separation of duties, also known as segregation of duties,

00:04:10.390 --> 00:04:14.000
we can enforce this through things like mutual exclusivity.

00:04:14.490 --> 00:04:18.510
Going back to our example of submitting an expense form. If

00:04:18.510 --> 00:04:21.589
you submit the expense form, you can't approve it,

00:04:22.010 --> 00:04:26.280
but you may have the right to approve expenses for somebody else,

00:04:26.330 --> 00:04:27.800
but not for your own.

00:04:27.940 --> 00:04:32.730
Those two tasks of submission and approval are mutually exclusive,

00:04:32.730 --> 00:04:34.690
or we often call it mutex.

00:04:36.250 --> 00:04:38.850
We also have the idea of dual control.

00:04:38.950 --> 00:04:42.710
It takes two people to perform a certain task.

00:04:42.990 --> 00:04:47.090
Maybe the safe in the bank has two combination locks.

00:04:47.320 --> 00:04:50.950
Some people know the top combination, other people know the bottom,

00:04:51.230 --> 00:04:55.600
and both of them have to work in order for that safe to be opened.

00:04:56.540 --> 00:04:58.340
We set up roles.

00:04:58.350 --> 00:05:02.700
One person has this role and they can do certain tasks,

00:05:02.710 --> 00:05:07.440
but somebody else is the one who then would do the subsequent task.

00:05:07.700 --> 00:05:10.360
Nobody controls the entire process.

00:05:11.600 --> 00:05:13.900
The problem is if people work together.

00:05:14.320 --> 00:05:16.590
This is something we would call collusion.

00:05:17.010 --> 00:05:19.470
Even though we had separation of duties,

00:05:19.580 --> 00:05:23.980
the person who has approved the expenses colluded with the

00:05:23.980 --> 00:05:27.720
person submitting the expenses and allowed a fraudulent

00:05:27.720 --> 00:05:29.360
expense form to go through.

00:05:30.990 --> 00:05:34.850
One of the ways we can break that up is something we call job rotation.

00:05:35.230 --> 00:05:38.060
That means that when I submit expenses,

00:05:38.060 --> 00:05:42.150
I don't necessarily know who will be the person approving them today.

00:05:42.720 --> 00:05:45.480
That could be somebody different at different times,

00:05:45.580 --> 00:05:49.810
so that tries to break up that collusion that could otherwise happen.

00:05:50.780 --> 00:05:54.470
We also see this very much in the financial sector.

00:05:54.860 --> 00:05:59.990
If I'm a loans officer at a bank or a manager of a branch,

00:06:01.340 --> 00:06:05.860
I'm required in many countries to take what's called a mandatory vacation.

00:06:06.450 --> 00:06:10.050
For several weeks every year, I must go on vacation,

00:06:10.240 --> 00:06:12.590
and during that time period,

00:06:12.700 --> 00:06:17.330
I'm not able to access anything at that bank either

00:06:17.330 --> 00:06:20.550
electronically or physically, except my own account.

00:06:21.120 --> 00:06:25.440
So somebody else will handle my work for those two weeks and maybe they will

00:06:25.440 --> 00:06:29.160
find if there is something that was fraudulent in my activity.

00:06:31.330 --> 00:06:34.100
This all starts with identification,

00:06:34.100 --> 00:06:37.950
identifying the entities that are trying to get access

00:06:37.950 --> 00:06:40.080
to that system, network, or building,

00:06:40.680 --> 00:06:44.160
and we say that people should have a unique identifier.

00:06:44.300 --> 00:06:49.080
We shouldn't all be using the account called administrator, for example.

00:06:49.770 --> 00:06:54.450
And very often, we use unique identifiers such as an account number,

00:06:54.680 --> 00:07:01.240
an employee number, a customer number, some type of government-issued identifier,

00:07:01.240 --> 00:07:03.380
a passport number for example,

00:07:03.730 --> 00:07:07.700
or an email address is used by many systems today because

00:07:07.700 --> 00:07:09.920
these are all unique to an individual,

00:07:09.920 --> 00:07:13.340
whereas something like a name is often not unique.

00:07:13.340 --> 00:07:16.540
There could be a number of people that actually have the same name.

00:07:18.510 --> 00:07:23.750
Another thing we often do is we use things then like a user identifier or we

00:07:23.750 --> 00:07:29.280
call it a user ID or a process ID as a unique identifier for,

00:07:29.280 --> 00:07:30.330
for example,

00:07:30.330 --> 00:07:33.420
a person trying to do something or a process that

00:07:33.420 --> 00:07:35.490
is trying to write to a system.

00:07:36.680 --> 00:07:40.430
The idea of proofing or validating that you are the

00:07:40.430 --> 00:07:43.790
rightful owner of that identity is important.

00:07:44.270 --> 00:07:46.640
Maybe this is through a secret question.

00:07:46.700 --> 00:07:49.780
We've seen this very often with things like a password

00:07:49.780 --> 00:07:52.290
or what's your mother's maiden name.

00:07:52.470 --> 00:07:57.370
Those are what we often call cognitive or knowledge-based passwords.

00:07:58.290 --> 00:08:00.890
The challenge, of course, is when a person forgets their

00:08:00.890 --> 00:08:03.190
password and it needs to be reset.

00:08:03.300 --> 00:08:05.920
We want to make sure that we only reset it for the

00:08:05.920 --> 00:08:09.230
correct owner of that identity.

00:08:10.740 --> 00:08:14.710
A person sometimes is able to modify their permissions.

00:08:15.020 --> 00:08:18.910
They're able to ask for something and the system will automatically say yes.

00:08:19.100 --> 00:08:21.150
You should be entitled to have that.

00:08:21.530 --> 00:08:25.610
But before I give it to you, please enter in your password.

00:08:25.610 --> 00:08:28.430
You see this quite often on a computer system.

00:08:29.420 --> 00:08:31.840
You try to download some new software,

00:08:31.970 --> 00:08:37.190
it comes back and says you're trying to change the configuration of the system,

00:08:37.330 --> 00:08:42.010
I need you to enter in an administrator-level password in order to do that.

00:08:42.240 --> 00:08:46.910
They prove that you are the rightful person to be able to make that change.

00:08:48.840 --> 00:08:52.010
Identification should be, as we said, unique.

00:08:52.020 --> 00:08:52.840
Why?

00:08:53.040 --> 00:08:55.110
So that we know who did something.

00:08:55.210 --> 00:08:59.270
It's not that one person of a group, but we have accountability.

00:08:59.780 --> 00:09:01.360
It should not be shared,

00:09:01.490 --> 00:09:05.810
especially with high-level types of identifiers, but we should

00:09:05.810 --> 00:09:09.120
ensure that we have a secure registration process.

00:09:09.450 --> 00:09:12.740
Not just anybody should be able to create a high-level

00:09:12.740 --> 00:09:15.540
account or a privileged account on our system.

00:09:16.670 --> 00:09:19.640
This is where you've often seen when you go to a website,

00:09:19.640 --> 00:09:24.100
you have this CAPTCHA or you have some type of other way to

00:09:24.100 --> 00:09:28.570
recognize that you're not some type of a robot or some type of a

00:09:28.570 --> 00:09:31.500
script that's running to try to create accounts.

00:09:33.300 --> 00:09:37.930
Very often if I want to have an employee account or even a privileged account,

00:09:38.140 --> 00:09:41.800
it must be approved by a manager who says yes,

00:09:41.800 --> 00:09:44.070
this person should have that access.
