Blog

Organizational and Industrial Assignment

Authentication, Authorization and Access Control

On your computer monitor, you read the meeting topic: “HR Data Access.” You think, “This might be a tricky one.”

You remember a discussion with John, the CTO, about conflict caused by the sharing of information between two departments. Grabbing your laptop, you head to the meeting.

In the conference room, John is already waiting. He says, “We will be joined by the VP of HR and the managers of the Payroll and Training departments. Our focus will be on access to data that is housed in the HR database.”

The door opens and the other three attendees walk in.

Amy Jones, the vice president of HR, begins: “The database that we use contains all employee data, ranging from payroll and benefits information to training and performance results. The issue that we are facing, and that I hope you can help us alleviate, is that all departments within Human Resources have full access to all of the data within the database.

“Recently, it was brought to my attention that the training department has access to payroll data.”

The two managers glance at one another.

John says, “I believe we can come up with a solution. As a matter of fact, this could be an opportunity to also evaluate the risk level that the HR database has from outside threats.”

John turns to you: “I would like you to prepare a presentation for HR management.

“In this presentation, you will suggest how we might limit access to specific types of data and protect vulnerable data from outside threats. Since we will be presenting to non-technical managers, you will need to explain the difference between authentication, authorization, and access control in plain language. The presentation will be scheduled in three weeks.”

After the meeting, you realize that while you might understand the problems of data access, other employees may not be aware of the issues involving information access in an organization. Your presentation will have to be understood by employees who do not have an information technology background.

Organizations have two concerns surrounding access to data: They must limit access to data from outside the organization as well as control which people have access to what data within the organization. In this project, you will explain to management the difference between authentication, authorization, and access control, and suggest how to keep outsiders from getting in and keep insiders from getting data they shouldn’t.

This is the second of four sequential projects. During this project, you will research the models for authentication, authorization, and access control. You will also communicate the recommended solution to a nontechnical audience.

There are 13 steps in this project. Begin by reviewing the project scenario and then proceed to Step 1.

Competencies

Your work will be evaluated using the competencies listed below.

• 5.3: Support policy decisions with the application      of specific cybersecurity technologies and standards.
• 6.2: Create an information security program and      strategy, and maintain alignment of the two.
• 6.3: Integrate the human aspect of cybersecurity      into an organization’s cybersecurity policy.
• 9.3: Risk Assessment: Assess policies, processes,      and technologies that are used to create a balanced approach to      identifying and assessing risks and to manage mitigation strategies that      achieve the security needed.

Step 1: Explore the Basics of Authentication

In order to build a presentation with the most current information available, you will gather information by reaching out to a group of your peers working in various industries. In the next three steps, you will prepare background information for this discussion.

• You’ll      need to have a basic understanding of authentication. Define      authentication and identify the core principles and key tenets of authentication as listed below. Review the      following topics: computer networks, network devices and cables, and network protocols.
• Identify      the ways in which someone can be authenticated (e.g., userIDs, passwords).
• Describe      how authentication has evolved over time and identify stressors that have      resulted in changes to authentication.
• Identify      the different types of authentication (e.g., layered or two-factor),      compare and contrast their attributes, and give examples of each.
• Compare      and contrast single-factor and multifactor authentication.

In the next step, you will continue with your exploration of data access models with a look at authorization.

Step 2: Explore the Basics of Authorization

Another topic you’ll need to be prepared to discuss is authorization. Define authorization and differentiate it from authentication (similarities and differences). You will use the notes compiled in this step in your upcoming peer discussion. Complete each of the items listed below.

• Define authorization      and identify examples of authorization schemes.
• Determine      how access policies are used to express authorization rule sets. Identify      key principles of access policies.
• Identify      the challenges that can arise when policies are used to maintain authorization      rules. Identify solutions to mitigate these challenges.

In the next step, you’ll complete your exploration of data access models with a look at access control.

Step 3: Explore the Basics of Access Control

One last topic to prepare for the upcoming discussion is access control: Define access control and then differentiate between access control, authentication, and authorization. You will use the notes compiled in this step in your upcoming peer discussion. You should describe the different access control models and how they are used, including, but not limited to, the list below.

Again, review the following topics if needed: systems, utilities, and application software, interaction of software, and creating a program.

• RBAC: role-based      access control
• MAC: mandatory      access control
• ABAC:      attribute-based access control
• IBAC: identity-based      access control

After completing this step, you are ready for the next step, in which you will compile a report on the psychological aspects of cybersecurity.

Step 4: Write a Social Psychology Report

In the previous steps, you explored the basics of authentication, authorization, and access control and common models of implementing them. Your next task in preparing for the discussion with your peers is to consider the impact that human factors, such as ethics, legal issues, and psychology have on cybersecurity.

To synthesize your research on these factors, you will write a report on the psychological aspects of cybersecurity. This report will be used to formulate recommendations later in the project and be included as an appendix to the final presentation in the last step of this project.

In this report, do the following:

• Explore      the typical intrusion motives/hacker psychology. Classify the types      of hackers and threat actors and give an example of a      potential incident.
• Define a      cybersecurity policy as it relates to employees and employment. For      example, how would an organization apply a security policy to employees      and employment in relation to network-related programming or other      cyber-related positions?
• Define      the separation of duties policy and give an example.
• Define redundancy and diversity and explain how they relate      to cybersecurity access control. Give an example of a policy integrating      the concepts of redundancy and diversity to reduce risk.
• Summarize      how the implementation of the access control mechanisms mentioned in this      section may have a positive or negative consequence on employee      productivity.
• Suggested      length is four to six pages.

Submit the report for feedback.

Step 5: Compose a Privacy Awareness Report

Following the report on the impact of social psychology on cybersecurity, you will compose a report on privacy awareness and the implications on cybersecurity policy to further prepare for the discussion with your peers. This report will be used to formulate recommendations later in the project and be included as an appendix to the final presentation in the last step of this project.

In this report, complete the following:

• Define ECPA (Electronic Communications Privacy Act)      and explain how it affects cybersecurity today. Give an example of how it      might come into play at your organization. Suggest how policy at your      organization could support ECPA compliance.
• Define FISA (Foreign Intelligence Surveillance Act)      and explain how it affects cybersecurity today. Give an example of how it      might come into play at your organization. Suggest how policy at your      organization could support FISA compliance.
• Identify any other privacy law that may affect your      assigned organization. Give a brief summary of what the law does, how it      affects your organization, and how policy could support compliance.

Submit the report for feedback.

Submission for Privacy Awareness Report

Step 6: Compile an Anonymity Report

To go along with the reports on the impact of social psychology on cybersecurity and the impact of privacy awareness on cybersecurity policy, you will now report on the implication anonymity has on cybersecurity by giving a brief one-paragraph summary on each of the items within the bulleted list below.

• Each summary should include a definition, and      explanation of how the term relates to the organization, and an      explanation of how you will integrate it into the policy recommendations.      This report will be used to formulate recommendations in Step 10 and be      included as an appendix to the final presentation in Step 12. Review introduction to the internet, a closer look at the World Wide Web, web markup languages, and web and internet services for basic information.
• pseudonymity
• IP spoofing (IP spoofing and packet sniffing at the      network layer)
• email protocols
• web filters
• types of encryption
• remailers

Submit this report for feedback.

Step 7: Create a Concept Map

You have explored and reported on the human aspects of cybersecurity. Chief information security officers frequently make security decisions in high-pressure environments and deal with individuals whose actions may violate certain standards of behavior and ethics. In this step, you will review several scholarly sources that discuss issues and concerns that a CIO and CIO staff may be faced with in the normal course of duties.

After you have reviewed these materials, create a concept map of important issues, concerns, and best practices or model solutions to common problems. Your goal in creating this map is to develop a visual aid which can help decision makers identify important aspects of a cybersecurity issue revolving around human behavior as they seek to resolve the issues in a manner that is in keeping with an organization’s ethical standards and practices.