Least and Highest Privilege Access - Need to Know


Least and Highest Privilege Access - Need to Know
Jerry Wynne, CISA, CISSP, CRISC
Vice President of Security, CISO

Disclaimer
This document and any oral presentation accompanying it are not intended to, and should not be taken to, necessarily represent the policies, opinions, and/or views of Noridian Mutual Insurance Company, Blue Cross Blue Shield of North Dakota, Noridian Healthcare Solutions, any of their component services, or any other affiliated companies. This document and any oral presentation accompanying it have been prepared in good faith. However, no express or implied warranty is given as to the accuracy or completeness of the information in this document or the accompanying presentation.

Who am I?
Currently employed by Noridian Mutual Insurance Company
  DBA: Blue Cross Blue Shield of North Dakota, an independent licensee of the Blue Cross Blue Shield Association
  DBA: Noridian Healthcare Solutions
Assisting: Three other Healthcare plans with Security
Vice President of Security, Chief Information Security Officer (CISO)
Responsible for both Electronic and Physical Security
3200 employees, 15+ locations coast to coast
Staff of 70+ physical and electronic security professionals
Certifications include:
  Certified Information Systems Auditor (CISA)
  Certified Information System Security Professional (CISSP)
  Certified in Risk and Information System Control (CRISC)
Over twenty years' experience in Electronic Security, with over fifteen years of leadership in Electronic Security

Agenda
Definition and Overview of Least Privilege vs High Privilege

Definition
Least Privilege is a visitor with no access.
High Privilege is a System Administrator.

Questions? Jerry.a.Wynne@gmail.com

Ok Ok Onto the presentation!

Agenda
Lots to level set:
  Definitions
  ID vs User
  So if my password is not enough…
  Least Privilege
  How do we get there?

Definition of Privilege
privilege /ˈpriv(ə)lij/
noun; plural noun: privileges
1. a special right, advantage, or immunity granted or available only to a particular person or group of people.

Definition of Access Rights
access rights: The permissions that are granted to a user, or to an application, to read, write and erase files in the computer. Access rights can be tied to a particular client or server, to folders within that machine or to specific programs and data files.

Definition of Privilege
Privilege within an Information Technology (IT) environment refers to the rights and abilities a user has within that environment.
These rights SHOULD BE based upon what the individual needs to perform their job.
Rights and Abilities refer to many different aspects of their jobs.

Definition: Levels
All Information Technology shops should have clearly defined levels of access for different types of users. User types include (but are not limited to):
  Visitors
  Vendors
  Users
  Power Users
  Super Users
  Administrators

Definition: Visitors
Visitors are just that: visitors to the building, who should not be credentialed nor given access to the building.
  Contract Needed: No
  Badge / Building access: No
  Network ID: No
  Advanced access: No
  GSSP Access: No
  Administrator: No
  Multi-factor: No

Definition: Vendors
Vendors are people providing a service who do not need network access and who just need physical access to the building.
  Contract Needed: Yes
  Badge / Building access: Yes
  Network ID: No
  Advanced access: No
  GSSP Access: No
  Administrator: No
  Multi-factor: No

Definition: Users
Users are day to day users who perform no special functions and are involved in day to day operations.
  Contract Needed: Yes – IF contract employee
  Badge / Building access: Yes
  Network ID: Yes
  Advanced access: No
  GSSP Access: Yes
  Administrator: No
  Multi-factor: Possibly

Definition: Power Users
Power Users are day to day users who perform SOME special functions and are involved in day to day operations. Special functions could include adding printers, adding users to network shares, or performing advanced duties in COTS.
  Contract Needed: Yes – IF contract employee
  Badge / Building access: Yes
  Network ID: Yes
  Advanced access: Yes
  GSSP Access: Yes
  Administrator: No
  Multi-factor: Possibly

Definition: Super Users
Super Users are day to day users who perform SOME special functions and are involved in day to day operations. Special functions could include adding printers, adding users to network shares, or performing advanced duties in COTS (typically the same as Power Users).
  Contract Needed: Yes – IF contract employee
  Badge / Building access: Yes
  Network ID: Yes
  Advanced access: Yes
  GSSP Access: Yes
  Administrator: No
  Multi-factor: Possibly

Definition: Administrator
Administrator IDs are the IDs that run and configure the IT systems that run the enterprise.
  Contract Needed: Yes – IF contract employee
  Badge / Building access: No
  Network ID: No
  Advanced access: Yes
  GSSP Access: No
  Administrator: Yes
  Multi-factor: REALLY SHOULD BE

There was a BIG Difference on the last slide Who caught it?

ID vs User
In the definition of an Administrator the word ID was used instead of User.
In the world of privilege, the more advanced server and administrator rights a person's ID carries, the less GSSP access that ID should have.
So if the ID has administrator access, it SHOULD NOT have access to the internet, email, or other GSSP systems.
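The tier definitions above, together with the rule that an administrator ID must not carry GSSP access, can be checked mechanically during an account review. The following is an added example and is not code from the presentation or its author: it encodes the six tier profiles as the slides state them, and the attribute names (contract, badge, network_id, advanced, gssp, admin, mfa) and the sample account records are this example's own constructions.

```python
"""Access-tier checker for the level definitions in the slides above.

Added example, not from the presentation or its author. The tier profiles encode
the Visitor / Vendor / User / Power User / Super User / Administrator slides as
given; the account records at the bottom are constructed sample data, and the
attribute names (contract, badge, network_id, ...) are this example's own.
"""

# Rule values, mirroring the slides' wording:
#   "no"        attribute must not be present (presence is over-privilege)
#   "yes"       attribute is expected (absence is a profile deviation)
#   "contract"  the slides' "Yes - IF contract employee"
#   "possibly"  local decision, never a finding
#   "required"  the Administrator slide's "REALLY SHOULD BE" for multi-factor
TIERS = {
    "visitor":       dict(contract="no",       badge="no",  network_id="no",  advanced="no",  gssp="no",  admin="no",  mfa="no"),
    "vendor":        dict(contract="yes",      badge="yes", network_id="no",  advanced="no",  gssp="no",  admin="no",  mfa="no"),
    "user":          dict(contract="contract", badge="yes", network_id="yes", advanced="no",  gssp="yes", admin="no",  mfa="possibly"),
    "power_user":    dict(contract="contract", badge="yes", network_id="yes", advanced="yes", gssp="yes", admin="no",  mfa="possibly"),
    "super_user":    dict(contract="contract", badge="yes", network_id="yes", advanced="yes", gssp="yes", admin="no",  mfa="possibly"),
    "administrator": dict(contract="contract", badge="no",  network_id="no",  advanced="yes", gssp="no",  admin="yes", mfa="required"),
}


def review_account(account):
    """Compare one account record against its tier profile.

    Returns a list of (severity, attribute, message) tuples. "high" marks
    over-privilege or a missing control; "info" marks a deviation worth a look
    (for example an account that seems to be in the wrong tier).
    """
    tier_name = account["tier"]
    profile = TIERS[tier_name]
    present = account.get("has", {})
    findings = []
    for attr, rule in profile.items():
        has = bool(present.get(attr, False))
        if rule == "no" and has:
            findings.append(("high", attr, f"granted, but tier '{tier_name}' permits none"))
        elif rule == "required" and not has:
            findings.append(("high", attr, f"not enforced, but tier '{tier_name}' requires it"))
        elif rule == "yes" and not has:
            findings.append(("info", attr, f"expected for tier '{tier_name}' but absent"))
        elif rule == "contract" and account.get("contractor") and not has:
            findings.append(("info", attr, "contract employee without a contract on file"))
        # "possibly" is a local decision and never produces a finding
    return findings


def review_all(accounts):
    """Map account id -> findings, keeping only accounts that have any."""
    result = {}
    for acct in accounts:
        findings = review_account(acct)
        if findings:
            result[acct["id"]] = findings
    return result


# Constructed sample records (not real accounts). The administrator ID carries
# GSSP access and no multi-factor: exactly the combination the slides rule out.
SAMPLE_ACCOUNTS = [
    {"id": "jdoe", "tier": "user", "contractor": False,
     "has": {"badge": True, "network_id": True, "gssp": True}},
    {"id": "adm-jdoe", "tier": "administrator", "contractor": False,
     "has": {"advanced": True, "admin": True, "gssp": True, "mfa": False}},
    {"id": "vend-hvac", "tier": "vendor", "contractor": True,
     "has": {"badge": True}},
]

if __name__ == "__main__":
    for acct_id, findings in review_all(SAMPLE_ACCOUNTS).items():
        for severity, attr, msg in findings:
            print(f"{acct_id}: [{severity}] {attr}: {msg}")
```

Run stand-alone, the script reports the administrator ID twice (GSSP access granted, multi-factor not enforced) and the vendor once (no contract on file); the ordinary user produces nothing, because "Possibly" for multi-factor is deliberately never a finding.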

ID vs User
A user will have an ID, BUT an ID does not always have an assigned user.

ID vs User Discussion

How should privilege be secured?
There are several options for securing privilege.

So if my password is not enough…
Definition: Multi-factor authentication (MFA) is a method of computer access control in which a user is granted access only after successfully presenting several separate pieces of evidence to an authentication mechanism – typically at least two of the following categories: knowledge (something they know), possession (something they have), and inherence (something they are).
Two-factor authentication (also known as 2FA) is a method of confirming a user's claimed identity by utilizing a combination of two different components. Two-factor authentication is a type of multi-factor authentication.

So if my password is not enough…
Some options for multifactor authentication include, but are not limited to:
  Hard Tokens
  Soft Tokens
  Biometrics
  PINs
  Passwords
  User IDs
  Smart Cards

So if my password is not enough…
How many factors should you use?
  The number of factors should be appropriate to risk
  Three factors is now a default minimum
  Factors should be from different categories
  Remote Access: User ID, Password, PIN, and Token generated security number
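The slides' rule that factors must come from different categories is easy to state and easy to get wrong when counting, because a password and a PIN are two items but one category. The check below is an added example, not code from the presentation or its author: the three categories are the ones in the definition slide, while the mapping of each listed option to a category, and the treatment of the user ID as the claimed identity rather than as evidence, are this example's own assumptions. It reports both the number of items presented and the number of distinct categories they cover, so a policy such as "appropriate to risk" can be applied to either figure.

```python
"""Factor-category check for the multi-factor slides above.

Added example, not from the presentation or its author. The three categories
come from the definition slide; which option falls into which category, and the
treatment of the user ID as the claimed identity rather than as evidence, are
this example's assumptions.
"""

FACTOR_CATEGORY = {
    "password":   "knowledge",    # something you know
    "pin":        "knowledge",
    "hard_token": "possession",   # something you have
    "soft_token": "possession",
    "smart_card": "possession",
    "biometric":  "inherence",    # something you are
}

# Names the claimant; proves nothing by itself (assumption of this example).
IDENTIFIERS = {"user_id"}


def evaluate_factors(presented, min_categories=2):
    """Count what a login actually presents.

    Returns a dict with the number of items, the number that are evidence, the
    distinct categories covered (sorted), and whether that meets min_categories.
    Two knowledge items (password + PIN) count as a single category.
    """
    items = [p.lower() for p in presented]
    evidence = [p for p in items if p not in IDENTIFIERS]
    unknown = [p for p in evidence if p not in FACTOR_CATEGORY]
    if unknown:
        raise ValueError(f"unclassified factor(s): {unknown}")
    categories = sorted({FACTOR_CATEGORY[p] for p in evidence})
    return {
        "items": len(items),
        "factors": len(evidence),
        "categories": categories,
        "meets_policy": len(categories) >= min_categories,
    }


# The remote-access set from the slide, as constructed input.
REMOTE_ACCESS = ["user_id", "password", "pin", "hard_token"]

if __name__ == "__main__":
    samples = [
        ("remote access (slide)", REMOTE_ACCESS),
        ("password + PIN only", ["user_id", "password", "pin"]),
        ("password + smart card + fingerprint", ["password", "smart_card", "biometric"]),
    ]
    for name, presented in samples:
        print(name, evaluate_factors(presented, min_categories=2))
```

For the slide's remote-access set the function counts four items, three pieces of evidence and two categories (knowledge and possession); whether that satisfies "three factors" therefore depends on whether the policy counts items or categories, which is exactly the distinction the "different categories" bullet is drawing.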

Least Privilege Least privilege is giving the User the most basic rights they possibly need to accomplish their job BUT never

Least Privilege
Users should be given access to what they use 99% of the time. There is always an exception, and proper Identity and Access Management (IAM) policy and philosophy state that the exception SHOULD NOT dictate the access.

Least Privilege
If the policy is to give the users 100% of what they MAY need then this falls apart.
Scenario: A user needs to perform their day to day function, but once every two years they have to add a printer, which can only be done via administrator rights on the PC. To save time the IT department gives the user full admin rights.

Least Privilege
If the policy is to give the users 100% of what they MAY need then this falls apart.
Scenario: An administrator wants to check their email without logging in and out as administrator, so they give themselves access to the internet and email systems.

How do we get there?
At some point the IT or security team should have created a User access chart:
  In the left column it should list job functions (NEVER NAMES)
  Across the top row it should list access rights

How do we get there?
Access rights (top row): Email | A/P System | A/R System | Internet | File System | Admin rights
Job functions (left column): General User (X) | Payables | Receivables | Auditor | Administrator | Finance Clerk | Manager

How do we get there?
Utilizing this chart the IAM function should have created an access list for each job function.
Each job function's access must be periodically reviewed to look for access "creep".

This is also known as RBAC
RBAC is Role Based Access Control.
This is an ideal that every IAM program should aim for.
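The chart, the per-job-function access list and the periodic review for creep fit together as one small procedure, and the two least-privilege scenarios above are what that review is meant to catch. The following is an added example, not code from the presentation or its author: the column headings and job functions are taken from the chart slide, but which cells carry an X is constructed here (the slide's own marks did not survive extraction), and the account records are constructed sample data. Rows are keyed by job function and never by person, as the slide requires.

```python
"""Role-based access review built from the job-function chart above.

Added example, not from the presentation or its author. The column headings and
job functions come from the chart slide; which cells carry an X is constructed
here (the slide's own marks did not survive extraction), and the user records
are constructed sample data.
"""

ACCESS_RIGHTS = ["Email", "A/P System", "A/R System", "Internet", "File System", "Admin rights"]

# Baseline: job function -> rights it legitimately needs (constructed cells).
# The Administrator row carries no email/internet/file access, following the
# ID vs User slides: an administrator ID is not a person's working account.
ROLE_BASELINE = {
    "General User":  {"Email", "Internet", "File System"},
    "Payables":      {"Email", "Internet", "File System", "A/P System"},
    "Receivables":   {"Email", "Internet", "File System", "A/R System"},
    "Auditor":       {"Email", "Internet", "File System", "A/P System", "A/R System"},
    "Administrator": {"Admin rights"},
    "Finance Clerk": {"Email", "Internet", "File System", "A/P System", "A/R System"},
    "Manager":       {"Email", "Internet", "File System"},
}


def render_chart(baseline=ROLE_BASELINE, rights=ACCESS_RIGHTS):
    """Plain-text version of the chart: one row per job function, X where granted."""
    width = max(len(role) for role in baseline)
    lines = [" " * width + " | " + " | ".join(rights)]
    for role, granted in baseline.items():
        cells = [("X" if right in granted else "").center(len(right)) for right in rights]
        lines.append(role.ljust(width) + " | " + " | ".join(cells))
    return "\n".join(lines)


def review_user(user, baseline=ROLE_BASELINE):
    """Compare one account's actual entitlements with its job-function baseline.

    Returns (creep, missing): rights the account holds beyond its role, and
    rights the role expects that the account lacks. Creep is what the periodic
    review hunts for; missing usually means the job function is mis-assigned.
    """
    expected = baseline[user["job_function"]]
    actual = set(user["entitlements"])
    return sorted(actual - expected), sorted(expected - actual)


def access_review(users, baseline=ROLE_BASELINE):
    """Map account id -> (creep, missing) for every account that deviates."""
    report = {}
    for user in users:
        creep, missing = review_user(user, baseline)
        if creep or missing:
            report[user["id"]] = (creep, missing)
    return report


# Constructed sample entitlements. u1001 is the printer scenario (admin rights
# handed out for a once-in-two-years task); u1003 moved from Receivables to
# Payables and kept the old access; adm-u1001 is the administrator reading email.
SAMPLE_USERS = [
    {"id": "u1001", "job_function": "General User",
     "entitlements": ["Email", "Internet", "File System", "Admin rights"]},
    {"id": "u1002", "job_function": "Payables",
     "entitlements": ["Email", "Internet", "File System", "A/P System"]},
    {"id": "u1003", "job_function": "Payables",
     "entitlements": ["Email", "Internet", "File System", "A/P System", "A/R System"]},
    {"id": "adm-u1001", "job_function": "Administrator",
     "entitlements": ["Admin rights", "Email"]},
]

if __name__ == "__main__":
    print(render_chart())
    for acct, (creep, missing) in access_review(SAMPLE_USERS).items():
        print(f"{acct}: creep={creep} missing={missing}")
```

Run against the sample records, the review flags the general user's admin rights, the payables clerk's leftover A/R access and the administrator ID's email, and passes the account whose entitlements match its role exactly. In a real deployment the entitlement records would come from the directory or the application's own permission export; the baseline stays the job-function chart, which is what makes the comparison independent of any individual.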

Questions? Jerry.a.Wynne@gmail.com

References Slide 9 - https://www.dictionary.com