Published by Wilfred Green. Modified over 9 years ago.
1 Data Access Control, Password Policy and Authentication Methods for Online Bank
Md. Mahbubur Rahman Alam. B. Sc. (Statistics), Dhaka University; M. Sc. (Statistics, Major in Econometrics), Dhaka University; PGD (ICT), BUET; M. Sc. (ICT), BUET. Assistant Professor, BIBM, Mirpur, Dhaka. Cell: 01556323244, Mail: alam_mr@yahoo.com, Website: mralam.net
2 [Diagram: the delivery channels of an online bank arranged around the Customer: Kiosk, Branch, Internet, POST, PSTN, ATM, Other Bank, Mobile, Call Center]
3 Md. Mahbubur Rahman Alam, Assistant Professor (ICT), BIBM. Mail: alam_mr@yahoo.com
4 Data Access Control
Data access typically refers to the software and activities involved in storing, retrieving, or acting on data held in a database or other repository. Data access control is the authorization that determines which data files and records a given user is allowed to reach.
5 Access Controls
Access controls should provide reasonable assurance that data and applications are protected against unauthorized modification, disclosure, loss or impairment. They include physical controls, such as keeping a computer in a locked room to limit physical access, and logical controls, such as security software designed to prevent or detect unauthorized access to sensitive files.
6 Restricting Access
- Implement separation of duties (SoD): a preventive control.
- Keep separate test and production environments: a preventive control.
- Restrict user accounts and database administrator access: a preventive control.
7 Identification, Authentication and Process
Elements to restrict, and to record in the audit trail, include:
- Data access (successful and failed SELECTs)
- Data changes (INSERT, UPDATE, DELETE)
- System access (successful and failed logins); user, role, permission and password changes
- Privileged user activity (all of it)
- Schema changes (CREATE, DROP, ALTER on tables, columns, fields)
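The list above is what a database audit trail has to capture; the following is an added example (not code from the presentation) of a detection pass over such records. The record layout (timestamp|login|event|object|outcome), the sample records, the privileged and application login names and the failed-login threshold are all constructed assumptions for the demo.

```python
"""Detection pass over database audit records for the elements listed on the
slide above. Added example, not code from the presentation. The record layout
(timestamp|login|event|object|outcome), the sample records, the privileged and
application login names and the failed-login threshold are constructed
assumptions for the demo."""
from collections import Counter

# Constructed sample audit trail (not real data).
SAMPLE_AUDIT = """\
2015-03-02T09:00:01|app_svc|LOGIN|-|SUCCESS
2015-03-02T09:00:05|app_svc|SELECT|Accounts|SUCCESS
2015-03-02T09:01:10|jdoe|LOGIN|-|FAILED
2015-03-02T09:01:14|jdoe|LOGIN|-|FAILED
2015-03-02T09:01:19|jdoe|LOGIN|-|FAILED
2015-03-02T09:01:25|jdoe|LOGIN|-|SUCCESS
2015-03-02T09:02:00|jdoe|SELECT|Accounts|FAILED
2015-03-02T09:05:00|dba_ravi|ALTER TABLE|Accounts|SUCCESS
2015-03-02T09:05:30|dba_ravi|GRANT|Accounts|SUCCESS
2015-03-02T09:06:00|dba_ravi|DELETE|Transactions|SUCCESS
2015-03-02T09:07:00|app_svc|ALTER PASSWORD|app_svc|SUCCESS
"""

PRIVILEGED_LOGINS = {"dba_ravi"}   # assumed DBA accounts: record everything they do
APP_LOGINS = {"app_svc"}           # assumed application accounts allowed to change data
SCHEMA_EVENTS = {"CREATE TABLE", "DROP TABLE", "ALTER TABLE"}
PRIVILEGE_EVENTS = {"GRANT", "DENY", "REVOKE", "CREATE USER", "ALTER ROLE", "ALTER PASSWORD"}
DML_EVENTS = {"INSERT", "UPDATE", "DELETE"}
FAILED_LOGIN_THRESHOLD = 3         # assumed threshold for a password-guessing alert


def parse_audit(text):
    """Split the pipe-separated records into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, login, event, obj, outcome = line.split("|")
        records.append({"ts": ts, "login": login, "event": event,
                        "object": obj, "outcome": outcome})
    return records


def detect(records):
    """Return a list of (rule, login, detail) alerts, one per matching record."""
    alerts = []
    consecutive_failures = Counter()
    for r in records:
        login, event, obj, outcome = r["login"], r["event"], r["object"], r["outcome"]
        # System access: a burst of failed logins, and a success right after one
        if event == "LOGIN":
            if outcome == "FAILED":
                consecutive_failures[login] += 1
                if consecutive_failures[login] == FAILED_LOGIN_THRESHOLD:
                    alerts.append(("FAILED_LOGINS", login,
                                   f"{FAILED_LOGIN_THRESHOLD} consecutive failures"))
            else:
                if consecutive_failures[login] >= FAILED_LOGIN_THRESHOLD:
                    alerts.append(("SUCCESS_AFTER_FAILURES", login, "possible guessed password"))
                consecutive_failures[login] = 0
        # Data access: a failed SELECT means the permission check rejected the user
        elif event == "SELECT" and outcome == "FAILED":
            alerts.append(("FAILED_DATA_ACCESS", login, obj))
        # Schema changes and user/role/permission/password changes
        if event in SCHEMA_EVENTS:
            alerts.append(("SCHEMA_CHANGE", login, f"{event} {obj}"))
        if event in PRIVILEGE_EVENTS:
            alerts.append(("PRIVILEGE_CHANGE", login, f"{event} {obj}"))
        # Data changes made outside the application account
        if event in DML_EVENTS and login not in APP_LOGINS:
            alerts.append(("DML_OUTSIDE_APP", login, f"{event} {obj}"))
        # Privileged user activity: everything, regardless of outcome
        if login in PRIVILEGED_LOGINS:
            alerts.append(("PRIVILEGED_ACTIVITY", login, f"{event} {obj} {outcome}"))
    return alerts


def summarize(alerts):
    """Count alerts per rule, e.g. for a daily review report."""
    return Counter(rule for rule, _, _ in alerts)


if __name__ == "__main__":
    for rule, login, detail in detect(parse_audit(SAMPLE_AUDIT)):
        print(f"{rule:24} {login:10} {detail}")
```

The point of the pass is that the rules map one-to-one onto the slide's list: every DBA action is recorded whether or not it looks suspicious, while ordinary users only raise alerts on failures and on changes to schema or privileges.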
8 Authentication Methods
An identity can be authenticated in three ways:
- Something the user knows (a password or personal identification number)
- Something the user has (a security token or smart card)
- Something the user is (a physical characteristic such as a fingerprint, called a biometric)
9 Fingerprint Recognition. Hand or Palm Geometry.
10 Facial Recognition
11 Eye Scans
12 USB Security Token or One-Time Password
Such tokens are sold by RSA Security LLC, among others; the name RSA stands for the company's founders Ron Rivest, Adi Shamir and Leonard Adleman.
13 Login Authentication
[Diagram: the database server authenticates a login in one of two ways. Either it verifies a trusted connection for a Windows 2000 group or user, OR it verifies a name and password against a database server login account.]
14 Database User Accounts and Roles
[Diagram: once the login is authenticated (trusted connection for a Windows 2000 group or user, or name and password for a database server login account), the database server assigns the login to a database user account and to database roles.]
15 Database Server Checks Permissions
[Diagram: a database user executes the command SELECT * FROM Members; the database server performs permission validation. If the permissions are OK it performs the command; if not, it returns an error (Error 2233 on the slide).]
16 Granting Permissions to Allow Access
[Table: permission matrix with rows Eva, Ivan, David and public, and columns SELECT, INSERT, UPDATE, DELETE; the cell markers did not survive extraction.] A GRANT gives a user or role the right to run the statement on the object; a user also holds whatever is granted to the roles it belongs to, and every database user is a member of public.
17 Denying Permissions to Prevent Access
[Table: the same matrix.] A DENY explicitly blocks the statement for the user or role, and it overrides any GRANT the user holds directly or through a role.
18 Revoking Granted and Denied Permissions
[Table: the same matrix.] A REVOKE removes a previously recorded GRANT or DENY; it does not itself block access, so a user may still act through a permission granted to one of its roles.
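The permission check on slide 15 and the GRANT, DENY and REVOKE steps on slides 16 to 18 are modelled below as an added example; this is not code from the presentation or from any database product. It reproduces the precedence rules of SQL Server-style statement permissions (a user holds permissions directly and through its roles, DENY from any source wins over GRANT, REVOKE only removes an earlier GRANT or DENY). The users Eva, Ivan and David, the public role and the Members table come from the slides; the role memberships and the order of statements are assumptions for the demo.

```python
"""Model of the GRANT / DENY / REVOKE permission checks on slides 15 to 18.

Added example, not code from the presentation. The users (Eva, Ivan, David),
the public role and the Members table come from the slides; the role
memberships and the sequence of statements are assumptions for the demo.
"""
import re
from dataclasses import dataclass, field

STATEMENT_PATTERNS = {
    "SELECT": re.compile(r"^\s*SELECT\b.*?\bFROM\s+(\w+)", re.I | re.S),
    "INSERT": re.compile(r"^\s*INSERT\s+INTO\s+(\w+)", re.I),
    "UPDATE": re.compile(r"^\s*UPDATE\s+(\w+)", re.I),
    "DELETE": re.compile(r"^\s*DELETE\s+FROM\s+(\w+)", re.I),
}


@dataclass
class PermissionStore:
    roles: dict = field(default_factory=dict)     # role -> set of member principals
    entries: dict = field(default_factory=dict)   # (principal, object, action) -> GRANT | DENY

    def add_member(self, role, principal):
        self.roles.setdefault(role, set()).add(principal)

    def grant(self, principal, obj, action):
        self.entries[(principal, obj, action)] = "GRANT"

    def deny(self, principal, obj, action):
        self.entries[(principal, obj, action)] = "DENY"

    def revoke(self, principal, obj, action):
        # REVOKE deletes whichever entry exists; it never records a DENY
        self.entries.pop((principal, obj, action), None)

    def principals_for(self, user):
        """The user plus every role it belongs to, including roles nested in roles."""
        result = {user}
        grew = True
        while grew:
            grew = False
            for role, members in self.roles.items():
                if role not in result and members & result:
                    result.add(role)
                    grew = True
        return result

    def check(self, user, obj, action):
        """Slide 15's permission validation: a DENY anywhere wins, else some GRANT is needed."""
        states = {self.entries.get((p, obj, action)) for p in self.principals_for(user)}
        return "DENY" not in states and "GRANT" in states


def authorize(store, user, sql):
    """Map a statement to (action, object) and consult the store; returns the
    action on success and raises PermissionError on the slide's error path."""
    for action, pattern in STATEMENT_PATTERNS.items():
        match = pattern.match(sql)
        if match:
            table = match.group(1)
            if store.check(user, table, action):
                return action
            raise PermissionError(f"{action} permission denied on {table} for {user}")
    raise ValueError("statement type not modelled")


def demo():
    """Walk through slides 16 to 18 and return the outcome of each step."""
    store = PermissionStore()
    for user in ("Eva", "Ivan", "David"):
        store.add_member("public", user)          # every database user is in public
    store.grant("public", "Members", "SELECT")    # slide 16: grant to allow access
    store.grant("David", "Members", "INSERT")
    store.deny("Ivan", "Members", "SELECT")       # slide 17: deny to prevent access
    results = {"after_deny": {u: store.check(u, "Members", "SELECT")
                              for u in ("Eva", "Ivan", "David")}}
    store.revoke("Ivan", "Members", "SELECT")     # slide 18: revoke the deny ...
    results["ivan_after_revoke_deny"] = store.check("Ivan", "Members", "SELECT")
    store.revoke("public", "Members", "SELECT")   # ... and then the role-level grant
    results["eva_after_revoke_grant"] = store.check("Eva", "Members", "SELECT")
    results["david_insert"] = authorize(store, "David", "INSERT INTO Members VALUES (1)")
    return results


if __name__ == "__main__":
    print(demo())
</```

Two behaviours are worth noting when reading the demo: revoking Ivan's DENY does not take anything away from him, it lets the GRANT on public apply again; and once the GRANT on public is revoked, Eva has no SELECT permission left even though nothing was ever denied to her.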
19 Password Policy
- Use of both upper- and lower-case letters (case sensitivity)
- Inclusion of one or more numerical digits
- Inclusion of special characters, e.g. @, #, $
- Prohibition of words found in a dictionary, or of the user's personal information
- Prohibition of passwords that match the format of calendar dates, license plate numbers, telephone numbers, or other common numbers
- Prohibition of the company name or an abbreviation of it
20 Password Duration
Some policies require users to change passwords periodically, e.g. every 90 or 180 days. The benefit of password expiration, however, is debatable: forced rotation tends to produce predictable variations of the old password. Systems that implement such policies therefore sometimes prevent users from picking a password too close to a previous selection.
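The rules on slides 19 and 20 are implemented below as one policy check; this is an added example, not code from the presentation. The minimum length, the tiny stand-in dictionary, the company names, the history rule (a new password fewer than HISTORY_DISTANCE edits away from an old one counts as "too close"), the 90-day default and the sample passwords are all assumptions for the demo; a deployment would use a full word list plus a breached-password set.

```python
"""Password policy check implementing slides 19 and 20.

Added example, not code from the presentation. MIN_LENGTH, HISTORY_DISTANCE,
DICTIONARY, COMPANY_NAMES and the sample passwords are assumptions for the demo.
"""
import re
from datetime import date, datetime

MIN_LENGTH = 10                                   # assumption: the slide names no length
HISTORY_DISTANCE = 3                              # assumption: edits required from an old password
COMPANY_NAMES = {"bibm", "onlinebank", "olb"}     # assumed company name and abbreviations
DICTIONARY = {"password", "welcome", "banking", "summer", "dhaka", "secret"}  # stand-in word list
COMMON_NUMBER_FORMATS = [
    re.compile(r"\d{2}[/-]?\d{2}[/-]?\d{2,4}"),   # calendar date such as 01-01-2015
    re.compile(r"\+?\d{7,15}"),                   # telephone number
    re.compile(r"[A-Za-z]{1,3}[- ]?\d{1,4}"),     # license plate such as DHA-1234
]


def looks_like_date(digits):
    """True if a run of digits parses as a calendar date in a common layout."""
    for fmt in ("%d%m%Y", "%Y%m%d", "%m%d%Y", "%d%m%y"):
        try:
            datetime.strptime(digits, fmt)
            return True
        except ValueError:
            continue
    return False


def edit_distance(a, b):
    """Levenshtein distance, used for the 'too close to a previous password' rule."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_policy(password, previous=(), personal=()):
    """Return the list of violated rules; an empty list means the password is accepted."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("needs upper- and lower-case letters")
    if not re.search(r"\d", password):
        problems.append("needs a digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("needs a special character")
    # Dictionary rule: the whole password, or its letters alone, is a known word
    if lowered in DICTIONARY or re.sub(r"[^a-z]", "", lowered) in DICTIONARY:
        problems.append("dictionary word")
    for item in personal:
        if len(item) >= 3 and item.lower() in lowered:
            problems.append(f"contains personal information ({item})")
    if any(name in lowered for name in COMPANY_NAMES):
        problems.append("contains company name")
    if any(p.fullmatch(password) for p in COMMON_NUMBER_FORMATS):
        problems.append("matches a date, phone or plate-number format")
    if any(looks_like_date(run) for run in re.findall(r"\d{6,}", password)):
        problems.append("embeds a calendar date")
    if any(edit_distance(password, old) < HISTORY_DISTANCE for old in previous):
        problems.append("too close to a previous password")
    return problems


def password_expired(set_on, today, max_age_days=90):
    """Slide 20's expiry rule on ISO dates; 90 days is the first value the slide names."""
    return (date.fromisoformat(today) - date.fromisoformat(set_on)).days > max_age_days


if __name__ == "__main__":
    for pw, prev, personal in [("Summer2015!", (), ()),
                               ("Rahim@01012015", (), ("Rahim",)),
                               ("Tr0ub4dor&3x", ("Tr0ub4dor&3",), ()),
                               ("mango-Tr4in-Kite-88", ("Tr0ub4dor&3",), ())]:
        print(f"{pw!r}: {check_policy(pw, prev, personal) or 'accepted'}")
```

"Summer2015!" satisfies every composition rule on slide 19 and is still rejected, because its letters form a dictionary word; that is why the dictionary and personal-information rules matter more than the character-class rules.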
21 Common Password Practice
- Never share a computer account
- Never use the same password for more than one account
- Never tell a password to anyone, including people who claim to be from customer service or security
- Never write down a password
- Never communicate a password by telephone, e-mail or instant messaging
22 Common Password Practice (continued)
- Log off before leaving a computer unattended
- Change a password whenever there is suspicion it may have been compromised
- Keep operating system passwords and application passwords different
- Passwords should be alphanumeric
- Never use online password generation tools
23 Password Strength
Password strength is a measure of how well a password resists guessing and brute-force attacks. In its usual form it estimates how many trials an attacker without direct access to the password would need, on average, to guess it correctly. Strength is a function of length, complexity, and unpredictability.
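The estimate described above is worked out below as an added example (not code from the presentation): the size of the character pool and the length give the keyspace an exhaustive search must cover, the average number of trials is half of it, and dividing by a guess rate gives a time. The character-class sizes follow printable ASCII; the guess rates and the short "leaked list" are constructed assumptions. The leaked-list branch illustrates the unpredictability term: a password that appears in the attacker's list falls at its rank, whatever its length and character mix.

```python
"""Password strength as the expected number of guessing trials.

Added example, not code from the presentation. GUESS_RATES and LEAKED_TOP are
constructed assumptions for the demo.
"""
import math

SYMBOLS = 95 - 26 - 26 - 10   # printable ASCII characters that are neither letters nor digits
# Constructed stand-in for a breached-password list, ordered by popularity.
LEAKED_TOP = ["123456", "password", "12345678", "qwerty", "P@ssw0rd"]
GUESS_RATES = {               # assumed attacker speeds, guesses per second
    "online, rate limited": 10,
    "offline, fast hash": 1e10,
}


def charset_size(password):
    """Size of the smallest character pool that contains every character used."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += SYMBOLS
    return pool


def brute_force_bits(password):
    """log2 of the keyspace an exhaustive search over that pool must cover."""
    return len(password) * math.log2(charset_size(password))


def passphrase_bits(n_words, wordlist_size):
    """Keyspace of n words drawn from a list, e.g. 4 words from a 7776-word list."""
    return n_words * math.log2(wordlist_size)


def effective_bits(password, leaked=LEAKED_TOP):
    """What the attacker actually needs: a predictable password is found at its
    rank in the attacker's list, regardless of its character mix."""
    if password in leaked:
        return math.log2(leaked.index(password) + 1)
    return brute_force_bits(password)


def expected_guesses(bits):
    """Average trials to hit the password: half the keyspace."""
    return 2 ** bits / 2


def seconds_to_crack(bits, guesses_per_second):
    return expected_guesses(bits) / guesses_per_second


def report(password):
    """Effective bits and the expected cracking time under each assumed rate."""
    bits = effective_bits(password)
    return {"bits": bits,
            **{name: seconds_to_crack(bits, rate) for name, rate in GUESS_RATES.items()}}


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "mango-Tr4in-Kite-88"):
        r = report(pw)
        print(f"{pw!r}: {r['bits']:.1f} bits, offline {r['offline, fast hash']:.3g} s")
    print(f"4 words from a 7776-word list: {passphrase_bits(4, 7776):.1f} bits")
```

By the pool-and-length arithmetic alone "P@ssw0rd" is worth about 52.6 bits; against the constructed list it is worth about 2.3 bits, because it is the fifth guess. Four random words from a 7776-word list, with no special characters at all, come to about 51.7 bits and are not on any such list.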
24 Multi-factor Authentication (MFA)
MFA, called two-factor authentication (TFA, T-FA or 2FA) when exactly two factors are used, is an approach to authentication that requires the presentation of two or more of the three authentication factors: a knowledge factor ("something only the user knows"), a possession factor ("something only the user has"), and an inherence factor ("something only the user is"). After presentation, each factor must be validated by the other party for authentication to succeed.
25 Multi-factor Authentication (MFA)
- Something only the user knows (e.g., password, PIN, pattern)
- Something only the user has (e.g., ATM card, smart card, mobile phone)
- Something only the user is (e.g., a biometric characteristic such as a fingerprint)
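A two-factor login combining the first two factors above, a password (knowledge) and a time-based one-time password from the customer's phone or token (possession), is shown below as an added example; it is not code from the presentation. The one-time password is RFC 6238 TOTP over HMAC-SHA1, the password is stored as a PBKDF2 hash, and the verifier checks both factors, tolerates one time step of clock drift and refuses a code that has already been accepted. The account class, the test secret (the reference secret from RFC 4226 and RFC 6238) and the fixed clock values are assumptions for the demo.

```python
"""Two-factor login: PBKDF2-hashed password plus RFC 6238 TOTP.

Added example, not code from the presentation. The Account class, the RFC
reference secret and the fixed clock values are assumptions for the demo.
"""
import base64
import hashlib
import hmac
import os
import struct

PBKDF2_ROUNDS = 100_000
STEP_SECONDS = 30       # TOTP time step
WINDOW = 1              # accept codes one step either side, for clock drift


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): dynamically truncated HMAC-SHA1 of the 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=STEP_SECONDS):
    """TOTP (RFC 6238): HOTP with the counter derived from the clock."""
    return hotp(secret, int(unix_time // step))


def provision_secret():
    """A fresh 160-bit secret in the base32 form authenticator apps expect."""
    return base64.b32encode(os.urandom(20)).decode()


class Account:
    def __init__(self, password, totp_secret):
        self.salt = os.urandom(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ROUNDS)
        self.totp_secret = totp_secret
        self.last_counter = -1   # highest counter already accepted, to block replay


def verify_login(account, password, code, unix_time):
    """Validate both factors. Both are always evaluated and the caller learns
    only pass/fail, so a wrong password and a wrong code look the same."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), account.salt, PBKDF2_ROUNDS)
    password_ok = hmac.compare_digest(candidate, account.pw_hash)

    counter = int(unix_time // STEP_SECONDS)
    matched = None
    for c in range(counter - WINDOW, counter + WINDOW + 1):
        # a counter at or below the last accepted one is a replay, even if the code matches
        if c > account.last_counter and hmac.compare_digest(hotp(account.totp_secret, c), code):
            matched = c
            break

    if password_ok and matched is not None:
        account.last_counter = matched   # consume the code only on a fully successful login
        return True
    return False


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC reference secret; use provision_secret() in practice
    acct = Account("correct horse battery", secret)
    code = totp(secret, 59)            # "287082", the RFC 6238 value for T = 59 s
    print(code, verify_login(acct, "correct horse battery", code, 59))
    print(verify_login(acct, "correct horse battery", code, 59))   # replay: False
```

The counter is only recorded after both factors pass, so an attacker who has the password but guesses codes does not burn the legitimate user's current code, while a code that has been used once is dead for the rest of its window even if the attacker captured it.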
26 Questions are welcome. Thank you.