WEBVTT

1
00:00:00.000 --> 00:00:01.460
In this section of the course,

2
00:00:01.460 --> 00:00:05.670
we are going to discuss Access, Authentication,

3
00:00:05.670 --> 00:00:07.560
and Authorization.

4
00:00:07.560 --> 00:00:10.710
The Access, Authentication, and Authorization section

5
00:00:10.710 --> 00:00:15.240
of the course focuses on Domain 2: Security Architecture,

6
00:00:15.240 --> 00:00:18.360
specifically objective 2.4,

7
00:00:18.360 --> 00:00:20.940
which states that given a scenario,

8
00:00:20.940 --> 00:00:23.190
you must be able to apply security

9
00:00:23.190 --> 00:00:26.280
to the design of access, authentication,

10
00:00:26.280 --> 00:00:28.350
and authorization systems.

11
00:00:28.350 --> 00:00:30.210
To keep systems and data safe,

12
00:00:30.210 --> 00:00:32.130
it's important to carefully manage

13
00:00:32.130 --> 00:00:35.190
who can access different parts of the system.

14
00:00:35.190 --> 00:00:36.630
This involves ensuring

15
00:00:36.630 --> 00:00:39.030
that users are assigned privileges

16
00:00:39.030 --> 00:00:42.030
based on their role within the organization,

17
00:00:42.030 --> 00:00:44.880
following a verification of their identity.

18
00:00:44.880 --> 00:00:47.340
Additionally, regularly monitoring

19
00:00:47.340 --> 00:00:49.590
and overseeing access activities

20
00:00:49.590 --> 00:00:52.440
ensures sensitive information remains protected,

21
00:00:52.440 --> 00:00:54.630
and that access remains in accordance

22
00:00:54.630 --> 00:00:57.390
with organizational security policies.

23
00:00:57.390 --> 00:00:59.070
As we go through this section,

24
00:00:59.070 --> 00:01:02.820
we will cover many topics related to Access, Authentication,

25
00:01:02.820 --> 00:01:04.230
and Authorization,

26
00:01:04.230 --> 00:01:07.020
including Access Control Systems,

27
00:01:07.020 --> 00:01:08.490
Access Provision,

28
00:01:08.490 --> 00:01:10.710
Rule-based Access Control,

29
00:01:10.710 --> 00:01:14.310
Role-based Access Control or RBAC,

30
00:01:14.310 --> 00:01:18.480
Identity and Authentication, Access Control Policies,

31
00:01:18.480 --> 00:01:20.850
and Monitoring and Oversight.

32
00:01:20.850 --> 00:01:23.700
First, we will look at Access Control Systems.

33
00:01:23.700 --> 00:01:27.060
Access control systems are mechanisms designed to ensure

34
00:01:27.060 --> 00:01:30.990
that only authorized individuals can access resources

35
00:01:30.990 --> 00:01:34.410
and information based on their identity and permissions.

36
00:01:34.410 --> 00:01:38.310
Access control systems may be classified as either physical

37
00:01:38.310 --> 00:01:40.380
or logical control systems.

38
00:01:40.380 --> 00:01:43.680
Physical access control systems manage the entry

39
00:01:43.680 --> 00:01:47.550
to physical locations, such as buildings or a server room,

40
00:01:47.550 --> 00:01:51.420
using methods such as Radio Frequency Identification,

41
00:01:51.420 --> 00:01:53.430
or RFID key cards,

42
00:01:53.430 --> 00:01:55.320
or biometric scanners.

43
00:01:55.320 --> 00:01:58.980
Logical access control systems manage digital access

44
00:01:58.980 --> 00:02:02.040
to enterprise networks using passwords

45
00:02:02.040 --> 00:02:06.090
or multifactor authentication to verify user identity

46
00:02:06.090 --> 00:02:09.870
and enforce permissions for access to network resources.

47
00:02:09.870 --> 00:02:13.170
Next, we will explore Access Provision.

48
00:02:13.170 --> 00:02:15.630
Access provision is the process of granting

49
00:02:15.630 --> 00:02:20.190
or revoking access rights to resources based on user roles

50
00:02:20.190 --> 00:02:22.710
and their associated permissions.

51
00:02:22.710 --> 00:02:26.490
Access provision concepts include provisioning,

52
00:02:26.490 --> 00:02:31.170
deprovisioning, self-provisioning, and credential issuance.

53
00:02:31.170 --> 00:02:33.390
Provisioning is assigning access rights

54
00:02:33.390 --> 00:02:36.360
and credentials to users based on their roles.

55
00:02:36.360 --> 00:02:38.700
Provisioning assignment may be automated

56
00:02:38.700 --> 00:02:42.180
through self-provisioning systems where users request access

57
00:02:42.180 --> 00:02:44.970
and receive it upon administrator approval.

58
00:02:44.970 --> 00:02:47.910
Deprovisioning involves removing access rights

59
00:02:47.910 --> 00:02:49.680
when they are no longer needed,

60
00:02:49.680 --> 00:02:52.620
such as when an employee leaves the organization.

61
00:02:52.620 --> 00:02:55.290
Credential issuance is the process of creating

62
00:02:55.290 --> 00:02:57.990
and distributing authentication credentials,

63
00:02:57.990 --> 00:03:00.750
such as passwords or security tokens,

64
00:03:00.750 --> 00:03:03.600
which can be used in user authentication.

65
00:03:03.600 --> 00:03:04.650
For example,

66
00:03:04.650 --> 00:03:07.770
a new employee might use a self-provisioning portal

67
00:03:07.770 --> 00:03:10.710
to request access to company systems,

68
00:03:10.710 --> 00:03:13.920
receive credentials through the credential issuance process,

69
00:03:13.920 --> 00:03:16.740
and at the end of their employment with that organization,

70
00:03:16.740 --> 00:03:20.580
have their access revoked via a deprovisioning process.

71
00:03:20.580 --> 00:03:24.150
After that, we will look at Rule-based Access Control.

72
00:03:24.150 --> 00:03:27.630
Rule-based access control is used to manage user access

73
00:03:27.630 --> 00:03:31.230
to resources based on predefined rules and conditions.

74
00:03:31.230 --> 00:03:34.110
An example of a rule-based access control model

75
00:03:34.110 --> 00:03:37.890
is Mandatory Access Control or MAC.

76
00:03:37.890 --> 00:03:41.940
Mandatory access control enforces strict access policies

77
00:03:41.940 --> 00:03:45.000
based on predefined security classifications.

78
00:03:45.000 --> 00:03:46.590
This limits user access

79
00:03:46.590 --> 00:03:49.260
based on the classification of information,

80
00:03:49.260 --> 00:03:51.300
and the user's clearance level.

81
00:03:51.300 --> 00:03:52.920
Other access control models

82
00:03:52.920 --> 00:03:56.640
include Discretionary Access Control or DAC,

83
00:03:56.640 --> 00:04:01.080
and Attribute-based Access Control or ABAC.

84
00:04:01.080 --> 00:04:03.090
Discretionary Access Control

85
00:04:03.090 --> 00:04:07.020
allows resource owners full control of resource access,

86
00:04:07.020 --> 00:04:11.040
enabling them to grant or deny access to their resources.

87
00:04:11.040 --> 00:04:14.970
Attribute-based Access Control uses attributes of users,

88
00:04:14.970 --> 00:04:17.010
resources, and the environment

89
00:04:17.010 --> 00:04:19.980
to determine access permissions dynamically.

90
00:04:19.980 --> 00:04:22.770
For example, in a healthcare setting,

91
00:04:22.770 --> 00:04:26.250
Attribute-based Access Control may provide access

92
00:04:26.250 --> 00:04:30.420
to patient records based on attributes like the user's role,

93
00:04:30.420 --> 00:04:32.640
such as a doctor or a nurse.

94
00:04:32.640 --> 00:04:35.040
It can also grant access based on the type

95
00:04:35.040 --> 00:04:36.870
of patient data requested,

96
00:04:36.870 --> 00:04:40.230
and contextual factors like the time of day.

97
00:04:40.230 --> 00:04:43.920
In this situation, a nurse might access basic information

98
00:04:43.920 --> 00:04:45.750
during regular working hours,

99
00:04:45.750 --> 00:04:48.090
while a doctor may view sensitive data

100
00:04:48.090 --> 00:04:51.960
if it's during their shift, regardless of the time of day.

101
00:04:51.960 --> 00:04:54.668
Next, we will explore Role-based

102
00:04:54.668 --> 00:04:57.651
Access Control or RBAC.

103
00:04:57.651 --> 00:05:00.690
Role-based Access Control manages user access

104
00:05:00.690 --> 00:05:02.040
by assigning permissions

105
00:05:02.040 --> 00:05:05.130
based on the user's role within the organization.

106
00:05:05.130 --> 00:05:07.410
Role-based Access Control is implemented

107
00:05:07.410 --> 00:05:10.170
by defining roles within an organization,

108
00:05:10.170 --> 00:05:13.350
and associating specific permissions with each role.

109
00:05:13.350 --> 00:05:15.720
Users are then assigned to roles,

110
00:05:15.720 --> 00:05:17.610
and their access rights are inherited

111
00:05:17.610 --> 00:05:19.680
from the role they are assigned to.

112
00:05:19.680 --> 00:05:23.070
Following that, we will look at identity and authentication.

113
00:05:23.070 --> 00:05:24.480
Identity and authentication

114
00:05:24.480 --> 00:05:27.120
involves verifying a user's identity

115
00:05:27.120 --> 00:05:29.940
to ensure they're authorized to access resources

116
00:05:29.940 --> 00:05:31.590
and perform actions.

117
00:05:31.590 --> 00:05:35.370
Identity and authentication controls include attestations,

118
00:05:35.370 --> 00:05:39.180
single sign-on, federation, identity providers,

119
00:05:39.180 --> 00:05:40.950
and service providers.

120
00:05:40.950 --> 00:05:43.830
Let's take a moment to explore each of these concepts.

121
00:05:43.830 --> 00:05:46.050
Attestations confirm that a user

122
00:05:46.050 --> 00:05:48.630
or system meets certain security requirements

123
00:05:48.630 --> 00:05:51.960
or policies before access is granted.

124
00:05:51.960 --> 00:05:55.020
Single Sign-on, or SSO, allows users

125
00:05:55.020 --> 00:05:56.580
to authenticate one time

126
00:05:56.580 --> 00:05:59.250
and gain access to multiple resources

127
00:05:59.250 --> 00:06:02.490
and services without having to re-authenticate.

128
00:06:02.490 --> 00:06:05.220
Federation enables different organizations

129
00:06:05.220 --> 00:06:08.280
or domains to share authentication information

130
00:06:08.280 --> 00:06:10.920
and trust each other's identity assertions.

131
00:06:10.920 --> 00:06:15.090
It often uses an Identity Provider to authenticate users

132
00:06:15.090 --> 00:06:16.560
to a service provider

133
00:06:16.560 --> 00:06:19.320
to grant access based on that authentication.

134
00:06:19.320 --> 00:06:23.040
For example, when signing into a third-party application,

135
00:06:23.040 --> 00:06:26.580
like a project management tool using a Google account,

136
00:06:26.580 --> 00:06:28.500
federation allows the application

137
00:06:28.500 --> 00:06:31.320
to trust Google's authentication process.

138
00:06:31.320 --> 00:06:33.870
Google then acts as the identity provider

139
00:06:33.870 --> 00:06:35.130
to verify credentials

140
00:06:35.130 --> 00:06:38.580
and provide an attestation through a secure token

141
00:06:38.580 --> 00:06:39.960
to the application,

142
00:06:39.960 --> 00:06:43.650
which then grants access based on the verified identity.

143
00:06:43.650 --> 00:06:47.250
Next, we will explore Access Control Policies.

144
00:06:47.250 --> 00:06:49.680
Access control policies define the rules

145
00:06:49.680 --> 00:06:51.630
and criteria for granting

146
00:06:51.630 --> 00:06:54.150
or denying access to resources,

147
00:06:54.150 --> 00:06:57.870
ensuring that only authorized users can perform actions

148
00:06:57.870 --> 00:07:00.090
based on their identity and role.

149
00:07:00.090 --> 00:07:04.080
Access control policy concepts include conditional access,

150
00:07:04.080 --> 00:07:07.350
as well as policy decision and enforcement points.

151
00:07:07.350 --> 00:07:10.290
Let's take a moment to dive further into these concepts.

152
00:07:10.290 --> 00:07:13.440
Conditional Access involves enforcing access policies

153
00:07:13.440 --> 00:07:17.370
based on specific conditions, such as the user's location,

154
00:07:17.370 --> 00:07:20.220
device type, or time of access.

155
00:07:20.220 --> 00:07:21.900
Policy Decision Points

156
00:07:21.900 --> 00:07:26.220
evaluate whether access requests meet defined policies,

157
00:07:26.220 --> 00:07:28.290
while Policy Enforcement Points

158
00:07:28.290 --> 00:07:31.920
enforce policy decision point decisions by granting

159
00:07:31.920 --> 00:07:33.720
or denying access.

160
00:07:33.720 --> 00:07:36.780
For example, a company might use conditional access

161
00:07:36.780 --> 00:07:38.130
to restrict access

162
00:07:38.130 --> 00:07:40.200
to sensitive financial systems

163
00:07:40.200 --> 00:07:42.390
based on whether users are connecting

164
00:07:42.390 --> 00:07:44.370
from within the corporate network

165
00:07:44.370 --> 00:07:46.860
or using a remote secure device.

166
00:07:46.860 --> 00:07:48.060
In this scenario,

167
00:07:48.060 --> 00:07:51.810
policy decision points evaluate the access request,

168
00:07:51.810 --> 00:07:54.930
and policy enforcement points implement the decision

169
00:07:54.930 --> 00:07:58.500
by granting or blocking access based on the assessment

170
00:07:58.500 --> 00:08:00.150
of policy conditions.

171
00:08:00.150 --> 00:08:03.150
Finally, we will look at Monitoring and Oversight.

172
00:08:03.150 --> 00:08:06.240
Monitoring and oversight is continuously tracking

173
00:08:06.240 --> 00:08:09.270
and reviewing access, authentication,

174
00:08:09.270 --> 00:08:12.390
and authorization activities to ensure compliance

175
00:08:12.390 --> 00:08:14.010
with security policies

176
00:08:14.010 --> 00:08:18.210
and to detect any unauthorized or anomalous behavior.

177
00:08:18.210 --> 00:08:21.300
Monitoring and oversight concepts include logging

178
00:08:21.300 --> 00:08:22.650
and auditing.

179
00:08:22.650 --> 00:08:25.530
Logging captures detailed records of access

180
00:08:25.530 --> 00:08:27.180
and authentication events,

181
00:08:27.180 --> 00:08:30.480
such as successful logins or access attempts.

182
00:08:30.480 --> 00:08:33.390
The logs are then used to track user activities,

183
00:08:33.390 --> 00:08:34.740
and for troubleshooting.

184
00:08:34.740 --> 00:08:38.100
Auditing involves analyzing logs to assess compliance

185
00:08:38.100 --> 00:08:39.600
with security policies,

186
00:08:39.600 --> 00:08:42.240
and identify potential security breaches

187
00:08:42.240 --> 00:08:44.190
or policy violations.

188
00:08:44.190 --> 00:08:47.940
For example, a company might log all user access

189
00:08:47.940 --> 00:08:49.440
to sensitive systems,

190
00:08:49.440 --> 00:08:51.030
and audit logs to ensure

191
00:08:51.030 --> 00:08:54.660
that access is only granted according to approved policies.

192
00:08:54.660 --> 00:08:57.450
This type of auditing would allow the organization

193
00:08:57.450 --> 00:09:00.060
to detect suspicious activities.

194
00:09:00.060 --> 00:09:02.670
To finish things off, we'll take a short quiz

195
00:09:02.670 --> 00:09:05.580
to see what you learned during this section of the course,

196
00:09:05.580 --> 00:09:08.280
and we will review each of those quiz questions

197
00:09:08.280 --> 00:09:10.200
to fully ensure you can explain

198
00:09:10.200 --> 00:09:12.060
why the right answers were right

199
00:09:12.060 --> 00:09:13.890
and the wrong answers were wrong.

200
00:09:13.890 --> 00:09:17.430
So, let's get ready to dive into Access, Authentication,

201
00:09:17.430 --> 00:09:20.313
and Authorization in this section of the course!

