WEBVTT

1
00:00:00.090 --> 00:00:01.260
In this lesson,

2
00:00:01.260 --> 00:00:04.530
we will learn about access control policies.

3
00:00:04.530 --> 00:00:08.400
Access control policies define the rules and criteria

4
00:00:08.400 --> 00:00:11.670
for granting or denying access to resources,

5
00:00:11.670 --> 00:00:15.780
ensuring that only authorized users can perform actions

6
00:00:15.780 --> 00:00:18.120
based on their identity and role.

7
00:00:18.120 --> 00:00:22.770
Access control policy concepts include conditional access

8
00:00:22.770 --> 00:00:26.520
as well as policy decision and enforcement points.

9
00:00:26.520 --> 00:00:30.210
Let's learn more about these access control policies.

10
00:00:30.210 --> 00:00:32.880
First, we have conditional access.

11
00:00:32.880 --> 00:00:35.340
Conditional access is an advanced way

12
00:00:35.340 --> 00:00:37.260
of managing access control

13
00:00:37.260 --> 00:00:38.940
by enforcing policies

14
00:00:38.940 --> 00:00:42.090
based on specific conditions or criteria.

15
00:00:42.090 --> 00:00:45.870
Instead of relying only on a user's identity or role,

16
00:00:45.870 --> 00:00:48.750
conditional access also considers factors

17
00:00:48.750 --> 00:00:51.810
like the user's location, the device they are using,

18
00:00:51.810 --> 00:00:55.050
or the time of day they are accessing the network.

19
00:00:55.050 --> 00:00:58.230
For example, an organization might restrict access

20
00:00:58.230 --> 00:01:00.150
to sensitive financial data

21
00:01:00.150 --> 00:01:03.090
for users who are either on the corporate network

22
00:01:03.090 --> 00:01:06.000
or using a secure managed device.

23
00:01:06.000 --> 00:01:08.190
If someone tries to access that data

24
00:01:08.190 --> 00:01:11.250
from a personal device or a different location,

25
00:01:11.250 --> 00:01:13.320
the system might block access

26
00:01:13.320 --> 00:01:15.660
or require extra security steps

27
00:01:15.660 --> 00:01:18.180
like multi-factor authentication.

28
00:01:18.180 --> 00:01:21.450
This makes sure access to important resources

29
00:01:21.450 --> 00:01:24.570
is controlled based on real-time conditions,

30
00:01:24.570 --> 00:01:26.490
which improves security.

31
00:01:26.490 --> 00:01:30.120
Microsoft Azure Active Directory Conditional Access

32
00:01:30.120 --> 00:01:32.970
is a popular tool that can control access

33
00:01:32.970 --> 00:01:36.180
based on factors like user identity, location,

34
00:01:36.180 --> 00:01:37.500
and device type.

35
00:01:37.500 --> 00:01:40.800
Second, we have policy decision points.

36
00:01:40.800 --> 00:01:44.160
Policy decision points are where the system decides

37
00:01:44.160 --> 00:01:46.200
if a user's access request

38
00:01:46.200 --> 00:01:49.500
follows a set access control policy.

39
00:01:49.500 --> 00:01:52.200
When a user tries to access a resource,

40
00:01:52.200 --> 00:01:55.290
the policy decision point checks the conditions,

41
00:01:55.290 --> 00:01:59.880
like the user's role, location, device, or time of access,

42
00:01:59.880 --> 00:02:03.210
against the organization's security policies.

43
00:02:03.210 --> 00:02:05.250
If everything meets the policy,

44
00:02:05.250 --> 00:02:08.640
the policy decision point will allow the request,

45
00:02:08.640 --> 00:02:09.780
but if it does not,

46
00:02:09.780 --> 00:02:13.230
the policy decision point will deny the request.

47
00:02:13.230 --> 00:02:16.950
For instance, if a user tries to access work email

48
00:02:16.950 --> 00:02:18.630
outside of work hours,

49
00:02:18.630 --> 00:02:21.210
the policy decision point might see this

50
00:02:21.210 --> 00:02:25.440
as a violation of a policy and deny access.

51
00:02:25.440 --> 00:02:27.810
Essentially, the policy decision point

52
00:02:27.810 --> 00:02:30.240
is the system's decision-making tool,

53
00:02:30.240 --> 00:02:33.240
making sure policies are applied correctly.

54
00:02:33.240 --> 00:02:37.950
Amazon Web Services, or AWS, Identity and Access Management,

55
00:02:37.950 --> 00:02:42.030
is another tool that can be used as a policy decision point,

56
00:02:42.030 --> 00:02:44.070
evaluating access requests

57
00:02:44.070 --> 00:02:47.190
based on user roles and conditions.

58
00:02:47.190 --> 00:02:51.450
Third and finally, we have policy enforcement points.

59
00:02:51.450 --> 00:02:55.050
Once a policy decision point makes a decision,

60
00:02:55.050 --> 00:02:58.200
the policy enforcement point acts on that decision.

61
00:02:58.200 --> 00:03:01.800
The policy enforcement point is in charge of either allowing

62
00:03:01.800 --> 00:03:03.780
or blocking the user's access

63
00:03:03.780 --> 00:03:07.410
based on what the policy decision point has decided.

64
00:03:07.410 --> 00:03:10.230
For example, after the policy decision point

65
00:03:10.230 --> 00:03:11.370
checks a request

66
00:03:11.370 --> 00:03:13.950
and decides that access should be denied

67
00:03:13.950 --> 00:03:15.750
due to the user's location,

68
00:03:15.750 --> 00:03:18.960
the policy enforcement point will block the user

69
00:03:18.960 --> 00:03:21.750
from getting access to that resource.

70
00:03:21.750 --> 00:03:22.770
On the other hand,

71
00:03:22.770 --> 00:03:26.190
if the policy decision point allows the request,

72
00:03:26.190 --> 00:03:29.730
the policy enforcement point will grant access.

73
00:03:29.730 --> 00:03:32.610
In this way, the policy enforcement point

74
00:03:32.610 --> 00:03:34.290
works as a gatekeeper,

75
00:03:34.290 --> 00:03:35.940
ensuring that the decisions

76
00:03:35.940 --> 00:03:39.450
made by the policy decision point are enforced.

77
00:03:39.450 --> 00:03:42.930
Palo Alto Networks Next-Generation Firewall

78
00:03:42.930 --> 00:03:46.650
is a tool that can serve as a policy enforcement point,

79
00:03:46.650 --> 00:03:48.900
enforcing security policies

80
00:03:48.900 --> 00:03:52.890
based on decisions made by policy decision points.

81
00:03:52.890 --> 00:03:56.040
So remember, access control policies

82
00:03:56.040 --> 00:03:57.840
are the rules that determine

83
00:03:57.840 --> 00:04:00.930
whether users can access certain resources

84
00:04:00.930 --> 00:04:03.180
based on their identity and role.

85
00:04:03.180 --> 00:04:07.320
These policies ensure that only authorized individuals

86
00:04:07.320 --> 00:04:11.190
can perform specific actions within a system.

87
00:04:11.190 --> 00:04:14.160
Conditional access, policy decision points,

88
00:04:14.160 --> 00:04:16.110
and policy enforcement points

89
00:04:16.110 --> 00:04:19.440
are key elements in enforcing these policies.

90
00:04:19.440 --> 00:04:22.830
Conditional access adds extra layers of security

91
00:04:22.830 --> 00:04:25.140
by evaluating additional factors

92
00:04:25.140 --> 00:04:29.820
like location or device type before granting access.

93
00:04:29.820 --> 00:04:34.500
Policy decision points make decisions about access requests.

94
00:04:34.500 --> 00:04:38.400
Then, policy enforcement points act on those decisions

95
00:04:38.400 --> 00:04:41.340
by either granting or denying access

96
00:04:41.340 --> 00:04:43.923
based on established policies.

