WEBVTT

1
00:00:00.000 --> 00:00:01.260
In this lesson,

2
00:00:01.260 --> 00:00:04.110
we will learn about access management.

3
00:00:04.110 --> 00:00:07.980
Access management is used to continuously verify

4
00:00:07.980 --> 00:00:12.720
and control user and device access to resources based

5
00:00:12.720 --> 00:00:15.900
on policies and contextual factors.

6
00:00:15.900 --> 00:00:20.130
This is more secure than systems that assume trust based

7
00:00:20.130 --> 00:00:21.960
on a network location.

8
00:00:21.960 --> 00:00:24.450
Access management concepts include,

9
00:00:24.450 --> 00:00:28.890
subject-object relationships, continuous authorization,

10
00:00:28.890 --> 00:00:32.130
and context-based reauthentication.

11
00:00:32.130 --> 00:00:36.030
Let's learn more about these access management concepts.

12
00:00:36.030 --> 00:00:40.230
First, we have subject-object relationships.

13
00:00:40.230 --> 00:00:42.860
Defining subject-object relationships

14
00:00:42.860 --> 00:00:45.630
is the foundation of access management,

15
00:00:45.630 --> 00:00:47.970
because it establishes clear boundaries

16
00:00:47.970 --> 00:00:52.260
for who or what can access specific resources.

17
00:00:52.260 --> 00:00:55.260
Defining subject-object relationships

18
00:00:55.260 --> 00:00:59.220
involves setting up rules that determine how subjects,

19
00:00:59.220 --> 00:01:02.910
such as users, devices, or applications,

20
00:01:02.910 --> 00:01:07.620
can interact with objects like data, files, or systems.

21
00:01:07.620 --> 00:01:11.310
These rules are based on permissions, roles,

22
00:01:11.310 --> 00:01:16.310
and access levels defined within an access control system.

23
00:01:16.530 --> 00:01:18.120
This approach ensures

24
00:01:18.120 --> 00:01:21.840
that access is both appropriate and secure.

25
00:01:21.840 --> 00:01:24.630
For example, imagine a library

26
00:01:24.630 --> 00:01:28.920
where books are the objects and readers are the subjects.

27
00:01:28.920 --> 00:01:32.880
In this scenario, access management means specifying

28
00:01:32.880 --> 00:01:35.460
who can check out which books based

29
00:01:35.460 --> 00:01:38.250
on established rules and permissions.

30
00:01:38.250 --> 00:01:42.930
A librarian with higher permissions can access all books,

31
00:01:42.930 --> 00:01:46.350
including restricted or rare collections.

32
00:01:46.350 --> 00:01:48.990
In contrast, a regular reader

33
00:01:48.990 --> 00:01:51.600
might only be allowed to access general

34
00:01:51.600 --> 00:01:53.670
or publicly available books,

35
00:01:53.670 --> 00:01:57.630
such as fiction or non-restricted non-fiction.

36
00:01:57.630 --> 00:01:59.370
This clear definition

37
00:01:59.370 --> 00:02:02.460
of subject-object relationships ensures

38
00:02:02.460 --> 00:02:05.580
that each subject can only interact

39
00:02:05.580 --> 00:02:08.850
with objects they are authorized to access,

40
00:02:08.850 --> 00:02:12.960
maintaining security and control over the resources.

41
00:02:12.960 --> 00:02:16.830
Second, we have continuous authorization.

42
00:02:16.830 --> 00:02:21.300
Continuous authorization involves the ongoing evaluation

43
00:02:21.300 --> 00:02:24.960
of access permissions throughout a user's session,

44
00:02:24.960 --> 00:02:28.410
rather than checking access rights only once.

45
00:02:28.410 --> 00:02:33.360
Then, continuous monitoring can adapt to changes in context

46
00:02:33.360 --> 00:02:37.860
or security posture, enforcing policies dynamically

47
00:02:37.860 --> 00:02:41.250
as user behavior or circumstances shift.

48
00:02:41.250 --> 00:02:44.820
In a Windows domain, continuous authorization

49
00:02:44.820 --> 00:02:48.600
is implemented using tools like Group Policy

50
00:02:48.600 --> 00:02:50.160
and Active Directory,

51
00:02:50.160 --> 00:02:53.850
which continuously evaluate user permissions,

52
00:02:53.850 --> 00:02:58.850
monitor activities, and enforce access rules in real time.

53
00:02:59.040 --> 00:03:03.660
For example, in a workplace with continuous authorization,

54
00:03:03.660 --> 00:03:04.740
we can imagine

55
00:03:04.740 --> 00:03:08.940
a finance team member accessing financial reports

56
00:03:08.940 --> 00:03:11.430
as part of their normal permissions.

57
00:03:11.430 --> 00:03:13.800
If this person suddenly attempts

58
00:03:13.800 --> 00:03:17.220
to access unrelated or restricted files,

59
00:03:17.220 --> 00:03:19.770
such as human resources records

60
00:03:19.770 --> 00:03:22.500
or executive-level financial data,

61
00:03:22.500 --> 00:03:26.190
the system, which continuously evaluates their actions,

62
00:03:26.190 --> 00:03:29.790
will detect this deviation from expected behavior.

63
00:03:29.790 --> 00:03:33.360
In response, the system might dynamically adjust

64
00:03:33.360 --> 00:03:35.280
the user's access permissions,

65
00:03:35.280 --> 00:03:38.460
restricting their ability to view sensitive data

66
00:03:38.460 --> 00:03:42.570
or temporarily limiting access to specific resources.

67
00:03:42.570 --> 00:03:45.870
The system can also log suspicious activity

68
00:03:45.870 --> 00:03:48.480
and notify security administrators,

69
00:03:48.480 --> 00:03:51.210
allowing them to investigate further.

70
00:03:51.210 --> 00:03:54.300
This ongoing evaluation ensures

71
00:03:54.300 --> 00:03:57.570
that access rights are continually adapted

72
00:03:57.570 --> 00:04:01.020
to the user's behavior, maintaining security

73
00:04:01.020 --> 00:04:05.010
and ensuring that access remains appropriate based

74
00:04:05.010 --> 00:04:08.340
on the user's role and current actions.

75
00:04:08.340 --> 00:04:13.340
Third and finally, we have context-based reauthentication.

76
00:04:13.860 --> 00:04:18.690
Context-based reauthentication enhances access management

77
00:04:18.690 --> 00:04:21.540
by adding an extra layer of security

78
00:04:21.540 --> 00:04:24.660
when certain contextual factors change.

79
00:04:24.660 --> 00:04:28.260
It involves prompting users to reauthenticate

80
00:04:28.260 --> 00:04:31.650
when certain conditions or changes are detected,

81
00:04:31.650 --> 00:04:35.970
such as location shifts or altered security settings.

82
00:04:35.970 --> 00:04:38.190
This helps maintain security

83
00:04:38.190 --> 00:04:40.560
by verifying that the right person

84
00:04:40.560 --> 00:04:43.230
is still accessing the resources.

85
00:04:43.230 --> 00:04:47.670
In a Windows environment, context-based reauthentication

86
00:04:47.670 --> 00:04:50.070
can be implemented using tools

87
00:04:50.070 --> 00:04:52.620
like Conditional Access policies

88
00:04:52.620 --> 00:04:57.240
in Azure Active Directory and Microsoft Endpoint Manager.

89
00:04:57.240 --> 00:04:59.700
These tools allow administrators

90
00:04:59.700 --> 00:05:03.540
to set rules that trigger reauthentication based

91
00:05:03.540 --> 00:05:06.300
on various contextual factors,

92
00:05:06.300 --> 00:05:11.280
such as accessing resources from a new geographical location

93
00:05:11.280 --> 00:05:15.630
or switching from a secure to an insecure connection.

94
00:05:15.630 --> 00:05:19.230
For example, if an employee is working in the office

95
00:05:19.230 --> 00:05:21.300
and then moves to a coffee shop,

96
00:05:21.300 --> 00:05:25.140
the system detects this change in location and network.

97
00:05:25.140 --> 00:05:28.950
Since accessing company resources from a public place

98
00:05:28.950 --> 00:05:30.390
is more vulnerable,

99
00:05:30.390 --> 00:05:33.990
the system might ask the employee to log on again

100
00:05:33.990 --> 00:05:35.940
just to confirm their identity.

101
00:05:35.940 --> 00:05:38.310
This adaptive approach ensures

102
00:05:38.310 --> 00:05:41.550
that access remains appropriate and secure,

103
00:05:41.550 --> 00:05:45.720
especially in new or potentially risky situations.

104
00:05:45.720 --> 00:05:50.720
So remember, access management is a security approach

105
00:05:50.880 --> 00:05:54.360
that continuously verifies and controls access

106
00:05:54.360 --> 00:05:59.010
to resources based on policies and contextual factors,

107
00:05:59.010 --> 00:06:00.750
making it more secure

108
00:06:00.750 --> 00:06:04.080
than simply trusting access by location.

109
00:06:04.080 --> 00:06:06.150
Access management includes,

110
00:06:06.150 --> 00:06:09.090
defining subject-object relationships,

111
00:06:09.090 --> 00:06:13.080
which set clear rules about how users and devices

112
00:06:13.080 --> 00:06:17.280
can interact with resources, while continuous authorization

113
00:06:17.280 --> 00:06:21.120
keeps evaluating access permissions throughout a session,

114
00:06:21.120 --> 00:06:24.480
adapting to changes in behavior or context

115
00:06:24.480 --> 00:06:26.280
to maintain security.

116
00:06:26.280 --> 00:06:29.910
Finally, context-based reauthentication

117
00:06:29.910 --> 00:06:33.900
may require users to confirm their identity again

118
00:06:33.900 --> 00:06:36.300
when specific conditions change,

119
00:06:36.300 --> 00:06:39.870
such as location or security settings.

120
00:06:39.870 --> 00:06:43.950
Together, these concepts ensure access remains secure,

121
00:06:43.950 --> 00:06:48.183
dynamic, and appropriate for any given situation.

