4.3 Explain the importance of data security
Data loss prevention (DLP) : These systems are designed to protect data by way of content inspection. They are meant to stop the leakage of confidential data, often concentrating on communications. There are three types of DLP systems:
Full Disk Encryption : This works by automatically converting data on a hard drive into a form that cannot be understood by anyone who doesn’t have the key to "undo" the conversion. Without the proper authentication key, even if the hard drive is removed and placed in another machine, the data remains inaccessible.
Database Encryption : This allows securing the data as it is inserted into, or retrieved from, the database. The encryption strategy can thus be part of the database design and can be related to data sensitivity and/or user privileges. Selective encryption is possible and can be done at various granularities, such as tables, columns, and rows.
Data encryption. Encryption protects the confidentiality of data on servers just as it can protect the confidentiality of data on mobile devices. It’s possible to selectively encrypt individual files or entire disk volumes.
Mantrap and cipher lock. These are examples of physical security and they can be used to restrict access to a server room.
Proximity lock. This secures the server by locking it when the sensor (say, a Bluetooth device worn by the administrator) is not within a specified distance from the server.
Firewall. Software-based firewalls are commonly used on servers but are extremely rare on mobile devices.
TPM and HSM. Trusted Platform Modules (TPMs) and Hardware Security Modules (HSMs) are hardware encryption devices.
5. Access Control and Identity Management
5.1 Explain the function and purpose of authentication services
Remote Authentication Dial-In User Service (RADIUS) : It provides centralized administration of dial-up, VPN, and wireless authentication and can be used with EAP and 802.1X.
Terminal Access Controller Access-Control System (TACACS) : It is a remote authentication protocol used more often in UNIX networks. In UNIX, the TACACS service is known as the TACACS daemon. The newer and more commonly used implementation of TACACS is called TACACS+. It is not backward compatible with TACACS. TACACS+, and its predecessor XTACACS, were developed by Cisco. TACACS+ uses inbound port 49. TACACS and XTACACS are not commonly seen anymore. The two common protocols used today are RADIUS and TACACS+.
Kerberos : Kerberos is basically an authentication protocol that uses secret-key cryptography for secure authentication. In Kerberos, all authentication takes place between clients and servers. The name Kerberos comes from Greek mythology; it is the three-headed dog that guarded the entrance to Hades. It was developed by the Massachusetts Institute of Technology, USA.
Kerberos requires that the time sources are approximately in synchronization (within 5 minutes) with each other. However, with recent revisions of Kerberos software, this rule has become flexible.
Some of the features of Kerberos authentication system:
Uses client-server based architecture.
The Kerberos server, referred to as the KDC (Key Distribution Center), implements the Authentication Service (AS) and the Ticket Granting Service (TGS).
The term "application server" generally refers to Kerberized programs that clients communicate with using Kerberos tickets for authentication purposes. The Kerberos telnet daemon (telnetd) is an example of an application server.
When the user wants to talk to a Kerberized service, he uses the TGT (Ticket Granting Ticket) to talk to the Ticket Granting Service (TGS, which also runs on the KDC). The TGS verifies the user's identity using the TGT and issues a ticket for the desired service.
The TGT ensures that a user doesn't have to enter their password every time they wish to connect to a Kerberized service. The TGT usually expires after eight hours. If the Ticket Granting Ticket is compromised, an attacker can only masquerade as a user until the ticket expires.
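The ticket flow described above, as an added sketch that is not part of the original notes and is not real Kerberos: HMAC tags stand in for ticket encryption, session keys and authenticators are omitted, and the one-hour service-ticket lifetime and all function names are assumptions.

```python
import hashlib
import hmac
import json

MAX_SKEW = 5 * 60          # clocks must agree to within 5 minutes
TGT_LIFETIME = 8 * 3600    # the TGT usually expires after eight hours
SERVICE_LIFETIME = 3600    # assumed value for this sketch

def seal(key, body):
    """Bind a ticket body to a key with an HMAC tag (stand-in for ticket encryption)."""
    blob = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "tag": hmac.new(key, blob, hashlib.sha256).hexdigest()}

def unseal(key, ticket):
    """Return the ticket body only if its tag verifies under key."""
    if not hmac.compare_digest(seal(key, ticket["body"])["tag"], ticket["tag"]):
        raise PermissionError("ticket altered or sealed under another key")
    return ticket["body"]

def user_proof(user_key, client_time):
    """Client side: prove knowledge of the long-term key without sending it."""
    return hmac.new(user_key, str(client_time).encode(), hashlib.sha256).digest()

class KDC:
    """Runs both the Authentication Service (AS) and the Ticket Granting Service (TGS)."""
    def __init__(self, tgs_key, user_keys, service_keys):
        self.tgs_key, self.user_keys, self.service_keys = tgs_key, user_keys, service_keys

    def as_request(self, user, client_time, proof, now):
        if abs(now - client_time) > MAX_SKEW:      # unsynchronized clocks are refused
            raise PermissionError("clock skew too great")
        if not hmac.compare_digest(user_proof(self.user_keys[user], client_time), proof):
            raise PermissionError("bad credentials")
        return seal(self.tgs_key, {"user": user, "expires": now + TGT_LIFETIME})

    def tgs_request(self, tgt, service, now):
        body = unseal(self.tgs_key, tgt)           # TGT replaces the password here
        if now >= body["expires"]:
            raise PermissionError("TGT expired")
        expires = min(body["expires"], now + SERVICE_LIFETIME)
        return seal(self.service_keys[service],
                    {"user": body["user"], "service": service, "expires": expires})

def service_accepts(service_key, ticket, now):
    """Application server: accept only an unexpired ticket sealed under its own key."""
    body = unseal(service_key, ticket)
    return body["user"] if now < body["expires"] else None
```

A stolen TGT passes `tgs_request` until `expires`, which is the bound on masquerading the notes describe.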
The following are the important properties of Kerberos:
LDAP (Lightweight Directory Access Protocol) : It contains the directory for a network and allows for a single point of user management of that directory.
5.2 Explain the fundamental concepts and best practices related to authentication, authorization and access control
Computer based access controls prescribe not only who or what process may have access to a given resource, but also the type of access that is permitted. These controls may be implemented in the computer system or in external devices. Different types of access control are:
Mandatory Access Control (MAC) secures information by assigning sensitivity labels to objects (resources) and comparing these to the level of sensitivity a subject (user) is operating at. MAC ensures that users only have access to data for which they have a matching or greater security label (or security clearance). In general, MAC access control mechanisms are more secure than DAC. MAC is usually appropriate for extremely secure systems, including multilevel secure military applications or mission-critical data applications.
Discretionary Access Control (DAC): Discretionary Access Control (DAC) is a means of restricting access to information based on the identity of users and/or membership in certain groups. Access decisions are typically based on the authorizations granted to a user based on the credentials he presented at the time of authentication (user name, password, hardware/software token, etc.). In most typical DAC models, the owner of information or any resource is able to change its permissions at his discretion. DAC has the drawback of the administrators not being able to centrally manage these permissions on files/information stored on the web server.
Role Based Access Control (RBAC): In Role-Based Access Control (RBAC), access decisions are based on an individual's roles and responsibilities within the organization. For instance, in a corporation, the different roles of users may include those such as chief executive, manager, executive, and clerk. Obviously, these members require different levels of access in order to perform their functions, but also the types of web transactions and their allowed context vary greatly depending on the security policy. In Role Based Access Control, the administrator sets the roles. Therefore, this type of access control is sometimes considered as a subset of MAC.
Rule Based Access Control (RBAC): Access to a resource in Rule Based Access Control is based on a set of rules. ACLs (Access Control Lists) are used for this type of access control. In Rule Based Access Control, the administrator sets the rules. Therefore, this type of access control is sometimes considered as a subset of MAC.
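The four models side by side, as an added example that is not part of the original notes: each function makes its decision from the input that model uses, and it shows who is allowed to change the policy. The level names, role permissions, rule contents and all identifiers are constructed for illustration.

```python
# MAC: labels are fixed by the system; the subject needs matching or greater clearance.
LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top-secret": 3}

def mac_allows(clearance, label):
    return LEVELS[clearance] >= LEVELS[label]

class DacObject:
    """DAC: the owner grants access at their own discretion; nobody else may."""
    def __init__(self, owner):
        self.owner = owner
        self.acl = {owner: {"read", "write"}}

    def grant(self, actor, user, perms):
        if actor != self.owner:
            raise PermissionError("only the owner may change permissions")
        self.acl.setdefault(user, set()).update(perms)

    def allows(self, user, perm):
        return perm in self.acl.get(user, set())

# Role-based: the administrator defines the roles; users only hold them.
ROLE_PERMS = {
    "clerk": {"read_ledger"},
    "manager": {"read_ledger", "approve_payment"},
}

def rbac_allows(user_roles, perm):
    return any(perm in ROLE_PERMS.get(role, set()) for role in user_roles)

# Rule-based: an ordered ACL set by the administrator.
# The first matching rule decides; a request that matches nothing is denied.
RULES = [
    ("deny", lambda req: req["hour"] < 8 or req["hour"] >= 18),
    ("allow", lambda req: req["src"].startswith("10.0.")),
]

def rule_allows(req):
    for action, matches in RULES:
        if matches(req):
            return action == "allow"
    return False
```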