Research Paper

Considering the importance of data in an organization, it is absolutely essential to secure the data present in the database. What are the strategic and technical security measures for good database security? Be sure to discuss at least one security model to properly develop databases for organizational security. Create a diagram of a security model for your research paper.

Your paper should meet the following requirements:

  • Be approximately four to six pages in length, not including the required cover page and reference page.
  • Follow APA7 guidelines. Your paper should include an introduction, a body with fully developed content, and a conclusion.
  • Support your answers with the readings from the course and at least two scholarly journal articles to support your positions, claims, and observations, in addition to your textbook. The UC Library is a great place to find resources.
  • Be clear and well-written, concise, and logical, using excellent grammar and style techniques. You are being graded in part on the quality of your writing.

4 pages needed, More than 2 references (recent articles)

Chapter 14
Controlling and Monitoring Access

Comparing Access Control Models

Comparing Permissions, Rights, and Privileges

Understanding Authorization Mechanisms

Defining Requirements with a Security Policy

Implementing Defense in Depth

Summarizing Access Control Models

Discretionary Access Controls

Nondiscretionary Access Controls

overview

Comparing Permissions, Rights, and Privileges
Permissions

Access granted for an object

Rights

Ability to take action on an object

Privileges

Combination of rights and permissions

Understanding Authorization Mechanisms

Implicit deny

Access control matrix

Capability tables

Constrained interface

Content-dependent control

Context-dependent control

Need to know

Least privilege

Separation of duties and responsibilities

Defining Requirements with a Security Policy

Clarifies requirements

Shows senior leadership support

Sets guidelines and parameters

Implementing Defense in Depth
Protects against single-focused attacks
Document in security policy
Personnel are key
Uses combined solution approach

Summarizing Access Control Models
Discretionary Access Control (DAC)
Role Based Access Control (RBAC)
Rule-based access control (rule BAC)
Attribute Based Access Control (ABAC)
Mandatory Access Control (MAC)

Discretionary Access Controls
Owner, creator, custodian define access
Based on identity
Uses ACLs on each object
Not centrally managed
Supports change

Nondiscretionary Access Controls
Centrally administered
Changes affect entire environment
Not based on identity, instead uses rules
Less flexible

Role Based Access Control
Based on subject’s role or assigned tasks
Enforces principle of least privilege
Related to job descriptions and work functions
Useful in dynamic environments
Often implemented using groups (via DAC)
Task based access control (TBAC)

Rule-Based Access Controls
Rules, restrictions, filters
Global rules apply to all subjects
Firewall and router rules/filters

Attribute Based Access Controls
Characteristics are used to determine rule applications
Can relate to users, groups, network, or devices

Mandatory Access Control
Based on classifications
Top Secret, Secret, Confidential
Confidential/Proprietary, Private, Sensitive, Public
Need to know
Prohibitive rather than permissive
Hierarchical
Compartmentalization
Hybrid

Understanding Access Control Attacks
Risk Elements
Identifying Assets
Identifying Threats
Threat Modeling Approaches
Identifying Vulnerabilities
Common Access Control Attacks
Summary of Protection Methods
overview

Risk Elements
Risk
Assets
Threat
Vulnerability
Risk Management

Identifying Assets
Asset valuation
Tangible value
Intangible value
Cost-benefit analysis

Identifying Threats
Threat modeling
Secure by Design, Secure by Default, Secure in Deployment and Communication (SD3+C)
Goals:
Reduce number of defects
Reduce severity of remaining defects
Advanced Persistent Threat (APT)

Threat Modeling Approaches
Focused on assets
Focused on attackers
Focused on software

Identifying Vulnerabilities
Vulnerability analysis
Weakness to threat
Technical and administrative
Vulnerability scans

Common Access Control Attacks 1/2
Impersonation
Access aggregation
Password
Dictionary
Brute force
Birthday
Rainbow table
Sniffer

Common Access Control Attacks 2/2
Spoofing
Social engineering
Phishing
Drive-by download
Spear phishing
Whaling
Vishing
Smartcard
Side-channel attack

Summary of Protection Methods
Control physical access and electronic access
Create a strong password policy
Hash and salt passwords
Use password masking
Deploy multifactor authentication
Use account lockout controls
Use last logon notification
Educate users about security

Conclusion
Read the Exam Essentials
Review the chapter
Perform the Written Labs
Answer the Review Questions

Chapter 13
Managing Identity and Authentication

Controlling Access to Assets

Assets:

Information, systems, devices, facilities, personnel

Comparing Subjects and Objects

The CIA Triad

Types of Access Control

Preventative

Detective

Corrective

Deterrent

Recovery

Directive

Compensating

Administrative, logical/technical, physical

Comparing Identification and Authentication 1/5

Identification and Authentication

Registration and Proofing of Identity

Authorization and Accountability

Authentication Factors

Type 1: Something you know

Type 2: Something you have

Type 3: Something you are

Somewhere you are

Context-aware authentication

Comparing Identification and Authentication 2/5

Passwords

Strong passwords

Age, complexity, length, history

Passphrases

Cognitive

Smartcards

Common Access Card (CAC)

Personal Identity Verification (PIV) card

Comparing Identification and Authentication 3/5

Tokens

One-time passwords

Synchronous Dynamic Password Tokens

Asynchronous Dynamic Password Tokens

Two-step authentication

Hash message authentication code (HMAC)

Time-based One-Time Password (TOTP)

Email or SMS PIN challenge

Comparing Identification and Authentication 4/5
Biometrics
Fingerprints, face, retina, iris, palm, hand geometry, heart/pulse, voice, signature, keystroke
Errors:
Type 1: False Rejection Rate (FRR)
Type 2: False Acceptance Rate (FAR)
Crossover error rate (CER)
Enrollment
Reference profile/template
Throughput rate

Comparing Identification and Authentication 5/5
Multifactor Authentication
Device Authentication
Device fingerprinting
802.1x
Service Authentication
Application accounts

Implementing Identity Management 1/2
Centralized vs. decentralized
Single Sign-On
LDAP and PKI
Kerberos
KDC, TGT, ST
Federated Identity Management
Security Assertion Markup Language (SAML),
Service Provisioning Markup Language (SPML),
Extensible Access Control Markup Language (XACML)
OAuth 2.0, OpenID, OpenID Connect
Scripted access

Implementing Identity Management 2/2
Credential Management Systems
Integrating Identity Services
Identity and access as a service (IDaaS)
Managing Sessions
AAA Protocols
Remote Authentication Dial-in User Service (RADIUS)
Terminal Access Controller Access-Control System (TACACS)
Diameter

Managing the Identity and Access Provisioning Lifecycle
Provisioning
Account Review
Excessive privilege
Privilege creep
Account Revocation

Conclusion
Read the Exam Essentials
Review the chapter
Perform the Written Labs
Answer the Review Questions
