1
00:00:00,240 --> 00:00:03,780
So let's start with part two of identity and access management.
2
00:00:04,910 --> 00:00:08,000
We'll discuss authorization and accountability first.
3
00:00:08,980 --> 00:00:15,100
So authorization decides who is allowed to perform what. For example, on a system, you can create
4
00:00:15,100 --> 00:00:19,240
different groups of users: you can have normal users who can only view their account.
5
00:00:19,660 --> 00:00:23,690
Then you can have administrators who can create, view and delete user accounts.
6
00:00:24,130 --> 00:00:25,900
However, these are broad categories.
7
00:00:25,900 --> 00:00:31,080
So you have divided users into broad categories and those categories have predefined privileges.
8
00:00:31,090 --> 00:00:33,790
You can even be more fine grained with your authorization.
9
00:00:34,030 --> 00:00:39,400
You can go down to the file level and check, if a user accesses a file, whether he has appropriate
10
00:00:39,400 --> 00:00:40,280
permissions or not.
11
00:00:40,570 --> 00:00:45,420
So if a user tries to write to a file on which he has only read-only access, then that won't work.
12
00:00:47,080 --> 00:00:53,320
Accountability refers to logging user activities, because, remember, accountability
13
00:00:53,320 --> 00:00:59,620
can only be done once a user has been identified and authenticated, because only then will you have
14
00:00:59,620 --> 00:01:00,430
non-repudiation.
15
00:01:01,300 --> 00:01:05,740
Now, this is done through audits of logs and accounts to identify any violations.
16
00:01:07,290 --> 00:01:12,780
Need-to-know is an important concept in authorization. The basic idea is that you should always give
17
00:01:12,780 --> 00:01:17,790
a subject the minimum amount of data or information that he or she needs to complete their job.
18
00:01:18,360 --> 00:01:23,550
Now, this ensures that every subject has got the least privileges that he or she needs to complete the
19
00:01:23,550 --> 00:01:24,300
job duties.
20
00:01:24,690 --> 00:01:29,370
It's a fundamental idea in cybersecurity to provide least privilege.
21
00:01:31,020 --> 00:01:36,000
As an example, let's say you have an administrator who has almost universal access to different
22
00:01:36,000 --> 00:01:37,000
parts of your system.
23
00:01:37,200 --> 00:01:42,060
He can even create, modify or delete user accounts and he can manage a lot of different databases.
24
00:01:42,600 --> 00:01:46,500
Does he really need to be able to view employee salary information?
25
00:01:47,160 --> 00:01:48,270
So that's the question.
26
00:01:48,480 --> 00:01:53,230
You only give privileges which are actually required by that person to fulfill his job.
27
00:01:53,580 --> 00:01:55,650
You should limit the privileges to a minimum.
28
00:01:56,340 --> 00:02:02,310
Similarly, if you have a user who needs to read a file in order to perform the job duties, you should
29
00:02:02,310 --> 00:02:03,890
only give read-only access.
30
00:02:03,900 --> 00:02:09,360
You should not give read and write access, because these types of privileges, if they are left unchecked,
31
00:02:09,360 --> 00:02:11,760
can cause serious cybersecurity repercussions.
32
00:02:11,760 --> 00:02:13,650
Later on, they can be abused.
33
00:02:16,270 --> 00:02:21,670
Another important concept in organizations is privilege creep. This happens when someone accumulates
34
00:02:21,670 --> 00:02:26,990
privileges over time as their role changes or as they move vertically up the organization.
35
00:02:27,580 --> 00:02:33,070
However, ideally, whenever someone gets new responsibilities, they get new privileges, but their
36
00:02:33,070 --> 00:02:36,050
old privileges should be reviewed and revoked accordingly.
37
00:02:36,400 --> 00:02:38,030
But this doesn't happen often.
38
00:02:38,770 --> 00:02:43,210
So an example could be you have a sales assistant who moves on to become a network administrator and then
39
00:02:43,210 --> 00:02:49,120
a security administrator, but he still retains privileges to access the sales systems despite his lack
40
00:02:49,120 --> 00:02:49,960
of need to do so.
41
00:02:50,140 --> 00:02:54,730
Now, this usually happens because organizations don't have accountability processes in place.
42
00:02:57,990 --> 00:03:02,430
Now accountability basically refers to holding people responsible for their actions.
43
00:03:02,880 --> 00:03:08,490
This is enforced through log audits, account audits and an interesting concept, which is job rotation.
44
00:03:09,150 --> 00:03:13,950
So the basic idea of job rotation is that once in a while you rotate people among jobs.
45
00:03:15,050 --> 00:03:20,090
The problem stems from the fact that if there is someone who has been performing a role for a very long
46
00:03:20,090 --> 00:03:26,150
time, it is difficult to obtain visibility into what exactly he is doing or if he is, you know, violating
47
00:03:26,150 --> 00:03:26,800
any rules.
48
00:03:27,410 --> 00:03:33,080
But when you rotate people once in a while, this allows for the new employee or a different employee
49
00:03:33,080 --> 00:03:36,010
to gain visibility into the actions of the predecessor.
50
00:03:36,290 --> 00:03:38,540
And this can sometimes expose problems.
51
00:03:39,350 --> 00:03:45,440
Now, please remember, accountability can only be enforced if we have non-repudiation, that is, the subject
52
00:03:45,440 --> 00:03:47,990
must have completed identification and authentication.
53
00:03:48,260 --> 00:03:53,450
Only then can we be sure that it was specifically the subject who was performing this task.
54
00:03:55,430 --> 00:04:00,810
There are a number of sources of information which can help with the accountability process. For example,
55
00:04:00,810 --> 00:04:06,770
if you have network logs, which contain router and switch logs, and can also be firewall logs, they
56
00:04:06,770 --> 00:04:10,230
can show if a user has, for example, visited a particular website,
57
00:04:10,280 --> 00:04:12,830
what sessions were created by that user and so on.
58
00:04:13,700 --> 00:04:20,540
We also have database logs which basically log and monitor queries recorded, files accessed and any
59
00:04:20,540 --> 00:04:21,360
modifications.
60
00:04:21,769 --> 00:04:27,200
So, for example, if a part of your sensitive database has been modified or deleted, you can simply
61
00:04:27,200 --> 00:04:30,890
refer to database logs and see which user executed those queries.
62
00:04:31,460 --> 00:04:36,890
Similarly, we have application logs which basically record exceptions, crashes and anomalies.
63
00:04:36,920 --> 00:04:41,870
So if you have an inside user who's trying to crash your web server, he's definitely going to leave
64
00:04:41,870 --> 00:04:43,590
a footprint in application logs.
65
00:04:44,180 --> 00:04:48,650
Similarly, you have system logs which refer to recorded information at the end stations.
66
00:04:49,040 --> 00:04:52,330
This refers to any resources used, any applications executed.
67
00:04:52,760 --> 00:04:57,770
This can even expose if a user has installed applications which were otherwise prohibited according
68
00:04:57,770 --> 00:04:59,690
to the organization's policy.
69
00:05:00,500 --> 00:05:01,700
This concludes our lecture.
70
00:05:02,180 --> 00:05:03,380
I'll see you in the next one.