All language subtitles for 005 Identity and Access Management II_en

1
00:00:00,240 --> 00:00:03,780
So let's start with part two of identity and access management.

2
00:00:04,910 --> 00:00:08,000
We'll discuss authorisation and accountability first.

3
00:00:08,980 --> 00:00:15,100
So authorisation decides who is allowed to perform what. For example, on a system, you can create

4
00:00:15,100 --> 00:00:19,240
different groups of users; you can have normal users who can only view their account.

5
00:00:19,660 --> 00:00:23,690
Then you can have administrators who can create, view and delete user accounts.

6
00:00:24,130 --> 00:00:25,900
However, these are broad categories.

7
00:00:25,900 --> 00:00:31,080
So you have divided users into broad categories and those categories have predefined privileges.

8
00:00:31,090 --> 00:00:33,790
You can even be more fine-grained with your authorization.

9
00:00:34,030 --> 00:00:39,400
You can go down to the file level and see, if a user accesses a file, whether he has appropriate

10
00:00:39,400 --> 00:00:40,280
permissions or not.

11
00:00:40,570 --> 00:00:45,420
So if a user tries to write to a file on which he has only read-only access, then that won't work.

12
00:00:47,080 --> 00:00:53,320
Accountability refers to logging user activities for accountability because, remember, accountability

13
00:00:53,320 --> 00:00:59,620
can only be done once a user has been identified and authenticated, because only then will you have non-

14
00:00:59,620 --> 00:01:00,430
repudiation.

15
00:01:01,300 --> 00:01:05,740
Now, this is done through audits of logs and accounts to identify any violations.

16
00:01:07,290 --> 00:01:12,780
Need to know is an important concept in authorization. The basic idea is that you should always give

17
00:01:12,780 --> 00:01:17,790
a subject the minimum amount of data or information that he or she needs to complete their job.

18
00:01:18,360 --> 00:01:23,550
Now, this ensures that every subject has got the least privileges that he or she needs to complete the

19
00:01:23,550 --> 00:01:24,300
job duties.

20
00:01:24,690 --> 00:01:29,370
It's the fundamental idea in cybersecurity to provide least privileges.

21
00:01:31,020 --> 00:01:36,000
As an example, let's say you have an administrator who has almost universal access to different

22
00:01:36,000 --> 00:01:37,000
parts of your system.

23
00:01:37,200 --> 00:01:42,060
He can even create, modify or delete user accounts and he can manage a lot of different databases.

24
00:01:42,600 --> 00:01:46,500
Does he really need to be able to view employee salary information?

25
00:01:47,160 --> 00:01:48,270
So that's the question.

26
00:01:48,480 --> 00:01:53,230
You only give privileges which are actually required by that person to fulfill his job.

27
00:01:53,580 --> 00:01:55,650
You should limit the privileges to a minimum.

28
00:01:56,340 --> 00:02:02,310
Similarly, if you have a user who needs to read a file in order to perform the job duties, you should

29
00:02:02,310 --> 00:02:03,890
only give read-only access.

30
00:02:03,900 --> 00:02:09,360
You should not give read and write access, because these types of privileges, if they are left unchecked,

31
00:02:09,360 --> 00:02:11,760
can cause serious cybersecurity repercussions.

32
00:02:11,760 --> 00:02:13,650
Later on, they can be abused.

33
00:02:16,270 --> 00:02:21,670
Another important concept in organizations is privilege creep. This happens when someone accumulates

34
00:02:21,670 --> 00:02:26,990
privileges over time as their role changes or as they move vertically up the organization.

35
00:02:27,580 --> 00:02:33,070
However, ideally, whenever someone gets new responsibilities, they get new privileges, but their

36
00:02:33,070 --> 00:02:36,050
old privileges should be reviewed and revoked accordingly.

37
00:02:36,400 --> 00:02:38,030
But this doesn't happen often.

38
00:02:38,770 --> 00:02:43,210
So an example could be: you have a sales assistant who moves on to become network administrator and then

39
00:02:43,210 --> 00:02:49,120
a security administrator, but he still retains privileges to access the sales systems despite his lack

40
00:02:49,120 --> 00:02:49,960
of need to do so.

41
00:02:50,140 --> 00:02:54,730
Now, this usually happens because organizations don't have accountability processes in place.

42
00:02:57,990 --> 00:03:02,430
Now, accountability basically refers to holding people responsible for their actions.

43
00:03:02,880 --> 00:03:08,490
This is enforced through log audits, account audits and an interesting concept, which is job rotation.

44
00:03:09,150 --> 00:03:13,950
So the basic idea of job rotation is that once in a while you rotate people among jobs.

45
00:03:15,050 --> 00:03:20,090
The problem stems from the fact that if there is someone who has been performing a role for a very long

46
00:03:20,090 --> 00:03:26,150
time, it is difficult to obtain visibility into what exactly he is doing or whether he is, you know, violating

47
00:03:26,150 --> 00:03:26,800
any rules.

48
00:03:27,410 --> 00:03:33,080
But when you rotate people once in a while, this allows the new employee or a different employee

49
00:03:33,080 --> 00:03:36,010
to gain visibility into the actions of the predecessor.

50
00:03:36,290 --> 00:03:38,540
And this can sometimes expose problems.

51
00:03:39,350 --> 00:03:45,440
Now, please remember, accountability can only be enforced if we have non-repudiation, that is, the subject

52
00:03:45,440 --> 00:03:47,990
must have done identification and authentication.

53
00:03:48,260 --> 00:03:53,450
Only then can we be sure that it was specifically that subject which was performing this task.

54
00:03:55,430 --> 00:04:00,810
There are a number of sources of information which can help with the accountability process. For example,

55
00:04:00,810 --> 00:04:06,770
if you have network logs, which contain router and switch logs, and that can be firewall logs too, now they

56
00:04:06,770 --> 00:04:10,230
can show if a user has, for example, visited a particular Web site,

57
00:04:10,280 --> 00:04:12,830
what are the sessions created by that user, and so on.

58
00:04:13,700 --> 00:04:20,540
We also have database logs, which basically log and monitor queries recorded, files accessed and any

59
00:04:20,540 --> 00:04:21,360
modifications.

60
00:04:21,769 --> 00:04:27,200
So, for example, if a part of your sensitive database has been modified or deleted, you can simply

61
00:04:27,200 --> 00:04:30,890
refer to database logs and see which user executed those queries.

62
00:04:31,460 --> 00:04:36,890
Similarly, we have application logs, which basically record exceptions, crashes and anomalies.

63
00:04:36,920 --> 00:04:41,870
So if you have an inside user who's trying to crash your Web server, he's definitely going to leave

64
00:04:41,870 --> 00:04:43,590
a footprint in application logs.

65
00:04:44,180 --> 00:04:48,650
Similarly, you have system logs, which refer to recorded information at the end stations.

66
00:04:49,040 --> 00:04:52,330
This refers to any resources used, any applications executed.

67
00:04:52,760 --> 00:04:57,770
This can even expose if a user has installed applications which were otherwise prohibited according

68
00:04:57,770 --> 00:04:59,690
to the organization's policy.

69
00:05:00,500 --> 00:05:01,700
This concludes our lecture.

70
00:05:02,180 --> 00:05:03,380
I'll see you in the next one.
