Authorization is the final step in the access control process. Once an individual successfully authenticates to a system, authorization determines the privileges that individual has to access resources and information. After completing this video, you will understand the basics of authorization, including the principles of least privilege and separation of duties.
- [Voiceover] Authorization is the final step in the access control process. Once an individual successfully authenticates to a system, authorization determines the privileges that individual has to access resources and information. There are many different authorization approaches, and we'll discuss those in this course. First, let's talk about two general principles of authorization that lead to strong security. First, the principle of least privilege. This principle states that "an individual should have only the minimum set of permissions necessary to accomplish his or her job duties."
Least privilege is important for two reasons. First, least privilege minimizes the potential damage from an insider attack. If an employee turns malicious, the damage they can cause will be limited by the privileges assigned to them by a job role. It's unlikely for example, that an accountant would be able to deface the company website, because an accountant's job responsibilities have nothing to do with updating web content. Second, least privilege limits the ability of an external attacker to quickly gain privileged access when compromising an employee's account.
Unless they happen to compromise a system administrator's account, they will find themselves limited by the privileges of the account that they steal. The second important principle is separation of duties. This principle states that sensitive business functions should require the involvement of at least two people. This reduces the likelihood of fraud, by requiring collusion between two employees to commit fraud. One common example of separation of duties, is found in accounting departments.
One way that employees might steal funds from the organization, is to set up fake vendors in the system, and then issue checks to those vendors for services that were never rendered. To prevent this, organizations typically separate the ability to set up a new vendor, and issue a check to that vendor, and say that no employee should ever have both of those privileges. Organizations must watch out for privilege creep when trying to follow the principles of least privilege and separation of duties. Privilege creep occurs when users change from one job to another, and gain new privileges, associated with their new responsibilities, but never lose the privileges from the job that they left.
Over time, an employee who moves around from role to role, may gain substantial privileges in this way. Consider the example of Alice. Alice starts as a clerk in the accounting department, where she is responsible for issuing checks to vendors. There, she has the issue check privilege. After a few years, Alice receives a promotion to a supervisory accountant position, and gains responsibility for setting up new vendors in the system. Nobody ever takes away her old privileges.
Alice now has the ability to both set up a new vendor and issue checks, a violation of both least privilege and separation of duties. Organizations looking to preserve the principles of least privilege and separation of duties should perform regular account reviews. These may come in both manual and automated forms. For example, an automated process might run every time a user is granted new privileges, to ensure that the new privileges won't violate any separation of duties requirements.
The organization might supplement these automated checks with quarterly access reviews, where managers manually review the permissions assigned to each employee for compliance with the principle of least privilege. Maintaining authorization systems is a critical task for security professionals. The CISSP exam might contain a question asking you to review a scenario and describe what authorization principle is being described. Be sure to know the difference between least privilege and separation of duties, so that you're ready for those exam questions.
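The automated grant-time check and the quarterly access review described above, as an added example that is not part of the course or its materials. The role names, privilege names and the single conflicting pair (`setup_vendor` / `issue_check`) are constructed to mirror the accounting scenario; a real organization would load them from its identity and access management policy. The example carries the Alice story through three variants: a promotion done correctly, a promotion where the old role is not revoked (the grant-time check refuses it), and an account provisioned before any check existed (the access review catches it).

```python
"""Separation-of-duties enforcement and privilege-creep review.

Added illustration, not code from the course. Roles, privileges and the
conflicting pair below are constructed for the accounting example.
"""
from dataclasses import dataclass, field

# Pairs of privileges that must never sit on one account (separation of duties).
SOD_CONFLICTS = {frozenset({"setup_vendor", "issue_check"})}

# Privileges each job role legitimately needs (the least-privilege baseline).
ROLE_PRIVILEGES = {
    "accounting_clerk": {"issue_check", "view_ledger"},
    "supervisory_accountant": {"setup_vendor", "approve_expense", "view_ledger"},
    "web_editor": {"update_web_content"},
}


class SeparationOfDutiesViolation(Exception):
    """Raised when a grant would combine two conflicting privileges."""


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    privileges: set = field(default_factory=set)


def sod_violations(privileges):
    """Return every conflicting pair that is fully present in the privilege set."""
    return {pair for pair in SOD_CONFLICTS if pair <= privileges}


def _enforce_sod(user, proposed):
    """Refuse a proposed privilege set if it contains a conflicting pair."""
    conflicts = sod_violations(proposed)
    if conflicts:
        pairs = "; ".join(" + ".join(sorted(p)) for p in sorted(conflicts, key=sorted))
        raise SeparationOfDutiesViolation(f"{user.name} would hold {pairs}")


def grant(user, *new_privileges):
    """Automated check that runs on every grant; applied atomically (all or nothing)."""
    proposed = user.privileges | set(new_privileges)
    _enforce_sod(user, proposed)
    user.privileges = proposed


def change_role(user, old_role, new_role, revoke_old=True):
    """Move a user between roles.

    revoke_old=True is the least-privilege procedure: the old role's privileges
    are dropped before the new ones are added. revoke_old=False reproduces the
    mistake in the Alice story, and the same SoD check then refuses the change.
    """
    kept = set(user.privileges)
    if old_role is not None and revoke_old:
        kept -= ROLE_PRIVILEGES[old_role]
    proposed = kept | ROLE_PRIVILEGES[new_role]
    _enforce_sod(user, proposed)          # raises before any state changes
    user.privileges = proposed
    user.roles.discard(old_role)
    user.roles.add(new_role)


def access_review(user):
    """Periodic review: compare held privileges with what current roles justify.

    'excess' is privilege creep (a least-privilege finding); 'sod' lists
    conflicting pairs that slipped past grant-time checks.
    """
    justified = set().union(*(ROLE_PRIVILEGES[r] for r in user.roles))
    return {"excess": user.privileges - justified, "sod": sod_violations(user.privileges)}


def demo():
    # Alice promoted the right way: clerk privileges are revoked on promotion.
    alice = User("alice")
    change_role(alice, None, "accounting_clerk")
    change_role(alice, "accounting_clerk", "supervisory_accountant")

    # Bob: same promotion, but nobody revokes the old role; the grant is refused
    # and Bob keeps only his clerk privileges.
    bob = User("bob")
    change_role(bob, None, "accounting_clerk")
    try:
        change_role(bob, "accounting_clerk", "supervisory_accountant", revoke_old=False)
        bob_refused = False
    except SeparationOfDutiesViolation:
        bob_refused = True

    # Carol: provisioned by hand before the automated check existed; only the
    # quarterly access review catches both findings.
    carol = User("carol", roles={"supervisory_accountant"},
                 privileges=ROLE_PRIVILEGES["accounting_clerk"]
                 | ROLE_PRIVILEGES["supervisory_accountant"])
    return {"alice": alice, "bob": bob, "bob_refused": bob_refused,
            "carol_review": access_review(carol)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The grant-time check evaluates the whole proposed privilege set before touching the account, so a refused change leaves nothing half-applied. The review function is deliberately separate: it assumes nothing about how privileges were granted and so also covers accounts that predate the automated control.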