Effective access control systems enforce the principle of accountability. Each action taken on a system can be clearly traced back to an individual user without any ambiguity. Administrators can clearly tell who performed an action and the individual cannot deny responsibility for that action. In this video, learn how access control systems enforce accountability.
- [Instructor] Effective access control systems enforce the principle of accountability. Accountability means that every action taken on a system can be clearly traced back to an individual user without any ambiguity. Administrators can clearly tell who performed an action, and the individual can't deny responsibility for that action. There are two prerequisites for ensuring accountability, and they are two of the fundamental requirements for any access control system. The first is identification.
Each user of the system must be identified by a unique identifier, such as a username. The system and organizational policies must not allow the use of any shared departmental or generic accounts. If two individuals do share an account, the system cannot distinguish between them, and either of the two users can simply blame the other for any action taken under the shared account. Without identification, there is no accountability. The second important principle is authentication.
Every account on the system must be protected by strong authentication that prevents unauthorized users from gaining access. If the system uses single-factor authentication using weak passwords, a user accused of inappropriate activity may simply claim that his or her account was compromised, and the actions must have been taken by an unauthorized individual. Access control systems that provide strong identification and strong authentication have the foundation required to provide accountability for user actions.
In addition to implementing strong identification and authentication mechanisms, access control systems must track user activity carefully to enforce accountability. This requires the use of auditing mechanisms that record any significant user activity in a log. For example, Windows provides the Event Viewer tool to allow administrators to view logs. Here I am in that tool on a Windows server. I'm going to go ahead and expand the Windows Log Setting and then click on the security logs, and all of a sudden my screen fills with details from this Windows Server.
As you can see, the server's already recorded over 35,000 security events, and as I look through these, I can see there are records of audit failures, and you can scroll down and see this was a logon attempt that had an unknown username or bad password. And if we scroll through this list, we'll see there have been quite a few audit failures for logons on this system. If I re-sort this list so I can see audit failures and audit successes separately, here you can see some successful attempts to log on to the system.
One last important detail on logging. It's very important to write logs some place where they can't be modified by individuals accessing the system in question. For example, if I am logging activity on a server, I would want to write those logs to a different server that is very locked down. Otherwise, an administrator on the original server could perform some malicious activity and then use his or her administrative powers to delete the logs, covering up the signs of that activity. For this reason, most organizations use a centralized log server to store security log information.
That centralized log server receives log records from other servers in the organization as they occur and writes them to a locked-down database that even administrators are not able to purge. For now, know that strong logging and monitoring mechanisms must accompany identification and authentication techniques to enforce the principle of accountability.
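The following script is an added example and is not part of the video or the instructor's own material. It puts the two halves of the lesson into code: first it triages a handful of constructed records modelled on Windows Security log entries (the 4624 successful-logon and 4625 failed-logon event IDs are real Windows identifiers; every account, host and timestamp is invented) the way the instructor re-sorts Event Viewer, separating audit failures from audit successes per account and flagging successful logons by generic shared accounts, which break the identification requirement. Second, it models the locked-down central log store as a hash-chained append-only log, so that an administrator deleting an entry after the fact is detectable. The `SHARED_ACCOUNT_NAMES` list is an assumed organizational policy, not anything from the page.

```python
"""Added example: triage constructed Windows Security records by outcome and
account, then store them in a tamper-evident, hash-chained central log."""
import hashlib
import json
from collections import Counter

# Constructed sample records. Event IDs 4624 (logon success) and 4625 (logon
# failure) are real Windows Security event IDs; accounts and hosts are invented.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T08:00:01Z", "id": 4624, "keyword": "Audit Success", "user": "alice", "host": "srv01"},
    {"time": "2024-05-01T08:01:12Z", "id": 4625, "keyword": "Audit Failure", "user": "bob", "host": "srv01", "status": "bad password"},
    {"time": "2024-05-01T08:01:20Z", "id": 4625, "keyword": "Audit Failure", "user": "bob", "host": "srv01", "status": "bad password"},
    {"time": "2024-05-01T08:02:05Z", "id": 4625, "keyword": "Audit Failure", "user": "root", "host": "srv01", "status": "unknown username"},
    {"time": "2024-05-01T08:03:40Z", "id": 4624, "keyword": "Audit Success", "user": "helpdesk", "host": "srv01"},
    {"time": "2024-05-01T08:04:02Z", "id": 4624, "keyword": "Audit Success", "user": "bob", "host": "srv01"},
]

# Assumed policy list of generic/departmental names that must never log on.
SHARED_ACCOUNT_NAMES = {"helpdesk", "admin", "administrator", "guest", "service"}

GENESIS = "0" * 64  # previous-hash value for the first chained entry


def triage(events):
    """Count audit successes and failures per account (Event Viewer re-sorted by keyword)."""
    successes, failures = Counter(), Counter()
    for event in events:
        if event["keyword"] == "Audit Failure":
            failures[event["user"]] += 1
        elif event["keyword"] == "Audit Success":
            successes[event["user"]] += 1
    return successes, failures


def accountability_findings(events):
    """Return shared/generic accounts that logged on successfully: actions under
    these names cannot be traced to one individual."""
    successes, _ = triage(events)
    return sorted(user for user in successes if user in SHARED_ACCOUNT_NAMES)


class ChainedLog:
    """Append-only store where each entry's hash covers the previous entry's hash,
    a toy model of the locked-down central log database."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev_hash, record):
        payload = json.dumps(record, sort_keys=True)
        return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

    def append(self, record):
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS
        entry_hash = self._digest(prev_hash, record)
        self.entries.append({"prev": prev_hash, "record": record, "hash": entry_hash})
        return entry_hash

    def head(self):
        """Latest hash; record it somewhere the server's admins cannot reach."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, expected_head=None):
        """True only if every link matches and, when given, the chain ends at
        expected_head (which also catches truncation of the newest entries)."""
        prev_hash = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev_hash or self._digest(prev_hash, entry["record"]) != entry["hash"]:
                return False
            prev_hash = entry["hash"]
        return expected_head is None or prev_hash == expected_head


def demo_tamper(events=SAMPLE_EVENTS):
    """Return (intact_before, intact_after) for a store where an administrator
    deletes one failed-logon record after the fact."""
    log = ChainedLog()
    for event in events:
        log.append(event)
    recorded_head = log.head()
    before = log.verify(recorded_head)
    del log.entries[2]  # the "cleanup" of an inconvenient audit failure
    after = log.verify(recorded_head)
    return before, after


if __name__ == "__main__":
    ok, failed = triage(SAMPLE_EVENTS)
    print("successes:", dict(ok))
    print("failures:", dict(failed))
    print("shared accounts in use:", accountability_findings(SAMPLE_EVENTS))
    print("chain intact before/after deletion:", demo_tamper())
```

Hash chaining only proves that the sequence has not been rewritten since the last hash was recorded; deleting the newest entries is invisible unless the head hash is kept off the server, which is why `verify` accepts an `expected_head` and why the video's advice to ship records to a separate, locked-down host as they occur matters.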
To join one of Mike's free study groups for access to bonus tips and practice questions, visit certmike.com.