business , compliances , information-rights-management , security

Sample Access & Authentication Scope

March 16, 2010


A high-level outline was developed with input from each discipline.  The outline centers on the ability to identify data classifications and the assignment of access controls.

The documents that will be generated are:

1.  Summary document in outline form
2.  Authentication and Access Control Strategy
3.  Network Access Strategy 


Action Items

1.      A
2.      B
3.      C
4.      D


Scope

The group discussed the strategy for the meeting and agreed to concentrate on building an outline from which a document or set of documents could be created.  We discussed the various levels of access: system, networks and applications and how authentication may be applied across these levels.


Data Classification

The team believes that data (information) needs to be classified (categorized) before layer 2 / layer 3 authentication can be practical.  This classification of data is expensive and resource intensive.  It was stated that how someone gets into a system, network or application is different from the authentication of the data itself.

There was a discussion of the current 2-factor authentication, such as that offered with the Authentication Methods.  Caller-id was also discussed as a possible future second factor.

Policies and profiles

Policy profiles, and their administration, provide the access controls.  Is it possible for a profile database to contain both user profiles and application policies?


A simple policy could be:
    Is the user an employee?

A more complex policy could be:
    Is the user an employee of budget code 1234?


A policy strategy must allow delegation of policy authorities, but prevent backward delegation.

There may be a need to develop a policy creation “language” or sub-system.  Policies should be defined by application development, not within the scope of this team’s charter.

PAM (Protocol Authentication Module) is used to determine which authentication scheme should be used for a specific process or application.

Access controls must express policies to machines, records, networks, etc.  Policy can and probably will be different for each application.
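The two sample policies above, together with the requirement that policy authority be delegable but never delegated backward, can be modelled in a few lines.  The following is an added example written for these notes; it is not code from the team or from any system discussed here.  The user names, budget codes, application names and the root authority "policy-admin" are constructed for illustration, and the profile store keeps both user profiles and per-application policies in one object, as the question above asks.

```python
"""Added example (not from the original notes): a profile store holding user
profiles and per-application policies, plus delegation of policy authority
that refuses backward delegation (delegating to someone already upstream).
All users, budget codes, application names and the root authority are
constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class UserProfile:
    user_id: str
    is_employee: bool
    budget_code: Optional[str] = None


Policy = Callable[[UserProfile], bool]


# "Is the user an employee?"
def is_employee(profile: UserProfile) -> bool:
    return profile.is_employee


# "Is the user an employee of budget code 1234?" (code is a parameter here)
def employee_of_budget_code(code: str) -> Policy:
    def policy(profile: UserProfile) -> bool:
        return profile.is_employee and profile.budget_code == code
    return policy


class PolicyStore:
    """One database for user profiles and application policies.
    Policy authority flows from a root down a delegation chain."""

    def __init__(self, root_authority: str) -> None:
        self.root = root_authority
        self.users: Dict[str, UserProfile] = {}
        self.app_policies: Dict[str, List[Policy]] = {}
        self.delegations: Dict[str, str] = {}  # delegate -> delegator

    def add_user(self, profile: UserProfile) -> None:
        self.users[profile.user_id] = profile

    def authority_chain(self, who: str) -> Optional[List[str]]:
        """Chain from `who` up to the root, or None if `who` holds no authority."""
        chain, cur = [who], who
        while cur != self.root:
            cur = self.delegations.get(cur)
            if cur is None:
                return None
            chain.append(cur)
        return chain

    def delegate(self, delegator: str, delegate: str) -> None:
        """Grant policy authority from `delegator` to `delegate`."""
        chain = self.authority_chain(delegator)
        if chain is None:
            raise PermissionError(f"{delegator} holds no policy authority")
        if delegate in chain:  # backward delegation: target is upstream
            raise ValueError(f"backward delegation to {delegate} refused")
        if delegate in self.delegations:  # already granted, keeps chains acyclic
            raise ValueError(f"{delegate} already holds delegated authority")
        self.delegations[delegate] = delegator

    def set_policy(self, authority: str, app: str, *policies: Policy) -> None:
        """Only a holder of (delegated) authority may define an application's policy."""
        if self.authority_chain(authority) is None:
            raise PermissionError(f"{authority} may not set policy")
        self.app_policies[app] = list(policies)

    def allowed(self, app: str, user_id: str) -> bool:
        """Access decision: unknown user or application without policy is denied."""
        profile = self.users.get(user_id)
        policies = self.app_policies.get(app)
        if profile is None or not policies:
            return False
        return all(policy(profile) for policy in policies)


def delegation_refused(store: PolicyStore, delegator: str, delegate: str) -> bool:
    """True if the store rejects the delegation (backward or unauthorised)."""
    try:
        store.delegate(delegator, delegate)
    except (ValueError, PermissionError):
        return True
    return False


def build_sample_store() -> PolicyStore:
    """Constructed sample data: three users, a two-step delegation, two apps."""
    store = PolicyStore(root_authority="policy-admin")
    store.add_user(UserProfile("alice", is_employee=True, budget_code="1234"))
    store.add_user(UserProfile("bob", is_employee=True, budget_code="9999"))
    store.add_user(UserProfile("carol", is_employee=False))  # contractor
    store.delegate("policy-admin", "dave")  # dave may now define policy
    store.delegate("dave", "erin")          # and may delegate onward
    store.set_policy("erin", "intranet", is_employee)
    store.set_policy("dave", "budget-1234-reports",
                     is_employee, employee_of_budget_code("1234"))
    return store


if __name__ == "__main__":
    s = build_sample_store()
    print("alice -> intranet:", s.allowed("intranet", "alice"))
    print("erin -> dave backward delegation refused:",
          delegation_refused(s, "erin", "dave"))
```

The store denies by default (no profile, or no policy for the application), and every policy is a plain predicate over the profile, so each application can carry a different policy list while sharing one profile database.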

Outline

Each requirement is listed below, with its questions and comments indented beneath it.

Deliver packets

L1, L2, L3 connectivity

Access control on resources

Authentication (identification) database(s)
    Can user profiles be collapsed or merged?  Where is the decision point for specific access?  Does every application need to ask these questions?

User profiles

Access control decisions
    OS dependent
    Application dependent
    Language dependent
    Environment dependent
    Legacy databases
    How much of this exists?  How much will exist, and for which platforms?

Auditing (security)

Accounting (financial)


What should be the scope of the documents that would be produced?  For example, should the scope include both employee and non-employee access strategies?  Non-employees were listed as: vendors, suppliers, contractors, negotiable, etc.


Based on the outline, it was decided that the following documents would be generated from this team:

1. Summary document (in outline form)
2. Authentication and Access Control Strategy (for applications)
3. Network Access Strategy (concentrated on dialup access for employees/contractors)


The Summary document will be in outline form.  It will identify all known issues and whether or not they are being addressed.  It will be the framework for the Authentication and Access Control Strategy.  The Summary will be revised every 6 months.