Chapter 2

Account and security administration

 Objective of the Chapter

At the end of this chapter students are

able to :
 User and Group Concepts, and User
Private Group Scheme (DAC, RBAC)

 Managing File Ownership

 Controlling Access to files

 Managing Disk Quotas

Key Word
 Account and security Administration
 Managing files and folder permission
Sys Admin NAME OR LOGO 2
Introduction
1 Importance of Account and Security 2 Overview of Access Control Models
Administration (DAC, RBAC)

Discover why effective account and security Explore the two main access control models:
administration is crucial for protecting sensitive Discretionary Access Control (DA C) and Role-
information and preventing unauthorized Based Access Control (RBAC).
access.
 Why is Access Control ?

○ Nobody in an organization should have free rein to

access any resource.
○ Access control is the combination of policies and
technologies that decide which authenticated users may
access which resources.
○ Security requirements, infrastructure, and other
considerations lead companies to choose among the four
most common access control models:
Sys Admin NAME OR LOGO 4
 The four most common access control
models:
 Mandatory Access Control (MAC)
 Discretionary Access Control (DAC)
 Role-Based Access Control (RBAC)
 Privileged Access Management (PAM)

Sys Admin NAME OR LOGO 5

 Mandatory access control (MAC)?
○ Mandatory access control uses a ○ These security labels consist of two
centrally managed model to elements:
provide the highest level of 1. Classification and clearance — MAC relies
security. A non-discretionary on a classification system (restricted, secret,
system, MAC reserves control over top-secret, etc.) that describes a resource’s
sensitivity. Users’ security clearances determine
access policies to a centralized what kinds of resources they may access.
security administration.
2. Compartment — A resource’s compartment
○ MAC works by applying security describes the group of people (department,
labels to resources and individuals. project team, etc.) allowed access. A user’s
compartment defines the group or groups they
participate in.
Sys Admin NAME OR LOGO 6
 Cont..,

○ A user may only access a resource if their security 2. Compartmentalization — Security labels limit the
label matches the resource’s security label. exposure of each resource to a subset of the user base.

○ MAC originated in the military and intelligence

community. Beyond the national security world,
○ Disadvantages of MAC
MAC implementations protect some companies’
most sensitive resources. Banks and insurers, for 1. Collaboration — MAC achieves security by
example, may use MAC to control access to constraining communication. Highly collaborative
organizations may need a less restrictive approach.
customer account data.
2. Management burden — A dedicated organizational
○ Advantages of MAC structure must manage the creation and maintenance
1. Enforceability — MAC administrators set of security labels.
organization-wide policies that users cannot override,
making enforcement easier.

Sys Admin NAME OR LOGO 7

 Discretionary access control (DAC)?
○ Discretionary access control decentralizes security ○ Advantages of DAC
decisions to resource owners. The owner could be 1. Conceptual simplicity — ACLs pair a user with
a document’s creator or a department’s system their access privileges. As long as the user is in the
administrator. DAC systems use access control lists table and has the appropriate privileges, they may
(ACLs) to determine who can access that resource. access the resource.
These tables pair individual and group identifiers 2. Responsiveness to business needs — Since
with their access privileges. policy change requests do not need to go through a
security administration, decision-making is more
○ The sharing option in most operating systems is a nimble and aligned with business needs.
form of DAC. For each document you own, you can
set read/write privileges and password
requirements within a table of individuals and user
groups. System administrators can use similar
techniques to secure access to network resources.

Sys Admin NAME OR LOGO 8

 DAC Cont..,
○ Disadvantages of DAC ○ 3. Compromised security — By giving
1. Over/underprivileged users — A user can users discretion over access policies, the
be a member of multiple, nested workgroups. resulting inconsistencies and missing
Conflicting permissions may over- or under oversight could undermine the organization’s
privilege the user. security posture.

2. Limited control — Security administrators

cannot easily see how resources are shared
within the organization. And although viewing a
resource’s ACL is straightforward, seeing one
user’s privileges requires searching every ACL.

Sys Admin NAME OR LOGO 9

 Role Based Access Control (RBAC)?
○ Role-based access control grants access ○ Accounts payable administrators and their
privileges based on the work that individual supervisor, for example, can access the
users do. A popular way of implementing company’s payment system. The
“least privilege‚ policies, RBAC limits access to administrators’ role limits them to creating
just the resources users need to do their jobs. payments without approval authority.
Supervisors, on the other hand, can approve
○ Implementing RBAC requires defining the payments but may not create them.
different roles within the organization and
determining whether and to what degree
those roles should have access to each
resource.

Sys Admin NAME OR LOGO 10

 RBAC
Advantages of RBAC Disadvantages of RBAC

1. Flexibility — Administrators can optimize an 1. Complex deployment — The web of

RBAC system by assigning users to multiple roles, responsibilities and relationships in larger
creating hierarchies to account for levels of enterprises makes defining roles so challenging
responsibility, constraining privileges to reflect that it spawned its own subfield: role engineering.
business rules, and defining relationships between
roles. 2. Balancing security with simplicity — More
roles and more granular roles provide greater
2. Ease of maintenance — With well-defined roles, security, but administering a system where users
the day-to-day management is the routine on- have dozens of overlapping roles becomes more
boarding, off-boarding, and cross-boarding of difficult.
users’ roles.
3. Layered roles and permissions — Assigning
3. Centralized, non-discretionary policies — too many roles to users also increases the risk of
Security professionals can set consistent RBAC over-privileging users.
policies across the organization.

4. Lower risk exposure — Under RBAC, users only

have access to the resources their roles justify,
greatly limiting potential threat vectors.
Sys Admin NAME OR LOGO 11
 Privileged Access Management (PAM)

○ A recent Thycotic Centrify study found that ○ Based on least-privilege access principles,
53% of organizations experienced theft of PAM gives administrators limited, ephemeral
privileged credentials and 85% of those thefts access privileges on an as-needed basis.
resulted in breaches of critical systems. These systems enforce network security best
Privileged access management is a type of practices such as eliminating shared
role-based access control specifically designed passwords and manual processes.
to defend against these attacks.

Sys Admin NAME OR LOGO 12

 Privileged Access Management (PAM)

○ Advantages of PAM ○ Disadvantages of PAM

1. Reduced threat surface — Common passwords, 1. Internal resistance — Just as doctors make the
shared credentials, and manual processes are worst patients, IT professionals can be resistant to
commonplace even in the best-run IT tighter security measures.
departments. Imposing access control best
practices eliminates these security risks. 2. Complexity and cost — Implementing PAM
requires investments in time and money within
2. Minimizing permission creep — PAM systems already-constrained IT departments.
make it easier to revoke privileges when users no
longer need them, thus preventing users from
“collecting‚ access privileges.

3. Auditable logging — Monitoring privileged users

for unusual behavior becomes easier with a PAM
solution.
Sys Admin NAME OR LOGO 13
 Where is access control headed?

○ In fact, today’s complex IT environment is ○ Cloud and hybrid architectures — IT began

the reason companies want more dynamic leaving the premises decades ago. Getting
access control solutions. Even before the business done now requires a mix of in-house,
pandemic, workplace transformation was hybrid cloud, and X-as-a-Service resources.
driving technology to a more
heterogeneous, less centralized ecosystem ○ Remote workforces — Remote working is no
characterized by: longer just for salespeople. Accelerated by the
pandemic just about any employee may access
○ Device diversity — Bring-your-own- sensitive resources from their home network.
device policies and the Industrial Internet
of Things create a diverse array of devices ○ Blended, dynamic teams — Security
with different security profiles connecting administrators must manage a constantly shifting
to company resources. workforce comprising employees, contractors,
consultants, suppliers, and other third parties.
Sys Admin NAME OR LOGO 14
 Where is access control headed? Cont’…,

○ Given these complexities, modern approaches to ○ Behavioral patterns — Real-time evaluation of

access control require more dynamic systems access behaviors can identify and block threats before
that can evaluate: security is compromised.

○ Device posture and trust — An evaluation of ○ These and other variables should contribute to a per-
device security factors such as operating device, per-user, per-context risk assessment with
system, application, and antivirus updates every connection attempt. That assessment determines
should inform access decisions. whether or to what degree users can access sensitive
resources.
○ Location — Likewise, access privileges should
reflect the nature of the device’s network
connection whether from an on-prem LAN
connection or an unsecured café hotspot.

Sys Admin NAME OR LOGO 15

 User Accounts and Security

○ A user account is identified by a user name and ○ When you create a user account, you must not only
defines the attributes of the user, including the assign a user name, a password, and default
following: tablespaces for the account, but you must also do the
• Authentication method
following:

• Password for database authentication • Grant the appropriate system privileges, object privileges,
and roles to the account.
• Default tablespaces for permanent and temporary
data storage • If the user will be creating database objects, then give the
user account a space usage quota on each tablespace in
• Tablespace quotas which the objects will be created.
• Account status (locked or unlocked)
• Password status (expired or not)

Sys Admin NAME OR LOGO 16

 Network (Internet) Security

○ Network security, especially as it relates to the ○ Policy Issues

biggest network of all, the Internet, has
emerged as one of today's highest- ○ Connecting to the Internet doesn't necessarily raise its
profile information security issues. own security policy issues as much as it focuses
attention on the necessity of implementing security
○ Many education organizations have already strategies properly.
connected their computing resources into a
single network; others are in the process of ○ Internet security goals fall within two major domains.
doing so.  The first centers around protecting your networks,
information, and other assets from outside users who
○ The next step for these organizations is to weigh enter your network from the Internet.
the costs and benefits of opening a connection
 The second deals with safeguarding information as it is
between their private networks (with their being transmitted over the Internet.
trusted users) and the unknown users and
networks that compose the Internet

Sys Admin NAME OR LOGO 17

 Network Security Countermeasures

○ The following countermeasures address network ○ Isolate your network through the use of
security concerns that could affect your site(s) a firewall: Installing a firewall enables the
and equipment. These strategies are organization to decide which types of messages should
recommended when risk assessment identifies be allowed into the system from external sources
or confirms the need to counter breaches in the
security of your network. ○ Locate equipment and information that is intended for
external users outside of the firewall or demilitarized
○ 1. Protect Your Network from Outsiders: Zone:
• Implement applicable security recommendations
○ If an organization's Web server is intended to provide
such as: Solid defense against external Internet
information and services to the public, it should not be
threats includes the proper implementation of
relatively straightforward security measures located on the private side of the firewall. Nor should it
like encryption software, virus be able to access confidential information that
scanners, remote access regulations, resides inside the firewall. This way, if the
and passwords. public Web server should ever be compromised,
confidential information is still protected.
Sys Admin NAME OR LOGO 18
 Network Security Countermeasures,… Cont…

○ 2. Protect Transmissions Sent over the ○ Authenticate messages through the use of digital
Internet: signatures: A digital signature amounts to a
"fingerprint" of a message. It depicts the message
○ Use Secure Sockets Layer (SSL) Servers to such that if the message were to be altered in any
secure financial and information transactions way, the "fingerprint" would reflect it--thus making it
made with a Web browser: In a secure Web possible to detect counterfeits. The converse, of
session, your Web browser generates a course, is that if the "fingerprint" does not change
random encryption key and sends it to the Web during transmission, you can be confident that the
site host to be matched with its public message was not altered.
encryption key. Your browser and the Web site
then encrypt and decrypt all transmissions.

Sys Admin NAME OR LOGO 19

 Network Security Countermeasures,… Cont…

○ Authenticate messages through the use of time ○ Encrypt all messages sent over the Internet : As more
stamps or sequence numbers: Another way and more messages are sent over larger and larger
to recognize when messages have been networks, information becomes increasingly vulnerable
modified is to challenge the "freshness" of the to assault.
message. This is done by embedding time
stamps, sequence numbers, or random numbers ○ Encryption has become a leading tool to combat
in the message to indicate precisely when and in this vulnerability. Like other countermeasures, it can
what order the message was sent. If a received be very effective if used properly and regularly.
message's time and sequence are not
consistent, you will be alerted that someone
may have tampered with the transmission.

Sys Admin NAME OR LOGO 20

Managing Files and
Permission

In this presentation, we will explore the importance of account and

security administration, as well as managing files and folder permissions.
Learn how to safeguard your data and ensure efficient access control.
User Account Manag ement

User Account Creation User Account Deletion

Create new user accounts with sp ecific Safely remove user accounts that are no
access privileg es, allowing individuals to long er required, ensuring data security and
access relevant resources. minimizing potential risks.

User Account Modification Password Reset and Recovery

Modify user account setting s as needed, Implement mechanisms to easily reset

enabling customization of access forg otten passwords and recover lost
permissions and personalization of user account access, enhancing user convenience
experience. and reducing support requests.
Security Administration
1 Role-Based Access Control
Implement role-based access control to determine and manage user privileges
based on their roles within the organization, ensuring appropriate authorization.

2 Access Permission Management

Efficiently manage access permissions for different user groups, allowing fine-
grained control over data and resource accessibility.
Managing Files and Folder Permission
1 File Sharing Settings

Configure file sharing settings to enable seamless collaboration and controlled access
within teams or specific user groups.

2 Folder Access Control

Manage folder access control to determine who can read, write, or modify files within
specific directories, enhancing data security and privacy.

3 Permissions Inheritance

Utilize permissions inheritance to efficiently manage access control across nested

folders, avoiding repetitive permission settings and reducing administrative overhead.
Data Security Best Practices

Stay Vig ilant Against Protect Confidential Reg ularly Review Access
Cyber Threats Documents Permissions
Implement robust Employ access controls and Perform reg ular audits of
cybersecurity measures like encryption for confidential access permissions to mitig ate
firewalls, encryption, and files, ensuring that only security risks, ensuring that
intrusion detection systems to authorized individuals can only appropriate individuals
safeg uard sensitive data. view, access, or modify have access to sp ecific data or
sensitive information. resources.
Achieving C om pliance and
Auditability
1 Compliance Policies
Establish and enforce compliance policies to adhere to industry reg ulations and
maintain data integ rity, confidentiality, and availability.

2 Monitoring and Log s

Implement monitoring mechanisms and maintain detailed log s to track user
activities and ensure auditability for compliance purposes.

3 Audit Trails
Create comprehensive audit trails documenting chang es to access permissions,
enabling traceability and accountability.
Training and User Awareness
Education and Training
Provide comprehensive training programs to educate users about account and security
administration best practices, ensuring responsible usage.

User Awareness Campaigns

Launch user awareness campaigns to promote good security hygiene, emphasizing
the importance of strong passwords, avoiding phishing attempts, and detecting social
engineering attacks.
Continuous Improvement and Risk
Management
1 Regular Risk Assessments

Conduct periodic risk assessments to identify vulnerabilities and proactively address

potential security risks, adapting to evolving threats.

2 Incident Response Planning

Develop and implement incident response plans to quickly and effectively handle
security incidents, minimizing the impact on operations and data integrity.

3 Continuous Monitoring
Establish continuous monitoring mechanisms to detect and respond to security
events in real-time, ensuring a proactive security posture.
Thank
You