Mile2 Cybersecurity Certifications

OCU C)ISSO D Discussion Lesson 04

    • #65768
      Jessica Jagerson
      Keymaster

      Choose one of the following to discuss in detail.  Give at least 4 examples that include information from the text and videos (at least 2 examples from each).

      1. Access control characteristics and threats to access control.
      2. Information Classification: Reasons, criteria, levels, and benefits.
      3. Access Control Models and Technologies: models, and model types
      4. Access Control Methods: administration, RADIUS pros, cons, and characteristics
    • #85029
      Kelly Crooks
      Participant

      RADIUS- Remote Authentication Dial-In User Service.

      Pros:
      RADIUS is open-source and readily available
      RADIUS utilizes the client/server model to authenticate and authorize users
      RADIUS allows for unique credentials for each user
      RADIUS passwords do not require routine changing
      RADIUS allows IT admins to have one point of contact for user management
      RADIUS makes it easier to control who or what has access

      Cons:
      RADIUS uses connectionless protocol using UDP
      RADIUS maintenance can be difficult and time-consuming
      RADIUS initial setup can be difficult
      RADIUS setup can be complicated
      RADIUS can be hard to know which version is best to choose
      RADIUS has options that can be costly and require long-term commitments

      Some of RADIUS’s characteristics include the AAA protocol (Authentication, Authorization, Accounting, and Auditing). Cloud-based RADIUS-as-a-Service offers similar capabilities. De facto standard for the authentication protocol. Open source means it has been integrated into many vendor products. RADIUS works on the client/server model. RADIUS is deemed connectionless since it is based on UDP.

      The methods for centralized access control using RADIUS include:
      The user connects to the server.
      The access server requests authentication data from the user.
      The RADIUS client sends authentication data to the RADIUS server.
      RADIUS server compares data to the database.
      RADIUS server sends the response.
      If Accept is the response the RADIUS client allows the user to access the network.
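The exchange listed in the post above, as an added example that is not part of the original post: a Python sketch of the RFC 2865 Access-Request and reply, showing how the client checks the Response Authenticator before it acts on an Accept. The shared secret, user name, password and function names are constructed for illustration.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                          # RFC 2865 attribute types

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    size = max(16, -(-len(password) // 16) * 16)         # pad to a multiple of 16
    padded, out, prev = password.ljust(size, b"\x00"), b"", request_auth
    for i in range(0, size, 16):
        key = hashlib.md5(secret + prev).digest()        # MD5 is mandated by the RFC
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def attr(attr_type, value):
    return bytes([attr_type, len(value) + 2]) + value    # type, length, value

def build_access_request(ident, user, password, secret, request_auth=None):
    """What the RADIUS client (the access server) sends to the RADIUS server."""
    request_auth = request_auth or os.urandom(16)        # unpredictable per request
    attrs = attr(USER_NAME, user) + attr(
        USER_PASSWORD, hide_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth

def build_response(code, ident, request_auth, secret, attrs=b""):
    """What the RADIUS server sends back: Access-Accept or Access-Reject."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def client_decision(response, ident, request_auth, secret):
    """Client side: verify the reply before acting on it. UDP gives no session,
    so the Response Authenticator is what ties a reply to our request."""
    if len(response) < 20:
        return "drop"
    code, rid, length = struct.unpack("!BBH", response[:4])
    if rid != ident or length != len(response):
        return "drop"
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return "drop"                                    # forged or corrupted reply
    return "allow" if code == ACCESS_ACCEPT else "deny"
```

A reply that fails the authenticator check is discarded rather than treated as a Reject, so a spoofed UDP packet cannot grant or deny access on its own.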

      • #85045
        Marcena Davis
        Participant

        RADIUS is a powerful tool for managing user access in networks. The idea of having one point of contact for user management is especially appealing – it seems like it would simplify the process for IT admins and reduce the likelihood of errors or oversights.

        However, the cons you listed are definitely worth considering as well. It’s important to weigh the benefits against the potential difficulties and costs of implementation and maintenance.

        I’m intrigued by the possibilities of RADIUS and the flexibility it offers for controlling access to network resources. It’s fascinating to think about the different ways it could be used to enhance security and streamline user management.

    • #85043
      Marcena Davis
      Participant

      I chose to discuss “Information Classification: Reasons, criteria, levels, and benefits” in detail.

      Information classification is the process of categorizing information based on its level of sensitivity and value to the organization. This classification helps organizations to identify the appropriate level of protection and access control required for different types of information. Here are four examples that illustrate the reasons, criteria, levels, and benefits of information classification:

      Reasons: Information classification is important for several reasons, including compliance with regulatory requirements, protection of intellectual property, and safeguarding against unauthorized access and theft. For example, the text discusses how compliance with regulations such as HIPAA and PCI DSS requires organizations to classify information and implement appropriate controls to protect it.

      Criteria: The criteria for information classification typically include factors such as the level of confidentiality, integrity, and availability required for the information, as well as the potential impact of a breach or loss. The video provides an example of how information about employee salaries and bonuses might be classified as confidential and high-impact, requiring strict access controls and monitoring.

      Levels: Information classification typically involves assigning different levels or categories to different types of information based on their sensitivity and value. The text describes a common classification scheme that includes four levels: public, internal, confidential, and restricted. The video provides an example of how medical records might be classified as restricted, requiring the highest level of protection and access control.

      Benefits: The benefits of information classification include improved protection of sensitive information, more efficient use of resources, and better alignment of security measures with business objectives. The text discusses how information classification can help organizations to prioritize their security investments based on the level of risk associated with different types of information. The video provides an example of how information classification can help to ensure that resources are allocated appropriately based on the level of risk and impact of a breach.

      Overall, information classification is a crucial aspect of information security management, as it enables organizations to determine the level of protection and access control required for various types of information. By implementing a reliable framework for information classification, organizations can protect their valuable assets from unauthorized access and misuse, thereby contributing to their long-term success.

      • #85065
        Kelly Crooks
        Participant

        I agree that information classification helps organizations determine what level of protection and access control is required for their various types of information. I have seen this used firsthand both in my organization and the underground lab my brother works for. While my customer’s information and the organization’s financial information are important and require a more secure level of protection, the information that the underground lab needs protected is much more critical and requires a much higher level of protection. My brother had to apply for a top-secret security clearance with the Department of Homeland Security. They want to make sure those who are protecting their assets can be trusted and are reliable.

    • #85710
      Kevin Mehok
      Participant

      IST3100 Information Systems Security Officer
      Week One
      Discussion #4
      Kevin Mehok

      How is access to IT systems and data controlled? Well, this week we have each learned that over time the ways in which IT systems can be accessed have grown, and the job of securing those systems and their data has become increasingly more complex (Precisely, 2023). High-profile breaches have spawned a host of compliance regulations that further expanded the ways and thus the complexities in which organizations needed to secure their systems and protect sensitive data (Precisely, 2023).

      Access control systems perform identification, authentication, and authorization of users and entities by:

      Strengthening logon security through multi-factor authentication
      Restricting user privilege through elevated authority management solutions
      Granting requests for access to systems and data based on the identity of the user and the context of the request (Precisely, 2023).
      A complete system access control solution requires a layered defense to protect access control systems (Precisely, 2023).

      How is system access control performed? Well, once again, we have learned this week that system access control solutions determine how users are allowed to interact with specific systems and resources (Precisely, 2023). A robust system access control regime gives an organization the ability to manage, restrict, and monitor user activity while protecting sensitive systems and data (Precisely, 2023).

      God Bless,

      Kevin

      References:

      https://www.precisely.com/glossary/system-access-control
