Page 259 - DCAP311_DCAP607_WIRELESS_NETWORKS

Unit 14: Authentication

(or cookie, when talking about Web applications) to only need to sign on to one service, but gain access to many. Synchronizing passwords between services isn't usually done for security reasons; instead it's for user convenience. In the rare instances where a password change on one system, not a central system, propagates to all the others, it is possible to implement a password aging policy. Generally, though, these types of setups grow organically because a diverse set of applications doesn't support a coherent set of protocols, and then password aging is impossible.

As contrary as it may sound, central authentication is the only way to ensure proper security. With central authentication, administrators can instantly disable access to all services at the same time, and they can also ensure that password policies are enforced. The fact that a user is supplying the same password for all services isn't as much of a concern as one might think. Indeed, there will always be multiple levels of security requirements. The most critical and secure financial systems, for example, can still be kept separate to alleviate concerns about a password compromise, but only if they also implement appropriate password strictness and aging policies.

Finally, be sure to pay close attention to how your chosen systems will handle passwords set before your change in policy. Some systems may continue to allow old users with weak passwords to keep using them after you've turned on password complexity requirements. Likewise, be sure to verify that new aging policies apply to all existing user accounts, not just new ones. Properly managed accounts, that is, accounts that are automatically disabled after too much idle time, will shut down the main vehicle of attack used today. Of course, disabling ex-employee accounts is just as important. Leaving an account open so that people can have access to an ex-employee's e-mail is risky, and should be carefully considered. It's generally best to make a copy of all existing e-mail, and then configure an e-mail forward to their supervisor. Combine constant user education about social engineering tactics, sysadmin education about security best practices, and vigilance in account policies, and your enterprise becomes much more secure and easier to manage.
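The account policies described above (complexity and aging rules, applying them to existing accounts, locking idle and ex-employee accounts) can be expressed concretely in Oracle Database, the system the data security sections that follow assume. The block below is an added example and is not from the textbook; the profile name secure_users, the users scott and jdoe, and the assumption that ora12c_verify_function has already been installed by utlpwdmg.sql are all constructed for the illustration. INACTIVE_ACCOUNT_TIME requires Oracle 12.2 or later.

```sql
-- Added example (not from the textbook). Run as a DBA.
-- Names (secure_users, scott, jdoe) are constructed for illustration.

-- 1. Central password policy: complexity, aging, lockout after repeated
--    failures, and automatic locking of accounts idle too long.
--    ora12c_verify_function is assumed to exist (created by utlpwdmg.sql).
CREATE PROFILE secure_users LIMIT
  PASSWORD_VERIFY_FUNCTION ora12c_verify_function
  PASSWORD_LIFE_TIME       90      -- days before a password must be changed
  PASSWORD_GRACE_TIME      7       -- warning period after expiry
  PASSWORD_REUSE_MAX       10      -- cannot cycle back to a recent password
  PASSWORD_REUSE_TIME      365
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1       -- days locked after too many failures
  INACTIVE_ACCOUNT_TIME    45;     -- idle accounts are locked automatically

-- 2. Make the policy apply to EXISTING accounts, not just new ones. A profile
--    governs only the users assigned to it, and an old weak password stays
--    valid until it is expired, so attach the profile and force a change.
ALTER USER scott PROFILE secure_users;
ALTER USER scott PASSWORD EXPIRE;

-- 3. Ex-employee: lock the account rather than drop it, so owned objects and
--    the audit trail survive while nobody can log in as that user.
ALTER USER jdoe ACCOUNT LOCK;

-- 4. Verification: find accounts still on the permissive DEFAULT profile, or
--    whose password never expires, so they can be brought under the policy.
SELECT username, account_status, profile, expiry_date, last_login
  FROM dba_users
 WHERE oracle_maintained = 'N'
   AND (profile = 'DEFAULT' OR expiry_date IS NULL)
 ORDER BY username;
```

Step 4 is the check the text asks for: a newly created profile changes nothing until every pre-existing account has been moved onto it, and the query makes the stragglers visible.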

14.6.1 Data Security Policy

Data security includes the mechanisms that control access to and use of the database at the object level. Your data security policy determines which users have access to a specific schema object, and the specific types of actions allowed for each user on the object. For example, the policy could establish that user scott can issue SELECT and INSERT statements, but not DELETE statements, against the emp table. Your data security policy should also define the actions, if any, that are audited for each schema object.

Your data security policy is determined primarily by the level of security you want to establish for the data in your database. For example, it may be acceptable to have little data security in a database when you want to allow any user to create any schema object, or to grant access privileges for their objects to any other user of the system. Alternatively, it might be necessary for data security to be very tightly controlled when you want to make a database or security administrator the only person with the privileges to create objects and grant access privileges on objects to roles and users.

Overall, data security should be based on the sensitivity of the data. If information is not sensitive, the data security policy can be more lax. However, if data is sensitive, a security policy should be developed to maintain tight control over access to objects.
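The scott/emp policy above, written out in Oracle SQL as an added example (not the textbook's own code): exactly the listed statements are granted, object creation stays with the administrator, and the action the policy cares about is audited. It also shows the role-based form used when the same policy must cover a group of users, which is the approach the end-user security section below describes. The owner schema hr, the role emp_clerk and the second user mary are constructed names.

```sql
-- Added example (not from the textbook). Run as a DBA.
-- hr (owner of emp), emp_clerk and mary are constructed names.

-- 1. Object-level policy: scott may read and insert rows of hr.emp, nothing
--    else. Only the listed statements are granted; any other statement
--    (DELETE, UPDATE) fails with ORA-01031: insufficient privileges.
GRANT SELECT, INSERT ON hr.emp TO scott;

-- 2. The same policy for a group of users: put the privileges on a role and
--    give the role to each user, so the policy is maintained in one place.
CREATE ROLE emp_clerk;
GRANT SELECT, INSERT ON hr.emp TO emp_clerk;
GRANT emp_clerk TO scott, mary;

-- 3. Tight control of object creation: end users get only CREATE SESSION,
--    so only the administrator can create objects and grant access to them.
GRANT CREATE SESSION TO scott, mary;

-- 4. Audit the action the policy forbids on this object (traditional
--    auditing syntax; records appear in DBA_AUDIT_TRAIL when the AUDIT_TRAIL
--    parameter is enabled). Every DELETE attempt is recorded, successful or not.
AUDIT DELETE ON hr.emp BY ACCESS;

-- 5. Check the result: what scott can actually do to hr.emp, directly or
--    through the role. DELETE must not appear in this list.
SELECT grantee, privilege, grantor
  FROM dba_tab_privs
 WHERE owner = 'HR' AND table_name = 'EMP'
   AND grantee IN ('SCOTT', 'EMP_CLERK')
 ORDER BY grantee, privilege;
```

The check in step 5 matters more than the grants themselves: a privilege can reach scott through any role he holds, so reviewing DBA_TAB_PRIVS for both the user and his roles is how you confirm the policy on paper matches the one the database enforces.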

          14.6.2 End-User Security

Security administrators must define a policy for end-user security. If a database has many users, the security administrator can decide how those users should be categorized into user groups, and then create user roles for these groups. The security administrator can grant the necessary privileges or application roles to each user role, and assign the user roles to the users. To account

                                           LOVELY PROFESSIONAL UNIVERSITY                                   253