Читать книгу The Official (ISC)2 SSCP CBK Reference - Mike Wills - Страница 120

IDENTITY MANAGEMENT AND ACCESS control are two sides of the same coin. Attacks on your systems happen because there are exploitable vulnerabilities in your systems that allow the attacker to bypass your identity authentication and access control processes. Once inside your systems, other access control failures (be they physical, logical, or administrative) allow the attacker to exfiltrate data, corrupt your systems, or use your systems as the launching pad for attacks on other parties' systems.

Unfortunately, most intrusions are not discovered until months after attackers have already taken copies of your data and left your systems. If you've kept good records of all access and connection attempts, you may be able to identify what data has been lost or changed; if not, you'll probably not learn about the data breach until your lost data is found somewhere on the Dark Web.

This chapter provides you a detailed, operationalized guide to implementing and benefiting from an integrated identity management and access control system and process. In doing so, it makes extensive use of confidentiality, integrity, availability, nonrepudiation, authorization, privacy, and safety (CIANA+PS) as a way to focus our attention on the total set of an organization's information security needs. CIANA+PS starts, of course, with the CIA triad of confidentiality, integrity, and authentication, as is addressed in Chapter 1. This total set of attributes focuses our attention on the vital importance to business (and in law) of having highly reliable, auditable, and verifiable control of access to information assets and the systems that support them.

The CIANA+PS set of needs illustrates why information security and assurance is much more than just cybersecurity. Cybersecurity focuses intently upon the information technology aspects of keeping computers, networks, data centers, and endpoints safe, secure, and reliable. That focus on the technologies of the information infrastructure is important; it does not, however, provide much assistance in designing business processes for cross-organization collaboration that provide the appropriate assurance to each party that their knowledge, information, and data are safe and secure. Information assurance is about information risk management, which Chapter 3, “Risk Identification, Monitoring, and Analysis,” will address in more detail. Chapter 3 will also emphasize the use of physical, logical, and administrative means by which vulnerabilities are mitigated. Maintaining and operating those information assurance processes almost invariably requires a significant degree of attention to the human-facing procedural details, many of which are involved in how information systems and the IT they rely upon are managed; this is addressed in Chapter 1, “Security Operations and Administration,” as well as in Chapter 7, “Systems and Application Security.”

This chapter, however, deals almost exclusively with the logical means of implementing identity management and access control. These logical means will involve management making decisions that establish organizational and local policies and procedures, which will be addressed here in context, but I'll leave the physical restriction of access to computing and communications hardware to Chapter 7.