Читать книгу The Official (ISC)2 SSCP CBK Reference - Mike Wills - Страница 169

The word entitlement has two meanings within an information systems security concept: a personal one and a systems one. Both are important and relevant to you as the access control and identity management systems administrator; you're the one who has to broker the first set of ideas into the second set of physical, logical, and administrative controls and their use.

On the personal front, some employees will believe that because of who and what they are, they have some kind of overarching right to have access to systems and privileges on those systems. In many cases, this is a legitimate and logical conclusion they've reached: If I am hired to lead a software development team, I have a reasonable expectation that I can see into all of the software units, support files, log files, and such, that are the work of all the people assigned to my team and to the projects I'm responsible for. In other cases, a newly appointed senior manager might believe (perhaps based on perceptions and emotions rather than logic) that their position somehow grants them this uber-authority. In either case, the strong principle of separation of duties should be able to sort through, function by function, what privileges the person actually requires on which systems, platforms, or applications to do their assigned duties. This is the basis of principle of least privilege.

On the technical front, entitlement refers to the ways in which user IDs are constructed, assigned privileges, and managed.

As an illustration, consider the seemingly simple task of installing a new application on a Windows-based desktop or laptop computer. As part of its own self-defense mechanisms, Windows uses a specific identity called the trusted installer to perform this task; no other identity can actually perform the set of steps associated with installing and registering an application. As an out-of-the-shrink-wrap user of my new Windows 10 laptop, each attempt I make to install an app causes the User Account Control functions to intercede, seeking my conscious affirmation and permission to continue. On my company-provided system, Group Policy Objects (GPOs) have been configured in the system by the sysadmins to require that a software allowed and blocked list management to restrict execution system intercepts any such attempt. This happens on both machines even though my user account is an Administrator account. Thus, my Windows machines have internally applied a separation of duties concept in the way that user IDs are constructed and the ways in which systems policies (via GPOs) are set to restrict each ID to just what it should be authorized to do, and no more. Note how the use of allowed and blocked lists is implementing both positive and negative security control measures. Each attempt by one ID to ask another to do a restricted task on its behalf is defined as a security event and is logged for later troubleshooting; security events can also be treated as real-time alarm conditions, and in many cases, they should be.