1 Data Access Control, Password Policy and Authentication Methods for Online Bank Md. Mahbubur...

Post on 21-Jan-2016



1

Data Access Control, Password Policy and Authentication Methods for Online Bank

Md. Mahbubur Rahman Alam

B. Sc. (Statistics), Dhaka University; M. Sc. (Statistics, Major in Econometrics), Dhaka University

PGD (ICT), BUET; M. Sc. (ICT), BUET

Assistant Professor, BIBM, Mirpur, Dhaka. Cell: 01556323244, Mail: alam_mr@yahoo.com, Website: mralam.net

2

[Diagram: delivery channels of an online bank around the customer: Kiosk, Branch, Internet, POS, PSTN, ATM, Other Bank, Mobile, Call Center.]

3

Md. Mahbubur Rahman Alam, Assistant Professor (ICT), BIBM. Mail: alam_mr@yahoo.com

4

Data Access Control

Data access typically refers to software and activities related to storing, retrieving, or acting on data housed in a database or other repository. Data access control is the authorization that determines which data files a given user may access.


5

Access Controls

Access Controls should provide reasonable assurance that data and applications are protected against unauthorized modifications, disclosure, loss or impairment. Such controls include physical controls, such as keeping a computer in a locked room to limit physical access, and logical controls such as security software programs designed to prevent or detect unauthorized access to sensitive files.


6

Restricting Access

Implement separation of duties (SOD), a preventive control.

Establish separate test and production environments, a preventive control.

Restrict user account and database administrator access, a preventive control.


7

Identification, Authentication and Process

Elements to restrict and audit include:

Data access (successful/failed SELECTs)

Data changes (INSERT, UPDATE, DELETE)

System access (successful/failed logins)

User/role/permission/password changes

Privileged user activity (all of it)

Schema changes (CREATE/DROP/ALTER of tables, columns, fields)
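The list above is an audit checklist as much as an access-control one. The following is an added example, not code from the slides, that sorts constructed database audit records into those categories and flags the ones an auditor should review: failed SELECTs, repeated failed logins, every schema or permission change, and everything a privileged account does. The log line format, the user names, the set of privileged accounts and the failed-login threshold are all assumptions made for this example.

```python
"""Added example (not from the slides): classify constructed database audit
records into the slide's categories and flag the ones that need review.
The log format, user names, privileged set and thresholds are assumptions."""
import re
from collections import Counter

# Assumption: which logins count as privileged (DBA or sysadmin accounts).
PRIVILEGED_USERS = {"sa", "dba_raj"}

# Map each audited action to one of the slide's categories.
CATEGORY_BY_ACTION = {
    "SELECT": "data_access",
    "INSERT": "data_change", "UPDATE": "data_change", "DELETE": "data_change",
    "LOGIN": "system_access", "LOGOUT": "system_access",
    "CREATE_USER": "account_admin", "DROP_USER": "account_admin",
    "ALTER_LOGIN": "account_admin", "ALTER_ROLE": "account_admin",
    "GRANT": "account_admin", "DENY": "account_admin", "REVOKE": "account_admin",
    "CREATE_TABLE": "schema_change", "ALTER_TABLE": "schema_change",
    "DROP_TABLE": "schema_change",
}

# Assumed record layout: timestamp user client_ip ACTION object status
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)\s+(?P<obj>\S+)\s+(?P<status>SUCCESS|FAILED)$"
)

# Constructed sample log (not real data).
SAMPLE_AUDIT_LOG = """\
2016-01-21T09:00:01 teller01 10.1.2.15 LOGIN - SUCCESS
2016-01-21T09:00:05 teller01 10.1.2.15 SELECT Accounts SUCCESS
2016-01-21T09:01:10 teller01 10.1.2.15 SELECT Members FAILED
2016-01-21T09:02:00 dba_raj 10.1.2.50 LOGIN - SUCCESS
2016-01-21T09:02:30 dba_raj 10.1.2.50 ALTER_TABLE Members SUCCESS
2016-01-21T09:03:00 dba_raj 10.1.2.50 GRANT Members SUCCESS
2016-01-21T09:10:00 sa 203.0.113.9 LOGIN - FAILED
2016-01-21T09:10:02 sa 203.0.113.9 LOGIN - FAILED
2016-01-21T09:10:04 sa 203.0.113.9 LOGIN - FAILED
2016-01-21T09:11:00 teller02 10.1.2.16 UPDATE Accounts SUCCESS
"""


def parse_line(line):
    """Return a dict for one audit record, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["category"] = CATEGORY_BY_ACTION.get(ev["action"], "unknown")
    ev["privileged"] = ev["user"] in PRIVILEGED_USERS
    return ev


def parse_log(text):
    return [ev for ev in (parse_line(line) for line in text.splitlines()) if ev]


def review(events, failed_login_threshold=3):
    """Return (kind, detail) findings an auditor should look at."""
    findings = []
    failed_logins = Counter(
        e["user"] for e in events
        if e["action"] == "LOGIN" and e["status"] == "FAILED")
    for user, n in failed_logins.items():
        if n >= failed_login_threshold:
            findings.append(("brute_force_suspect", f"{user}: {n} failed logins"))
    for e in events:
        detail = f'{e["ts"]} {e["user"]}@{e["client"]} {e["action"]} {e["obj"]} {e["status"]}'
        if e["category"] == "data_access" and e["status"] == "FAILED":
            findings.append(("failed_select", detail))       # read attempt on data the user may not see
        elif e["category"] in ("schema_change", "account_admin"):
            findings.append((e["category"], detail))        # always review structural/permission changes
        elif e["category"] == "unknown":
            findings.append(("unknown_action", detail))     # the audit map is incomplete
        if e["privileged"]:
            findings.append(("privileged_activity", detail))  # slide: privileged activity, all of it
    return findings


def summarize(findings):
    """Count findings by kind, for a quick dashboard line."""
    return dict(Counter(kind for kind, _ in findings))


if __name__ == "__main__":
    for kind, detail in review(parse_log(SAMPLE_AUDIT_LOG)):
        print(f"{kind:20s} {detail}")
```

On the sample, the three failed `sa` logins from an external address become one brute-force finding, the teller's failed SELECT on Members and the DBA's ALTER TABLE and GRANT are each flagged, and every record by a privileged account is listed regardless of outcome.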


8

Authentication Methods

We can authenticate an identity in three ways:

Something the user knows (such as a password or personal identification number)

Something the user has (a security token or smart card)

Something the user is (a physical characteristic, such as a fingerprint, called a biometric).

9

Fingerprint Recognition

Hand or Palm Geometry


10

Facial Recognition


11

Eye Scans


12

USB Security Token or One Time Password

RSA stands for Ron Rivest, Adi Shamir and Leonard Adleman, the inventors of the RSA public-key algorithm; RSA Security LLC is the company named after them.


Login Authentication

[Diagram: a Windows 2000 group or user connects; the database server either verifies a trusted (Windows) connection or verifies a name and password, and maps the result to a database server login account.]

Database User Accounts and Roles

[Diagram: the database server assigns logins to user accounts and roles; a Windows 2000 group or user maps to a database server login account, which maps to a database user, which may belong to a database role.]

Permission Validation

[Diagram, three steps: (1) the database user executes a command, e.g. SELECT * FROM Members; (2) the database server checks permissions; (3) permissions OK: the server performs the command; permissions not OK: the server returns an error.]

Granting Permissions to Allow Access

[Diagram: permission matrix with rows Eva, Ivan, David and public, and columns SELECT, INSERT, UPDATE, DELETE; the granted cells are not recoverable from the transcript.]

Denying Permissions to Prevent Access

[Diagram: the same matrix (Eva, Ivan, David, public versus SELECT, INSERT, UPDATE, DELETE) showing denied permissions; cell contents not recoverable.]

Revoking Granted and Denied Permissions

[Diagram: the same matrix showing revoked permissions; cell contents not recoverable.]
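The three matrices and the permission-validation steps describe one resolution rule: a user holds whatever is granted to it directly, to any role it belongs to, or to public, but a DENY at any of those levels wins, and REVOKE only removes the explicit entry for one principal. The following is an added example, not code from the slides, that models that rule and walks "SELECT * FROM Members" through steps 1 to 3. The names Eva, Ivan, David and public are taken from the slides; the "tellers" role, the scenario and the deny-overrides-grant semantics (those of SQL Server, which the Windows 2000 login diagram suggests) are assumptions for this example.

```python
"""Added example (not from the slides): a small model of how a database
server resolves GRANT, DENY and REVOKE across users, roles and public
before it executes a command. The scenario is constructed."""
import re
from collections import defaultdict


class PermissionStore:
    """Explicit GRANT/DENY entries per principal plus role membership."""

    def __init__(self):
        self.role_members = defaultdict(set)   # role -> {user, ...}
        self.granted = defaultdict(set)        # principal -> {(perm, obj)}
        self.denied = defaultdict(set)         # principal -> {(perm, obj)}

    def add_member(self, role, user):
        self.role_members[role].add(user)

    def grant(self, principal, perm, obj):
        self.granted[principal].add((perm, obj))
        self.denied[principal].discard((perm, obj))   # GRANT replaces a DENY on the same principal

    def deny(self, principal, perm, obj):
        self.denied[principal].add((perm, obj))
        self.granted[principal].discard((perm, obj))

    def revoke(self, principal, perm, obj):
        # REVOKE only removes this principal's own entry; whatever the user
        # inherits through roles or public still applies afterwards.
        self.granted[principal].discard((perm, obj))
        self.denied[principal].discard((perm, obj))

    def principals_for(self, user):
        """The user itself, every role containing it, and the public role."""
        roles = {r for r, members in self.role_members.items() if user in members}
        return {user, "public"} | roles

    def check(self, user, perm, obj):
        """DENY at any level wins; otherwise any GRANT at any level suffices."""
        principals = self.principals_for(user)
        if any((perm, obj) in self.denied[p] for p in principals):
            return False
        return any((perm, obj) in self.granted[p] for p in principals)


# Map a statement to the (permission, object) the server must validate.
STATEMENT_RE = {
    "SELECT": re.compile(r"^SELECT\b.*?\bFROM\s+(\w+)", re.I | re.S),
    "INSERT": re.compile(r"^INSERT\s+INTO\s+(\w+)", re.I),
    "UPDATE": re.compile(r"^UPDATE\s+(\w+)", re.I),
    "DELETE": re.compile(r"^DELETE\s+FROM\s+(\w+)", re.I),
}


def required_permission(statement):
    for perm, rx in STATEMENT_RE.items():
        m = rx.match(statement.strip())
        if m:
            return perm, m.group(1)
    raise ValueError("unsupported statement")


def execute(store, user, statement):
    """Steps 1-3 of the permission-validation diagram."""
    perm, obj = required_permission(statement)          # 1. user submits the command
    if not store.check(user, perm, obj):                # 2. server checks permissions
        raise PermissionError(f"Permissions not OK for {user}: {perm} on {obj}")
    return f"Permissions OK; performs {perm} on {obj}"   # 3. server performs the command


def build_demo_store():
    """Constructed scenario using the slide's names Eva, Ivan, David and public."""
    s = PermissionStore()
    s.grant("public", "SELECT", "Members")   # everyone may read Members ...
    s.deny("Ivan", "SELECT", "Members")      # ... except Ivan: his DENY overrides public's GRANT
    s.grant("Eva", "INSERT", "Members")
    s.add_member("tellers", "David")         # assumed role
    s.grant("tellers", "UPDATE", "Members")  # David gets UPDATE through the role
    return s


if __name__ == "__main__":
    store = build_demo_store()
    for user in ("Eva", "Ivan", "David"):
        try:
            print(user, "->", execute(store, user, "SELECT * FROM Members"))
        except PermissionError as err:
            print(user, "->", err)
    store.revoke("Ivan", "SELECT", "Members")   # drop the DENY; public's GRANT applies again
    print("Ivan after REVOKE ->", execute(store, "Ivan", "SELECT * FROM Members"))
```

The point the matrices make, and the model reproduces, is that revoking Ivan's DENY does not leave him with nothing: it exposes the public GRANT again, so a reviewer who wants Ivan kept out must also revoke or deny at the public level.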

19

Password Policy

Use of both upper- and lower-case letters (case sensitivity)

Inclusion of one or more numerical digits

Inclusion of special characters, e.g. @, #, $ etc.

Prohibition of words found in a dictionary or the user's personal information

Prohibition of passwords that match the format of calendar dates, license plate numbers, telephone numbers, or other common numbers

Prohibition of use of the company name or an abbreviation of it


20

Password Duration

Some policies require users to change passwords periodically, e.g. every 90 or 180 days. The benefit of password expiration, however, is debatable: forced rotation tends to push users toward predictable variations of the previous password, and current NIST guidance (SP 800-63B) advises against arbitrary periodic changes, recommending a change when there is evidence of compromise instead. Systems that implement such policies sometimes prevent users from picking a password too close to a previous selection.


21

Common Password Practice

Never share a computer account

Never use the same password for more than one account

Never tell a password to anyone, including people who claim to be from customer service or security

Never write down a password

Never communicate a password by telephone, e-mail or instant messaging


22

Common Password Practice

Be careful to log off before leaving a computer unattended

Change passwords whenever there is suspicion they may have been compromised

Use different passwords for the operating system and for applications

Passwords should be alphanumeric

Never use online password generation tools


23

Password Strength

Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. In its usual form, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly. The strength of a password is a function of length, complexity, and unpredictability.
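The policy rules on slide 19 and the strength definition above fit together: the rules remove predictable choices, and the strength estimate measures what is left, the search space an attacker must cover. The following is an added example, not code from the slides, that checks a candidate password against each listed rule and then computes the search space, its size in bits, and the average number of trials (half the space). The minimum length, the company-name list and the small dictionary are assumptions for this example; a real deployment would check against a full breached-password list rather than a handful of words.

```python
"""Added example (not from the slides): enforce the slide's password policy
rules and estimate strength as the size of the attacker's search space.
Minimum length, company names and the mini dictionary are assumptions."""
import math
import re
import string

MIN_LENGTH = 12                                  # assumed; the slides give no number
COMPANY_NAMES = ("bibm", "bangladesh institute of bank management")   # assumed
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "banking", "dhaka"}  # constructed mini-dictionary


def check_policy(password, personal_info=()):
    """Return the list of rules the password breaks (empty means it passes)."""
    problems = []
    low = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("needs both upper- and lower-case letters")
    if not any(c.isdigit() for c in password):
        problems.append("needs at least one digit")
    if not any(c in string.punctuation for c in password):
        problems.append("needs a special character such as @, # or $")
    if any(w in low for w in COMMON_WORDS):
        problems.append("contains a dictionary word")
    if any(p.lower() in low for p in personal_info if len(p) >= 3):
        problems.append("contains personal information")
    # Calendar dates (2016-01-21, 21/01/2016, 21012016), telephone numbers and
    # similar: a run of six or more digits, or a separated day/month/year.
    if re.search(r"\d{6,}", password) or re.search(r"\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}", password):
        problems.append("looks like a date, telephone number or other common number")
    if any(name in low for name in COMPANY_NAMES):
        problems.append("contains the company name")
    return problems


def search_space(password):
    """Size of the alphabet an attacker must assume, raised to the length."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)   # 32 printable ASCII symbols
    if any(c not in string.ascii_letters + string.digits + string.punctuation for c in password):
        pool += 100                       # crude allowance for other symbols
    return pool ** len(password) if pool else 0


def strength_bits(password):
    """log2 of the search space: the slide's length-and-complexity measure."""
    space = search_space(password)
    return round(math.log2(space), 1) if space else 0.0


def expected_guesses(password):
    """Average trials for an attacker working through the whole space: half of it.
    This is an upper bound; human-chosen passwords fall far sooner to dictionary
    and pattern attacks, which is why check_policy exists."""
    return search_space(password) // 2


if __name__ == "__main__":
    for pw in ("password123", "Mahbub-21/01/2016!A", "Tk7#vL9q!mR2pX"):
        print(pw, strength_bits(pw), "bits", check_policy(pw, personal_info=("Mahbub",)))
```

Note the two halves disagree on purpose: "Mahbub-21/01/2016!A" has a large search space by the bit count, yet fails the policy because it is built from personal information and a date, which is exactly the unpredictability the slide says length and complexity alone do not capture.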


24

Multi-factor Authentication (MFA)

Multi-factor authentication (MFA), of which two-factor authentication (2FA, also written TFA or T-FA) is the common case, is an approach to authentication which requires the presentation of two or more of the three authentication factors: a knowledge factor ("something only the user knows"), a possession factor ("something only the user has"), and an inherence factor ("something only the user is"). After presentation, each factor must be validated by the other party for authentication to occur.


25

Multi-factor Authentication (MFA)

Something only the user knows (e.g., password, PIN, pattern);

Something only the user has (e.g., ATM card, smart card, mobile phone);

Something only the user is (e.g., biometric characteristic, such as a fingerprint).
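The three-factor list here, the factors on slide 8 and the one-time-password token on slide 12 come together in a login that validates two of them before it lets anyone in. The following is an added example, not code from the slides, of such a login: a password (knowledge factor) checked against a salted PBKDF2 hash, plus a time-based one-time code (possession factor) generated the way a hardware token or phone app does it, following RFC 4226 (HOTP) and RFC 6238 (TOTP). The user record layout, the PBKDF2 parameters, the clock-skew window and the replay rule are assumptions for this example; the secret used below is the published RFC test key, not a real one.

```python
"""Added example (not from the slides): a two-factor login that checks a
password and an RFC 6238 time-based one-time code. Record layout, PBKDF2
parameters and the skew/replay rules are assumptions for this example."""
import hashlib
import hmac
import os
import struct
import time

TOTP_STEP = 30            # seconds per code, the RFC 6238 default
PBKDF2_ROUNDS = 200_000   # assumed work factor for the password hash

# Key from the RFC 4226 / RFC 6238 test vectors, so the codes below are checkable.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, digits=6, step=TOTP_STEP):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at // step), digits)


def make_user(password, totp_secret):
    """Constructed user record: salted PBKDF2 hash plus the shared TOTP secret."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "pw_hash": pw_hash, "totp_secret": totp_secret,
            "last_counter": -1}   # highest counter already accepted, to stop replay


def verify_login(record, password, code, at=None, window=1):
    """Both factors are evaluated before any decision, so a failure does not
    reveal which one was wrong, and a code is only burnt once both pass."""
    if at is None:
        at = time.time()
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    password_ok = hmac.compare_digest(candidate, record["pw_hash"])

    counter = int(at // TOTP_STEP)
    matched = None
    for step in range(counter - window, counter + window + 1):   # tolerate small clock skew
        if step <= record["last_counter"]:
            continue                                             # already used: replay
        expected = hotp(record["totp_secret"], step).encode()
        if hmac.compare_digest(expected, str(code).encode()):
            matched = step
    code_ok = matched is not None

    if password_ok and code_ok:
        record["last_counter"] = matched
        return True
    return False


if __name__ == "__main__":
    user = make_user("correct horse battery", RFC_TEST_SECRET)
    now = time.time()
    print("first login :", verify_login(user, "correct horse battery", totp(RFC_TEST_SECRET, now), now))
    print("replayed    :", verify_login(user, "correct horse battery", totp(RFC_TEST_SECRET, now), now))
    print("bad password:", verify_login(user, "wrong", totp(RFC_TEST_SECRET, now + 60), now + 60))
```

Two details matter more than the arithmetic: the password hash is computed even when the code is wrong, so response time and error text do not tell an attacker which factor failed, and an accepted counter is recorded so a code captured in transit cannot be replayed inside the skew window.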


26

Questions are welcome.

Thank you.