Data Access Control, Password Policy and Authentication Methods for Online Bank
Md. Mahbubur Rahman Alam
B. Sc. (Statistics), Dhaka University
M. Sc. (Statistics, Major in Econometrics), Dhaka University
PGD (ICT), BUET
M. Sc. (ICT), BUET
Assistant Professor, BIBM, Mirpur, Dhaka.
Cell: 01556323244, Mail: [email protected], Website: mralam.net
Diagram: online banking delivery channels connecting the customer to the bank: Kiosk, Branch, Internet, POS, PSTN, ATM, Other Bank, Mobile, Call Center.
Md. Mahbubur Rahman Alam, Assistant Professor (ICT), BIBM. Mail: [email protected]
Data Access Control
Data access typically refers to software and activities related to storing, retrieving, or acting on data housed in a database or other repository. Data access is simply the authorization you have to access different data files.
Access Controls
Access controls should provide reasonable assurance that data and applications are protected against unauthorized modification, disclosure, loss or impairment. Such controls include physical controls, such as keeping a computer in a locked room to limit physical access, and logical controls, such as security software designed to prevent or detect unauthorized access to sensitive files.
Restricting Access
Implement separation of duties (SOD), a preventive control.
Establish separate test and production environments, a preventive control.
Restrict user account and database administrator access, a preventive control.
Identification, Authentication and Process
Elements to restrict include:
Data access (successful/failed SELECTs)
Data changes (INSERT, UPDATE, DELETE)
System access (successful/failed logins)
User/role/permission/password changes
Privileged user activity (all)
Schema changes (CREATE/DROP/ALTER of tables, columns, fields)
Authentication Methods
We can authenticate an identity in three ways:
Something the user knows (such as a password or personal identification number)
Something the user has (a security token or smart card)
Something the user is (a physical characteristic, such as a fingerprint, called a biometric)
Biometric methods illustrated on the slides: Fingerprint Recognition, Hand or Palm Geometry, Facial Recognition, Eye Scans.
USB Security Token or One Time Password
RSA stands for Ron Rivest, Adi Shamir and Leonard Adleman; the token vendor is RSA Security LLC.
Login Authentication
The database server authenticates a connection in one of two ways: it either verifies a trusted connection, mapping a Windows 2000 group or user to a database server login account, or it verifies a name and password directly against a database server login account.
Database User Accounts and Roles
The database server assigns each login (a Windows 2000 group or user on a trusted connection, or a name-and-password login) to a database user account and to database roles.
Permission Validation
1. The database user executes a command, e.g. SELECT * FROM Members.
2. The database server checks the user's permissions.
3. If the permissions are OK, the server performs the command; if not, it returns an error.
Granting Permissions to Allow Access
Table: User/Role (Eva, Ivan, David, public) against the SELECT, INSERT, UPDATE and DELETE permissions; the granted cells are shown graphically on the slide.
Denying Permissions to Prevent Access
Table: User/Role (Eva, Ivan, David, public) against the SELECT, INSERT, UPDATE and DELETE permissions; the denied cells are shown graphically on the slide.
Revoking Granted and Denied Permissions
Table: User/Role (Eva, Ivan, David, public) against the SELECT, INSERT, UPDATE and DELETE permissions; the revoked cells are shown graphically on the slide.
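The grant, deny and revoke slides above can be exercised in code. This Python model is an added example, not the slides' own material or any database vendor's code; it assumes the rules the slides illustrate (a DENY anywhere in a user's chain beats a GRANT, every user belongs to public, REVOKE removes the earlier entry) and uses the slides' principals Eva, Ivan, David and public plus a constructed Tellers role on the Members table.

```python
from collections import defaultdict

class PermissionStore:
    """GRANT / DENY / REVOKE on tables as the slides describe: a DENY anywhere
    in a user's chain (user, its roles, public) wins over any GRANT, every
    user belongs to public, and REVOKE removes an earlier GRANT or DENY."""
    def __init__(self):
        self.members = defaultdict(set)   # role -> users
        self.grants = defaultdict(set)    # (principal, table) -> permissions
        self.denies = defaultdict(set)

    def add_member(self, role, user):
        self.members[role].add(user)

    def grant(self, principal, perm, table):
        self.grants[(principal, table)].add(perm)

    def deny(self, principal, perm, table):
        self.denies[(principal, table)].add(perm)

    def revoke(self, principal, perm, table):
        self.grants[(principal, table)].discard(perm)
        self.denies[(principal, table)].discard(perm)

    def chain(self, user):
        roles = {r for r, users in self.members.items() if user in users}
        return {user, "public"} | roles

    def check(self, user, perm, table):
        chain = self.chain(user)
        if any(perm in self.denies[(p, table)] for p in chain):
            return False                  # DENY overrides any GRANT
        return any(perm in self.grants[(p, table)] for p in chain)

def execute(store, user, perm, table):
    """Permission validation step: check, then perform or return an error."""
    if store.check(user, perm, table):
        return f"OK: {user} performed {perm} on {table}"
    return f"ERROR: {user} has no {perm} permission on {table}"
def build_demo():
    """Constructed scenario with the slides' principals and the Members table."""
    s = PermissionStore()
    s.grant("public", "SELECT", "Members")    # everyone may read
    s.grant("Eva", "INSERT", "Members")
    s.grant("Eva", "UPDATE", "Members")
    s.deny("David", "SELECT", "Members")      # overrides the public grant
    s.add_member("Tellers", "Ivan")
    s.grant("Tellers", "DELETE", "Members")   # Ivan inherits through the role
    return s
```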
Password Policy
Use of both upper- and lower-case letters (case sensitivity)
Inclusion of one or more numerical digits
Inclusion of special characters, e.g. @, #, $ etc.
Prohibition of words found in a dictionary or the user's personal information
Prohibition of passwords that match the format of calendar dates, license plate numbers, telephone numbers, or other common numbers
Prohibition of use of the company name or an abbreviation of it
Password Duration
Some policies require users to change passwords periodically, e.g. every 90 or 180 days. The benefit of password expiration, however, is debatable. Systems that implement such policies sometimes prevent users from picking a password too close to a previous selection.
Common Password Practice
Never share a computer account
Never use the same password for more than one account
Never tell a password to anyone, including people who claim to be from customer service or security
Never write down a password
Never communicate a password by telephone, e-mail or instant messaging
Be careful to log off before leaving a computer unattended
Change passwords whenever there is suspicion they may have been compromised
Keep operating system passwords and application passwords different
Passwords should be alphanumeric
Never use online password generation tools
Password Strength
Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. In its usual form, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly. The strength of a password is a function of length, complexity, and unpredictability.
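Both the password policy rules and the strength measure above can be checked programmatically. This Python checker is an added example, not from the slides; the word list, the company names and the count of 33 printable symbols are constructed assumptions, and the strength figure follows the slide's definition of average trials for a blind brute-force guesser over the character classes used.

```python
import math
import re

# Constructed stand-ins for the word list and company names a bank would load.
DICTIONARY = {"password", "welcome", "letmein", "summer", "bank"}
COMPANY_NAMES = {"bibm", "mybank"}
SPECIALS = set("@#$%^&*!?-_+=")

def policy_violations(pw: str, personal=()) -> list:
    """Return the policy rules a candidate password breaks (empty = accepted)."""
    v = []
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        v.append("needs both upper- and lower-case letters")
    if not any(c.isdigit() for c in pw):
        v.append("needs at least one digit")
    if not any(c in SPECIALS for c in pw):
        v.append("needs a special character such as @, # or $")
    low = pw.lower()
    words = DICTIONARY | {p.lower() for p in personal if p}
    if any(w in low for w in words):
        v.append("contains a dictionary word or personal information")
    # six-plus digit runs or dd/mm/yyyy-style groups look like dates, phones, plates
    if re.search(r"\d{6,}|\d{1,2}[/-]\d{1,2}[/-]\d{2,4}", pw):
        v.append("matches a date, telephone or plate-number pattern")
    if any(n in low for n in COMPANY_NAMES):
        v.append("contains the company name or its abbreviation")
    return v

def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must search, given the classes used."""
    size = 0
    if any(c.islower() for c in pw): size += 26
    if any(c.isupper() for c in pw): size += 26
    if any(c.isdigit() for c in pw): size += 10
    if any(not c.isalnum() for c in pw): size += 33   # printable ASCII symbols
    return size

def expected_guesses(pw: str) -> float:
    """Average trials for a blind brute-force attacker: half the search
    space charset_size ** length."""
    return charset_size(pw) ** len(pw) / 2

def entropy_bits(pw: str) -> float:
    """Same search space expressed in bits (length * log2 of the alphabet)."""
    return len(pw) * math.log2(charset_size(pw))
```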
Multi-factor Authentication (MFA)
MFA, two-factor authentication, TFA, T-FA or 2FA is an approach to authentication which requires the presentation of two or more of the three authentication factors: a knowledge factor ("something only the user knows"), a possession factor ("something only the user has"), and an inherence factor ("something only the user is"). After presentation, each factor must be validated by the other party for authentication to occur.
Something only the user knows (e.g., password, PIN, pattern);
Something only the user has (e.g., ATM card, smart card, mobile phone);
Something only the user is (e.g., biometric characteristic, such as a fingerprint).
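As an added example (not from the slides), this Python sketch shows the server side of the two-factor login the MFA slides describe: a salted PBKDF2 hash validates the knowledge factor and an event-based one-time password validates the possession factor, and both must pass. It uses HOTP (RFC 4226) as the OTP algorithm, which is not the proprietary algorithm of the RSA token pictured earlier; the user record, salt and shared secret are constructed (the secret is the RFC 4226 test-vector key).

```python
import hashlib
import hmac
import struct

def hash_password(password: str, salt: bytes) -> bytes:
    """Knowledge factor: store a slow salted hash, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Possession factor: RFC 4226 HOTP (HMAC-SHA1 over the 8-byte counter,
    dynamic truncation, last `digits` decimal digits)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

# Constructed demo record; the HOTP secret is the RFC 4226 test-vector key.
_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
USERS = {
    "eva": {
        "salt": _SALT,
        "pw_hash": hash_password("correct horse battery", _SALT),
        "otp_secret": b"12345678901234567890",
        "otp_counter": 0,
    }
}

def verify_login(username: str, password: str, otp: str, lookahead: int = 3) -> bool:
    """Both factors are validated by the server; either one failing rejects the
    login, and a code that was accepted once cannot be replayed."""
    user = USERS.get(username)
    if user is None:
        return False
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    matched = None
    start = user["otp_counter"]
    for c in range(start, start + lookahead):   # tolerate a few unsent token presses
        if hmac.compare_digest(hotp(user["otp_secret"], c), otp):
            matched = c
            break
    if not (pw_ok and matched is not None):
        return False
    user["otp_counter"] = matched + 1           # move past the consumed code
    return True
```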
Questions are welcome. Thank you.