IAPP CIPT – Privacy in Systems and Applications

1. Identity and Access Management (IAM)

Hi guys. In this lesson, we’ll discuss about identity and access management. Identity management includes the process involved in verifying the identity of an individual, group, process, or device. Identification via most computer systems consists of a person typing her credentials, user ID, and password into an authentication screen.

Most people are familiar with the login prompts for connected to services such as Facebook, LinkedIn, Twitter, et cetera. Many computers require that the user provide credentials to login, which sometimes also authenticates the user for access to the organization’s network. Single or dual factor authentication can be used to protect access to services, depending on the level of protection needed. After all, no authentication occurs. Authorization still has to take place to ensure that a user is permitted to access a resource or execute a command. Even if a user has access to a folder, it doesn’t mean the person can access every file in a folder.

And having access to a file doesn’t mean that the user can modify the file or even print it. Let’s review some identity and access management terms. So authentication is the act of validating a person’s identity with an identity management service before access to resources is permitted. Types of authentication are something you know. This type it involves something the user knows, usually an ID and a password, something you have. Usually that’s an RFID card, key, fob or USB device, something you are. This involves biometrics to authenticate, such as a fingerprint or retinal scan, or where you are. These types involves confirmation of the user’s location. Then we can have multifactor authentication. When more than one type of authentication is used to validate an individual, for example, something you know and something you have.

Authorization is the act of confirming that an authenticated person has legitimate access to a resource or permission to execute a command. And access control list is a set of identities associated with a resource that indicates the types of permissions for which the identities are authorized. So right now, let’s speak about the limitations of access management as a privacy tool. Access management is an essential tool in enforcing privacy requirements regarding who gets access to data. Access controllers can restrict the individuals, devices, or services that get to access a resource or set of resources. Sophisticated access management techniques can restrict access to data based on the type of data being accessed, the role of the person accessing the data, the location of the user, time of the day, or type of the device being used. While strong access management can ensure that the right people access the right data in the right way, it can’t ensure that people with legitimate access to the data do the right things while the data once is in their possession.

A user could always use data for the wrong purpose, share it with the wrong entity, place it on an unprotected storage, or sell it on the open market where access management leaves off proper policies, training and audited can fill the gaps. Employees must understand their obligations before gaining access to data. There must also be accountability for the data that employees access. Enterprise policies must be in place so employees are clear about how they must handle data. The idea of least privilege focuses on granting individuals and services the lowest possible access rights to resources. This minimizes the ability of the user to access unnecessary resources or execute unneeded programs.

For example, when placing a person in a role on a computer or the organization’s identity systems, choose the role with the fewest privileges necessary for the person to perform the required duties. Likewise, when adding a person to access control list for a resource, don’t give the person write access if read access is sufficient. If ROG programs or hackers gain access to an employee’s account, following a list access regime can minimize what else they can access on the employee’s computer or over the network. userBased Access Control userBased access control relies on the identity of the person to determine the type of access to grant or deny to a desired resource, such as a file directory or website. The user’s identity, as defined by the computer or network identity management system is added to the resource ACL along with the type of access being granted.

For example, Kiri could be granted read access to a file by adding her account ID to the file’s ACL and setting the access type as read. User based access controls can be used to manage a set of individuals in the same way they can manage one person. For example, a security group named File Readers could be created. Individuals in the company could then be added to the group and the group added to a file with the access type set to read. This would permit everyone in the group to have read access to the file. Removing a person from the group would remove the person’s access to any resources the group had been granted access to as long as the person did not have access directly or via another group.

User based access control can be implemented using discretionary access control called DAC, or mandatory access control called MEAC. With DAC, users who own a resource can manage the ACLs of that resource, adding other individuals or groups to the resources ACLs. While DAC makes managing security for resources easier, it provides leeway for employees to add users to a resources ACLs against organizational policy. With Mac, only the administrator is permitted to modify a resources ACL. This mitigates the risk that employees will add users to a resources ACL against policy. Role based access control differs from user based access control in that access to a resource is determined by a person’s role in an organization rather than identity.

Typically, an organization will have a fixed set of roles such as shipping clerk, salesperson and privacy architect. Access to resources is allocated based on which roles should access a resource and how? With Airbag, it is more intuitive for an administrator to know when to move a person from one set of roles to another, versus trying to remember every ACL or group to which a person must have been assigned. With Airbag, it is more intuitive for an administrator to know when to move a person from one set of roles to another, versus trying to remember every ACL or group to which a person may have been assigned. The use of roles make it easier to implement separation of duties and create an effective auditing program. The ability to provide cross site authentication authorization is a powerful tool that can streamline access to resources.

Also known as single sign on or SSO, it means users have to remember only one ID and password that can be used across multiple sites. SSO can also be used across applications and services, though a user can reuse the same ID and password to access each site. If the password is ever compromised, the user has to go to each site to change it. Personal data may also be shared across SSO sites that the user visits. The following list describes some SSO technologies. Open ID Federation is an organization that provides a mechanism that allow users to be authenticated to a relying party using a third party authentication service. For example, Cloud. com can be considered a relying party that uses Twitter. com or Facebook. com as an authentication service. This permits end users to use a single ID for multiple services and permits Cloud the relying party to avoid having to develop its own authentication service.

Liberty alliance is a standards organization established to define open standards, guidelines and best practices for identity management. As of June 2009, the Liberty Alliance work was transitioned to the Kantara Initiative, which builds trust frameworks for verifying online identities. Identity Mecca System Architecture is a privacy enhancing, security enhancing identity solution for the Internet. Developed by Microsoft, it was implemented as part of the Windows operating system as Windows Card space and later Deprecated. It is based on King Cameron’s laws of identity and is similar to Liberty Alliance and Open ID in that it permits users to log into multiple sites with a single identity. Social Networks Facebook, Google Plus and other social networks provide the ability to log into other services with a single ID. This is a great feature, but users must take care to understand what data is exchanged between the services and how that data is used.

2. Credit card information & processing

Hi guys. In this lesson we will discuss about credit card information and processing. Credit cards are one of the major ways people pay for merchandise. They are an inextricable part of people’s lives. It is difficult to rent a car at a hotel room or purchase products online without one. But with every purchase, a person is sharing credit card information not only with the credit card vendor, but with the store and the clerk handling the card. Each of those points of contact represents an opportunity for someone to steal the credit card information or for a bridge to happen. Let’s discuss now about credit card holder data. Types credit card data is some of the most sought after personal information on the Internet. Part of the driving force behind identity theft is the ability to use the information to obtain a credit card.

Credit cards are easy to use in person, and online laws like California Song Beverly Credit Card Act can make it easier for credit card tips to get away with illegal purchases as it limits the personal information a merchant may collect, thus curtailing the merchant’s ability to verify the identity of the cardholder. Credit card data consists of the name, credit card number, expiration data, and the security code. The credit card number itself is a formatted value that contains the major industry Identifier issuer Identification number and the account number, and ends with a check digit. Presenting these values to a cashier or a kiosk is typically all that is needed to make a purchase. Some guest stations and other retailers require the zip code for the billing address to be entered. Copying the magnetic stripe on a card provides the information needed to create a duplicate card. Illegally copying the magnetic stripe is called skimming. A typical skimming device is small enough to fit in a person’s pocket and basically consists of a magnetic stripe, reader and memory to store the credit card information.

A person steering with a small set of credit card numbers with a skimmer can make about $10 for each credit card number skimmed, while hackers who steer millions of credit card numbers can make about $3. 5 per number. Although they are paid less per card, they make up for it in volume. Because of the ease of acquiring credit card data and using it to make purchases, it is the target of many chiefs and online hackers. Some organizations that offer online purchases will capture the credit card information and store it in their database unencrypted. This leaves them vulnerable to viewing by employees or hackers or via a data breach. Several techniques can be used to mitigate this risk. First, credit card number can be encrypted right after processing. Once the processing has been completed, there should be no need to access the credit card number again.

If an inquiry comes up from a cardholder, the credit card number can be provided at the time of the inquiry and can be hashed to perform a database lookup, the credit card number can even be stored in a separate database using a foreign key. For an additional level of security, some credit card issuers offer a service that will issue a one time credit card number for online transactions.

This prevents the reuse of a credit card number, thus mitigating the risk from data breach for organizations that use this capability. Another method of protecting credit card involves encrypted transactions, where the vendor gets only an encrypted version of the user’s credit card number that can be decrypted only by the card issuer. The PCI DSS, which is Payment Card Industry Data Security Standard, is a global standard managed by the PCI Security Standards Console, which helps merchants and payment card processors apply information security best practices. This section highlights PCI DSS as an example of one standard that can be used to protect credit card data. It was selected because it applies both privacy and security standards to a company.

It should not be considered the only or best standard for protecting credit card data. The standard consists of twelve requirements that apply to any organization that accepts payment cards and or stores, processes and transmits cardholder data. It includes supporting materials such as framework or specifications, tools, self assessment questioners measurements, and support resources to help organizations ensure the safe handling of cardholder information. For the most part, PCI DSS is prescriptive in its guidance, making it easier to measure compliance than with regulations such as HIPAA or Basel Three, which are more vague in regards to what is required to reach compliance. You can see in the slide the twelve requirements for PCI DSS. These requirements are fulfilled by performing three important steps assess, remediate, and report regarding.

Assess each organization covered by PCI DSS must perform an assessment and vulnerabilities scan based on the PCI DSS requirements, looking for technology and process vulnerabilities that may pose a risk to cardholder data. Organizations can perform on self assessment using one of the self assessment questionnaire validation tools provided by the PCI SSE, or hire a qualified security assessor to perform the assessment remediate this process is for addressing any vulnerabilities found during the assessment process. Once the remediation process is completed, a reassessment and vulnerability scan is required to ensure that no vulnerabilities still exist. Report regular assessment reports must be submitted to the organization’s acquiring bank the bank or financial institution that processes credit and or debit card payments for products or services for a mentioned implementation of payment application data security standard, which is the PADSS? The PADSS is a set of requirements that applies to software vendors that are looking to develop payment card processing software.

Vendors who create payment application software may not be required to be PADSS compliant if the software does not store, process, or transmit cardholder data. Software vendors looking to create PADSS approved payment application software must comply with requirements contained in the PADSS standard. A synopsis of the requirements is as follows create the payment application, create a PADSS implementation guide, educate customers reseller and integrators. Ensure that each application passes a PADSS review and provide customers with a copy of the validated applications. PADSS. Implementation guide.

3. Remote access, telecommuting and bridging devices to work

Hi, guys. In this lesson, we’ll discuss about remote access, telecommuting and bring your own device. Permitting employees to work from home or use their own devices to access organizational resources can make them more productive and help to improve their work life balance. Letting an employee attend his child’s play in the middle of a workday can be disruptive. If the employee can access resources is from his smartphone, it can lessen the disruption and keep the employee happy. Remote access and bring your own device are a great benefit, but they do not come without risks. When using a personal device or a computer to access enterprise resources, be it remotely or locally, employees run the risk of exposing the personal information. Data sent across the company’s network can be viewed and captured by the company’s scanning services.

Data stored on the employee’s device or computer could be scanned as well. The results of the scans could identify content that may go against organizational policies or even break the law. Interception of email or other personal communications could be breaking laws in some jurisdictions. It administrators should work with their legal and privacy departments to help avoid practices that may be viewed as illegal. Employees should limit personal communication or transfer of personal data over company networks or storing personal data on company resources. When personal devices are used to access organizational networks, It departments often do not have an opportunity to validate the configurations of the devices. Devices could contain viruses, network scanners, kiloggers, or other types of malware that could be transferred to computers on the network.

Devices could also be stolen, giving thieves access to organizational resources. Organizations looking to permit users to have remote access on their own devices to companies resources should consider the following guidelines use corporate devices. Require employees to use organizational computers that the It department has verified and have the proper configuration software and access controls. Use approved devices when organizational computers can’t be mandated. Ask employees to use devices that have specific features, such as encryption, user login, antivirus, and even remote wipe. Limit data transfers. Ask employees not to download content to their devices or upload content to the network. Limit types of access. Employees accessing the network remotely or within a personal device could be restricted to accessing a specific set of computers or networks or using them during a certain time of day. Mandate device controls. Create policies that instruct employees to enable login encryption and remote wipe.

Have them install antivirus software. Limit social access. Do not permit employees to store company content on cloud services or social networks. How to upload features should be disabled to prevent accidentally sending content to a social site. Provide notice and obtain consent. Require employees using their own devices to read the policies governing the use of personal devices and sign a consent form. Outlining the employee’s obligations and possibility of losing data from a remote wipe if the device is torn. Access to computers within the organization. It is normally easy to identify when a stranger is on the property and inappropriately accessing a computer. Individuals who access the network remotely cannot necessarily be verified as employees. Devices or computers can have the access credentials to a network pre programmed so the users don’t have to enter them each time. This causes the risk of a TIFF gaining access to natural resources.

It departments can mitigate this risk in several ways. One limit computer Access computers may contain so much sensitive data that employees accessing them must be physically verified. When this need arises, several means can be used to prevent employees from accessing the computer remotely. Require manual authentication employees can be required to manually log in or reauthenticate to sensitive services. Use multifactor Authentication multifactor authentication can be used to help verify that the person accessing the computer is an employee. Architecture Controls when developing the It architecture, It professionals should consider the impact of remote employees and the use of personal devices within the company. By preparing for the possibility in advance, it personal can save time and mitigate risks to the company resources.

Several types of architecture controls can be considered virtual, private networks, or VPNs. By deploying a VPN, employees can access organizational resources over a secure network and not have to worry about their data being captured while working in public places. Demilitarized zone Networks organizations will often have visiting customers, vendors, and other non employees who want to access the Internet.

At times, it may be difficult to say no to a valid visitor, and employees may be influenced to permit the visitor to use their computer or connect to the standard network using their device. Providing a separate net just for visitors to access the Internet that has limited or no access to the organization’s network can mitigate the risk from visitors. Multifactor authentication or MFA, forces employees to provide two types of authentication to access network resources. If you remember just an example, something you have or something you are.

• Category: Uncategorized