Assignment task: Access Control and Identity Management Plan
Purpose: This course project is intended to assess your ability to comprehend and apply the basic concepts related to information security management, access controls, and identity management.
The following tools and resources will be needed to complete this project:
? Course textbook
? Access to the Internet
Learning Objectives and Outcomes:
Successful completion of this project will ensure that you can design an access control and identity management system. To be able to do so, you need to be able to do the following:
? Develop a plan for conducting an infrastructure assessment.
? Create a risk assessment plan.
? Create a plan for implementing role-based access control (RBAC).
? Research single sign-on (SSO) solutions.
? Describe a solution for remote access.
? Develop procedures for physical security of facilities, including biometrics.
? Create a plan for testing access controls.
? Create a plan for monitoring access controls.
Overall Project Scenario:
Big Tire Transport is a U.S. logistics company that operates a large fleet of trucks and is responsible for the movement of goods across the 48 contiguous states. Big Tire has accounts with companies of all sizes, as well as the U.S. federal government and several U.S. state government agencies.
The Big Tire headquarters is centrally located in Kansas City, Missouri. After a recent merger with a competitor, the company has employees in the following locations:
? Kansas City, Missouri, 500 employees
? Minneapolis, Minnesota, 200 employees
? Memphis, Tennessee, 150 employees
? Reno, Nevada, 175 employees
? El Paso, Texas, 250 employees
Due to the merger, the systems in each location differ. The headquarters location has fairly new computing equipment (workstations and servers) and runs Windows 10 on client computers and the latest edition of Windows Server on most servers. The other locations run a mix of current and outdated Windows-based software, and much of the hardware is outdated.
The main assets at the Big Tire headquarters location are housed in a data center. The assets consist of:
? Four Microsoft Windows Server application servers (current version of Windows Server)
? Two email servers running Microsoft Exchange
Two Linux web servers
? Microsoft Active Directory
? Accounting and financial software
? Logistics software
Other software, such as customer relationship management (CRM), are cloud services that Big Tire subscribes to each month.
Last year, Big Tire suffered two network compromises at the headquarters location that led to the disclosure of sensitive and strategic information on contracts and mergers. More recently, the Minneapolis location dealt with an insider destroying corporate data that could not be restored because the backup media contained errors. The Memphis location experienced a 4-day network outage due to a successful ransomware attack.
You play the role of an IT security architect. Your boss, the company chief information office (CIO), relies
on you for infrastructure planning and input on proposals to senior management.
Your goals for this project are to:
? Develop a plan for assessing infrastructure assets and risks.
? Develop a plan to implement role-based access control (RBAC) to ensure confidentiality, integrity, and availability.
? Research and describe single sign-on (SSO) and determine whether it is feasible for implementation for Big Tire locations.
? Address secure remote access requirements for users and physical security for facilities.
? Recommend RBAC tests and a plan for on-going network monitoring to ensure RBAC is working properly.
? Develop and submit reports to the CIO that address all requirements within each scenario.
Deliverables:
This project is divided into several parts, as follows:
? Project Part 1: Infrastructure Assessment and Risk Assessment
? Project Part 2: Role-Based Access Control (RBA) and Single Sign-On (SSO)
? Project Part 3: Remote Access and Physical Security
? Project Part 4: Testing and Monitoring
Project Part 1: Infrastructure Assessment and Risk Assessment
Scenario: The CIO recently made a strategic presentation to the executive management team to assess the infrastructure assets (hardware, software, databases, and types of sensitive information) and risks. Funding has been approved for both assessments. The CIO wants you to create a high-level plan for the infrastructure assessment and the risk assessment.
Tasks: Create a two-part report to the CIO that addresses the following:
1. A plan for conducting an infrastructure assessment of all company locations
2. A plan for conducting an IT risk assessment of all company locations
Each plan should include the following:
? Purpose and importance
? The scope and boundaries for the plan
? (Risk assessment only) At least five issues the plan will address upon completion
? A list of typical threats and vulnerabilities
? A high-level outline of major steps to be taken
? A proposed schedule
Project Part 2: Role-Based Access Control (RBAC) and Single Sign-On (SSO)
Scenario: Big Tire currently relies on access control lists (ACLs) for control over what users can access and what actions they can carry out. As the company has grown, ACLs have proven to be very time-consuming for IT staff to maintain.
You believe RBAC, used as a company-wide access control system, is superior to ACLs in terms of security and administrative overhead. RBAC user roles and permissions make it easy to perform role assignments because individual users no longer have unique access rights. Instead, they have privileges that conform to the permissions assigned to their specific role or job function.
Your CIO also asked you to research and report on the feasibility of SSO.
Tasks: Create a two-part report to the CIO that addresses the following:
1. A high-level plan for implementing RBAC or an RBAC-like solution at each Big Tire location
2. A description of SSO and a determination whether it is feasible for implementation at Big Tire
Project Part 3: Remote Access and Physical Security
Scenario: The Big Tire CIO wants users at all company locations and trusted business partners to be able to access applications hosted in the data center, such as the logistics and accounting applications. A remote access solution that provides a good user experience working with the logistics application would be ideal. A previous attempt to access the application over a virtual private network (VPN) connection was abandoned due to very slow response time.
The CIO also wants improved and uniform physical security at all locations, which should include some type of smart card and/or programmable locks for all office buildings and garages.
Finally, the CIO wants all employees, including drivers using mobile devices, to use biometrics, tokens, fobs, or authenticator apps for access to all websites that offer it as a factor in multifactor authentication.
The chosen access control should be convenient for employees and cost-effective.
Tasks:
Create a three-part report to the CIO that addresses the following:
? A high-level plan for implementing remote access to applications hosted in the data center
? A high-level plan for implementing physical security at Big Tire locations
? A high-level plan for cost-effective multifactor authentication for websites
Project Part 4: Testing and Monitoring
Scenario:
Access control systems are constantly under surveillance and attack. An attacker who gains control of an access control system can leverage that access to gain entry to other systems in the enterprise. Frequent testing of access control systems ensures that weaknesses are found and can be dealt with before they are exploited.
Network monitoring is a critical IT process where all networking components, such as routers, switches, firewalls, and servers, are monitored for faults, performance, and anomalies in order to detect possible intruders or attacks.
Tasks:
Create a two-part report to the CIO that addresses the following:
? A high-level plan for testing RBAC and physical security (building access)
o Include type of tests to be performed and frequency
? A high-level plan for on-going network monitoring to ensure the RBAC solution is working properly
o Network monitoring to be performed at each Big Tire location