1 Data Access Control, Password Policy and Authentication Methods for Online Bank Md. Mahbubur Rahman Alam B. Sc. (Statistics) Dhaka University M. Sc. (Statistics, Major in Econometrics) Dhaka University PGD(ICT)BUET M. Sc. (ICT) BUET Assistant Professor, BIBM, Mirpur, Dhaka. Cell: 01556323244, Mail: [email protected] Website: mralam.net


Post on 21-Jan-2016


TRANSCRIPT

Page 1

Data Access Control, Password Policy and Authentication Methods for Online Bank

Md. Mahbubur Rahman Alam

B. Sc. (Statistics), Dhaka University
M. Sc. (Statistics, Major in Econometrics), Dhaka University
PGD (ICT), BUET
M. Sc. (ICT), BUET

Assistant Professor, BIBM, Mirpur, Dhaka. Cell: 01556323244, Mail: [email protected] Website: mralam.net

Page 2

[Diagram: access channels to the online bank around the customer: Kiosk, Branch, Internet, POS, PSTN, ATM, Other Bank, Mobile, Call Center]

Page 3

Md. Mahbubur Rahman Alam, Assistant Professor (ICT), BIBM. Mail: [email protected]

Page 4

Data Access Control

Data access typically refers to the software and activities involved in storing, retrieving, or acting on data housed in a database or other repository. In the access-control sense, data access is simply the authorization a user holds to read or modify particular data files or tables.

Page 5

Access Controls

Access controls should provide reasonable assurance that data and applications are protected against unauthorized modification, disclosure, loss or impairment. Such controls include physical controls, such as keeping a computer in a locked room to limit physical access, and logical controls, such as security software designed to prevent or detect unauthorized access to sensitive files.

Page 6

Restricting Access

Implement separation of duties (SOD), a preventive control.

Establish separate test and production environments, a preventive control.

Restrict user-account and database-administrator access, a preventive control.

Page 7

Identification, Authentication and Process

Elements to restrict, and to log and audit, include:

Data access (successful/failed SELECTs)
Data changes (INSERT, UPDATE, DELETE)
System access (successful/failed logins)
User, role, permission and password changes
Privileged user activity (all of it)
Schema changes (CREATE/DROP/ALTER of tables, columns, fields)
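The list above is what a database audit trail should capture. As an added example written for this page (not part of the slides), the following Python script parses a constructed key=value audit log and raises an alert for each event class the slide names: a burst of failed logins, a failed SELECT, schema changes, permission changes and any activity by a privileged role. The log format, the user names, the role names and the thresholds are assumptions.

```python
"""Triage of database audit events: failed logins, failed SELECTs, permission
changes, privileged activity and schema changes.
Added example for this page; the key=value log format, the users and the
thresholds are constructed assumptions, not from the slides."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (hypothetical format: ISO timestamp, then key=value pairs).
SAMPLE_LOG = """\
2016-01-21T09:00:01 user=eva role=teller event=LOGIN result=OK src=10.0.0.5
2016-01-21T09:00:05 user=eva role=teller event=SELECT result=OK obj=Members
2016-01-21T09:01:10 user=ivan role=teller event=LOGIN result=FAIL src=10.0.0.9
2016-01-21T09:01:15 user=ivan role=teller event=LOGIN result=FAIL src=10.0.0.9
2016-01-21T09:01:20 user=ivan role=teller event=LOGIN result=FAIL src=10.0.0.9
2016-01-21T09:02:00 user=ivan role=teller event=SELECT result=FAIL obj=Accounts
2016-01-21T09:05:00 user=david role=dba event=LOGIN result=OK src=10.0.0.2
2016-01-21T09:05:30 user=david role=dba event=ALTER result=OK obj=Accounts
2016-01-21T09:06:00 user=david role=dba event=GRANT result=OK obj=Accounts target=ivan
2016-01-21T09:07:00 user=eva role=teller event=UPDATE result=OK obj=Members
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")
SCHEMA_CHANGES = {"CREATE", "DROP", "ALTER"}
PERMISSION_CHANGES = {"GRANT", "DENY", "REVOKE", "CREATE_USER", "ALTER_ROLE", "PASSWORD_CHANGE"}
PRIVILEGED_ROLES = {"dba", "sysadmin"}


def parse(log_text):
    """Turn each log line into a dict with a datetime under 'ts' plus the key=value fields."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole triage
        ev = {"ts": datetime.fromisoformat(m.group("ts"))}
        for token in m.group("kv").split():
            key, _, value = token.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def triage(events, fail_threshold=3, window=timedelta(minutes=5)):
    """Return (kind, user, detail) alerts for the event classes the slide lists."""
    alerts = []
    recent_fails = defaultdict(list)  # user -> timestamps of failed logins inside the window
    for ev in events:
        who, what, result = ev.get("user"), ev.get("event"), ev.get("result")
        obj = ev.get("obj", "?")
        if what == "LOGIN" and result == "FAIL":
            fails = recent_fails[who]
            fails.append(ev["ts"])
            fails[:] = [t for t in fails if ev["ts"] - t <= window]  # drop stale failures
            if len(fails) >= fail_threshold:
                alerts.append(("FAILED_LOGIN_BURST", who, f"{len(fails)} failures within {window}"))
        elif what == "SELECT" and result == "FAIL":
            alerts.append(("FAILED_SELECT", who, obj))
        if what in SCHEMA_CHANGES:
            alerts.append(("SCHEMA_CHANGE", who, f"{what} {obj}"))
        if what in PERMISSION_CHANGES:
            alerts.append(("PERMISSION_CHANGE", who, f"{what} on {obj} -> {ev.get('target', '?')}"))
        if ev.get("role") in PRIVILEGED_ROLES and what != "LOGIN":
            alerts.append(("PRIVILEGED_ACTIVITY", who, f"{what} {obj}"))  # everything a DBA does
    return alerts


if __name__ == "__main__":
    for kind, user, detail in triage(parse(SAMPLE_LOG)):
        print(f"{kind:20} {user:8} {detail}")
```

Running the script on the sample log yields six alerts: the three failed logins by ivan collapse into one burst alert, his denied SELECT is reported separately, and david's ALTER and GRANT each produce two alerts (one for the change itself, one because a privileged role performed it). In production the same logic would read from the database's own audit facility rather than a text file, and the alerts would feed a SIEM rather than stdout.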

Page 8

Authentication Methods

We can authenticate an identity in three ways:

Something the user knows (such as a password or personal identification number)
Something the user has (a security token or smart card)
Something the user is (a physical characteristic, such as a fingerprint, called a biometric)

Page 9

Fingerprint Recognition

Hand or Palm Geometry

Page 10

Facial Recognition


Page 11

Eye Scans


Page 12

USB Security Token or One Time Password

RSA stands for Ron Rivest, Adi Shamir and Leonard Adleman

RSA Security LLC


Page 13

Login Authentication

[Diagram: two ways to obtain a database server login account]
  Windows 2000 group or user -> database server verifies the trusted connection -> database server login account
  OR
  Database server verifies name and password -> database server login account

Page 14

Database User Accounts and Roles

[Diagram: the database server assigns logins to user accounts and roles]
  Windows 2000 group or user -> database server verifies the trusted connection
  OR
  Database server verifies name and password
  -> database server login account -> database user -> database role

Page 15

Permission Validation

[Diagram: permission check on a single statement]
  1. Database user executes a command, e.g. SELECT * FROM Members
  2. Database server checks permissions
  3. Permissions OK: performs the command. Permissions not OK: returns an error

Page 16

Granting Permissions to Allow Access

[Permission matrix: rows Eva, Ivan, David, public; columns SELECT, INSERT, UPDATE, DELETE]

Page 17

Denying Permissions to Prevent Access

[Permission matrix: rows Eva, Ivan, David, public; columns SELECT, INSERT, UPDATE, DELETE]

Page 18

Revoking Granted and Denied Permissions

[Permission matrix: rows Eva, Ivan, David, public; columns SELECT, INSERT, UPDATE, DELETE]
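The permission validation of pages 15 to 18 (grant, deny and revoke on the Members table for Eva, Ivan, David and public), as an added Python model written for this page rather than taken from the slides. It mimics SQL Server-style semantics, which are an assumption here: a DENY on the user or on any role the user belongs to overrides every GRANT, every user is implicitly a member of public, and REVOKE only removes an earlier GRANT or DENY entry without granting anything itself. The tellers role and the specific grants in the demo scenario are also assumed.

```python
"""GRANT / DENY / REVOKE permission validation on a table, modelled on the
permission slides.  Added example for this page, not the slides' own code.
Assumed SQL Server-style rules: DENY on the user or any of their roles wins
over every GRANT; REVOKE removes an earlier GRANT or DENY entry only."""

PERMISSIONS = ("SELECT", "INSERT", "UPDATE", "DELETE")


class TablePermissions:
    def __init__(self, table):
        self.table = table
        self.grants = set()   # (principal, permission)
        self.denies = set()   # (principal, permission)
        self.members = {}     # role -> set of users

    def add_member(self, role, user):
        self.members.setdefault(role, set()).add(user)

    def _valid(self, perm):
        if perm not in PERMISSIONS:
            raise ValueError(f"unknown permission {perm!r}")

    def grant(self, principal, perm):
        self._valid(perm)
        self.grants.add((principal, perm))

    def deny(self, principal, perm):
        self._valid(perm)
        self.denies.add((principal, perm))

    def revoke(self, principal, perm):
        # Removes whatever was recorded for this principal; access then falls back
        # to whatever other grants or denies still apply through the role chain.
        self.grants.discard((principal, perm))
        self.denies.discard((principal, perm))

    def principals_for(self, user):
        """The user, every role they belong to, and public (every user is in public)."""
        chain = {user, "public"}
        chain |= {role for role, users in self.members.items() if user in users}
        return chain

    def check(self, user, perm):
        chain = self.principals_for(user)
        if any((p, perm) in self.denies for p in chain):
            return False                      # DENY wins, wherever it is recorded
        return any((p, perm) in self.grants for p in chain)

    def execute(self, user, statement):
        """Steps 1 to 3 of the permission validation slide for one statement."""
        verb = statement.split()[0].upper()
        if self.check(user, verb):
            return f"OK: {user} executed '{statement}' on {self.table}"
        return f"ERROR: {verb} permission denied on object '{self.table}' for {user}"


def demo():
    """Assumed scenario on the slides' Members table with Eva, Ivan, David and public."""
    members = TablePermissions("Members")
    members.add_member("tellers", "Eva")
    members.add_member("tellers", "Ivan")
    members.grant("public", "SELECT")          # everyone may read
    members.grant("tellers", "INSERT")         # tellers may add rows
    members.grant("Eva", "UPDATE")             # only Eva may edit
    members.deny("Ivan", "SELECT")             # Ivan is barred from reading despite public
    r = {}
    r["eva_select"] = members.check("Eva", "SELECT")        # True, via public
    r["ivan_insert"] = members.check("Ivan", "INSERT")      # True, via tellers
    r["ivan_select"] = members.check("Ivan", "SELECT")      # False, DENY overrides the public GRANT
    r["david_select"] = members.check("David", "SELECT")    # True, via public
    r["david_delete"] = members.check("David", "DELETE")    # False, never granted to anyone
    members.revoke("Ivan", "SELECT")                        # removes the DENY only
    r["ivan_select_after_revoke"] = members.check("Ivan", "SELECT")    # True again, via public
    members.revoke("public", "SELECT")                      # removes the broad GRANT
    r["david_select_after_revoke"] = members.check("David", "SELECT")  # False
    r["message"] = members.execute("David", "SELECT * FROM Members")
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two points the demo makes explicit: revoking Ivan's DENY does not lock him out, it silently restores whatever public grants him, so a revoke must always be followed by a fresh check of effective permissions; and granting SELECT to public is what made David's access possible in the first place, which is why least privilege prefers grants to narrow roles over grants to public with DENYs as patches.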

Page 19

Password Policy

Use of both upper- and lower-case letters (case sensitivity)
Inclusion of one or more numerical digits
Inclusion of special characters, e.g. @, #, $
Prohibition of words found in a dictionary or of the user's personal information
Prohibition of passwords that match the format of calendar dates, licence plate numbers, telephone numbers, or other common numbers
Prohibition of the company name or an abbreviation of it

Page 20

Password Duration

Some policies require users to change passwords periodically, e.g. every 90 or 180 days. The benefit of password expiration, however, is debatable: forced rotation tends to push users toward predictable variations of the old password, and current guidance such as NIST SP 800-63B recommends changing a password only when there is evidence it has been compromised. Systems that implement expiration often also prevent users from picking a password too close to a previous selection, which requires keeping a history of previous password hashes.

Page 21

Common Password Practice

Never share a computer account
Never use the same password for more than one account
Never tell a password to anyone, including people who claim to be from customer service or security
Never write down a password
Never communicate a password by telephone, e-mail or instant messaging

Page 22

Common Password Practice

Log off before leaving a computer unattended
Change passwords whenever there is suspicion that they may have been compromised
Use different passwords for the operating system and for applications
Passwords should be alphanumeric (letters and digits, not digits alone)
Never use online password generation tools

Page 23

Password Strength

Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. In its usual form, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly. The strength of a password is a function of length, complexity, and unpredictability.
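The rules of the "Password Policy" page and the trial-count estimate of this page, as one added Python example written for this page rather than taken from the slides. check_policy reports which of the listed rules a candidate password breaks; estimate_strength computes the search space, its size in bits and the mean number of guesses (half the space) at an assumed guess rate. The dictionary, the company names, the personal details and the regular expressions for dates, telephone numbers and licence plates are constructed simplifications, not a complete implementation of any of those formats.

```python
"""Password policy check and strength estimate in attacker trials.
Added example for this page, not from the slides.  The dictionary, company
names and personal details are constructed, and the date/phone/plate
patterns are simplifying assumptions."""
import math
import re
import string

DICTIONARY = {"password", "welcome", "summer", "secret", "dhaka", "bank"}   # constructed
COMPANY_NAMES = {"bibm", "bank institute"}                                   # constructed

# Assumed shapes: dd/mm/yyyy and yyyymmdd-style dates, 10-11 digit phone numbers,
# and a whole password that looks like a licence plate (letters then digits).
DATE_RES = [
    re.compile(r"\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}"),
    re.compile(r"(19|20)\d{2}[/.-]?\d{2}[/.-]?\d{2}"),
    re.compile(r"\d{2}[/.-]?\d{2}[/.-]?(19|20)\d{2}"),
]
PHONE_RE = re.compile(r"\d{3}[- ]?\d{3}[- ]?\d{4,5}")
PLATE_RE = re.compile(r"^[A-Za-z]{2,3}[- ]?\d{3,4}$")


def check_policy(password, personal_info=(), min_length=12):
    """Return the list of rules the password violates; an empty list means compliant."""
    v = []
    low = password.lower()
    if len(password) < min_length:
        v.append(f"shorter than {min_length} characters")
    if not any(c.isupper() for c in password):
        v.append("no upper-case letter")
    if not any(c.islower() for c in password):
        v.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        v.append("no digit")
    if not any(c in string.punctuation for c in password):
        v.append("no special character")
    if any(word in low for word in DICTIONARY if len(word) >= 4):
        v.append("contains a dictionary word")
    if any(item.lower() in low for item in personal_info if len(item) >= 3):
        v.append("contains personal information")
    if any(rx.search(password) for rx in DATE_RES) or PHONE_RE.search(password):
        v.append("contains a date or telephone number")
    if PLATE_RE.match(password):
        v.append("matches a licence-plate format")
    if any(name in low for name in COMPANY_NAMES):
        v.append("contains the company name")
    return v


def charset_size(password):
    """Size of the alphabet an attacker must search, from the classes actually used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)   # the 32 printable ASCII symbols
    return size


def estimate_strength(password, guesses_per_second=10**10):
    """Trials an attacker without the password needs on average, assuming the
    password is a uniformly random string over its character classes.  This is
    an upper bound: human-chosen passwords are far less random than that."""
    size = charset_size(password)
    if size == 0:
        return {"charset": 0, "bits": 0.0, "mean_guesses": 0, "mean_seconds": 0.0}
    space = size ** len(password)         # every string of that length over the alphabet
    mean_guesses = space // 2             # on average half the space is searched
    return {
        "charset": size,
        "bits": round(len(password) * math.log2(size), 1),
        "mean_guesses": mean_guesses,
        "mean_seconds": mean_guesses / guesses_per_second,
    }


if __name__ == "__main__":
    for pw in ["Password1!", "Eva21012016!", "P@ss1", "chocolatemonkeybridge", "Tk7#mWq!2pLz"]:
        print(pw, check_policy(pw, personal_info=("Eva", "Alam")), estimate_strength(pw))
```

The strength numbers show why length matters more than the composition rules on their own: "P@ss1" uses all four classes but has about 33 bits of search space, while the all-lower-case "chocolatemonkeybridge" has about 99 bits. The estimate is only an upper bound, and the policy check is the complement to it: a password can be long and still be a dictionary word or a date, which an attacker will try first.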

Page 24

Multi-factor Authentication (MFA)

Multi-factor authentication (MFA), of which two-factor authentication (2FA, also written TFA or T-FA) is the common case, is an approach to authentication that requires the presentation of two or more of the three authentication factors: a knowledge factor ("something only the user knows"), a possession factor ("something only the user has"), and an inherence factor ("something only the user is"). After presentation, each factor must be validated by the other party for authentication to occur. Two instances of the same factor, such as a password plus a PIN, do not count as multi-factor.

Page 25

Multi-factor Authentication (MFA)

Something only the user knows (e.g. password, PIN, pattern)
Something only the user has (e.g. ATM card, smart card, mobile phone)
Something only the user is (e.g. a biometric characteristic, such as a fingerprint)
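The one-time-password token of page 12 and the two-factor login of pages 24 and 25, as one added Python example written for this page; it is not code from the slides or from any token vendor. The OTP is the HMAC-based algorithm of RFC 4226 (HOTP) with the time-based counter of RFC 6238 (TOTP), which is what a hardware token or a phone app computes from a shared seed. The login function combines it with a salted PBKDF2 password hash so that both factors must validate. The user record, the seed (the RFC 4226 test secret) and the PBKDF2 parameters are assumptions made for the example.

```python
"""HMAC-based one-time password (RFC 4226) with the time-based counter of
RFC 6238, plus a two-factor login that also checks a password.  Added example
for this page; the user store, the seed and the PBKDF2 settings are assumed."""
import hashlib
import hmac
import secrets
import struct
import time

PBKDF2_ROUNDS = 200_000   # assumed work factor for the password hash


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(secret, now=None, step=30, digits=6):
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    t = int((time.time() if now is None else now) // step)
    return hotp(secret, t, digits)


def make_user(password, otp_seed):
    """Constructed user record: salted password hash plus the token seed.
    The clear-text password is never stored; the seed is what the token holds."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "pw_hash": digest, "otp_seed": otp_seed, "last_counter": -1}


def verify_password(user, password):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, user["pw_hash"])   # constant-time comparison


def match_otp(user, code, now, step=30, skew=1):
    """Return the counter the code matches within +/- skew steps, or None.
    Counters at or below the last accepted one are rejected (replay protection)."""
    t = int(now // step)
    for candidate in range(t - skew, t + skew + 1):
        if candidate <= user["last_counter"]:
            continue
        if hmac.compare_digest(hotp(user["otp_seed"], candidate), code):
            return candidate
    return None


def login(user, password, code, now):
    """Both factors are evaluated before deciding, so a failure does not reveal
    which one was wrong; the OTP counter is consumed only on full success, so a
    wrong password cannot burn the user's current code."""
    ok_pw = verify_password(user, password)
    matched = match_otp(user, code, now)
    if not (ok_pw and matched is not None):
        return False
    user["last_counter"] = matched
    return True


if __name__ == "__main__":
    seed = b"12345678901234567890"        # RFC 4226 test secret
    user = make_user("correct horse", seed)
    code = totp(seed, now=1000)
    print("first login :", login(user, "correct horse", code, 1000))   # True
    print("replayed    :", login(user, "correct horse", code, 1000))   # False
```

The replay check is the part most home-grown OTP verifiers get wrong: accepting a code within the +/- one step skew window is necessary for clock drift, but without recording the last accepted counter the same code remains valid for up to 90 seconds after it was intercepted. Note also that an SMS-delivered code is still a possession factor in the slide's sense, but it is a weaker one than a token or an app, since the phone number can be taken over.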

Page 26

Questions are Welcome

Thank You