 goes like this then it will be possible to trace the actions uniquely to an entity.

advantages to implementing an information classification system in an organization’s

information security program:

1. Improved security: By identifying and classifying sensitive information, organizations

can better protect their most critical assets from unauthorized access or disclosure.
2. Compliance: Many regulatory and industry standards, such as HIPAA and PCI-DSS,
require organizations to implement information classification and data protection
measures.
3. Improved efficiency: By clearly identifying and labeling information, employees can
quickly and easily determine the appropriate handling and access requirements for
different types of data.
4. Better risk management: By understanding the potential impact of a data breach or
unauthorized disclosure, organizations can prioritize resources and develop more
effective incident response plans.
5. Cost savings: By implementing appropriate security controls for different types of
information, organizations can avoid unnecessary spending on security measures that
may not be needed for less sensitive data.
6. Improved incident response: By having a clear understanding of the criticality of
specific data, organizations can respond to security incidents in a more effective and
efficient manner.

There are some potential disadvantages to implementing an information classification

system in an organization’s information security program:

1. Complexity: Developing and maintaining an information classification system can be

complex and time-consuming, especially for large organizations with a diverse range of
data types.
2. Cost: Implementing and maintaining an information classification system can be costly,
especially if it requires new hardware or software.
3. Resistance to change: Some employees may resist the implementation of an information
classification system, especially if it requires them to change their usual work habits.
4. Inaccurate classification: Information classification is often done by human, so it is
possible that some information may be misclassified, which can lead to inadequate
protection or unnecessary restrictions on access.
5. Lack of flexibility: Information classification systems can be rigid and inflexible,
making it difficult to adapt to changing business needs or new types of data.
6. False sense of security: Implementing an information classification system may give
organizations a false sense of security, leading them to overlook other important security
controls and best practices.
7. Maintenance: Information classification should be reviewed and updated frequently, if
not it can become outdated and ineffective.

Uses of Information Security :

Information security has many uses, including:
 1. Confidentiality: Keeping sensitive information confidential and protected from
unauthorized access.
2. Integrity: Maintaining the accuracy and consistency of data, even in the presence of
malicious attacks.
3. Availability: Ensuring that authorized users have access to the information they need,
when they need it.
4. Compliance: Meeting regulatory and legal requirements, such as those related to data
privacy and protection.
5. Risk management: Identifying and mitigating potential security threats to prevent harm
to the organization.
6. Disaster recovery: Developing and implementing a plan to quickly recover from data
loss or system failures.
7. Authentication: Verifying the identity of users accessing information systems.
8. Encryption: Protecting sensitive information from unauthorized access by encoding it
into a secure format.
9. Network security: Protecting computer networks from unauthorized access, theft, and
other types of attacks.
10. Physical security: Protecting information systems and the information they store from
theft, damage, or destruction by securing the physical facilities that house these systems.

Issues of Information Security :

Information security faces many challenges and issues, including:

1. Cyber threats: The increasing sophistication of cyber attacks, including malware,

phishing, and ransomware, makes it difficult to protect information systems and the
information they store.
2. Human error: People can inadvertently put information at risk through actions such as
losing laptops or smartphones, clicking on malicious links, or using weak passwords.
3. Insider threats: Employees with access to sensitive information can pose a risk if they
intentionally or unintentionally cause harm to the organization.
4. Legacy systems: Older information systems may not have the security features of newer
systems, making them more vulnerable to attack.
5. Complexity: The increasing complexity of information systems and the information they
store makes it difficult to secure them effectively.
6. Mobile and IoT devices: The growing number of mobile devices and internet of things
(IoT) devices creates new security challenges as they can be easily lost or stolen, and may
have weak security controls.
7. Integration with third-party systems: Integrating information systems with third-party
systems can introduce new security risks, as the third-party systems may have security
vulnerabilities.
8. Data privacy: Protecting personal and sensitive information from unauthorized access,
use, or disclosure is becoming increasingly important as data privacy regulations become
more strict.
 9. Globalization: The increasing globalization of business makes it more difficult to secure
information, as data may be stored, processed, and transmitted across multiple countries
with different security requirements.

SSL, TLS, and HTTPS

Data Encryption and Authentication

Data encryption and authentication aim to protect sensitive information by scrambling it during
transmission. The intended recipient, such as a web server, receives a key that provides
instructions to decrypt the data. Without this key, intercepted encrypted data appears as
meaningless gibberish.

To establish effective encryption/decryption, there must be an agreement between the sender and
receiver. This is facilitated by security protocols like TLS and SSL. Understanding the
relationship between HTTP, TLS, and SSL is crucial before delving into their definitions.

HTTPS

The web operates as a distributed client/server information system, where clients request
information from servers using specific protocols. The protocol acts as a standard set of rules
which make it possible for the servers and clients to communicate and interact.

HTTP (Hypertext Transfer Protocol) is the fundamental protocol of the World Wide Web,
governing data transmission, formatting, and server responses. While widely adopted, HTTP
lacks security measures such as data encryption and authentication, leaving transmitted data
vulnerable. To address this, HTTPS (Hypertext Transfer Protocol Secure) establishes an
encrypted connection between clients and servers, safeguarding websites from eavesdropping,
tampering, and data theft.

Originally, HTTPS was designed specifically for e-commerce and business websites that
regularly handle sensitive information (such as passwords and credit card details), but new
recommendations3 suggest that every website — even ones that are strictly informational —
should use HTTPS. Google promotes this mindset by offering slight search engine rankings
boosts to HTTPS sites, and by displaying “not secure” warnings in Google Chrome browser
address bars on non-HTTPS sites.

HTTPS offers advantages such as:

 Data integrity: Data encryption and authentication between browser and website provide data
integrity to prevent cyberattackers from viewing sensitive information
 Faster performance: The speed of data transfers increases because HTTPS reduces the data’s
size
 Privacy and security: HTTPS prevents websites from being hacked between browser and server
 Secure communications: HTTPS establishes a secure connection prior to data transfers
 SEO: Search engines use it as a ranking signal and give preference to websites configured with
HTTPS
 User experience: Websites using HTTPS are marked as secure by browsers, thereby enhancing
user experience through trust

Overall, HTTPS offers a better, safer solution for the client/server model, but it isn’t exempt
from attacks. To maintain security standards, sites must use a TLS/SSL certificate purchased
from a trusted certificate authority.

SSL

SSL (Secure Sockets Layer) was developed by Netscape in 1994. SSL is the security protocol
part of HTTPS responsible for the encryption and authentication between various elements
operating on a network. To better understand SSL, let’s take a look at some history surrounding
the technology.

SSL encryption/decryption is a method by which internet connections are kept secure, whether
they be client to client, server to server, or client to server. This prevents unauthorized third
parties from seeing or altering any user data being exchanged across the internet.

SSL encryption was originally created to protect connections between customers and online
businesses. However, with the rising value of mundane personal information and online
browsing habits, cyber criminals began targeting non-commerce sites as well, leading to wider
SSL adoption. In 1999, an updated protocol called TLS was released and has replaced SSL as the
standard security certificate.

HTTPS vs. SSL

Hypertext Transfer Protocol Secure (HTTPS) combines Hypertext Transfer Protocol (HTTP)
with either SSL or TLS. It’s important to understand that SSL/TLS is a part of HTTPS; together,
they are a single protocol. The difference between HTTPS and HTTP is that HTTPS uses
SSL/TLS to provide more security than HTTP alone. This leads to the question: Is SSL the same
as TLS?

TLS

Often, the terms TLS and SSL are used interchangeably. But there is a difference between the
two.

TLS, short for Transport Layer Security, is an enhanced and more secure version of SSL. TLS
serves the same purpose as SSL, providing privacy, authentication, and data integrity over
computer networks for various applications such as web browsing, instant messaging, and email.
While the terms SSL and TLS are used interchangeably, TLS is considered more trustworthy due
to its improvements over SSL. TLS addresses known vulnerabilities of SSL, supports stronger
cipher suites and algorithms, and offers a faster handshake process. It includes additional
security features like the “close notify” message, HMAC (Hash-based Message Authentication
Code), and upgraded cipher suites to mitigate previous SSL security concerns.

Message authentication ensures and reassures that data has not been modified during transit and
allows the recipient to verify the message source.

TLS networks offer improved key management, incorporating features such as key material
generation, advanced encryption algorithms, elliptical-curve keys, secure remote passwords, pre-
shared keys, and Kerberos. TLS encryption is superior to SSL’s in security and data
communication. TLS has undergone four versions, with TLS 1.3 being the most recent and
secure. You can easily identify a TLS connection in your browser by the presence of a padlock
icon and the “HTTPS” prefix in the URL.

Many certificates and references still use the term SSL; it’s well known, and the distinction is
less relevant to the general populace. However, it’s important to recognize that TLS is the
modern, more secure version. For accuracy, IT authorities use the term “SSL/TLS” to encompass
both protocols.

HTTPS Is SSL/TLS Secure

TLS/SSL is essential for securing websites — it puts the S in HTTPS. Major browser makers
highly recommend having an up-to-date TLS/SSL certificate. In 2018, Google Chrome started
labeling sites without SSL/TLS as “not secure,” and other browsers adopted similar practices.
Furthermore, Google rewards sites with HTTPS with improved search engine rankings,
motivating website owners to prioritize SSL/TLS certificates.
SSL/TLS Decryption

To be effective, modern SSL/TLS needs to combine high performance and reliable security. It
does this by using both symmetric and asymmetric cryptography.

Symmetric cryptography employs a shared secret key (at least 128 bits) for encrypting data,
while asymmetric cryptography relies on key pairs (private and public keys) for a more secure
connection. Modern SSL/TLS uses asymmetric cryptography to generate a secure session key,
which is used for data encryption/decryption and discarded afterward. The TLS handshake is a
negotiation process during which the client and server establish communication, verify
authenticity, determine encryption algorithms, and agree upon session keys.

The Three Levels of TLS/SSL Certificates

Although SSL/TLS offers a relatively secure solution for communications security, businesses
may need extended authentication to provide increased protection for sensitive data.
Organizations can opt for business-level authentication TLS/SSL certificates. How do TLS and
SSL certificates work?

TLS/SSL certificates come in three security levels:

1. Domain validation certificates

The most basic TLS/SSL certificate requires the organization to prove it controls the given
domain name but does not confirm the identity of the organization.
 2. Organization validation certificates
This requires the business to prove that it controls the domain name and that the company is
legally registered as a business. This authentication level is preferred for public-facing sites that
collect data from users.
3. Extended validation certificates
This is the most secure TLS/SSL certificate. In addition to proving ownership of the domain and
company name, these SSL certificates include additional verification steps designed to protect
data from tampering.

Of course, even with extended validation, TLS/SSL certificates may still be vulnerable in certain
circumstances.

Introduction to Directory Services and Directory Server

Directory Server provides a central repository for storing and managing information. Almost any
kind of information can be stored, from identity profiles and access privileges to information
about application and network resources, printers, network devices and manufactured parts.
Information stored in Directory Server can be used for the authentication and authorization of
users to enable secure access to enterprise and Internet services and applications. Directory
Server is extensible, can be integrated with existing systems, and enables the consolidation of
employee, customer, supplier, and partner information.

Directory Server provides the foundation for the new generation of e-business applications and
Web services, with a centralized and distributed data repository that can be used in your intranet
or over your extranet with your trading partners.

Directory Service

This section defines Directory Services and enterprise-wide directory services, in addition to
clarifying the differences between directories and databases. It examines the major roles played
by directories and establishes exactly where Sun Java System Directory Server fits into the
Directory Service picture.

Directory services are an essential part of today's network-centric computing infrastructure.

Directory-enabled applications now power almost all the mission critical processes of an
enterprise, including resource planning, value chain management, security and firewalls, and
resource provisioning. Directory services also provide the foundation for deployment of e-
business and extranet applications. So what exactly is a Directory Service?

A directory service is the collection of software and processes that store information about your
enterprise, subscribers, or both. An example of a directory service is the Domain Name System
(DNS), which is provided by DNS servers. A DNS server stores the mappings of computer host
names and other forms of domain name to IP addresses. A DNS client sends questions to a DNS
server about these mappings (e.g. what is the IP address of test.example.com?). Thus, all of the
computing resources (hosts) become clients of the DNS server. The mapping of host names
enables users of the computing resources to locate computers on a network, using host names
rather than complex numerical IP addresses.

Whereas the DNS server stores only two types of information: names and IP addresses, an LDAP
directory service can store information on many other kinds of real-world and conceptual
objects. Sun Java System Directory Server stores all of these types of information in a single,
network-accessible repository. You may for example want to store physical device information,
employee information (name, E-mail address), contract or account information (name, delivery
dates, contract numbers, etc.), authentication information, manufactured production information.
It is worth noting that although a directory service can be considered an extension of a database,
directory services generally have the following characteristics:

 Hierarchical naming model

A hierarchical naming model uses the concept of containment to reduce ambiguity between
names and simplify administration. The name for most objects in the directory is relative to the
name of some other object which conceptually contains it. For example, the name of an object
representing an employee of a particular company contains the name of the object representing
the company, and the name of the company might contain the name of the objects representing
the country where the company operates, e.g. cn=John Smith, o=Example Corporation, c=US.
Together the names of all objects in the directory service form a tree, and each Directory Server
holds a branch of that tree, which in the Sun Java System Directory Server documentation is also
referred to as a suffix.
 Extended search capability
Directory services provide robust search capabilities, allowing searches on individual attributes
of entries.
 Distributed information model
A directory service enables directory data to be distributed across multiple servers within a
network.
 Shared network access
While databases are defined in terms of APIs, directories are defined in terms of protocols.
Directory access implies network access by definition. Directories are designed specifically for
shared access among applications. This is achieved through the object-oriented schema model.
 By contrast, most databases are designed for use only by particular applications and do not
encourage data sharing.
 Replicated data
Directories support replication (copies of directory data on more than one server) which make
information systems more accessible and more resistant to failure.
 Datastore optimized for reads
The storage mechanism in a directory service is generally designed to support a high ratio of
reads to writes.
 Extensible schema
The schema describes the type of data stored in the directory. Directory services generally
support the extension of schema, meaning that new data types can be added to the directory.

Enterprise-Wide Directory Services

Directory Server provides enterprise-wide directory services, meaning it provides information to

a wide variety of applications. Until recently, many applications came bundled with their own
proprietary user databases, with information about the users specific to that application. While a
proprietary database can be convenient if you use only one application, multiple databases
become an administrative burden if the databases manage the same information.

For example, suppose your network supports three different proprietary E-mail systems, each
system with its own proprietary directory service. If users change their passwords in one
directory, the changes are not automatically replicated in the others. Managing multiple instances
of the same information results in increased hardware and personnel costs, a problem referred to
as the n+ 1 directory problem.

An enterprise-wide directory service solves the n+ 1 directory problem by providing a single,

centralized repository of directory information that any application can access. However, giving
a wide variety of applications access to the directory requires a network-based means of
communicating between the applications and the directory. Directory Server provides two ways
in which applications can access its enterprise-wide directory:

 Lightweight Directory Access Protocol (LDAP)

 Directory Services Markup Language (DSML)

LDAP

LDAP provides a common language that client applications and servers use to communicate with
one another. LDAP-based applications can easily search, add, delete and modify directory
entries. LDAP is a "lightweight" version of the Directory Access Protocol (DAP) defined in the
ISO/ITU-T X.500 standard. DAP gives any application access to the directory via an extensible
and robust information framework, but at an expensive administrative cost. DAP does not use the
Internet standard TCP/IP protocol and has complicated directory-naming conventions. LDAP
preserves the best features of DAP while reducing administrative burdens. LDAP uses an open
directory access protocol running over TCP/IP and uses simplified encoding methods. It retains
the X 500 standard data model and can support millions of entries for a comparatively modest
investment in hardware and network infrastructure.
DSML

DSML is a markup language that enables you to represent directory entries and commands in
XML. This means that XML-based applications using HTTP can take advantage of directory
services while staying within the existing web infrastructure. Directory Server implements
version 2 of the DSML standard (DSMLv2). For detail regarding the restrictions and extensions
to the DSML standard refer to the Directory Server Administration Reference.

Tuned for Enterprise and e-business Directory Roles

Online directories that support LDAP have become critical components of e-business
infrastructure, supporting identity and risk management in several important roles. They provide
a dynamic and flexible means of storing information and retrieving it over the internet, and can
of course be configured to use the Secure Sockets Layer (SSL) or Transport Layer Security
(TLS) protocols for authenticated and encrypted communications. As protected repositories of
personal information, LDAP directories are also a key component for the personalized delivery
of services to users of the directory and personalized treatment of information contained in the
directory. Directories have the following three primary roles to play, each of which have very
different deployment characteristics:

 Network Operating System (NOS) Directory

A NOS is a distributed operating system that manages multiple requests concurrently in a

multiuser environment. It consists of clients and servers configured so that client
machines can access the drivers on servers as if they were local drives on the client
machine, and servers can handle requests from the client to share files and applications as
well as network devices such as printers or faxes.

A NOS directory is used to administer a NOS allowing intranet users to log in once for
all network file and printing requirements. The user population for a NOS directory
ranges from 20 to 20,000 users, The NOS directory provides a single point of integrated
administration and management for the network and the most important characteristics of
this directory role are the tight integration with the NOS and sophisticated management
tools for clients and servers.

 Enterprise Directory

An enterprise directory provides a global repository for shared information about people,
organizations, and devices, including white/yellow pages, organization charts, seating
charts, information about network devices such as routers, etc. It is important for an
enterprise directory to provide flexible ways of organizing data and flexible management
tools that can accommodate heterogeneous application environments or autonomous
business units (through delegated administration). The user population for an enterprise
directory tends to range from between 20,000 and 200,000 users.

 e-business Directory
 An e-business directory maintains information about customers, trading partners, and
suppliers, which involves making the information available to an extranet as necessary
and appropriate. The user population for an e-business directory is typically millions of
users, and in addition to the flexible management tools required the NOS and enterprise
directories, e-business directories require a high degree of reliability and scalability to be
able to rapidly accommodate millions of users.

The deployment characteristics of each role vary hugely, and as we will see throughout this
Technical Overview, Sun Java System Directory Server is very much tuned for the enterprise
and e-business directory roles, in that it provides a single directory service infrastructure for both
enterprise and e-business applications and services. Sun Java System Directory Server is a
mature LDAP directory solution which supports open standards, and it's carrier-grade design
provides the extreme scalability, performance, and high availability required by large enterprise
and e-business directories that support millions of users.

Directory Server
Directory Server and Java Enterprise System

Sun Java System Directory Server provides a central repository for storing and managing
intranet and Internet information such as identity profiles (employees, customers, suppliers, etc.),
user credentials (public key certificates, passwords, and pin numbers), access privileges,
application resource information, and network resource information. Directory Server is now
delivered as a component product of the Sun Java Enterprise System, Sun's software
infrastructure that provides the services needed to support enterprise-strength applications
distributed across a network or Internet environment. For further information on Sun Java
Enterprise System, and on the concepts underlying distributed enterprise applications and
distributed service infrastructures see the Directory Server Technical Overview..

Directory Server Architecture Overview

When you install Directory Server, the following components are installed on your machine:

 An LDAP server for processing requests.

 Sun Java System Administration Server.
 Sun Java System Server Console for managing Directory Server.
 Command-line tools for starting and stopping the server, importing and exporting data in the
database, database re-indexing, account inactivation and deactivation, LDIF merges, kernel
tuning, and replication management.
 Front ends responsible for LDAP and DSMLv2.
 Agent responsible for responding to Simple Network Management Protocol (SNMP) queries
about the state of the server.
 Plug-ins for server functions, such as access control and replication.
 An initial directory information tree, consisting of server configuration and sample enterprise
data.
Without adding other client programs, Directory Server can provide the foundation for an
intranet or extranet. Every Sun Java System server uses the directory as a central repository for
shared server information, such as employee, customer, supplier, and partner data.

You can use Directory Server to manage extranet user-authentication, create access control, set
up user preferences, and centralize user management. In hosted environments, partners,
customers, and suppliers can manage their own areas of the directory, reducing administrative
costs. We will examine the following items in more detail and expand on some of the more
advanced architecture features of Directory Server:

 LDAP and DSML Front Ends

 Support for Industry Communication Standards
 Directory Server Plug-in Extensibility
 Sun Java System Directory Server Resource Kit
 Java Naming and Directory Interface™ (JNDI)
 Directory Information Tree
 Multiple Database Design and Large Cache Support
 Sun Cluster Agent 3.1 Support

LDAP and DSML Front Ends

The server front ends of Sun Java System Directory Server manage communications with
directory client programs. Directory Server functions as a daemon and multiple client programs
can communicate with the server using LDAP over TCP/IP or DSMLv2 over HTTP/SOAP.
These connections can be made secure using the Secure Socket Layer over Transport Layer
Security (SSL/TLS), depending on whether the client negotiates the use of TLS for the
connection.

Multiple clients can bind to the server at the same time over the same network because Directory
Server is a multi-threaded application. As your directory services grow to include larger numbers
of entries or larger numbers of clients spread out geographically, they also include multiple
Directory Servers placed in strategic locations around the network or organization. You can also
distribute your Directory Servers to conform with data protection regulations and to provide high
availability.

Another advantage of Directory Server is that it implements LDAP natively, thereby avoiding
the performance and management overheads associated with having a gateway on top of an
X.500 directory, and with relational databases.

Directory Server Data Storage

By default, Directory Server uses a single database to store the directory tree. This database can
manage millions of entries. The default database supports advanced methods of backing up and
restoring data.
Since Directory Server supports multiple databases you can also distribute data across the
databases, enabling the server to store more data than can be held in a single database.

The following sections describe how a directory database stores data.

Directory Entries

LDAP Data Interchange Format (LDIF) is a standard text-based format for describing directory
entries. An entry is a group of lines in an LDIF file that contains information about an object,
such as a person in your organization or a printer on your network. Information about the entry is
represented in the LDIF file by a set of attributes and their values. Each entry has an object class
attribute that specifies the kind of object the entry describes and defines the set of additional
attributes it contains. Each attribute describes a particular trait of an entry.

For example, an entry might have the object class organizationalPerson, indicating that the entry
represents a person within a particular organization. This object class allows the givenname and
telephoneNumber attributes. The values assigned to these attributes give the name and phone
number of the person represented by the entry.

Directory Server also uses read-only attributes that are either calculated by the server, or for
certain server functions such as access control, set by the administrator. These attributes are
called operational attributes.

Entries are stored in a hierarchical structure in the directory tree. In LDAP, you can query an
entry and request all entries below it in the directory tree. This subtree is called the base
distinguished name, or base DN. For example, if you make an LDAP search request specifying a
base DN of ou=people,dc=example,dc=com, the search operation examines only the ou=people
subtree in the dc=example,dc=com directory tree.

Note that not all entries are automatically returned in response to an LDAP search. For instance,
entries of the ldapsubentry object class are not returned in response to normal search requests.
An ldapsubentry entry represents an administrative object, for example the entries that are used
internally by Directory Server to define a role or a class of service. To receive these entries,
clients must search specifically for entries of the ldapsubentry object class.

Distributing Directory Data

When you store various parts of a tree in separate databases, your directory can process client
requests in parallel, improving performance. You can also store databases on different machines,
to improve performance further. We examine in further detail the various data distribution
options provided in Chapter 5, "Directory Server Scalability".
Directory Server Data Management

The database is the basic unit of storage, performance, replication, and indexing. A variety of
operations can be performed on a database, including importing, exporting, backing up,
restoring, and indexing.

These command line utilities are subcommands of the directoryserver command. For more
information see the Directory Server Man Page Reference.

Importing Data

Directory Server provides three methods for importing data:

 Importing from the Directory Server Console.

You can use the Directory Server Console to append data to all of your databases,
including database links.

 Initializing databases.

You can use the Directory Server Console to import data to one database. This method
overwrites any data contained by the database.

 Importing data from the command line.

You can import data using the command-line utilities ldif2db, ldif2db-task, and ldif2ldap.

Exporting Data

You can use LDIF to export database entries from your databases. LDIF is a standard format
described in RFC 2849, "The LDAP Data Interchange Format (LDIF) - Technical Specification."

Exporting data can be useful for the following:

 Backing up the data in your database

 Copying your data to another Directory Server
 Exporting your data to another application
 Repopulating databases after a change to your directory topology

You can use the Directory Server Console or the command-line utilities db2ldif and db2ldif-task
to export data.

Backing Up and Restoring Data

You can use Directory Server Console or the db2bak or db2bak-task command line utilities to
back up directory data. Both methods allow you to perform a backup while the server is running,
which prevents you having a period during which the directory is not accessible.

You can restore data from a previously generated backup using Directory Server Console or the
command-line utilities bak2db or bak2db-task. Restoring databases overwrites any existing
database files. While restoring databases, the server must be running. However, the databases are
unavailable for processing operations during the restore.

Indexing Data

Depending on the size of your databases, searches performed by client applications can take a lot
of time and resources. You can use indexes to improve search performance. Indexes are files
stored in the directory databases. Separate index files are maintained for each database in the
directory. Each file is named according to the attribute it indexes. The index file for a particular
attribute can contain multiple types of indexes, allowing you to maintain several types of index
for each attribute. For example, a file called givenName.db3 contains all the indexes for the
givenName attribute.

Depending on the types of applications using your directory, you will use different types of
index. Different applications may frequently search for a particular attribute, or may search your
directory in a different language, or may require data in a particular format. For more
information on how to use indexes to improve your Directory Server performance see

Directory Server Schema

In addition to its prescriptive properties, Directory schema can maintain the integrity of the data
stored in your directory by imposing constraints on the size, range, and format of data values.
You decide what types of entries your directory contains (people, devices, organizations, and so
forth) and the attributes available to each entry.

The predefined schema included with Directory Server contains both the standard LDAP schema
as well as additional application-specific schema to support the features of the server. While this
schema meets most directory needs, you may need to extend it with new object classes and
attributes to accommodate the unique needs of your directory.

The following sections describe the format, standard attributes, and object classes included in the
Sun standard schema.

Schema Format

Directory Server bases its schema format on version 3 of the LDAP protocol (LDAPv3). This
protocol requires Directory Servers to publish their schemas through LDAP itself, allowing
directory client applications to retrieve the schema and adapt their behavior based on it. The
global set of schema for Directory Server can be found in the entry named cn=schema. In
addition, it uses a private field in the schema entries called X-ORIGIN, which describes where
the schema entry was defined originally. For example, if a schema entry is defined in the
standard LDAPv3 schema, the X-ORIGIN field refers to RFC 2252. For example, the standard
person object class appears in the schema as follows:

objectClasses: ( 2.5.6.6 NAME 'person' DESC 'Standard LDAP objectclass' SUP top MUST ( sn
$ cn ) MAY ( description $ seeAlso
$ telephoneNumber $ userPassword ) X-ORIGIN 'RFC 2256' )

This schema entry states the object identifier, or OID, for the class (2.5.6.6), the name of the
object class (person), a description of the class (Standard Person Object Class), then lists the
required attributes (objectclass, sn, and cn) and the allowed attributes (description, seeAlso,
telephoneNumber, and userPassword).

Types of access control

Access control and access control models

Access Control Models allow organizations to grant user permissions and enforce access
policies. There are four types of access control methods: Mandatory Access Control (MAC),
Role-Based Access Control (RBAC), Discretionary Access Control (DAC), and Rule-Based
Access Control (RBAC or RB-RBAC). A method is chosen based on the level of access needed
by each user, security requirement, infrastructure, etc.

Simply put, this is the access control process:

 identifying a person doing a specific job

 authenticating them by looking at their identification
 granting a person only the key to the door or computer that they need access to and nothing
more

In information security, one would look at this as:

 granting an individual permission to get onto a network via a username and password
 allowing them access to files, computers, or other hardware or software they need
 ensuring they have the right level of permission to do their job

So, how does one grant the right level of permission to an individual so that they can perform
their duties? This is where access control models come into the picture.

Access control models have four flavors:

Mandatory Access Control (MAC)

Role-Based Access Control (RBAC)

Discretionary Access Control (DAC)

Rule-Based Access Control (RBAC or RB-RBAC)

1. The Mandatory Access Control, or MAC, model gives only the owner and custodian
management of the access controls. This means the end-user has no control over any settings that
provide any privileges to anyone. Now, there are two security models associated with MAC:
Biba and Bell-LaPadula.

The Biba model is focused on the integrity of information, whereas the Bell-LaPadula model is
focused on the confidentiality of information. Biba is a setup where a user with low-level
clearance can read higher-level information (called “read up”) and a user with high-level
clearance can write for lower levels of clearance (called “write down”). The Biba model is
typically utilized in businesses where employees at lower levels can read higher-level
information and executives can write to inform the lower-level employees.

Bell-LaPadula, on the other hand, is a setup where a user at a higher level (i.e. Top Secret) can
only write at that level and no lower (called “write up”), but can also read at lower levels (called
“read down”). Bell-LaPadula was developed for governmental and/or military purposes where if
one does not have the correct clearance level and does not need to know certain information,
they have no business with the information.

At one time, MAC was associated with a numbering system that would assign a level number to
files and level numbers to employees. This system made it so that if a file (i.e. myfile.ppt) had is
level 400, another file (i.e. yourfile.docx) is level 600 and the employee had a level of 500, the
employee would not be able to access “yourfile.docx” due to the higher level (600) associated
with the file.

MAC is the highest access control there is and is utilized in military and/or government settings
utilizing the classifications of Classified, Secret, and Unclassified in place of the numbering
system previously mentioned.

2. The Role-Based Access Control, or RBAC, model provides access control based on the
position an individual fills in an organization. So, instead of assigning Alice permissions as a
security manager, the position of security manager already has permissions assigned to it. In
essence, Alice would just need access to the security manager profile.

RBAC makes life easier for the system administrator of the organization. The big issue with this
access control model is that if Alice requires access to other files, there has to be another way to
do it since the roles are only associated with the position; otherwise, security managers from
other organizations could possibly get access to files for which they are unauthorized.

3. The Discretionary Access Control, or DAC, model is the least restrictive model compared to
the most restrictive MAC model. DAC allows an individual complete control over any objects
they own along with the programs associated with those objects.

This gives DAC two major weaknesses. First, it gives the end-user complete control to set
security level settings for other users which could result in users having higher privileges than
they’re supposed to. Secondly, and worse, the permissions that the end-user has are inherited into
other programs they execute. This means the end-user can execute malware without knowing it
and the malware could take advantage of the potentially high-level privileges the end-user
possesses.
4. The fourth and final access control model is Rule-Based Access Control, also with the
acronym RBAC or RB-RBAC. Rule-Based Access Control will dynamically assign roles to
users based on criteria defined by the custodian or system administrator. For example, if
someone is only allowed access to files during certain hours of the day, Rule-Based Access
Control would be the tool of choice.

The additional “rules” of Rule-Based Access Control requiring implementation may need to be
“programmed” into the network by the custodian or system administrator in the form of code
versus “checking the box.”

Now that I have covered access control and its models, let's look at how they are logically
implemented.

Logical access control methods

Logical access control is done via access control lists (ACLs), group policies, passwords, and
account restrictions. We will take a look at each of these to see how they provide controlled
access to resources.

Access Control Lists (ACLs) are permissions attached to an object (i.e. spreadsheet file) that a
system will check to allow or deny control to that object. These permissions range from full
control to read-only to “access denied.” When it comes to the various operating systems (i.e.
Windows®, Linux, Mac OS X®), the entries in the ACLs are named “access control entry,” or
ACE, and are configured via four pieces of information: a security identifier (SID), an access
mask, a flag for operations that can be performed on the object, and another set of flags to
determine inherited permissions of the object. So, as one can see, ACLs provide detailed access
control for objects. However, they can become cumbersome when changes occur frequently, and
one needs to manage many objects.

Read about Privilege Escalation on Windows or Privilege Escalation on Linux.

Group policies are part of the Windows® environment and allow for centralized management of
access control to a network of computers utilizing the directory services of Microsoft called
Active Directory. This eliminates the need to go to each computer and configure access control.
These settings are stored in Group Policy Objects (GPOs) which make it convenient for the
system administrator to be able to configure settings. Although convenient, a determined
cybercriminal can get around these group policies and make life miserable for the system
administrator or custodian.

Passwords are “the most common logical access control, sometimes referred to as a logical
token” (Ciampa, 2009). Passwords need to be tough to hack in order to provide an essential level
of access control. If one makes the password easy to guess or uses a word in the dictionary, they
can be subject to brute-force attacks, dictionary attacks, or other attacks using rainbow tables.

Keeping this in mind, experts agree that the longer the password is, the harder it is to crack,
provided the user remembers it and used many different characters and non-keyboard type
characters in creating it. Utilizing this concept also makes it more difficult for a cybercriminal to
crack the password with the use of rainbow tables.

In addition, ensuring patches are accomplished regularly, deleting, or disabling unnecessary

accounts, making the BIOS password-protected, ensuring the computer only boots from the hard
drive, and keeping your door locked with your computer behind it will help ensure your
passwords are protected.

Of course, not writing down the password will help, too.

Types of physical access control

Physical access control is utilizing physical barriers which can help prevent
unauthorized users from accessing systems. It also allows authorized users to access
systems keeping physical security in mind. This type of control includes keeping the
computer secure by securing the door which provides access to the system; using a
paper access log; performing video surveillance with closed-circuit television; and in
extreme situations, having “mantraps.”

Securing the computer consists of disabling hardware so that if a bad guy were to gain
access, they can’t do any damage to the computer due to disabled USB ports, CD or
DVD drives, or even a password-protected BIOS. Again, this just reduces the risk of
malicious code being loaded onto the system and possibly spreading to other parts of a
network.

Door security can be very basic or it can utilize electronic devices such as keyed
dead-bolt locks on the door, cipher locks, or physical tokens. A keyed dead-bolt lock
is the same as one would use for a house lock. The cipher lock only allows access if
one knows the code to unlock the door. Physical tokens will typically consist of an ID
badge which can either be swiped for access, or they may instead contain a radio
frequency identification tag (RFID) that contains information on it identifying the
individual needing access to the door.

Paper access logs are common in many places for physical security. This allows a
company to log a person in with name, company, phone number, time in, and time
out. It can also document the employee who escorted the person during the time they
were there. Paper access logs, filled out accurately, will complement video
surveillance.

Video surveillance on closed-circuit television allows for the recording of people

who pass through a security checkpoint. This type of door security allows one to
observe the individuals going through the checkpoint, as well as the date and time,
which can be useful when trying to catch bad guys. Video surveillance can also be
utilized in mantraps.

Mantraps take door security to another level. This type of security can be seen in
military and government settings, among others when entering very high-security
areas. A person will present their identification to the security attendant and the
attendant will allow the person to enter the first door into a room. Only if the
individual’s identification credentials are valid will they be allowed to pass through
the room and go through the second door; if not, mantrap! They can only get out of
the room by going back through the first door they came in.

In summary, I presented a definition of access control and discussed the 4 access

control models. Additionally, I described the logical access control methods and
explained the different types of physical access control.

Remember, no access control model or method is perfect. However, if one does

something to deter an attacker, they can count that as a success in information security
practice.