Chapter 3 Access Control Concepts
Last updated
Access control is a security mechanism used to regulate who can access or modify certain resources within a system, and under what conditions. It ensures that only authorized users or entities are allowed to interact with specific objects (such as files, data, or devices) according to defined rules.
The three core elements of access control are:
Subjects (Who): Subjects are the individuals or entities (such as users, processes, or applications) that request access to objects. Essentially, subjects are the "actors" within the system that need permission to perform actions.
Objects (What): Objects are the resources or entities (like files, databases, devices, or data) that subjects are trying to access. Objects represent the "things" within the system that need protection from unauthorized access.
Rules (How and When): Rules define the conditions under which access is granted or denied. They specify how access is granted (e.g., which actions are allowed: read, write, execute) and when access is allowed (e.g., time of day, user role, or other conditions). Rules also govern the security policies for the system, ensuring that access is controlled according to predefined criteria.
In essence, access control ensures that only the right subjects can interact with the right objects in a secure and regulated manner.
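The three elements can be made concrete with a small default-deny policy check. This is an added example, not part of the original notes: the Rule class, is_permitted() and the sample policy (users alice and backup-svc, object payroll.db, a 09:00-17:00 window) are all constructed for illustration. Each rule names a subject (who), an object (what), the permitted actions (how) and an optional time-of-day window (when); access is granted only if some rule explicitly allows it.

```python
"""Subject / object / rule access check with an optional time-of-day condition.

Added example (not from the original notes). Rule, is_permitted and the
sample POLICY are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    subject: str                      # who: user, process or service account
    obj: str                          # what: the protected resource
    actions: frozenset                # how: the operations this rule permits
    start_hour: Optional[int] = None  # when: allowed window start (inclusive), 0-23
    end_hour: Optional[int] = None    # when: allowed window end (exclusive), 0-24

    def allows(self, subject: str, obj: str, action: str, hour: int) -> bool:
        """True if this rule permits `subject` to perform `action` on `obj` at `hour`."""
        if (subject, obj) != (self.subject, self.obj) or action not in self.actions:
            return False
        if self.start_hour is None or self.end_hour is None:
            return True  # rule carries no time condition
        return self.start_hour <= hour < self.end_hour


# Constructed sample policy: alice may read/write payroll during office hours,
# the backup service may only read, at any hour.
POLICY = [
    Rule("alice", "payroll.db", frozenset({"read", "write"}), start_hour=9, end_hour=17),
    Rule("backup-svc", "payroll.db", frozenset({"read"})),
]


def is_permitted(policy, subject: str, obj: str, action: str, hour: int) -> bool:
    """Default deny: access is granted only when at least one rule explicitly allows it."""
    return any(rule.allows(subject, obj, action, hour) for rule in policy)


if __name__ == "__main__":
    print(is_permitted(POLICY, "alice", "payroll.db", "write", 10))    # True
    print(is_permitted(POLICY, "alice", "payroll.db", "write", 22))    # False: outside window
    print(is_permitted(POLICY, "backup-svc", "payroll.db", "write", 3))  # False: not in actions
```

The important design choice is the default-deny in is_permitted(): an unknown subject, an unlisted action or a request outside the window all fall through to False without needing an explicit deny rule.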
Defense in depth is a security strategy that involves implementing multiple layers of security controls and measures to protect systems and data. The idea is that if one security layer is breached, additional layers will still provide protection, reducing the likelihood of a successful attack. This approach helps mitigate the risk of single points of failure and strengthens overall security.
Physical Controls: These controls protect the physical environment, such as infrastructure, hardware, and facilities.
Technical Controls (Logical Controls): These controls use technology to protect systems, networks, and data through access management, monitoring, and encryption.
Administrative Controls: These controls focus on policies, procedures, and management processes to guide and enforce security practices within an organization.
Core (Assets): The core refers to the critical resources or assets that need to be protected, such as sensitive data and infrastructure.
These elements work together to create a comprehensive security approach, ensuring protection at different levels.
Privileged Access Management (PAM) is a security practice that involves controlling, monitoring, and managing access to critical systems and sensitive resources by users with elevated privileges. It is specifically focused on ensuring that users who have elevated permissions, such as system administrators or other high-level users, are granted access only when necessary and are closely monitored to prevent abuse or unauthorized activities.
PAM typically includes:
Access Control: Restricting privileged access based on roles and responsibilities, ensuring that only authorized individuals can access sensitive systems.
Session Monitoring and Recording: Monitoring the actions of privileged users during their sessions and recording their activities for auditing and analysis.
Credential Management: Managing and securing the credentials (such as passwords or access keys) used by privileged accounts, including periodic rotation and ensuring their secrecy.
Least Privilege: Enforcing the principle of least privilege, meaning that privileged access is granted only to perform specific tasks and only for the minimum time required.
By implementing PAM, organizations can reduce the risks associated with the misuse or compromise of privileged accounts, protecting sensitive data and systems from internal and external threats.
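The PAM elements above (time-bound elevation, least privilege, session recording) can be sketched as a small just-in-time grant manager. This is an added example, not part of the original notes: PrivilegedAccessManager, grant(), use(), demo(), the MAX_GRANT ceiling, and the sample names (admin-bob, intern-eve, prod-db-01) are constructed for illustration. A grant is capped to a policy maximum, every use is written to an audit trail whether allowed or not, and an expired grant is revoked the moment it is next exercised.

```python
"""Just-in-time privileged access: time-bound grants with an audit trail.

Added example (not from the original notes). All class, function and sample
names here are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

MAX_GRANT = timedelta(hours=4)  # policy ceiling: no elevation lasts longer than this


@dataclass
class Grant:
    user: str
    system: str
    actions: frozenset      # least privilege: only the actions the task needs
    expires_at: datetime


@dataclass
class PrivilegedAccessManager:
    grants: Dict[Tuple[str, str], Grant] = field(default_factory=dict)
    audit_log: List[dict] = field(default_factory=list)

    def grant(self, user, system, actions, duration, now, justification):
        """Issue a grant; the requested duration is capped at MAX_GRANT."""
        duration = min(duration, MAX_GRANT)
        g = Grant(user, system, frozenset(actions), now + duration)
        self.grants[(user, system)] = g
        self.audit_log.append({"event": "grant", "user": user, "system": system,
                               "actions": sorted(actions), "expires_at": g.expires_at.isoformat(),
                               "justification": justification})
        return g

    def use(self, user, system, action, now):
        """Decide one privileged action, revoke if expired, and record the attempt."""
        g = self.grants.get((user, system))
        if g is not None and now >= g.expires_at:
            del self.grants[(user, system)]  # automatic revocation on expiry
            self.audit_log.append({"event": "expire", "user": user, "system": system})
            g = None
        allowed = g is not None and action in g.actions
        self.audit_log.append({"event": "use", "user": user, "system": system,
                               "action": action, "allowed": allowed, "at": now.isoformat()})
        return allowed

    def denied_attempts(self):
        """Denied uses are the entries a reviewer looks at first."""
        return [e for e in self.audit_log if e["event"] == "use" and not e["allowed"]]


def demo():
    """One elevation walked through: grant, use in window, use after expiry."""
    pam = PrivilegedAccessManager()
    t0 = datetime(2024, 1, 15, 9, 0)  # constructed timestamp
    # 8 hours requested, but policy caps it to 4 (expires 13:00).
    pam.grant("admin-bob", "prod-db-01", {"restart"}, timedelta(hours=8), t0,
              "change ticket reference (constructed placeholder)")
    results = {
        "in_window_restart": pam.use("admin-bob", "prod-db-01", "restart", t0 + timedelta(hours=1)),
        "in_window_drop_table": pam.use("admin-bob", "prod-db-01", "drop_table", t0 + timedelta(hours=1)),
        "after_expiry_restart": pam.use("admin-bob", "prod-db-01", "restart", t0 + timedelta(hours=5)),
        "no_grant_user": pam.use("intern-eve", "prod-db-01", "restart", t0 + timedelta(hours=1)),
    }
    results["granted_until"] = pam.audit_log[0]["expires_at"]
    results["denied_count"] = len(pam.denied_attempts())
    results["audit_entries"] = len(pam.audit_log)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Note that the denied attempts (an action outside the granted set, a use after expiry, a user with no grant) are all logged with the same detail as the allowed ones; a PAM audit trail that only records successes cannot show abuse attempts.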
New employee – account created
“Onboarding” – creating an account (or cloning a baseline account) for a new employee
Changed position – account modified
Temporary leave of absence – account disabled
Separation of employment – account deleted
“Offboarding” – deleting an account (or disabling then deleting an account) for a terminated employee
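The lifecycle events above (created, modified, disabled, deleted) map naturally onto a small state machine in which only a few transitions are legal. This is an added example, not part of the original notes: AccountDirectory, its method names, and the sample accounts (a disabled template account tpl-staff cloned for a new user jdoe) are constructed for illustration. Onboarding clones a baseline account's group memberships, a position change removes memberships the new role no longer needs, leave disables the account, and offboarding always disables before it deletes.

```python
"""Account lifecycle state machine: onboarding, changes, leave and offboarding.

Added example (not from the original notes). AccountDirectory, the state
names and the sample accounts are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Legal state transitions; anything else is rejected. There is deliberately no
# "active" -> "deleted" edge: offboarding must disable first, then delete.
TRANSITIONS = {
    "active": {"disabled"},
    "disabled": {"active", "deleted"},
}


@dataclass
class Account:
    username: str
    groups: Set[str]
    state: str = "active"


@dataclass
class AccountDirectory:
    accounts: Dict[str, Account] = field(default_factory=dict)
    events: List[str] = field(default_factory=list)  # audit trail of lifecycle events

    def _transition(self, username: str, new_state: str) -> None:
        acct = self.accounts[username]
        if new_state not in TRANSITIONS.get(acct.state, set()):
            raise ValueError(f"{username}: cannot go from {acct.state} to {new_state}")
        acct.state = new_state
        self.events.append(f"{username}:{new_state}")

    def onboard(self, username: str, baseline: str) -> Account:
        """New employee: clone a baseline account's memberships instead of hand-picking them."""
        if username in self.accounts:
            raise ValueError(f"{username} already exists")
        template = self.accounts[baseline]
        self.accounts[username] = Account(username, set(template.groups))  # copy, not alias
        self.events.append(f"{username}:created")
        return self.accounts[username]

    def change_position(self, username: str, add: Set[str], remove: Set[str]) -> Set[str]:
        """Changed position: modify memberships; drop what the new role does not need."""
        acct = self.accounts[username]
        if acct.state != "active":
            raise ValueError(f"{username}: only active accounts can be modified")
        acct.groups = (acct.groups - set(remove)) | set(add)
        self.events.append(f"{username}:modified")
        return acct.groups

    def leave_of_absence(self, username: str) -> None:
        self._transition(username, "disabled")

    def return_from_leave(self, username: str) -> None:
        self._transition(username, "active")

    def offboard(self, username: str) -> None:
        """Separation: disable (immediate lockout), then delete."""
        if self.accounts[username].state == "active":
            self._transition(username, "disabled")
        self._transition(username, "deleted")
        del self.accounts[username]

    def can_log_in(self, username: str) -> bool:
        acct = self.accounts.get(username)
        return acct is not None and acct.state == "active"


if __name__ == "__main__":
    d = AccountDirectory()
    # Template accounts are kept disabled so nobody can authenticate as the baseline itself.
    d.accounts["tpl-staff"] = Account("tpl-staff", {"staff", "vpn"}, state="disabled")
    d.onboard("jdoe", "tpl-staff")
    d.change_position("jdoe", add={"finance"}, remove={"vpn"})
    d.offboard("jdoe")
    print(d.events)  # created, modified, disabled, deleted
```

Two details are worth the extra lines: the template's group set is copied rather than shared, so a later position change cannot silently edit the baseline, and the missing active-to-deleted transition turns "disable then delete" from a convention into something the code enforces.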
Physical Access Controls are security measures designed to restrict unauthorized physical access to buildings, rooms, devices, or other physical assets. These controls help protect sensitive equipment, data, and infrastructure from theft, damage, or unauthorized use.
Physical access controls typically include:
Barriers and Perimeter Security: Physical structures like fences, gates, and walls that limit access to protected areas.
Entry/Exit Controls: Mechanisms like locked doors, turnstiles, and gates, often combined with access cards, keypads, biometrics, or security guards to control who can enter or exit a facility or restricted area.
Identification Systems: Methods like badges, ID cards, and biometric scanners to verify the identity of individuals attempting to access a secure area.
Surveillance and Monitoring: Cameras, motion detectors, and alarm systems to monitor and record physical access events and detect unauthorized activity.
Security Personnel: Guards or attendants stationed at entry points to verify credentials and monitor for suspicious activity.
These controls are critical to ensuring that only authorized individuals have access to sensitive areas, helping to prevent unauthorized physical access, theft, or tampering with important resources.
Logical Access Controls are security measures that manage and restrict access to computer systems, networks, and digital resources based on users' identities and permissions. These controls ensure that only authorized users can access specific data or systems, and they regulate how users interact with digital resources.
Logical Access Control Types define the methods and rules used to manage who can access digital resources and how that access is granted. The three main types of logical access controls are:
Discretionary Access Control (DAC): In DAC, the owner of the resource (such as a file or database) has the discretion to determine who can access the resource and what type of access they have (e.g., read, write, execute).
Access decisions are typically based on user identity and can be easily modified by the owner or creator of the resource.
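An owner-managed access control list is the simplest illustration of DAC. This is an added example, not part of the original notes: the DacObject class, its grant(), revoke() and check() methods, and the sample users (alice as owner, bob and carol as other users) are constructed for illustration. Only the owner may edit the ACL, the owner always has full access, and everyone else gets exactly what the ACL lists, defaulting to deny.

```python
"""Discretionary access control: the object's owner decides who gets which rights.

Added example (not from the original notes). DacObject and the sample users
are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Set


@dataclass
class DacObject:
    name: str
    owner: str
    acl: Dict[str, Set[str]] = field(default_factory=dict)  # subject -> permitted actions

    def _require_owner(self, actor: str) -> None:
        """The owner's discretion is the whole model: nobody else edits the ACL."""
        if actor != self.owner:
            raise PermissionError(f"{actor} is not the owner of {self.name}")

    def grant(self, actor: str, subject: str, actions: Iterable[str]) -> None:
        self._require_owner(actor)
        self.acl.setdefault(subject, set()).update(actions)

    def revoke(self, actor: str, subject: str) -> None:
        self._require_owner(actor)
        self.acl.pop(subject, None)

    def transfer_ownership(self, actor: str, new_owner: str) -> None:
        """Ownership itself is a right only the current owner can hand over."""
        self._require_owner(actor)
        self.owner = new_owner

    def check(self, subject: str, action: str) -> bool:
        """Owner has full access; others get only what the ACL says; default deny."""
        if subject == self.owner:
            return True
        return action in self.acl.get(subject, set())


if __name__ == "__main__":
    f = DacObject("report.xlsx", owner="alice")
    f.grant("alice", "bob", {"read"})
    print(f.check("bob", "read"), f.check("bob", "write"))  # True False
```

The caveat a practitioner should keep in mind is visible in check(): the decision depends entirely on what the owner chose to put in the ACL, so the organization's policy is enforced only as well as every individual owner applies it. That is the property the other logical access control types are designed to tighten.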