3. Access Control
What is a Security Control?
A safeguard designed to preserve CIA
Access control: Limiting what is available to whom:
Not only restriction but granting
Denying access is based on three elements:
Any entity that requests access to assets: User/client/process/program
Active: Initiates request
Should have a relational level of clearance (perms)
Principle of Least Privilege
Permitting only min access needed for users, programs to function
Privileged Access Management
Privileged Accounts:
Perms beyond normal: Managers, admins, help desk, analysts
More extensive and detailed logging
More stringent access than regular users, more auditing
Segregation of Duties: No person should control high-risk transactions from start to finish
Dual control: Two separate combination locks on door of vault
Two-Person Integrity: 2 ppl in an area, making it impossible to be alone
Authorized vs. Unauthorized Personnel
New employee: Requests from management to create new user IDs
Instructions on access levels: Auth required for elevated perms
Change of position: Perm/access rights might change by role
Any access no longer needed removed and vice versa
Separation of employment: Accounts disabled after termination
Recommended accts be disabled for a period before deletion
Physical Access Controls
Mechanisms to prevent or monitor access to areas in a facility
Guards, fences, detectors, doors, gates, badges, cameras, mantraps, turnstiles, alarms
Badge: Issued with employee identifiers, giving access
May include biometric characteristics compared against a db
Integrated with logging to doc access activity
Some devices combine processes to detect counterfeiting
Include: Barcodes, magnetic stripes, proximity lights
Logical Access Controls
Electronic ways someone is limited from access
Passwords, biometrics, badges, tokens
Enforced over all subjects, objects in a system
Policy specifies those who have access can:
Pass info and grant privs to others
Change, choose attributes with newly created, revised objects
Change rules governing access control
Rule-based access controls: Usually form of DAC
An object’s ACL shows total set of subjects who have perms
A capabilities list shows each object the subject has perms for
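Added example (not part of the original notes): one access matrix read two ways, per object as an ACL and per subject as a capabilities list, with default deny. Subject and object names are constructed, and restricting grants to the object's owner is an assumed simplification of the DAC policy above.

```python
# Constructed access matrix: (subject, object) -> set of permissions.
# All subject and object names are made up for illustration.
from collections import defaultdict

class AccessMatrix:
    def __init__(self):
        self._cells = defaultdict(set)   # (subject, object) -> perms
        self._owner = {}                 # object -> owning subject

    def create(self, owner, obj, perms):
        """Owner creates an object and chooses its initial permissions."""
        self._owner[obj] = owner
        self._cells[(owner, obj)] = set(perms)

    def grant(self, grantor, subject, obj, perms):
        """Assumed DAC rule: only the owner may pass permissions to others."""
        if self._owner.get(obj) != grantor:
            raise PermissionError(f"{grantor} does not own {obj}")
        self._cells[(subject, obj)] |= set(perms)

    def is_allowed(self, subject, obj, perm):
        """Default deny: no matching cell means no access."""
        return perm in self._cells.get((subject, obj), set())

    def acl(self, obj):
        """Column view: every subject with permissions on one object."""
        return {s: sorted(p) for (s, o), p in self._cells.items() if o == obj and p}

    def capabilities(self, subject):
        """Row view: every object one subject has permissions on."""
        return {o: sorted(p) for (s, o), p in self._cells.items() if s == subject and p}

def build_sample():
    m = AccessMatrix()
    m.create("alice", "payroll.xlsx", {"read", "write"})
    m.create("bob", "runbook.md", {"read", "write"})
    m.grant("alice", "bob", "payroll.xlsx", {"read"})
    m.grant("bob", "carol", "runbook.md", {"read"})
    return m

if __name__ == "__main__":
    m = build_sample()
    print("ACL payroll.xlsx:", m.acl("payroll.xlsx"))
    print("Capabilities bob:", m.capabilities("bob"))
    print("carol write runbook.md?", m.is_allowed("carol", "runbook.md", "write"))
```

The ACL answers "who can touch this object" (useful when auditing an asset), while the capabilities list answers "what can this subject touch" (useful when reviewing an account for least privilege or offboarding).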