3. Access Control

What is a Security Control?

A safeguards designed to preserve CIA

Access control: Limiting what is available to who:

  • Not only restriction but granting

Denying access is based on three elements:

Any entity that requests access to assets: User/client/process/program

  • Active: Initiates request

  • Should have a relational level of clearance (perms)

Principle of Least Privilege

Permitting only min access needed for users, programs to function

Privileged Access Management Privileged Accounts:

  • Perms beyond normal: Managers, admins, help desk, analysts

  • More extensive and detailed logging

  • More stringent access than regular users, more auditing

Segregation of Duties: No person should control high-risk transactions from start to finish

Dual control: Two separate combination locks on door of vault Two-Person Integrity: 2 ppl in an area, making it impossible to be alone

Authorized vs. Unauthorized Personnel

New employee: Requests from management to create new user IDs

  • Instructions on access levels: Auth required for elevated perms

Change of position: Perm/access rights might change by role

  • Any access no longer needed removed and vice versa

Separation of employment: Accounts disabled after termination

  • Recommended accts be disabled for a period before deletion

Physical Access Controls

Mechanisms to prevent, monitor, areas in a facility

Guards, fences, detectors, doors, gates, badges, cameras, mantraps, turnstiles, alarms

Badge: Issued with employee identifiers, giving access

  • May include biometric characteristics compared against a db

  • Integrated with logging to doc access activity

  • Some devices combine processes to detect counterfeiting

Include: Barcodes, magnetic stripes, proximity lights

Logical Access Controls

Electronic ways someone is limited from access

Passwords, biometrics, badges, tokens

Enforced over all subjects, objects in a system

Policy specifies those who have access can:

  • Pass info and grant privs to others

  • Change, choose attributes with newly created, revised objects

  • Change rules governing access control

    • Rule-based access controls: Usually form of DAC

  • An object’s ACL shows total set of subjects who have perms

  • A capabilities list shows each object the subject has perms

Last updated