Access Control Concepts

A control is a safeguard or defense mechanism intended to protect the confidentiality, integrity, and availability of data. Access control involves limiting which objects are available to which subjects according to which rules. Access control refers not only to restricting access to information systems but also to granting access to authorized personnel.

Access is based on these three elements:

  1. Subjects: a subject is the initiator of a request for service; it is active. An entity (a user, a client, a process, or a program) that requests access to our assets is known as a subject. A subject should have a level of clearance (permissions) that relates to its ability to successfully access services or resources.
  2. Objects: an object is anything that a subject attempts to access; it could be a device, process, person, user, program, server, or even a client. An object is passive in the sense that it takes no action until called upon by the subject.
  3. Rules: an access rule is a set of instructions designed to allow or deny access to an object by comparing the subject's validated identity to an access control list. A firewall access control list is an example of a rule. Firewalls, by default, deny access from any address to any address on any port. More rules are required for a firewall to be useful. To allow access from the inside network to the outside network, a rule could be added.
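The firewall rule described in item 3 can be shown as a first-match access control list with an implicit default deny. This is an added example, not code from the original article; the network ranges, addresses and the `Rule`/`evaluate` names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # source network (CIDR)
    dst: str              # destination network (CIDR)
    port: Optional[int]   # None matches any port

INSIDE = "10.0.0.0/8"     # assumed inside network (constructed)
ANY = "0.0.0.0/0"         # any IPv4 address

# Constructed rule set: rules are checked top to bottom, first match wins.
RULES = [
    Rule("deny", "10.0.5.0/24", ANY, None),   # a segment that must stay inside
    Rule("allow", INSIDE, ANY, 443),          # inside network -> outside, HTTPS
]

def evaluate(rules, src_ip, dst_ip, port):
    """Return the action of the first matching rule, or "deny" if none matches."""
    src = ipaddress.ip_address(src_ip)   # the subject making the request
    dst = ipaddress.ip_address(dst_ip)   # the object being requested
    for rule in rules:
        if (src in ipaddress.ip_network(rule.src)
                and dst in ipaddress.ip_network(rule.dst)
                and rule.port in (None, port)):
            return rule.action
    return "deny"   # default: any address to any address on any port is denied

if __name__ == "__main__":
    print(evaluate([], "10.1.2.3", "203.0.113.10", 443))       # no rules yet
    print(evaluate(RULES, "10.1.2.3", "203.0.113.10", 443))    # inside -> outside
    print(evaluate(RULES, "203.0.113.10", "10.1.2.3", 443))    # outside -> inside
    print(evaluate(RULES, "10.0.5.7", "203.0.113.10", 443))    # blocked segment
```

Because the first match wins, placing the allow rule above the deny rule would let the 10.0.5.0/24 segment out; rule order is part of the policy.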

Types of Access Controls

  1. Discretionary Access Control (DAC): this is an access control policy that is enforced over all subjects and objects in an information system where the policy specifies that a subject that has been granted access to information can do one or more of the following: (i) pass the information to other subjects or objects; (ii) grant its privileges to other subjects; (iii) change security attributes on subjects, objects, information systems, or system components; (iv) choose the security attributes to be associated with newly-created or revised objects; or (v) change the rules governing access control. Mandatory access controls restrict this capability. (CNSSI 4009-2015)
  2. Mandatory Access Control (MAC): this is an access control policy that is uniformly enforced across all subjects and objects within the boundary of an information system. A subject that has been granted access to information is constrained from doing any of the following: (i) passing the information to unauthorized subjects or objects; (ii) granting its privileges to other subjects; (iii) changing one or more security attributes on subjects, objects, the information system, or system components; (iv) choosing the security attributes to be associated with newly-created or modified objects; or (v) changing the rules governing access control. Organization-defined subjects may explicitly be granted organization-defined privileges (i.e., they are trusted subjects) such that they are not limited by some or all of the above constraints. (CNSSI 4009-2015)

Note: Discretionary Access Control permission is given by the owner of an object, while Mandatory Access Control permission is given by security administrators following the organization's policy.

  3. Role-Based Access Control (RBAC): this control sets up user permissions based on roles. A role is created and assigned the access required for personnel working in that role. When a user takes on a job, the administrator assigns them to the appropriate role. If a user leaves that role, the administrator removes that user from the role, and the access associated with that role is removed for that user. RBAC works well in an environment with high staff turnover and multiple personnel with similar access requirements. Role-based access control provides each worker privileges based on what role they have in the organization. For instance, only Finance has access to bank accounts, whereas each manager has access to their own direct reports and department. Very high-level system administrators may have complete access; new employees would have very limited access, just enough to do their jobs.
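The role assignment and removal described for RBAC, including the Finance and manager cases, can be modelled as follows. This is an added example, not code from the original article; the role names, permission strings, user names and the `RBAC`/`can_view_employee` names are constructed for illustration.

```python
# Constructed roles and permissions, following the examples in the text.
ROLE_PERMISSIONS = {
    "finance": {"bank_accounts:read"},
    "manager": {"direct_reports:read"},
    "new_employee": {"intranet:read"},
    "sysadmin": {"bank_accounts:read", "direct_reports:read", "intranet:read"},
}

class RBAC:
    def __init__(self, role_permissions):
        self.role_permissions = role_permissions  # role -> set of permissions
        self.user_roles = {}                      # user -> set of roles

    def assign(self, user, role):
        """The administrator places a user in a role that already exists."""
        if role not in self.role_permissions:
            raise KeyError(f"unknown role: {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def remove(self, user, role):
        """Leaving a role removes every permission that came with it."""
        self.user_roles.get(user, set()).discard(role)

    def is_allowed(self, user, permission):
        # Permissions are attached to roles only, never to users directly.
        return any(permission in self.role_permissions[role]
                   for role in self.user_roles.get(user, ()))

def can_view_employee(rbac, manager_of, viewer, employee):
    """A manager sees only their own direct reports: role check plus relationship check."""
    return (rbac.is_allowed(viewer, "direct_reports:read")
            and manager_of.get(employee) == viewer)

if __name__ == "__main__":
    rbac = RBAC(ROLE_PERMISSIONS)
    rbac.assign("amara", "finance")
    rbac.assign("bola", "manager")
    manager_of = {"chidi": "bola", "dayo": "efe"}   # employee -> manager (constructed)
    print(rbac.is_allowed("amara", "bank_accounts:read"))
    print(can_view_employee(rbac, manager_of, "bola", "chidi"))
    print(can_view_employee(rbac, manager_of, "bola", "dayo"))
    rbac.remove("amara", "finance")                 # amara leaves Finance
    print(rbac.is_allowed("amara", "bank_accounts:read"))
```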

The implementation of access control does not only involve system access but covers all access permissions, which include access to networks, applications and utilities, buildings, and server rooms. All of these actions are access control steps and are part of the layered defense strategy, mostly known as defense in depth.

Defense in depth describes an information security strategy that combines people, technology, and operations capabilities to establish various barriers across different layers in an organization. It is advisable to implement this method as it could prevent or deter a cyberattack, but it cannot guarantee that an attack will not occur.

A technical example of defense in depth, in which multiple layers of technical controls are implemented, is when logging into your account requires a username and password, followed by a code sent to your phone to verify your identity. This is a type of multi-factor authentication that employs two layers of authentication: something you have and something you know. An adversary would have to work much harder to obtain the combination of the two layers than either factor on its own.

Let’s look at a data center, which might have multiple layers of defense. There are administrative controls, such as policies and procedures. Then there are logical or technical controls, which include programming to limit access. There are also physical controls, which are sometimes forgotten in our highly technical world. Regardless of how much we focus on cloud computing and virtualization, there is always a physical location where information is being stored or processed in a physical hard drive in a physical computer.

Another very important defense mechanism under access control is the Principle of Least Privilege. This principle states that users and programs should have only the minimum privileges necessary to complete their tasks. That is, users are provided access only to the systems and programs needed to perform their specific jobs or tasks. This helps to preserve the confidentiality of information and ensures that it is available only to authorized personnel.

An example could be a healthcare environment. Some workers might have access to patient data but not their medical data. Individual doctors might have access only to data related to their own patients. In some cases, this is regulated by law, such as HIPAA in the United States, and by specific privacy laws in other countries.

Systems often monitor access to private information, and if logs indicate that someone has attempted to access a database without the proper permissions, that will automatically trigger an alarm. The security administrator will then record the incident and alert the appropriate people to take action.
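The monitoring step described above, as detection logic run over access log lines. This is an added example, not code from the original article; the log format, user names and database names are constructed, and a real system would read its own audit log format.

```python
import re
from collections import Counter

# Assumed log format (constructed): timestamp, user, database, action, result.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) db=(?P<db>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>ALLOWED|DENIED)$"
)

# Constructed sample log, including one line that does not parse.
SAMPLE_LOG = """\
2024-05-01T09:14:02Z user=dr_ade db=patients action=SELECT result=ALLOWED
2024-05-01T09:15:40Z user=clerk_b db=medical_records action=SELECT result=DENIED
garbled line without fields
2024-05-01T09:15:44Z user=clerk_b db=medical_records action=SELECT result=DENIED
2024-05-01T09:20:11Z user=dr_ade db=billing action=UPDATE result=DENIED
"""

def detect_denied(log_text):
    """Return (alerts, unparsed): one alert per denied access attempt."""
    alerts, unparsed = [], 0
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if match is None:
            unparsed += 1          # count, do not silently drop, unreadable lines
            continue
        if match["result"] == "DENIED":
            alerts.append({"ts": match["ts"], "user": match["user"],
                           "db": match["db"], "action": match["action"]})
    return alerts, unparsed

def summarize(alerts):
    """Group alerts by (user, database) so repeated attempts stand out."""
    return dict(Counter((a["user"], a["db"]) for a in alerts))

if __name__ == "__main__":
    alerts, unparsed = detect_denied(SAMPLE_LOG)
    for alert in alerts:
        print("ALARM:", alert)     # the administrator records and escalates these
    print("summary:", summarize(alerts), "unparsed lines:", unparsed)
```

Counting unparsed lines matters because a log source that changes format would otherwise stop producing alarms without anyone noticing.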
