Domain 3
Access control involves limiting what objects can be available to what subjects according to what rules. An example of this is a firewall that restricts access from the outside but can also prevent information from the inside from going out into the web.
Access controls are not just about restricting access to information systems and data, but also about allowing it. Giving the right users access to the right data is based on three elements:
Subjects - An entity that requests access to the assets (user, client, process, program, etc.). The subject is active: it is the initiator of the request.
Objects - Anything the subject attempts to access (device, process, person, user, program, server, client). Unlike the subject, the object is passive, and as a passive entity it is not the one that verifies access control.
Rules - Instruction to allow or deny access to an object (Ex.: a firewall rule).
Control Assessments
Risk reduction depends on the effectiveness of the controls. The cost of implementing certain controls (e.g., biometric door scanners) must align with the value of the assets being protected. Assessments should be carried out to determine the cost and effectiveness of controls for different types of data.
Defense in depth
Defense in depth is a layered security strategy that includes controls for buildings, server rooms, networks, applications, and utilities. This strategy integrates people, technology, and operational capabilities to establish multiple barriers across different layers of an organization.
When an organization handles information with varying levels of sensitivity, network traffic may need to be validated by multiple firewalls. The most sensitive information is typically stored behind several layers of protection.
An example of defense in depth is:
Physical controls (door locks) → Technical/logical controls (network access restrictions) → Administrative controls (policies and procedures governing user access) → Protected asset
Principle of least privilege
The principle of least privilege ensures that data is only accessible to personnel who are explicitly authorized to view it. For example, in hospitals, staff may have access to general patient information, but only doctors can access detailed medical records. Even then, doctors may only access records for patients under their care. Additionally, the more sensitive the data a user can access, the stronger the security controls applied to their account should be.
Privileged Access Management (PAM)
Admin accounts, such as the root account on Linux, have extensive privileges and should be kept safe at all costs. If an administrative role is granted to a user permanently, they can use it at any time. With PAM, the root/admin accounts are kept in a vault and not used directly; users request specific rights that expire after the task is completed.
These privileged accounts might be used by:
- System administrators that need to operate systems, deploy applications, manage performance.
- Help desk or IT support that need to view or manipulate endpoints, servers and applications
- Security analysts who might need quick access to the entire system
Typical measures to moderate the potential risks of privileged accounts include extensive logging of activities, a record of the privileged actions executed (which serves as a deterrent to a privileged user causing harm), and an administrative control (logs reviewed by a hierarchical superior).
Privileged users should be subject to stricter login security, background checks and stricter non-disclosure agreements, and be willing to be investigated in case of damage.
Example: Help desk personnel should be able to reset client passwords, but must ensure that only passwords requested by end users are actually reset. A weekly report of reset passwords should be analyzed and compared with help desk password reset requests.
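The two PAM ideas above (rights checked out of a vault that expire on their own, and a weekly reconciliation of password resets against help desk requests) as an added Python example. This is not code from the course notes; the vault, the users, the ticket numbers and the timestamps are all constructed for the demo.

```python
"""Added example (not from the course notes): a toy just-in-time privilege
vault plus the password-reset reconciliation described in the notes.
All users, tickets and timestamps below are constructed for the demo."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Grant:
    user: str
    right: str
    expires_at: datetime
    ticket: str          # the help desk / change ticket that justified the grant


class PrivilegeVault:
    """Standing admin rights stay in the vault. A user checks out one specific
    right for a limited time, and every grant and every use is written to an
    audit log that a superior can review later."""

    def __init__(self):
        self.grants = []
        self.audit_log = []

    def request(self, user, right, ticket, now, ttl_minutes=30):
        grant = Grant(user, right, now + timedelta(minutes=ttl_minutes), ticket)
        self.grants.append(grant)
        self.audit_log.append({"time": now, "user": user, "event": "grant",
                               "right": right, "ticket": ticket})
        return grant

    def has_right(self, user, right, now):
        # Expired grants are simply ignored, so the right lapses automatically
        return any(g.user == user and g.right == right and now < g.expires_at
                   for g in self.grants)

    def use(self, user, right, target, now):
        """Attempt a privileged action; the attempt is logged whether or not
        it was allowed, which is what makes the log a deterrent."""
        allowed = self.has_right(user, right, now)
        self.audit_log.append({"time": now, "user": user, "event": right,
                               "target": target, "allowed": allowed})
        return allowed


def reconcile_resets(audit_log, tickets):
    """Detective control from the notes: every password reset in the log must
    match a help desk request for that same end user. Returns the accounts
    that were reset without a matching request."""
    requested = {t["user"] for t in tickets}
    return sorted({e["target"] for e in audit_log
                   if e["event"] == "password_reset" and e["allowed"]
                   and e["target"] not in requested})


def pam_demo():
    vault = PrivilegeVault()
    t0 = datetime(2024, 1, 8, 9, 0)  # constructed timestamp
    vault.request("helpdesk_ana", "password_reset", "HD-101", t0, ttl_minutes=30)
    a = vault.use("helpdesk_ana", "password_reset", "alice", t0 + timedelta(minutes=5))   # inside the window
    b = vault.use("helpdesk_ana", "password_reset", "bob", t0 + timedelta(minutes=10))    # inside, but nobody asked
    c = vault.use("helpdesk_ana", "password_reset", "carol", t0 + timedelta(minutes=45))  # grant has expired
    tickets = [{"ticket": "HD-101", "user": "alice"}]  # constructed help desk requests
    return a, b, c, reconcile_resets(vault.audit_log, tickets)


if __name__ == "__main__":
    print(pam_demo())
```

The reconciliation step is the administrative control from the notes: the technical control (the expiring grant) stops the third reset, but only the review of the log reveals that the second reset had no request behind it.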
Separation of duties
No one person should control an entire high-risk transaction from start to finish. This is achieved either through supervision or dual control.
For example, in an approval workflow, an employee may submit an invoice, but a manager must approve it before it is sent to the customer. In dual control systems, two individuals each hold part of a secret or approval (e.g., two different codes), and both are required to perform a critical action such as opening a vault. No single person can complete the action alone.
Another security principle is two-person integrity. In high-security environments, access to a secure area may require two authorized individuals to be present simultaneously, for example by using a card reader system that only grants entry when both credentials are used. This reduces the risk of a single person being able to cause harm or perform unauthorized actions alone. It can also serve as a safety measure in sensitive environments, ensuring that there is always a second person present in case of an emergency.
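The invoice workflow and the dual-control vault from this section as an added Python example, not code from the course notes. The names, the invoice number and the two code halves are constructed for the demo; the only library call is `hmac.compare_digest` for a constant-time comparison of the presented code parts.

```python
"""Added example (not from the course notes): enforcing separation of duties
(the submitter may not approve their own invoice) and dual control (two
distinct code holders must both present their part before the vault opens).
Names, invoice ids and code parts are constructed for the demo."""
import hmac


class InvoiceWorkflow:
    def __init__(self):
        self.invoices = {}

    def submit(self, invoice_id, submitted_by, amount):
        self.invoices[invoice_id] = {"submitted_by": submitted_by,
                                     "amount": amount, "approved_by": None}

    def approve(self, invoice_id, approver, managers):
        inv = self.invoices[invoice_id]
        if approver not in managers:
            return False            # only a manager may approve at all
        if approver == inv["submitted_by"]:
            return False            # separation of duties: no self-approval
        inv["approved_by"] = approver
        return True

    def can_send(self, invoice_id):
        return self.invoices[invoice_id]["approved_by"] is not None


class DualControlVault:
    """Each designated holder knows only their own part of the combination;
    the vault opens only when every holder is present with the right part."""

    def __init__(self, shares):
        self._shares = shares       # {"holder": "secret part"}

    def open(self, presented):
        if set(presented) != set(self._shares):
            return False            # a holder is missing, or an unknown person showed up
        return all(hmac.compare_digest(self._shares[h], presented[h])
                   for h in self._shares)


def sod_demo():
    wf = InvoiceWorkflow()
    managers = {"john", "maria"}
    wf.submit("INV-1", "john", 1200)
    self_approve = wf.approve("INV-1", "john", managers)   # john is a manager, but he submitted it
    mgr_approve = wf.approve("INV-1", "maria", managers)   # a different manager approves

    vault = DualControlVault({"ana": "4711", "ben": "0815"})
    alone = vault.open({"ana": "4711"})                    # one person cannot open it
    both = vault.open({"ana": "4711", "ben": "0815"})      # both parts present and correct
    wrong = vault.open({"ana": "4711", "ben": "9999"})     # ben's part is wrong
    return self_approve, mgr_approve, wf.can_send("INV-1"), alone, both, wrong


if __name__ == "__main__":
    print(sod_demo())
```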
Multiple controls
To increase security you can stack multiple layers of controls:
1. Physical controls
Everything you can touch (security guards, fences, doors, badges, cameras, alarms)
- Protects physical access, not only to protect physical assets but also the health and safety of personnel
- Crime Prevention Through Environmental Design - passive methods to deter crime, such as keeping the place clean and areas visible and well lit
- Biometrics - can be physiological (iris or fingerprint scan) or behavioral (voiceprint or keystroke dynamics). These systems are expensive and might make personnel reluctant to use them, since they can be perceived as an invasion of privacy (iris scans can detect diseases, for example)
- Monitoring - monitoring personnel and equipment entering and leaving, and auditing and logging all physical events, are primary elements in maintaining overall organizational security
- Cameras and video technology such as infrared, microwave or laser systems
- Logs (sign-in sheets, entrance logs from card access, or others)
- Alarm systems to alert on forced entry, or a panic button, commonly used in banks
- Security guards are a very good deterrent for any crime
2. Logical controls
Electronic methods that limit who can get access to systems
- Passwords
- Biometrics (here on a laptop or phone instead of a building)
- Badge / token readers
An employee may:
- Use a badge to enter the office (physical control).
- Tap the same badge or use a fingerprint to sign in to their workstation (logical control).
- Use biometrics again to approve access to sensitive applications (logical control).
2.1. Discretionary access control (DAC)
A user who has been granted permissions can pass information to other users, grant privileges, and modify security attributes at their own discretion.
Example: Windows and Linux systems allow file owners to grant or deny read, write, and execute (rwx) permissions to other users, and in some cases transfer ownership. Another example is a secretary issuing a visitor badge; because the secretary has been given that authority, they can assign access rights to another user at their discretion.
DAC systems are not very scalable because they rely on the access control decisions made by individual object owners. As a result, it can be difficult to identify the source of access control issues when problems occur.
2.2. Mandatory Access Control (MAC)
Access permissions are determined and enforced by a central authority based on security labels and classifications. Individual users cannot grant privileges, pass information to other users, or modify security attributes at their own discretion.
Example: Military and government systems classify information as Confidential, Secret, or Top Secret. Users are assigned security clearances, and the system determines which information they are allowed to access. A user with a Secret clearance cannot access Top Secret documents or grant others access to them.
MAC systems provide strong security and centralized control, making them suitable for environments where confidentiality is critical. However, they are less flexible and more difficult to administer than DAC systems.
This system is often accompanied by separation of duties, which is facilitated by Role-Based Access Control (RBAC). In RBAC, roles are assigned to users, and permissions are managed according to those roles. This allows administrators to add or remove a role from a user, with all associated privileges being granted or revoked automatically.
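The three models from 2.1 and 2.2 side by side as an added Python example (not code from the course notes): a DAC file whose owner hands out rwx permissions, a MAC check against the Confidential/Secret/Top Secret labels where users can change nothing, and an RBAC table where adding or removing a role grants or revokes all of its permissions at once. The file, the users and the hospital roles are constructed for the demo; the MAC check implements only the "no read up" rule the notes describe.

```python
"""Added example (not from the course notes): DAC, MAC and RBAC on toy data.
Users, labels, roles and permissions below are constructed for the demo."""
from enum import IntEnum


# --- DAC: the object owner decides who gets which permission ---------------
class DacFile:
    def __init__(self, owner):
        self.owner = owner
        self.acl = {owner: {"r", "w", "x"}}   # owner starts with full rwx

    def grant(self, by, to, perms):
        if by != self.owner:
            return False                      # only the owner may hand out rights
        self.acl.setdefault(to, set()).update(perms)
        return True

    def allowed(self, user, perm):
        return perm in self.acl.get(user, set())


# --- MAC: a central label lattice; users cannot grant or relabel ----------
class Label(IntEnum):
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def mac_can_read(clearance, label):
    """No read up: a clearance may read objects at its own level or below.
    There is deliberately no grant function; only the central authority
    assigns clearances and labels."""
    return clearance >= label


# --- RBAC: permissions hang off roles, roles off users --------------------
class Rbac:
    def __init__(self):
        self.role_perms = {}
        self.user_roles = {}

    def add_role(self, role, perms):
        self.role_perms[role] = set(perms)

    def assign(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user, role):
        # Removing the role revokes every permission it carried, in one step
        self.user_roles.get(user, set()).discard(role)

    def allowed(self, user, perm):
        return any(perm in self.role_perms.get(r, set())
                   for r in self.user_roles.get(user, ()))


def models_demo():
    f = DacFile(owner="alice")
    dac = (f.grant("bob", "carol", {"r"}),    # bob is not the owner
           f.grant("alice", "bob", {"r"}),    # the owner may grant
           f.allowed("bob", "r"),             # bob can now read
           f.allowed("bob", "w"))             # but was never given write

    mac = (mac_can_read(Label.SECRET, Label.CONFIDENTIAL),   # read down: allowed
           mac_can_read(Label.SECRET, Label.TOP_SECRET))     # read up: denied

    rbac = Rbac()
    rbac.add_role("doctor", {"read_patient_summary", "read_medical_record"})
    rbac.add_role("nurse", {"read_patient_summary"})
    rbac.assign("dr_lee", "doctor")
    before = rbac.allowed("dr_lee", "read_medical_record")
    rbac.revoke("dr_lee", "doctor")
    after = rbac.allowed("dr_lee", "read_medical_record")
    return dac, mac, (before, after)


if __name__ == "__main__":
    print(models_demo())
```

The contrast the notes draw shows up in the code: `DacFile.grant` is a decision made by an individual owner, `mac_can_read` has no way for a user to change the outcome, and `Rbac.revoke` removes a whole bundle of permissions without touching each one.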
3. Administrative controls
Last but not least, administrative controls are the rules and policies in place to control access. If a seatbelt is a physical control, the rule that mandates everyone to wear a seatbelt is the administrative control.