Access Control Policies

Access control policies are controls that are put into place to mitigate security risks and minimize vulnerabilities. These policies are the guidelines that should be followed by both automated access control systems and actual physical security. When an access control policy has been defined, it is the responsibility of the security administrator to ensure that the policy is implemented across all aspects of the organization. With a properly implemented access control policy, many security risks can be eliminated and the potential for loss within the organization can be minimized in the event of an attack.

Access control policies have many different parts and vary greatly in purpose and implementation. Every access control policy has a specific purpose defined and this purpose in turn defines the type of access control policy. There are three major types of access control policies, which are covered in the following section. There are also three major types of access control implementations, which are also discussed.

Access Control Policy Types

There are three different types of access control policies: preventive, corrective, and detective. Each of these work together to support a global access control policy. This section goes over the three types of access control policies, examines what they entail and how they interrelate, and discusses some of the ways that they are implemented.

Preventive

Some access control policies are designed to prevent events from occurring. This type of policy is put into place to minimize vulnerabilities within the access control system and to help protect the system. An example of this is an administrative policy to expedite installation of security-related patches or service packs on network systems. This policy helps ensure that the organization's systems are protected from recently discovered and patched vulnerabilities.

Preventive access control policies help keep organizations secure; it is very important that this type of policy be defined and enforced. There are many situations where having a good preventive access control policy in place will prevent major damages to an organization. Typically, when defining access control policies, preventive policies should be the first policies put into place. Some examples of this type of policy are:

• Performing background checks on new employees

• Classifying data and restricting access based on the classification

• Separating duties so that one person does not have complete control over a process

• Separating knowledge so that one person does not know an entire process

• Processes to perform when an employee is terminated to eliminate their access

Corrective

Corrective access control policies are policies that are defined as part of a good access control system, but are only used after an attack has occurred. These policies are designed so that a corrective action plan is available and ready in the event that an organization's preventive access control policies are unable to prevent an attack. These policies include disaster recovery plans, emergency restore procedures, and procedures for enabling backup systems.

A corrective access control policy is important to have in place prior to an attack occurring. If this type of policy has been implemented, there will not be as much confusion after an attack occurs and administrators can stay focused on implementing the predefined plan. This saves a great deal of time during a critical situation and can be a priceless asset.

Detective

The last type of access control policy is a detective policy. This type of policy is defined and implemented in order for administrators to know when an attack is occurring. Without detective measures in place, administrators may not even be aware that an attack has occurred. In addition, by having a detective access control policy implemented, attacks can sometimes be detected while they are in progress and stopped before any damage has been done. Most detective access control policies require the use of intrusion detection systems or network intrusion detection systems, which are covered later in this chapter.

Detective access control policies are critical to having a good access control system implemented. To be able to properly react to an intrusion, you must first be aware that it is occurring. The idea behind this type of policy is for security administrator's to be able to detect intrusions or security problems. These policies should be implemented in all organizations.

Access Control Policy Implementations

Just as there are multiple types of access control policies, there are also multiple ways to implement each policy. These implementation types define the manner in which the access control policy is put into place and how it is enforced. By using the correct implementation type for their access control policy, security administrator's can ensure that it is actually useful and not defined and forgotten.

The three types of access control policy implementations are administrative, logical/technical, and physical. Each of these implementation types can be used for any of the access control types. Choosing the right implementation is very important to ensuring the usability and effectiveness of the access control policy.

Administrative

The first access control policy implementation is administrative. This type of implementation defines that a policy is administratively controlled through workplace policies or orders passed down to subordinates. Administrative access control policy implementations do not have any automated steps built in and require that people do as they are told or follow orders. Due to human nature, this type of implementation is often fallible, but it does offer an easy way to implement a first line of defense. For example, an administrative access control policy could require that employees not allow other people into a secure location without each person using their access card. This type of access control requires that the employees follow the procedure.

Logical/Technical

Logical/technical access control policy implementations provide an automated method of enforcing access control policies. This type of implementation relies on the use of technology and logical sequences to ensure that an access control policy is enforced. A simple example of this is the use of SSL encryption of the HTTP protocol (S-HTTP). Requiring the use of S-HTTP on a Web server can easily enforce an access control policy requiring that all communications coming into or out of the organization be encrypted. This type of implementation eliminates human error from the implementation of the access control policy and restricts any errors of this type to the policy design.

Physical

A physical access control policy implementation is one that interfaces with the physical world, not just with computer systems. This type of implementation includes everything from controlling access to a secure building to protecting network cabling from electro-magnetic interference (EMI). This access control implementation also includes anything dealing with biometrics as biometric devices function in the physical world. In most cases, physical access control implementations use technology to assist with identification and authentication, but the actual access control device or procedure is physical such as the locking mechanism on a door which uses biometrics for identification. Some good examples of physical access control policy implementations are:

• Biometric devices

• Identification badges

• Perimeter defenses (walls/fences)

• Physical locks

• Security guards