Access control, in the context of information security, is the ability to permit or deny the use of an object (a passive entity such as a system or file) by a subject (an active entity such as an individual or process). Such use is normally defined through a set of rules or permissions: read, write, execute, list, change, and delete.
Access control is achieved through an entire set of controls that, identified by purpose, include preventive (which reduce risk) and detective (which identify violations and incidents) controls. Other types of controls include corrective (which remedy violations and incidents and improve existing preventive and detective controls), deterrent (which discourage violations), recovery (which restore systems and information), and compensating (alternative controls).
Tip: Access controls can be administrative, technical, or physical.
Administrative controls include the policies and procedures that an organization implements as part of its overall information security strategy. Administrative controls ensure that technical and physical controls are understood and properly implemented in accordance with the organization’s security policy. The purpose of administrative controls is often both preventive and detective. These may include
Policies and procedures
Security awareness training
Asset classification and control
Employment policies and practices (background checks, job rotations, and separation of duties and responsibilities)
Account administration
Account, log, and journal monitoring
Review of audit trails
Cross-Reference: We discuss administrative controls in Chapters 6 and 10.
Technical (or logical) controls use hardware and software technology to implement access control.
Preventive technical controls include
Encryption: Data Encryption Standard (DES), Advanced Encryption Standard (AES), Merkle-Hellman Knapsack.
Access control mechanisms: Biometrics, smart cards, and tokens.
Access control lists
Remote access authentication protocols: Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), Remote Authentication Dial-In User Service (RADIUS), Lightweight Directory Access Protocol (LDAP).
Detective technical controls include
Violation reports
Audit trails
Network monitoring and intrusion detection
Cross-Reference: Technical controls are the focus of this chapter; we also discuss them in Chapters 5 through 9.
Physical controls ensure the safety and security of the physical environment. These can be preventive or detective in nature.
Preventive physical controls include
Environmental controls (for example: heating, ventilation, and air conditioning [HVAC])
Security perimeters (fences, locked doors, and restricted areas)
Guards and dogs
Detective physical controls include
Motion detectors
Video cameras
Environmental sensors and alarms (to detect heat, smoke, fire, and water hazards)
Cross-Reference: We discuss physical controls in Chapter 13.
Instant Answer: When a control failure results in no accesses permitted, this is called fail closed. When a control failure results in all accesses permitted, this is called fail open.
Access control systems provide three essential services:
Authentication
Authorization
Accountability
Authentication (who can log in) is actually a two-step process consisting of identification and authentication (I&A). Identification is the means by which a user claims a specific identity to a system. Authentication is the process of verifying that identity. For example, a username/password combination is one common technique (albeit a weak one) that demonstrates the concepts of identification (username) and authentication (password).
Instant Answer: Authentication determines who can log in.
Authorization (also referred to as establishment) defines the rights and permissions granted to a user account or process (what you can do). After a user is authenticated, authorization determines what that user can do with a system or resource.
Instant Answer: Authorization (or establishment) determines what a subject (either a person or a system) can do.
Accountability is the ability to associate users and processes with their actions (what they did). Audit trails and system logs are components of accountability. An important security concept that’s closely related to accountability is non-repudiation. Non-repudiation means that a user (username Madame X) can’t deny an action because her identity is positively associated with her actions.
Instant Answer: Accountability determines what a subject did.
Non-repudiation means that a user cannot deny an action.
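The following added example (not from the book) ties the three services together in a tiny reference monitor: identification and authentication of a subject, authorization of a permission on an object against an access control list, and an audit trail for accountability. The authorization check fails closed, as defined in the Instant Answer above. The user, password, object path and ACL are constructed sample data.

```python
"""Minimal reference monitor: I&A -> authorization -> accountability.
Constructed example data throughout; not a production credential store."""
import hashlib
import hmac
import secrets
from typing import Optional

# The permission set named in the text: read, write, execute, list, change, delete.
PERMISSIONS = {"read", "write", "execute", "list", "change", "delete"}

def _hash(salt: bytes, password: str) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()

# Constructed credential store: username -> (salt, sha256(salt || password)).
_SALT = secrets.token_bytes(16)
USERS = {"madame_x": (_SALT, _hash(_SALT, "correct horse"))}

# Constructed ACL: object -> {subject: set of granted permissions}.
ACL = {"/reports/q3.txt": {"madame_x": {"read", "list"}}}

# Audit trail for accountability: (subject, object, permission, outcome).
AUDIT_LOG: list = []

def authenticate(username: str, password: str) -> Optional[str]:
    """Identification (the claimed username) followed by authentication
    (the password). Returns the verified identity, or None on failure."""
    record = USERS.get(username)
    if record is None:
        return None                       # unknown identity claimed
    salt, digest = record
    if not hmac.compare_digest(digest, _hash(salt, password)):
        return None
    return username

def authorize(subject: str, obj: str, permission: str) -> bool:
    """Fail closed: anything not explicitly granted, and any internal
    error, yields a DENY. A fail-open design would return True here."""
    try:
        if permission not in PERMISSIONS:
            raise ValueError(f"unknown permission {permission!r}")
        granted = permission in ACL.get(obj, {}).get(subject, set())
    except Exception:
        granted = False
    AUDIT_LOG.append((subject, obj, permission, "ALLOW" if granted else "DENY"))
    return granted

def access(username: str, password: str, obj: str, permission: str) -> bool:
    """Authentication, then authorization; every outcome is logged."""
    subject = authenticate(username, password)
    if subject is None:
        AUDIT_LOG.append((username, obj, permission, "AUTH-FAIL"))
        return False
    return authorize(subject, obj, permission)
```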