Access Controls encompass all operational levels of an organization.
Facilities; Support Systems; Information Systems; and Personnel
Confidentiality, Integrity and Availability
Two Philosophies for Access Control
Allow by Default and Deny by Default
Defense in Depth Strategy
Applying multiple layers of security protection between an information resource and a potential attacker.
Three step process for determining access controls
1. Defining resources 2. Determining users 3. Specifying the users' use of the resources
Consistent Access Control Strategy
Simplicity is the key to an effective security system.
Separation of Duties
Primary objective is the prevention of fraud and errors: distributing tasks and associated privileges for a specific process among multiple people.
Collection of tasks that must be performed to achieve an objective.
Applicability of Separation of Duties
Sensitivity of the function under consideration; which elements within the function are prone to abuse, which are easily segmented, and what skills are available.
User is given no more access privilege than necessary to perform a job, task, or function.
Need to know
Defines the minimum needed to know to perform job function
Separating groups of people and information such that each group is isolated and information does not flow between groups.
Area where common process and security control work to separate all entities involved in these processes from other entities or security domains.
Objective is to group an organization's information assets by levels of sensitivity and criticality.
Information Classification Program
1. Determine objectives 2. Establish organizational support 3. Develop policy and supporting procedures 4. Develop process flows and procedures 5. Develop tools to support 6. Identify process and application owners 7. Identify information owners and delegates 8. Distribute standard templates 9. Classify information and applications 10. Develop auditing procedures 11. Load classification information into a central repository 12. Train users 13. Periodically review and update information classifications
Access Control System Requirements
Reliability, Transparency, Scalability, Integrity, Maintainability, Authentication Data Security, and Auditability
Main Categories of Access Control
1. Directive - apply rules 2. Deterrent - discourage violations 3. Preventive - prevent incident 4. Compensating - mitigate risk 5. Detective - signal warning when breached 6. Corrective - remedy circumstance 7. Recovery - restore conditions
Access Control Types
1. Administrative Controls - define roles, responsibilities, policies, and administrative functions. 2. Logical (Technical) Controls - electronic hardware and software solutions implemented to control access to information and information networks. 3. Physical Controls - protect the physical environment - locks, gates, guards
Major Groups of Administrative Controls
1. Policies and Procedures 2. Personnel Security, evaluation and clearances 3. Security policies 4. Monitoring 5. User management 6. Privilege management
Business continuity plan/disaster recovery plan
Remote Authentication Dial In User Service
Major Groups of Logical Controls
1. Network Access 2. Remote Access 3. System Access 4. Application Access 5. Malware Control 6. Encryption
Discretionary Access Controls (DAC)
Controls placed on data by the owner of the data
Mandatory Access Controls (MAC)
Controls determined by the system and based primarily on organizational policy. Data needs to be labeled as to its classification. Access permissions are applied to an object based on the level of clearance given to a subject.
Nondiscretionary Access Control
Based on assignment of permissions as defined by the administrator of a system
Access Control Matrix
An access control list in the form of a table - showing what permissions a user has for various system objects.
Rule-based Access Control
Specifies the privileges granted to users (e.g. read, write) when the specific condition of a rule is met - e.g. the time a certain file can be accessed.
Role-based Access Control
Based on job function - objects associated with a role will inherit privileges assigned to that role
Non-RBAC - users granted access directly; Limited RBAC - users mapped to roles within a single application; Hybrid RBAC - roles applied to multiple applications or systems, but with instances where subjects are assigned to roles defined within an application; Full RBAC - roles defined by organizational policy
Content Dependent Access Control
Based on content of data not roles