3. Access Control

What is a Security Control?

A safeguards designed to preserve CIA

Access control: Limiting what is available to who:

• Not only restriction but granting

Denying access is based on three elements:

Subject

Any entity that requests access to assets: User/client/process/program

• Active: Initiates request

• Should have a relational level of clearance (perms)

Object

Anything a subject attempts to access: Device, process, person, user, program, server, client, entity

• Passive: Takes no action until called on by subject

• Objects respond to requests received

• Objects don't contain their own access control logic

  • Building, computer, file, db, printer, server, etc..

• Anything that provides service to a user and responds to a request

Rule

An instruction to allow/deny access to an object by comparing ID to ACL

• Can: Compare multiple attributes to determine appropriate access

  • Allow/deny access to an object, apply time-based access

  • Define how much access allowed

Controls Assessments: Risk reduction on the effectiveness of a control

Defense-in-Depth

Integrates people, tech, ops, to establish barriers across many layers

• Multiple countermeasures in layered fashion to fulfill objectives

Principle of Least Privilege

General

Permitting only min access needed for users, programs to function

Privileged Access Management Privileged Accounts:

• Perms beyond normal: Managers, admins, help desk, analysts

• More extensive and detailed logging

• More stringent access than regular users, more auditing

Segregation of Duties: No person should control high-risk transactions from start to finish

Dual control: Two separate combination locks on door of vault Two-Person Integrity: 2 ppl in an area, making it impossible to be alone

Authorized vs. Unauthorized Personnel

Provisioning

New employee: Requests from management to create new user IDs

• Instructions on access levels: Auth required for elevated perms

Change of position: Perm/access rights might change by role

• Any access no longer needed removed and vice versa

Separation of employment: Accounts disabled after termination

• Recommended accts be disabled for a period before deletion

Physical Access Controls

Mechanisms to prevent, monitor, areas in a facility

Guards, fences, detectors, doors, gates, badges, cameras, mantraps, turnstiles, alarms

General

Badge: Issued with employee identifiers, giving access

• May include biometric characteristics compared against a db

• Integrated with logging to doc access activity

• Some devices combine processes to detect counterfeiting

Include: Barcodes, magnetic stripes, proximity lights

CPTED

Crime Prevention through Environmental Design:

• Creating safer workspaces through passive design elements

• Helps solve challenges of crime via design methods

Biometrics

Uses characteristics unique to individuals

2 Processes for verification:

1. Enrollment: User’s registered biometric code is stored/kept by user

2. Verification: User presents biometric data so it can be compared

Physiological systems: Measure characteristics like fingerprints

Behavioral Systems

Measure how a person acts by signature and keystroke dynamics

• Logs may be needed to prove compliance with regulations

  • Must be protected from manipulation

• Guidelines for log retention must be established and followed

Log anomaly: Anything out of the ordinary in a log

PCI DSS: Payment Card Industry Data Sec Standard:

• Requires businesses retain 1 year of log data

Logical Access Controls

Electronic ways someone is limited from access

Passwords, biometrics, badges, tokens

Discretionary

Enforced over all subjects, objects in a system

Policy specifies those who have access can:

• Pass info and grant privs to others

• Change, choose attributes with newly created, revised objects

• Change rules governing access control

  • Rule-based access controls: Usually form of DAC

• An object’s ACL shows total set of subjects who have perms

• A capabilities list shows each object the subject has perms

Mandatory

Policy enforced across all subjects, objects within the boundary of a system

Constrained from:

• Passing info or granting access to unauthorized subjects

• Changing attributes on subjects, objects, components

• Choosing attributes associated with newly created, modified objects

• Changing rules governing access control

• Who can control access

Role-Based

Sets up perms on roles; Each represents users with similar perms