Access Control Concepts Explained
Security Control
A control is a protective measure put in place to maintain the confidentiality, integrity, and availability of data, the three properties of the CIA Triad. Access control regulates the availability of objects to specific subjects according to rules. Subject, object, and rule are the three terms this discussion is built on, so keep them in mind. A firewall, for instance, is a control that can be added to a system or network to block external interference that could compromise the environment. The same firewall can also keep confidential information from leaving the internal network and being viewed or accessed on the internet, preventing unauthorized individuals from reaching it.
Access controls can be considered as the foundation of an information security program, as they play a crucial role in determining who can access organizational assets such as buildings, systems, and data, and what actions they can perform once they have access. Access controls are not just about restricting access, but also about granting appropriate access to authorized personnel and processes while denying access to unauthorized individuals or functions. In this context, a subject refers to any entity that requests access to assets, which could be a user, a client, a process, or a program, for instance. Since a subject initiates a request for service, it is considered an active entity.
- Subject: A subject can be a user, process, procedure, client (or server), program, device such as an endpoint, workstation, smartphone, or removable storage device with onboard firmware. It is considered active because it initiates a request for access to resources or services and requests a service from an object. The subject should have a level of clearance or permissions that corresponds to its ability to successfully access services or resources.
- Object: An object, on the other hand, is anything that a subject tries to access, which could be a device, process, person, user, program, server, client, or any other entity that responds to a request for service. Unlike a subject, an object is passive and takes no action until requested by a subject. When requested, an object will respond to the request it receives, and if the request is incorrect, the response will likely not be what the subject intended.
It's worth noting that objects do not contain their own access control logic by definition. They are passive and must be protected from unauthorized access by other layers of functionality in the system, such as an integrated identity and access management system. An object has an owner who has the right to decide who or what should be allowed access to it, and access rules are typically recorded in a rule base or access control list.
An object can be a building, computer, file, database, printer, scanner, server, communication resource, block of memory, input/output port, person, software task, thread, or process. Its main function is to provide service to a user, and it is considered passive because it does not initiate any requests on its own. Instead, it responds to requests made by a subject.
An object may also have a classification, which typically corresponds to its level of sensitivity or confidentiality. However, unlike a subject, an object does not have clearance or permissions related to accessing services or resources.
- Rule: To permit or refuse access to an object, an access rule is created. This rule is designed to check the authenticated identity of the subject against an access control list. An instance of an access rule can be a firewall's access control list, which typically denies access from any address to any address on any port. However, to make the firewall useful, additional rules must be established. For example, a rule could be added to allow access from the inside network to the outside network. This rule grants access to the object "outside network" to a subject that has the address "inside network." Another example of an access rule is when a user requests access to a file. In this case, the rule determines the level of access that the user should have to the file by validating a set of attributes that define the appropriate access level.
An access rule has the following characteristics:
- It can evaluate multiple attributes to determine the correct level of access.
- It can authorize access to an object.
- It can restrict access to an object.
- It can apply access based on time.
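The subject, object and rule model above, as an added example that is not code from the original article: a default-deny evaluator in which subjects carry clearance, objects carry classification, and rules match on a subject attribute, an action set and a time-of-day window, with an explicit deny rule overriding any allow. The attribute names, rule fields and sample rule base are assumptions constructed for illustration.

```python
# Added example, not code from the original article: a minimal evaluator for the
# subject / object / rule model. Names, rule fields and sample data are constructed.
from dataclasses import dataclass, field
from datetime import time

@dataclass(frozen=True)
class Subject:
    name: str
    clearance: int                 # subjects carry a clearance level
    groups: frozenset = field(default_factory=frozenset)

@dataclass(frozen=True)
class Obj:
    name: str
    classification: int            # objects carry a classification, not a clearance

@dataclass(frozen=True)
class Rule:
    obj: str                       # object the rule protects
    group: str                     # subject attribute the rule matches on
    actions: frozenset             # actions the rule covers
    effect: str = "allow"          # "allow" or "deny"
    start: time = time(0, 0)       # time-of-day window in which the rule applies
    end: time = time(23, 59)

def evaluate(subject, obj, action, now, rules):
    """Default deny, like an empty firewall rule base: allow only if clearance
    meets classification and a matching allow rule exists; explicit deny wins."""
    if subject.clearance < obj.classification:
        return "deny"
    decision = "deny"
    for r in rules:
        if (r.obj != obj.name or r.group not in subject.groups
                or action not in r.actions or not r.start <= now <= r.end):
            continue
        if r.effect == "deny":
            return "deny"
        decision = "allow"
    return decision

# Constructed rule base: billing staff may read customer financials in business
# hours, billing leads may also write/delete, contractors are explicitly denied.
RULES = [
    Rule("customer_financials", "billing", frozenset({"read"}), start=time(8, 0), end=time(18, 0)),
    Rule("customer_financials", "billing_leads", frozenset({"read", "write", "delete"})),
    Rule("customer_financials", "contractors", frozenset({"read"}), effect="deny"),
]
FINANCIALS = Obj("customer_financials", classification=2)
```

A billing user can read during business hours but not delete, a billing lead can delete, and a contractor is refused even though an allow rule also matches, because the deny rule takes precedence.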
Control Assessments
The effectiveness of a control is crucial in reducing risks, and it should be adaptable to changing circumstances. For instance, imagine a situation where a section of an office building is being repurposed as a secure storage facility. To ensure that confidential files are stored securely, five doors in the area need to be secured. When it comes to securing a physical location, various factors must be taken into account. For optimal security, it may be recommended to install biometric scanners on all doors, but a site assessment can determine whether all five doors require this level of security or only one or two. If the budget is limited, the remaining doors could be permanently secured, or they could be replaced with a permanent wall. The cost of implementing the controls must be commensurate with the value of what is being protected. In some cases, a simple deadbolt lock on all the doors may be sufficient if multiple biometric locks are unnecessary, and access to the area does not require auditing.
Defense In Depth
The focus is not solely on system access, but also on all access permissions, such as building access, server room access, network and application access, and utility access. These permissions are all part of an organization's layered defense strategy, also known as defense in depth.
Defense in depth is an information security approach that integrates people, technology, and operations to establish variable barriers across multiple layers and objectives of the organization. This strategy uses multiple countermeasures in a layered manner to meet security objectives. Although defense in depth is intended to prevent or deter cyberattacks, it cannot guarantee that attacks will not occur.
A technical example of defense in depth is the use of multiple layers of technical controls, such as multi-factor authentication. For instance, after providing a username and password to log in to an account, a code is sent to a phone to verify the identity of the user. This type of authentication combines two factors, something you know (the password) and something you have (the phone), making it more challenging for an adversary to access the account.
Another example of implementing multiple technical layers is by employing additional firewalls to segregate untrusted networks with varying security requirements from trusted networks containing servers with sensitive data in an organization. In case a company has data at various sensitivity levels, it might use more than one firewall to validate the network traffic, with the most sensitive data stored behind multiple firewalls.
To illustrate a non-technical example of defense in depth, think about the various layers of access required to reach the data stored in a data center. Initially, a lock on the door provides a physical barrier to accessing the data storage devices. Secondly, a technical rule prevents data access via the network. Lastly, a policy or administrative control outlines the regulations that allocate access to authorized individuals.
Least Privilege
In order to protect the privacy of sensitive data and guarantee that it is accessible only to authorized personnel, we employ privileged access management based on the principle of least privilege. This means that each user is given access only to the resources they require and nothing more.
For example, only those working in billing will be given permission to access customers' financial data, and only a select few will have the power to modify or erase that data. This maintains confidentiality and integrity while still providing availability, since administrative access is granted with a suitable password or sign-on that verifies the user's authorization to that information.
At times, it may be necessary to grant users temporary or restricted access to certain information, such as during specific time periods or within business hours. Access rules may also limit the specific fields that users can access.
Monitoring systems are often in place to track access to private information. If logs indicate that someone has attempted to access a database without the proper permissions, an alarm is automatically triggered. The security administrator records the incident and alerts the appropriate personnel to take action.
Privileged Accounts
To put it simply, privileged accounts refer to user accounts that have more permissions than standard accounts, typically used by managers and administrators. These accounts are utilized by several groups of users, including system administrators who are responsible for operating systems and applications, help desk or IT support personnel who need access to restricted operations, and security analysts who require swift access to the organization's IT infrastructure, systems, endpoints, and data environment.
Privileged user accounts can also be customized for specific clients or projects, granting team members greater control over data and applications. This illustrates that organizations frequently must entrust the management and safeguarding of their information assets to various individuals in managerial, supervisory, support, or leadership roles, each with varying degrees of power and accountability. Such delegation must be based on a foundation of trustworthiness, as any misuse or abuse of these privileges could have negative consequences for the organization and its stakeholders.
Typically, several measures are used to mitigate the potential risks associated with misuse or abuse of privileged accounts. These measures include:
- Detailed and extensive logging of privileged actions: This serves as both a deterrent and an administrative control that can be audited and reviewed to identify and respond to malicious activity.
- More stringent access control compared to regular user accounts: Even non-privileged users should use multi-factor authentication (MFA) to access organizational systems and networks. Privileged users, or highly trusted users with access to privileged accounts, should undergo additional or more rigorous authentication before being granted these privileges. Just-in-time identity can also be used to restrict the use of these privileges to specific tasks and times when the user is performing them.
Segregation of Duties
A core element of authorization is the principle of segregation of duties (aka separation of duties). Segregation of duties is based on the security practice that no one person should control an entire high-risk transaction from start to finish. Segregation of duties breaks the transaction into separate parts and requires a different person to execute each part of the transaction. For example, an employee may submit an invoice for payment to a vendor (or for reimbursement to themselves), but it must be approved by a manager prior to payment; in another instance, almost anyone may submit a proposal for a change to a system configuration, but the request must go through technical and management review and gain approval, before it can be implemented.
These measures can prevent fraudulent activity or catch process errors before a change takes effect. The same employee may have approval authority for some activities but not for others. Segregation of duties is not foolproof, however: two individuals can collude to bypass it. A related control is dual control, where two individuals are required to work together to perform a task, such as opening a bank vault with two different combinations known to different personnel.
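The invoice workflow and the two-combination vault described above, as an added example that is not code from the original article: each stage of the transaction is performed by a different person, a submitter cannot approve their own invoice, payment requires a prior approval by someone else, and the vault opens only when two distinct custodians each present their own combination. The role assignments, names and combinations are assumptions constructed for illustration.

```python
# Added example, not code from the original article: segregation of duties on an
# invoice workflow and dual control on a vault. Roles, names and combinations are constructed.
from dataclasses import dataclass
from typing import Optional

class SoDViolation(Exception):
    """One person would control more than one stage of a high-risk transaction."""

@dataclass
class Invoice:
    invoice_id: str
    amount: int
    submitted_by: str
    approved_by: Optional[str] = None
    paid_by: Optional[str] = None

# Constructed role assignments: who may perform which stage of the transaction.
ROLES = {
    "approve": {"grace", "heidi"},   # managers; grace can also submit invoices
    "pay": {"ivan"},                 # accounts payable
}

def approve(inv, approver):
    if approver not in ROLES["approve"]:
        raise PermissionError(f"{approver} has no approval authority")
    if approver == inv.submitted_by:
        raise SoDViolation("a submitter may not approve their own invoice")
    inv.approved_by = approver
    return inv

def pay(inv, payer):
    if payer not in ROLES["pay"]:
        raise PermissionError(f"{payer} may not release payments")
    if inv.approved_by is None:
        raise SoDViolation("payment requires prior approval")
    if payer in (inv.submitted_by, inv.approved_by):
        raise SoDViolation("payer must differ from submitter and approver")
    inv.paid_by = payer
    return inv

def open_vault(attempts, combinations):
    """Dual control: two different custodians each present their own combination.
    One person presenting both halves, or a wrong combination, is refused."""
    if len(attempts) != 2:
        return False
    (p1, c1), (p2, c2) = attempts
    if p1 == p2:
        return False
    return combinations.get(p1) == c1 and combinations.get(p2) == c2
```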