Objectives of Access Control
Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.
- PR.AC-1: Identities and credentials are managed for authorized devices and users
- PR.AC-2: Physical access to assets is managed and protected
- PR.AC-3: Remote access is managed
- PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties
- PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate
Things to Know
- Information : data.
- Systems : file servers, web servers, databases.
- Devices : desktops, servers, laptops, tablets, phones, printers, etc.
- Facilities : buildings, data centers.
- Personnel : people, employees.
A subject : an active entity (a user, application, process, device, or anything else) that requests access to an object.
An object : a passive entity that provides information or a service to subjects, such as a file, a database record, or a printer.
There are 7 Access Control types. The 3 primary control types are preventive, detective, and corrective:
- Preventive : this access control type attempts to stop the unwanted access from happening in the first place. Examples:
  - Biometric devices
  - Policy of separation of duties
  - Policy of job rotation
  - Data classification
  - Penetration testing
  - Callback procedures
  - Intrusion Prevention System (IPS)
  - Some that I think are classified wrong, because they won't actually prevent the action from happening, are lighting, alarm systems, auditing, penetration testing, the presence of cameras or CCTV, and security awareness training.
- Detective : this access control type detects and reports unwanted access when it DOES happen, during or after the fact. Examples are:
  - Security guards
  - Motion detectors
  - The recordings of security cameras (DVR) or CCTV
  - Policy of job rotation
  - Policy of mandatory vacations
  - Audit trails
  - Honeypots and honeynets
  - Intrusion Detection Systems (IDS)
  - Incident investigations
- Corrective : this access control type modifies the environment to return the system to normal after an unwanted event. Examples are:
  - Terminating a malicious session
  - Rebooting a system
  - Quarantining a virus
  - Restoring from backup
  - An active IDS that can change the ACLs in response to an alert
The 4 other access control types:
- Deterrent : discourages a would-be violator from attempting the action rather than technically blocking it. Examples: warning banners, visible cameras, a policy that states sanctions.
- Recovery : restores the environment to normal operation after an incident; an extension of corrective controls. Examples: backups, system images, fault-tolerant storage, disaster recovery plans.
- Directive : directs or compels subjects toward compliant behaviour. Examples: security policies, procedures, posted notices, escape route signs.
- Compensating : an alternative control that provides equivalent protection when the primary control cannot be applied. Example: a documented second-person review step where separation of duties cannot be enforced technically.
Steps for implementing Access Control
- Identify and authenticate users or other subjects attempting to access resources.
- Determine whether the access is authorized.
- Grant or deny access based on that authorization decision, denying by default when no rule explicitly permits the action.
- Monitor and log access attempts.
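The four steps above, together with the least privilege and separation of duties requirement of PR.AC-4, fit in a small reference monitor. The example below is added here and is not code from the original notes: the accounts, passwords, roles, object types (invoice, audit_log) and the separation-of-duties rule are all constructed for illustration. Authentication uses PBKDF2 with a constant-time comparison; authorization is default-deny over explicit role permissions, and every attempt, granted or denied, lands in an audit log.

```python
"""Added example: a minimal reference monitor walking the four access control
steps (identify/authenticate, decide authorization, grant or deny, log) and
enforcing least privilege and separation of duties. All accounts, roles,
objects and passwords are constructed for illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ROUNDS = 100_000  # assumed illustrative value


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass(frozen=True)
class Account:
    name: str
    salt: bytes
    pw_hash: bytes
    roles: frozenset


def make_account(name: str, password: str, roles) -> Account:
    salt = os.urandom(16)
    return Account(name, salt, _hash_password(password, salt), frozenset(roles))


def authenticate(accounts: dict, name: str, password: str):
    """Step 1: identify (look up the claimed name) and authenticate (verify the
    secret). Unknown name and wrong password fail identically so the response
    does not reveal which one it was."""
    acct = accounts.get(name)
    if acct is None:
        return None
    if not hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash):
        return None
    return acct


# Least privilege: each role carries only the (object_type, action) pairs it needs.
ROLE_PERMISSIONS = {
    "clerk": {("invoice", "create")},
    "approver": {("invoice", "approve")},
    "auditor": {("audit_log", "read")},
}

# Separation of duties: a subject who was granted the value action on an object
# instance may not later be granted the key action on that same instance.
SOD_CONFLICTS = {("invoice", "approve"): ("invoice", "create")}


class ReferenceMonitor:
    def __init__(self, accounts: dict):
        self.accounts = accounts
        self.audit_log = []   # step 4: every attempt, as (subject, type, id, action, decision, reason)
        self.granted = set()  # (subject, object_type, object_id, action) already allowed

    def _authorize(self, acct: Account, obj_type: str, obj_id: str, action: str):
        """Step 2: default deny; allow only what some role explicitly grants,
        then apply the separation-of-duties rule against earlier grants."""
        perms = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in acct.roles))
        if (obj_type, action) not in perms:
            return False, "no permission"
        conflict = SOD_CONFLICTS.get((obj_type, action))
        if conflict and (acct.name, conflict[0], obj_id, conflict[1]) in self.granted:
            return False, "separation of duties"
        return True, "ok"

    def request(self, name: str, password: str, obj_type: str, obj_id: str, action: str) -> bool:
        """Steps 1 to 4 end to end; returns True only when access is granted."""
        acct = authenticate(self.accounts, name, password)
        if acct is None:
            self.audit_log.append((name, obj_type, obj_id, action, "DENY", "authentication failed"))
            return False
        allowed, reason = self._authorize(acct, obj_type, obj_id, action)
        if allowed:  # step 3: grant, and remember it for later SoD checks
            self.granted.add((acct.name, obj_type, obj_id, action))
        self.audit_log.append((acct.name, obj_type, obj_id, action, "ALLOW" if allowed else "DENY", reason))
        return allowed


def build_demo_monitor() -> ReferenceMonitor:
    """Constructed accounts; carol holds both clerk and approver roles."""
    accounts = {
        "alice": make_account("alice", "alice-pw", ["clerk"]),
        "bob": make_account("bob", "bob-pw", ["approver"]),
        "carol": make_account("carol", "carol-pw", ["clerk", "approver"]),
        "dave": make_account("dave", "dave-pw", ["auditor"]),
    }
    return ReferenceMonitor(accounts)


if __name__ == "__main__":
    rm = build_demo_monitor()
    rm.request("alice", "alice-pw", "invoice", "42", "create")   # ALLOW
    rm.request("alice", "alice-pw", "invoice", "42", "approve")  # DENY: not her role
    rm.request("carol", "carol-pw", "invoice", "42", "approve")  # ALLOW
    rm.request("carol", "carol-pw", "invoice", "43", "create")   # ALLOW
    rm.request("carol", "carol-pw", "invoice", "43", "approve")  # DENY: SoD, she created it
    rm.request("mallory", "x", "invoice", "43", "approve")       # DENY: authentication failed
    for entry in rm.audit_log:
        print(entry)
```

Note that carol is denied the approval of invoice 43 even though her approver role permits the action: separation of duties is checked against the subject's own earlier grants, not just the role set, which is why the monitor records granted actions. Denied attempts are logged with the same detail as granted ones, which is what makes the audit trail usable as a detective control.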