A control is there to protect the core values of the CIA triad (Confidentiality, Integrity and Availability).

Access control involves limiting what objects are available to what users according to a set of rules.

Subject or Users

Any person/system or process that requires access to an Object.

Objects

An Object is a system-related entity e.g. devices, files, records, tables, processes, programs, domains that contain or receive information. Access to an object (by a subject) implies access to the information it contains.
#NIST800-53

Rule

A Rule is an instruction created to allow or deny access to an Object by checking the identity of the Subject against an Access Control List.

A control is an important component of managing a risk. The effectiveness of a control directly impacts the degree of risk, and controls also need to be able to adapt as the digital landscape evolves.

Defence in Depth & Layered Defence

The layers of access control can be combined into a layered defence, working in from the outer layer to the asset:

  • "Physical" - fences, walls, doors and alarms; anything physical that prevents you from reaching the object.

  • "Logical/technical controls" - coding and programming restraints, and controls that prevent malicious code [word missing].

  • "Administrative controls" - policies or procedures.

  • "Asset / Object" - the thing being protected.

Principle of Least Privilege

Privileged access & accounts

In general a privileged account is an account given more access rights than a normal account, e.g. system admins, IT support staff and security analysts.

The presence of these accounts does allow for the potential of misuse or abuse. Ways this risk can be mitigated are:

  • High levels of Logging for these accounts

  • More strict authentication with secure passwords and Multi-factor authentication.

  • More auditing of the accounts. Are they still needed? Should that person still have those rights? etc.
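The three mitigations above can be turned into a routine review. The following is an added example (not from the original notes): a small audit over constructed account records that flags privileged accounts with no MFA, accounts unused for longer than an assumed 30-day policy threshold, and accounts whose rights have not been re-certified, plus a structured log line that marks privileged actions so they can be filtered and alerted on. All names, dates and the threshold are made up for the example.

```python
import json
from dataclasses import dataclass
from datetime import date

MAX_IDLE_DAYS = 30   # assumed policy: privileged accounts unused this long get flagged
AUDIT_DATE = date(2024, 6, 1)   # constructed "today" for the sample run


@dataclass
class Account:
    username: str
    privileged: bool
    mfa_enabled: bool
    last_login: date
    recertified: bool   # has the owner's manager confirmed the rights are still needed?


def audit_privileged_accounts(accounts, today):
    """Return (username, finding) pairs for privileged accounts missing a control."""
    findings = []
    for acct in accounts:
        if not acct.privileged:
            continue   # ordinary accounts are out of scope for this review
        if not acct.mfa_enabled:
            findings.append((acct.username, "no MFA on a privileged account"))
        idle_days = (today - acct.last_login).days
        if idle_days > MAX_IDLE_DAYS:
            findings.append((acct.username, f"unused for {idle_days} days - is it still needed?"))
        if not acct.recertified:
            findings.append((acct.username, "rights not re-certified - should they still have them?"))
    return findings


def privileged_action_log(account, action, target, timestamp):
    """Structured log line for an action by a privileged account (easy to filter on 'privileged')."""
    return json.dumps({
        "ts": timestamp,
        "user": account.username,
        "privileged": account.privileged,
        "action": action,
        "target": target,
    }, sort_keys=True)


# Constructed sample accounts for the audit (not real data).
SAMPLE_ACCOUNTS = [
    Account("root-admin", True, False, date(2024, 5, 30), True),
    Account("old-support", True, True, date(2024, 1, 15), False),
    Account("jane", False, False, date(2023, 1, 1), False),
]

if __name__ == "__main__":
    for user, finding in audit_privileged_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE):
        print(f"{user}: {finding}")
    print(privileged_action_log(SAMPLE_ACCOUNTS[0], "reset-password", "jane", "2024-06-01T09:00:00Z"))
```

Running the review on a schedule and feeding its findings to whoever owns the accounts is what turns "more auditing" from an intention into a control.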

Goldeneye 007 - it takes two people turning keys at the same time to activate the satellite.

Segregation of duties

aka Separation of Duties

No one person should have all the security access for the whole duration of a high-risk process.

Two-person control is an example of separation of duties, where two or more people must be present in order to gain access or entry. This prevents a single person from being allowed unmonitored access to a resource, mitigating the risk of insider threats.
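As an added example (not part of the original notes), here is the "two keys turned at the same time" idea in code: a gate that only releases a high-risk action once two distinct approvers have approved within a short window. The action identifiers, approver names and the 60-second window are assumptions for the example; timestamps are passed in explicitly so the behaviour can be checked without a real clock.

```python
class TwoPersonControl:
    """Gate a high-risk action behind approvals from two distinct people within a time window."""

    def __init__(self, required=2, window_seconds=60):
        self.required = required
        self.window_seconds = window_seconds
        self.pending = {}       # action_id -> {approver: timestamp of their approval}
        self.audit_trail = []   # (action_id, approver, timestamp), kept for later review

    def approve(self, action_id, approver, now):
        approvals = self.pending.setdefault(action_id, {})
        approvals[approver] = now   # the same person approving again only refreshes their own entry
        self.audit_trail.append((action_id, approver, now))
        return len(self.current_approvers(action_id, now))

    def current_approvers(self, action_id, now):
        """Distinct approvers whose approval is still inside the window."""
        approvals = self.pending.get(action_id, {})
        return {who for who, ts in approvals.items() if now - ts <= self.window_seconds}

    def is_authorised(self, action_id, now):
        return len(self.current_approvers(action_id, now)) >= self.required

    def execute(self, action_id, now, fn):
        """Run fn only if the action is authorised; approvals are consumed on use."""
        if not self.is_authorised(action_id, now):
            raise PermissionError(
                f"{action_id}: needs {self.required} distinct approvers within {self.window_seconds}s")
        self.pending.pop(action_id, None)
        return fn()


if __name__ == "__main__":
    gate = TwoPersonControl()
    gate.approve("activate-satellite", "alice", now=1000)
    gate.approve("activate-satellite", "alice", now=1002)   # still only one person
    print("authorised:", gate.is_authorised("activate-satellite", now=1003))
    gate.approve("activate-satellite", "bob", now=1010)
    print("result:", gate.execute("activate-satellite", 1011, lambda: "activated"))
```

Because approvers are tracked as a set of distinct names, one person approving twice never counts as two, and an approval that has fallen outside the window no longer counts, which is the "at the same time" part of the film scene.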

Authorised Vs Unauthorised

Authorized - has been authenticated.
Unauthorized - has not been authenticated.

Once authenticated, does the user possess the rights? If not, they are still not authorized.
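The rule and ACL definitions above and the authenticated-but-not-authorized distinction fit together in one small check, shown here as an added example (not from the original notes): a subject first proves who they are, and only then is the request evaluated against an ordered list of allow/deny rules with deny as the default. The subjects, passwords and objects are constructed sample data; the `*` wildcard and first-match rule ordering are assumptions of this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ROUNDS = 50_000


@dataclass
class Subject:
    name: str
    salt: bytes
    pw_hash: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_subject(name: str, password: str) -> Subject:
    salt = os.urandom(16)
    return Subject(name, salt, hash_password(password, salt))


# Constructed subjects (sample data, not real accounts).
SUBJECTS = {
    "alice": make_subject("alice", "correct horse battery staple"),
    "bob": make_subject("bob", "hunter2"),
}

# Constructed ACL: object -> ordered rules of (subject, action, effect).
# Rules are checked top to bottom, first match wins; "*" matches any subject.
ACL = {
    "payroll.xlsx": [
        ("alice", "read", "allow"),
        ("alice", "write", "allow"),
        ("bob", "read", "allow"),
    ],
    "handbook.pdf": [
        ("bob", "read", "deny"),   # explicit deny placed before the general allow
        ("*", "read", "allow"),
    ],
}


def authenticate(name: str, password: str):
    """Return the Subject if the credentials check out, else None."""
    subj = SUBJECTS.get(name)
    if subj is None:
        # Hash anyway so unknown and known usernames take a similar time to reject.
        hash_password(password, b"\x00" * 16)
        return None
    if hmac.compare_digest(subj.pw_hash, hash_password(password, subj.salt)):
        return subj
    return None


def evaluate_rules(subject_name: str, obj: str, action: str) -> bool:
    """The first matching rule decides; no matching rule means deny."""
    for rule_subject, rule_action, effect in ACL.get(obj, []):
        if rule_subject in (subject_name, "*") and rule_action == action:
            return effect == "allow"
    return False


def request_access(name: str, password: str, obj: str, action: str) -> str:
    """Authentication first, then authorization; the two failures are reported separately."""
    subj = authenticate(name, password)
    if subj is None:
        return "unauthenticated"
    if evaluate_rules(subj.name, obj, action):
        return "authorized"
    return "authenticated but not authorized"


if __name__ == "__main__":
    print(request_access("bob", "hunter2", "payroll.xlsx", "write"))   # authenticated but not authorized
    print(request_access("bob", "wrong", "payroll.xlsx", "read"))      # unauthenticated
```

Keeping the two outcomes distinct matters for logging too: a burst of "unauthenticated" results points at a credential problem, while "authenticated but not authorized" points at a subject probing objects beyond their rights.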

Why change their permissions?

  • New employees - given the most basic initial security until their role is defined.

  • Change of position - promotion/demotion or change of job role; their permissions and access will also change.

  • Termination of employment - depending on the company policy and procedures, access will need to be terminated, either straight away or after an agreed period, or simply have their permissions massively reduced.

Permission or Privilege Creep

Cutting corners by duplicating an existing user for a new user can lead to unexpected access control and permissions. A new user should always be created fresh.
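An added example (not from the original notes) of how the creep happens and how to catch it: a user who changed role but kept the old permissions is cloned as the template for a new hire, so the new account inherits rights its role never needed, whereas a fresh account built from the role catalogue does not. The roles and permission names are constructed for the example.

```python
# Constructed role catalogue (assumption: each role maps to a fixed permission set).
ROLE_PERMISSIONS = {
    "finance": {"ledger:read", "ledger:write"},
    "helpdesk": {"tickets:read", "tickets:write", "users:reset-password"},
}


def permissions_for_role(role):
    return set(ROLE_PERMISSIONS[role])


def create_user_fresh(username, role):
    """The right way: a new account starts with exactly its role's permissions."""
    return {"username": username, "role": role, "permissions": permissions_for_role(role)}


def clone_user(username, template):
    """The shortcut: copies whatever the template account has accumulated over time."""
    return {"username": username, "role": template["role"],
            "permissions": set(template["permissions"])}


def change_role(user, new_role, keep_old=False):
    """keep_old=True models the lazy 'just add the new role' habit that causes creep."""
    new_perms = permissions_for_role(new_role)
    user["role"] = new_role
    user["permissions"] = (user["permissions"] | new_perms) if keep_old else new_perms
    return user


def excess_permissions(user):
    """Permissions the user holds beyond what their current role needs."""
    return user["permissions"] - permissions_for_role(user["role"])


def access_review(users):
    """Report every user whose permissions have crept beyond their role."""
    return {u["username"]: sorted(excess_permissions(u)) for u in users if excess_permissions(u)}


if __name__ == "__main__":
    steve = create_user_fresh("steve", "finance")
    change_role(steve, "helpdesk", keep_old=True)   # moved to helpdesk, finance rights never removed
    newbie = clone_user("newbie", steve)            # "just copy Steve's account"
    fresh = create_user_fresh("fresh", "helpdesk")
    print(access_review([steve, newbie, fresh]))
```

The `access_review` function is the periodic check that makes creep visible: anything it reports is a permission nobody consciously granted to that role.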

Lets get Physical!
(Physical Access Controls)

Physical access controls, as the name suggests, are those security measures that are a physical thing you can touch and interact with physically: doors, fences, bollards, swipe card readers, key locks etc.

Control of Access - Turnstiles & Mantraps
Monitoring of Access - CCTV
Management of Access - Swipe Card or Pinpad access.

Crime Prevention Through Environmental Design (CPTED)
Designing buildings and architecture so that they deter criminal or malicious activity.

Lets be Logical!
(Logical Access Controls)

Electronic methods of gaining access to a system.
Most commonly passwords, PINs, biometrics and token readers connected to an electronic system.

Discretionary Access Control (DAC)
The most common access control model in information systems. It allows users to pass information on to other subjects or objects, change security attributes on files and change access controls.

It is at the discretion of the owner/creator of the data who has access controls and rights.

In a business environment this can lead to malicious altering of data as it is passed around, if everyone has the write permission. An example: you create a new Word document, type "Hello World" and send it on to your friend Steve, who passes it on to others. When it comes back to you it carries a completely different message, but the creator field still says you created this file. (This is the reason the office suite got updated with a quite detailed change log for documents.)

Mandatory Access Control (MAC)
Enforced security measures on an information system, where all data is set to a fixed level of access control and the permissions can only be changed by the organization. So when a person not specified tries to access a file they will not gain access, or would only be able to view it.

This prevents the transfer of information to unauthorized users.
It prevents changing of security attributes.
It prevents changing the rules governing access control.

Role-Based Access Control (RBAC)
A system where users are given a job role and that role already has predetermined access to certain resources; if they leave that role the access can simply be removed again. Useful when multiple people are all going to need the same access.
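To make the three models concrete, here is an added example (not from the original notes) with a toy implementation of each: under DAC the owner sets the ACL, but anyone who can read may copy the data into an object they own and share it on, which is the information-flow problem the notes describe; under MAC the organisation fixes labels and clearances, subjects cannot relabel anything, and the "no read up / no write down" rules stop a secret from being copied into a public object; under RBAC permissions hang off roles and a user gains or loses them by being put in or taken out of a role. The level names, the single security officer and all subjects and objects are assumptions for the example.

```python
from dataclasses import dataclass, field


# ---------- DAC: the owner of each object decides who can access it ----------
@dataclass
class DacObject:
    owner: str
    data: str
    acl: dict = field(default_factory=dict)   # subject -> set of permissions


class Dac:
    def __init__(self):
        self.objects = {}

    def create(self, owner, name, data):
        self.objects[name] = DacObject(owner, data, {owner: {"read", "write"}})

    def grant(self, actor, name, grantee, perm):
        obj = self.objects[name]
        if actor != obj.owner:
            raise PermissionError("only the owner may change the ACL")
        obj.acl.setdefault(grantee, set()).add(perm)

    def can(self, subject, name, perm):
        return perm in self.objects[name].acl.get(subject, set())

    def copy(self, actor, src, dst):
        # Anyone who can read may make their own copy and then share it at will, so
        # DAC cannot stop information reaching subjects the original owner never approved.
        if not self.can(actor, src, "read"):
            raise PermissionError("no read access to the source")
        self.create(actor, dst, self.objects[src].data)


# ---------- MAC: the organisation fixes labels; users cannot change them ----------
LEVELS = {"public": 0, "internal": 1, "secret": 2}   # assumed ordering for the example


class Mac:
    def __init__(self, security_officer, clearances, labels):
        self.security_officer = security_officer
        self.clearances = clearances   # subject -> level name
        self.labels = labels           # object -> level name

    def can_read(self, subject, obj):
        # "no read up": only objects at or below the subject's clearance
        return LEVELS[self.clearances[subject]] >= LEVELS[self.labels[obj]]

    def can_write(self, subject, obj):
        # "no write down": information may not be copied into a lower-labelled object
        return LEVELS[self.clearances[subject]] <= LEVELS[self.labels[obj]]

    def relabel(self, actor, obj, level):
        if actor != self.security_officer:
            raise PermissionError("labels are set by the organisation, not the user")
        self.labels[obj] = level


# ---------- RBAC: permissions attach to roles; users move in and out of roles ----------
class Rbac:
    def __init__(self, role_perms):
        self.role_perms = role_perms   # role -> set of permissions
        self.user_roles = {}           # user -> set of roles

    def assign(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user, role):
        self.user_roles.get(user, set()).discard(role)

    def can(self, user, perm):
        return any(perm in self.role_perms[r] for r in self.user_roles.get(user, ()))


if __name__ == "__main__":
    dac = Dac()
    dac.create("alice", "plan.doc", "launch Tuesday")
    dac.grant("alice", "plan.doc", "bob", "read")
    dac.copy("bob", "plan.doc", "plan-copy.doc")       # bob now owns a copy...
    dac.grant("bob", "plan-copy.doc", "eve", "read")   # ...and can hand it to anyone
    print("eve reads the copy under DAC:", dac.can("eve", "plan-copy.doc", "read"))

    mac = Mac("security-officer", {"alice": "secret", "eve": "public"},
              {"plan.doc": "secret", "bulletin": "public"})
    print("alice may copy secret into public under MAC:", mac.can_write("alice", "bulletin"))
```

The contrast to notice is in `copy`: DAC has no notion of where data came from, so the second object's ACL is entirely up to its new owner, whereas MAC's `can_write` check follows the label rather than the owner and refuses the downward copy.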