Security + Exam Guide (Charles River Media Networking/Security)

Access control defines the set of procedures used to restrict and monitor access to various types of sensitive information or resources. Access control can be implemented by hardware, software, or by IT administrators to do the following:

• Identify users

• Track users' use of resources

• Allow or deny access to those resources

Access is granted, limited, or denied, based on one's identity or membership in a predefined group through which privileges are inherited. The time of day or location of the user can also play a role in their level of access. The Security+ certification exam will require your knowledge of the different techniques and methodologies used to implement access control in an enterprise environment.

The most common type of access control in effect is witnessed when a user is denied access to a password-protected network share. Either the user wasn't specifically granted access to the resource or another restrictive measure is being enforced. Next, we will explore some of the important access control models from which many access control methods and techniques are based.

Access Control Models

If you have studied networking fundamentals, you are most likely familiar with the OSI (Open Systems Interconnection) model. The OSI model is used as a theoretical reference for programmers and developers to use as common ground for developing and implementing new programs and network related protocols and devices. (The OSI model will be described in detail in Chapter 4). Just as the OSI model is used as a theoretical approach to networking, access control models are used as theoretical approaches to the various access control methods we will discuss. Although you should focus your attention on the specific access control techniques detailed later in this chapter, it is important for you to familiarize yourself with the basic security models from which access control techniques are derived.

The most common access control models are as follows:

• Bell-LaPadula (B-L model): A mandatory access control model developed to control and protect government and military information and data. The Bell-LaPadula model was the first mathematical security model used to address security, modes of access, and a set of rules for assigning security access rights. This access control method is a hierarchical structure where access is based on the assigned rights and classifications of subjects and objects. With this approach, subjects and objects are assigned different levels of security. A subject can access only objects based on a subject's security clearance or level. This model also supports the ability to verify access rights by checking an active matrix. This form of access control is known as discretionary access, which restricts a user's access to an object. For example, a file or folder.

• Biba: In 1977, the Biba security model was created to address some of the particular weaknesses in the Bell-LaPadula model. Specifically, the Biba model addresses the problem concerning the ability of a subject or user with a lower security level rating to write to a subject's information with a higher security level or clearance. In simple terms, if User B has a lower security level than User A, User B should not be able to write over User A's information.

• Clark-Wilson: The Clark-Wilson security model was developed in 1987. Its main focus is to protect the integrity of data through the use of secured programs. This model is concerned primarily with the internal and external consistency of data.

• Non-interference: A mathematical technique developed for high-level security systems. Non-interference was designed as a tool for analyzing or testing the security of a computing system.

If you are interested in learning more about security models, a wealth of information is available for free on the Internet. Simply go to your Web browser and search Security Models. It is unlikely that the current Security+ exam will drill you on the fine details of the mathematical equations that make up these models. However, it is likely you will have to know what type of access control they use.