CISSP For Dummies

Access control, in the context of information security, is the ability to permit or deny the use of an object (a passive entity such as a system or file) by a subject (an active entity such as an individual or process). Such use is normally defined through a set of rules or permissions: read, write, execute, list, change, and delete.

Control types

Access control is achieved through an entire set of controls that, identified by purpose, include preventive (which reduce risk) and detective (which identify violations and incidents) controls. Other types of controls include corrective (which remedy violations and incidents and improve existing preventive and detective controls), deterrent (which discourage violations), recovery (which restore systems and information), and compensating (alternative controls).

 Tip   Access controls can be administrative, technical, or physical.

Administrative controls

Administrative controls include the policies and procedures that an organization implements as part of its overall information security strategy. Administrative controls ensure that technical and physical controls are understood and properly implemented in accordance with the organization’s security policy. The purpose of administrative controls is often both preventive and detective. These may include

 Cross-Reference   We discuss administrative controls in Chapters 6 and 10.

Technical controls

Technical (or logical) controls use hardware and software technology to implement access control.

Preventive technical controls include

Detective technical controls include

 Cross-Reference   Technical controls are the focus of this chapter; we also discuss them in Chapters 5 through 9.

Physical controls

Physical controls ensure the safety and security of the physical environment. These can be preventive or detective in nature.

Preventive physical controls include

Detective physical controls include

 Cross-Reference   We discuss physical controls in Chapter 13.

 Instant Answer   When a control failure results in no accesses permitted, this is called fail closed. When a control failure results in all accesses permitted, this is called fail open.
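The following is an added example, not code from the book: a small access-control decision function for the permission rules named above (read, write, execute, list, change, delete), written so that anything not explicitly granted is denied, and with the fail-closed versus fail-open behaviour of the Instant Answer made into an explicit choice. The subjects, objects and policy table are constructed for illustration.

```python
"""Access-control decision with an explicit fail-closed or fail-open policy.
Added example, not from the book; subjects, objects and the policy are constructed."""
from enum import Enum


class Permission(Enum):
    READ = "read"
    WRITE = "write"
    EXECUTE = "execute"
    LIST = "list"
    CHANGE = "change"
    DELETE = "delete"


class ControlFailure(Exception):
    """The control itself could not operate (e.g. the policy store is unreachable)."""


# Constructed policy: object (passive entity) -> subject (active entity) -> permissions
SAMPLE_POLICY = {
    "/etc/passwd": {
        "root": {Permission.READ, Permission.WRITE, Permission.CHANGE},
        "alice": {Permission.READ},
    },
    "/home/alice/notes.txt": {
        "alice": {Permission.READ, Permission.WRITE, Permission.DELETE},
    },
}


def lookup(policy, subject, obj):
    """Return the subject's permission set for obj. An absent object or subject
    yields the empty set, so anything not explicitly granted is denied."""
    if policy is None:  # simulated control failure: no policy available
        raise ControlFailure("policy store unavailable")
    return policy.get(obj, {}).get(subject, set())


def decide(policy, subject, obj, perm, fail_open=False):
    """Permit (True) or deny (False) `subject` performing `perm` on `obj`.
    On a control failure, fail_open=False denies every request (fail closed)
    and fail_open=True permits every request (fail open)."""
    try:
        return perm in lookup(policy, subject, obj)
    except ControlFailure:
        return fail_open


if __name__ == "__main__":
    print("alice read /etc/passwd:", decide(SAMPLE_POLICY, "alice", "/etc/passwd", Permission.READ))
    print("alice write /etc/passwd:", decide(SAMPLE_POLICY, "alice", "/etc/passwd", Permission.WRITE))
    print("bob read /etc/passwd:", decide(SAMPLE_POLICY, "bob", "/etc/passwd", Permission.READ))
    # Policy store down: the same request under each failure mode
    print("fail closed:", decide(None, "root", "/etc/passwd", Permission.READ))
    print("fail open:", decide(None, "bob", "/etc/passwd", Permission.DELETE, fail_open=True))
```

The point of the last two calls is that under fail open an unknown subject obtains a permission (delete) that the policy never granted to anyone but the owner; fail closed refuses even a legitimate request from root until the control is restored, which is the safer default for most security controls.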

Access control services

Access control systems provide three essential services:

Authentication

Authentication (who can log in) is actually a two-step process consisting of identification and authentication (I&A). Identification is the means by which a user claims a specific identity to a system. Authentication is the process of verifying that identity. For example, a username/password combination is one common technique (albeit a weak one) that demonstrates the concepts of identification (username) and authentication (password).

 Instant Answer   Authentication determines who can log in.

Authorization

Authorization (also referred to as establishment) defines the rights and permissions granted to a user account or process (what you can do). After a user is authenticated, authorization determines what that user can do with a system or resource.

 Instant Answer   Authorization (or establishment) determines what a subject (either a person or a system) can do.

Accountability

Accountability is the ability to associate users and processes with their actions (what they did). Audit trails and system logs are components of accountability. An important security concept that’s closely related to accountability is non-repudiation. Non-repudiation means that a user (user-name Madame X) can’t deny an action because her identity is positively associated with her actions.

 Instant Answer   Accountability determines what a subject did. Non-repudiation means that a user cannot deny an action.
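The following is an added example, not code from the book, that walks one request through the three services described in this section: identification and authentication (a claimed username checked against a salted password hash), authorization (what the authenticated subject's role permits), and accountability (an audit record for every decision, so an action can later be associated with the subject who performed it). The user names, roles, actions and password are constructed.

```python
"""The three access-control services in one request path: I&A, authorization
and accountability. Added example, not from the book; all data is constructed."""
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 100_000

# Constructed user store: username -> {"salt": bytes, "hash": bytes, "role": str}
USERS = {}
# Constructed role -> permissions table consulted by the authorization step
ROLE_PERMISSIONS = {
    "admin": {"read", "write", "delete"},
    "analyst": {"read"},
}
# Accountability: every decision is recorded, successful or not
AUDIT_LOG = []


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def register(username: str, password: str, role: str) -> None:
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _derive(password, salt), "role": role}


def authenticate(username: str, password: str) -> bool:
    """Identification: the caller claims `username`. Authentication: verify the
    password against the stored salted hash in constant time. Unknown users
    still pay the hash cost so response time does not reveal which names exist."""
    record = USERS.get(username)
    if record is None:
        _derive(password, b"\x00" * 16)
        return False
    return hmac.compare_digest(_derive(password, record["salt"]), record["hash"])


def authorize(username: str, action: str) -> bool:
    """What an already-authenticated subject may do, from its role. Unknown roles deny."""
    role = USERS[username]["role"]
    return action in ROLE_PERMISSIONS.get(role, set())


def audit(subject: str, action: str, outcome: str) -> None:
    # For a failed authentication `subject` is only the claimed identity, not a verified one
    AUDIT_LOG.append({"time": time.time(), "subject": subject, "action": action, "outcome": outcome})


def request(username: str, password: str, action: str) -> str:
    """Authenticate, then authorize, and log the outcome either way."""
    if not authenticate(username, password):
        outcome = "authentication failed"
    elif not authorize(username, action):
        outcome = "denied"
    else:
        outcome = "permitted"
    audit(username, action, outcome)
    return outcome


# Constructed sample subject
register("alice", "correct horse battery staple", "analyst")

if __name__ == "__main__":
    print(request("alice", "correct horse battery staple", "read"))
    print(request("alice", "correct horse battery staple", "delete"))
    print(request("mallory", "guess", "read"))
    for entry in AUDIT_LOG:
        print(entry)
```

Note that authorization is only attempted after authentication succeeds, and that the audit trail records denied and failed attempts as well as permitted ones; a log that only captured successes would not support the accountability service described above.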
