CISSP For Dummies
Access control, in the context of information security, is the ability to permit or deny the use of an object (a passive entity such as a system or file) by a subject (an active entity such as an individual or process). Such use is normally defined through a set of rules or permissions: read, write, execute, list, change, and delete.
Control types
Access control is achieved through an entire set of controls that, identified by purpose, include preventive (which reduce risk) and detective (which identify violations and incidents) controls. Other types of controls include corrective (which remedy violations and incidents and improve existing preventive and detective controls), deterrent (which discourage violations), recovery (which restore systems and information), and compensating (alternative controls).
Tip Access controls can be administrative, technical, or physical.
Administrative controls
Administrative controls include the policies and procedures that an organization implements as part of its overall information security strategy. Administrative controls ensure that technical and physical controls are understood and properly implemented in accordance with the organization’s security policy. The purpose of administrative controls is often both preventive and detective. These may include
- Policies and procedures
- Security awareness training
- Asset classification and control
- Employment policies and practices (background checks, job rotations, and separation of duties and responsibilities)
- Account administration
- Account, log, and journal monitoring
- Review of audit trails
Cross-Reference We discuss administrative controls in Chapters 6 and 10.
Technical controls
Technical (or logical) controls use hardware and software technology to implement access control.
Preventive technical controls include
- Encryption: Data Encryption Standard (DES), Advanced Encryption Standard (AES), Merkle-Hellman Knapsack.
- Access control mechanisms: Biometrics, smart cards, and tokens.
- Access control lists
- Remote access authentication protocols: Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), Remote Authentication Dial-In User Service (RADIUS), Lightweight Directory Access Protocol (LDAP).
Detective technical controls include
- Violation reports
- Audit trails
- Network monitoring and intrusion detection
Cross-Reference Technical controls are the focus of this chapter; we also discuss them in Chapters 5 through 9.
Physical controls
Physical controls ensure the safety and security of the physical environment. These can be preventive or detective in nature.
Preventive physical controls include
- Environmental controls (for example: heating, ventilation, and air conditioning [HVAC])
- Security perimeters (fences, locked doors, and restricted areas)
- Guards and dogs
Detective physical controls include
- Motion detectors
- Video cameras
- Environmental sensors and alarms (to detect heat, smoke, fire, and water hazards)
Cross-Reference We discuss physical controls in Chapter 13.
Instant Answer When a control failure results in no accesses permitted, this is called fail closed. When a control failure results in all accesses permitted, this is called fail open.
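The difference between fail closed and fail open is easiest to see in a technical control's error-handling path. The following is an added illustration, not code from the book: a small access decision point whose policy store can become unavailable (simulated with the constructed `available` flag). The subjects, objects and `POLICY` table are made up for the example; the two decision functions differ only in what they return when the lookup fails.

```python
"""Fail-closed vs fail-open behaviour of an access control decision point.

Added illustration, not from the book. POLICY, the subjects and objects,
and the `available` flag are constructed for the example.
"""
import logging

logger = logging.getLogger(__name__)

# Constructed policy: object -> set of subjects permitted to use it.
POLICY = {
    "/finance/ledger.xlsx": {"alice"},
    "/public/readme.txt": {"alice", "bob"},
}


class PolicyStoreUnavailable(Exception):
    """Raised when the decision point cannot reach its policy data."""


def lookup_allowed_subjects(obj, store=POLICY, available=True):
    """Simulated policy lookup; `available=False` models a backend outage."""
    if not available:
        raise PolicyStoreUnavailable(f"cannot load policy for {obj}")
    return store.get(obj, set())


def is_allowed_fail_open(subject, obj, available=True):
    """Anti-pattern: a failure of the control permits all accesses."""
    try:
        return subject in lookup_allowed_subjects(obj, available=available)
    except PolicyStoreUnavailable as exc:
        logger.warning("policy lookup failed, permitting access: %s", exc)
        return True   # control failure -> fail open


def is_allowed_fail_closed(subject, obj, available=True):
    """Preferred: a failure of the control permits no accesses."""
    try:
        return subject in lookup_allowed_subjects(obj, available=available)
    except PolicyStoreUnavailable as exc:
        logger.error("policy lookup failed, denying access: %s", exc)
        return False  # control failure -> fail closed


if __name__ == "__main__":
    for decide in (is_allowed_fail_open, is_allowed_fail_closed):
        print(decide.__name__, "normal :", decide("bob", "/finance/ledger.xlsx"))
        print(decide.__name__, "outage :", decide("bob", "/finance/ledger.xlsx", available=False))
```

With the policy store reachable both functions deny `bob` the ledger; during the outage only the fail-closed version still denies it. The outage is logged at a higher severity in the fail-closed case because a denial that users notice is the signal operators should act on, whereas the fail-open variant silently turns an availability problem into an access control failure.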
Access control services
Access control systems provide three essential services:
- Authentication
- Authorization
- Accountability
Authentication
Authentication (who can log in) is actually a two-step process consisting of identification and authentication (I&A). Identification is the means by which a user claims a specific identity to a system. Authentication is the process of verifying that identity. For example, a username/password combination is one common technique (albeit a weak one) that demonstrates the concepts of identification (username) and authentication (password).
Instant Answer Authentication determines who can log in.
Authorization
Authorization (also referred to as establishment) defines the rights and permissions granted to a user account or process (what you can do). After a user is authenticated, authorization determines what that user can do with a system or resource.
Instant Answer Authorization (or establishment) determines what a subject (either a person or a system) can do.
Accountability
Accountability is the ability to associate users and processes with their actions (what they did). Audit trails and system logs are components of accountability. An important security concept that’s closely related to accountability is non-repudiation. Non-repudiation means that a user (username Madame X) can’t deny an action because her identity is positively associated with her actions.
Instant Answer Accountability determines what a subject did.
Non-repudiation means that a user cannot deny an action.
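To tie the three services together, here is an added example, not code from the book, of a minimal access control system that performs identification and authentication (a username claim checked against a salted password hash), authorization (a permission from the read/write/execute/list/change/delete set checked against an access control list), and accountability (every decision written to an audit trail that can later be queried by subject). The user `madame_x`, her password, the `ACL` entries and the `AUDIT_LOG` structure are all constructed for the example.

```python
"""Identification & authentication, authorization and accountability.

Added illustration, not from the book. USERS, ACL, the sample password and
the audit record layout are constructed for the example.
"""
import hashlib
import hmac
import os
from datetime import datetime, timezone

# The permission vocabulary used by the access control list.
PERMISSIONS = {"read", "write", "execute", "list", "change", "delete"}

_ITERATIONS = 100_000


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def _make_user(password):
    salt = os.urandom(16)
    return salt, _derive(password, salt)


# Constructed credential store: username -> (salt, derived key)
USERS = {"madame_x": _make_user("correct horse battery staple")}
_DUMMY_SALT, _DUMMY_KEY = _make_user("placeholder")  # used for unknown usernames

# Constructed ACL: (subject, object) -> granted permissions
ACL = {
    ("madame_x", "/reports/q3.pdf"): {"read", "list"},
}

AUDIT_LOG = []  # accountability: one record per authentication or access decision


def _audit(event, subject, obj=None, permission=None, outcome=None):
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "event": event, "subject": subject, "object": obj,
        "permission": permission, "outcome": outcome,
    })


def authenticate(username, password):
    """I&A: the caller identifies as `username`; the password verifies the claim."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_KEY))
    # Always derive and compare so unknown usernames take the same time as known ones.
    candidate = _derive(password, salt)
    ok = hmac.compare_digest(stored, candidate) and username in USERS
    _audit("login", username, outcome="success" if ok else "denied")
    return ok


def authorize(username, obj, permission):
    """Authorization: may this (already authenticated) subject use the object this way?"""
    if permission not in PERMISSIONS:
        raise ValueError(f"unknown permission {permission!r}")
    allowed = permission in ACL.get((username, obj), set())
    _audit("access", username, obj, permission, "allowed" if allowed else "denied")
    return allowed


def actions_by(username):
    """Accountability: reconstruct what a subject did from the audit trail."""
    return [(r["event"], r["object"], r["permission"], r["outcome"])
            for r in AUDIT_LOG if r["subject"] == username]


if __name__ == "__main__":
    if authenticate("madame_x", "correct horse battery staple"):
        authorize("madame_x", "/reports/q3.pdf", "read")
        authorize("madame_x", "/reports/q3.pdf", "delete")
    for entry in actions_by("madame_x"):
        print(entry)
```

The audit trail is what makes the accountability claim concrete: after the run, `actions_by("madame_x")` shows her successful login, the allowed read and the denied delete, each tied to the identity that was authenticated at login. A real system would write that trail to append-only storage rather than an in-memory list, since an audit log the subject can alter cannot support non-repudiation.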