CISSP prep: Access control categories
This article is part of our CISSP certification prep series. For more CISSP-related resources, see our CISSP certification hub.
What are the 3 primary types of control mechanisms implemented?
Getting CISSP certified isn’t a stroll in the park, but the preparation it demands is meant to ensure that a candidate has the breadth of technical insight a modern information security professional needs. Access control is one of the most important domains of the CISSP CBK, and to pass the exam an aspirant needs to be well-versed in the concepts and paradigms it encompasses.
As the name indicates, access control is the process by which a system architect or engineer ensures that only identified, authenticated and authorized subjects (users, processes or devices) can read, modify or otherwise use protected resources. Access control mechanisms are not known for their glamour, but they are essential to the confidentiality and integrity of a system. This article walks through the different access control categories.
Administrative access control
Administrative controls are laid down by the top management of an organization; the technical and physical controls described later exist largely to enforce them. Some of the control components worth mentioning here are:
- Policies and procedures: Every organization has its own security policy, to which all employees must adhere. It is a high-level plan that states management’s intentions for how security is to be practiced within the organization. The policy can include which actions are deemed acceptable, the level of risk the company is willing to accept, the penalties for violations, and so on. It is normally written by someone who understands the business objectives and the regulations and laws that bind (and restrict) the organization.
Through the security policy, every functional unit and every employee of the company can see how security is to be implemented and what the repercussions of noncompliance are.
- Supervisory structure: Almost every modern organization makes managerial staff responsible for their employees and for scrutinizing their activities. A supervisor is the person placed directly above an employee; if the employee violates policy, the supervisor is also held accountable.
- Personnel controls: Personnel controls describe what the organization expects of its employees in their interactions with the security mechanisms, and how noncompliance with those expectations is handled.
Change-of-status controls describe the security actions to be taken when employees are hired, suspended, terminated or promoted (for example, creating, adjusting or revoking accounts and access rights). Separation of duties is a principle whose enforcement is paramount: no single employee should be able to perform a critical task alone, since that could harm the company in the long run. An example is a bank teller who must obtain a supervisor’s approval before cashing checks over $2,000. For a breach to occur, more than one person would have to collude in the fraud, so separation of duties sharply reduces the probability of fraud and breaches.
- Duty rotation (job rotation): With duty rotation, employees periodically move between jobs so that more than one person is capable of performing the duties of each position. This also deters fraud: if an employee intends to commit fraud in their position, the chance of detection is much greater when another employee also knows the tasks of that position and how they are supposed to be carried out.
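The separation-of-duties rule in the bank-teller example can be enforced in software rather than left to procedure. The following is an added example, not code from the article: the staff names, the roles and the $2,000 threshold are assumptions for illustration. Note the case of a person who holds both the teller and the supervisor role; separation of duties still forbids them from approving their own transaction, because the requirement is a second person, not merely a second role.

```python
# Added example (not code from the article): enforcing separation of duties
# for the bank-teller scenario. Staff names, roles and the $2,000 threshold
# are assumptions for illustration.
from typing import Optional

APPROVAL_THRESHOLD = 2000  # assumed: amounts above this need a second person

# Constructed staff directory: person -> set of roles held.
# "dave" holds both roles; separation of duties must still stop him from
# approving a transaction he initiated himself.
STAFF = {
    "alice": {"teller"},
    "bob": {"supervisor"},
    "dave": {"teller", "supervisor"},
}


class SeparationOfDutiesError(PermissionError):
    """Raised when one person would perform both halves of a dual-control task."""


def cash_check(teller: str, amount: float, approver: Optional[str] = None) -> dict:
    """Decide whether a check may be cashed and return the decision record.

    Rules enforced:
      1. Only someone holding the teller role may initiate the transaction.
      2. At or below the threshold the teller acts alone.
      3. Above the threshold a second, distinct person holding the supervisor
         role must approve; self-approval is rejected even when the teller
         also holds the supervisor role.
    """
    if "teller" not in STAFF.get(teller, set()):
        raise PermissionError(f"{teller!r} is not a teller")
    if amount < 0:
        raise ValueError("amount must be non-negative")
    if amount <= APPROVAL_THRESHOLD:
        return {"teller": teller, "amount": amount, "approver": None, "allowed": True}
    if approver is None:
        raise SeparationOfDutiesError(
            f"amount {amount} exceeds {APPROVAL_THRESHOLD}; supervisor approval required"
        )
    if approver == teller:
        raise SeparationOfDutiesError("a person cannot approve their own transaction")
    if "supervisor" not in STAFF.get(approver, set()):
        raise SeparationOfDutiesError(f"{approver!r} is not a supervisor")
    return {"teller": teller, "amount": amount, "approver": approver, "allowed": True}


if __name__ == "__main__":
    print(cash_check("alice", 1500))
    print(cash_check("alice", 5000, approver="bob"))
```

The identity check (`approver == teller`) is the part that is easy to forget when the rule is expressed purely in terms of roles; a role-only check would let a person with both roles cash their own large check.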
Some examples of administrative controls are:
- Information classification
- Personnel procedures
- Security-awareness and training
Technical access control
As the name indicates, technical controls (also called logical controls) are the hardware and software mechanisms used to enforce restrictions on objects for particular subjects. They may be implemented in applications, protocols, core application components, OS components, add-on security packages, access control matrices, encryption mechanisms and so on. By limiting the subjects that can access important objects, and by protecting those objects from unauthenticated subjects, security architects preserve the confidentiality and integrity of important resources.
Some of the most important technical access control components are:
- Network access: These days, the network is the most exposed part of any system. An attacker who gets into an organization’s internal network has opened a path that can ultimately lead to complete compromise. Network access controls define the mechanisms that authorize access to network resources such as switches, routers, bridges and firewalls.
- System access: In this category, access to resources depends on the data’s sensitivity, the user’s clearance level, and the user’s permissions and rights. System access control can be implemented using usernames and passwords, biometrics, TACACS, smart card authentication, Kerberos, and so on.
- Auditing: Such controls are used for tracking activities within a network, on network devices, or on specific computers. They especially aid in finding weaknesses in various technical controls and in making subsequent alterations based on those findings.
- Encryption (and other protocols): Cryptographic techniques, protocols and encryption are used to ensure that the information is protected as it passes through networks (or is present on devices).
- Architecture: Architecture control lays out the physical and logical layout of the network, along with the access control mechanisms present between different segments of the network.
Some technical access control tools worth mentioning are:
- Antivirus software
- Dial-up call-back systems
- Alarms and alerts
Physical access control
The importance of physical access control within an organization cannot be overstated. Whereas breaches in the technical and administrative realms can often be made with sophisticated hacking tools, physical breaches usually rely on social engineering, a skill many criminals possess in abundance. Here are some components worth mentioning that are also important when preparing for the CISSP access control domain:
- Network segregation: The network should be adequately segregated, physically as well as logically; one area may contain employees’ computers, whereas another may contain only routers, switches and servers.
- Perimeter security: Depending on the organization, perimeter security must be implemented to ensure that no unauthorized person gets into the premises.
Some other physical access control components can be:
- Computer controls
- Separation of work area
- Backups of data
Some examples are fences, locks, badge system, security guards, biometric systems, mantrap doors, motion detectors, closed-circuit TVs, alarms, backups, etc.
Carrying out access control
Access control needs to be implemented system-wide and should be an integral part of the standard operating procedure in every organization. The following steps can be followed during a typical access control process:
- Identification of the subject: The subject is the entity that requests access to an object to which we need to control the access. Upon receiving the request, the first step of the access control process is to identify the subject. This is a preliminary step performed before carrying out the authentication.
- Authentication: Once the subject’s claimed identity is known, the system must authenticate it. This is done by verifying the credentials presented in the request against those stored in the credential database (ideally a salted password hash or other verifier, never the secret itself). If the credentials don’t match, the subject is not granted access.
- Privilege ACLs (authorization): After authentication, the system checks the ACLs to determine exactly which privileges the subject holds. A subject is not allowed to perform any action on the object for which it holds no privilege; the absence of an entry means deny.
- Audits: Every decision, allowed or denied, should be recorded, and periodic audits of that trail and of the system need to be performed to ensure that there aren’t any security vulnerabilities or flaws.
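The four steps above fit in a single decision function. What follows is an added example, not code from the article: the user names, passwords, object names and ACL entries are constructed for illustration, and the credential store is a salted PBKDF2 digest rather than a plaintext password table. It also shows two details the list does not spell out: the caller only ever learns "denied", while the reason (unknown subject, bad credential, no ACL entry) is kept in the audit trail, and an unknown subject still costs a hash computation so the identification step does not leak which accounts exist through timing.

```python
# Added example (not code from the article): the identify / authenticate /
# authorize (ACL) / audit flow in one function. The user database, ACL and
# object names are constructed for illustration.
import hashlib
import hmac
import os
from typing import Dict, List, Set, Tuple

PBKDF2_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash; only this digest is stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


# Constructed credential store: subject -> (salt, digest)
USERS: Dict[str, Tuple[bytes, bytes]] = {}


def enroll(subject: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[subject] = (salt, _hash_password(password, salt))


enroll("alice", "correct horse battery staple")
enroll("bob", "hunter2")

# Constructed ACL: object -> subject -> permitted actions. No entry means no privilege.
ACL: Dict[str, Dict[str, Set[str]]] = {
    "payroll.db": {"alice": {"read", "write"}, "bob": {"read"}},
    "notice.txt": {"alice": {"read"}, "bob": {"read"}},
}

# Audit trail: (subject, object, action, outcome). Successes are logged too.
AUDIT_LOG: List[Tuple[str, str, str, str]] = []

_DUMMY_SALT = b"\x00" * 16  # used only to equalise the cost of the unknown-user path


def _deny(subject: str, obj: str, action: str, reason: str) -> bool:
    AUDIT_LOG.append((subject, obj, action, "DENY: " + reason))
    return False


def request_access(subject: str, password: str, obj: str, action: str) -> bool:
    """Return True only if the subject is identified, authenticated and authorized."""
    # 1. Identification: the claimed identity must exist.
    cred = USERS.get(subject)
    if cred is None:
        # Spend the same hashing cost as a real check so timing does not
        # reveal whether the username exists.
        _hash_password(password, _DUMMY_SALT)
        return _deny(subject, obj, action, "unknown subject")
    # 2. Authentication: compare digests in constant time.
    salt, stored = cred
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return _deny(subject, obj, action, "bad credential")
    # 3. Authorization: consult the ACL; the default is deny.
    if action not in ACL.get(obj, {}).get(subject, set()):
        return _deny(subject, obj, action, "not permitted by ACL")
    # 4. Audit: record the successful decision as well.
    AUDIT_LOG.append((subject, obj, action, "ALLOW"))
    return True


def denials_per_subject() -> Dict[str, int]:
    """The review half of the audit step: count denied requests per subject,
    a simple way to spot probing or a misconfigured account."""
    counts: Dict[str, int] = {}
    for subject, _obj, _action, outcome in AUDIT_LOG:
        if outcome.startswith("DENY"):
            counts[subject] = counts.get(subject, 0) + 1
    return counts


if __name__ == "__main__":
    print(request_access("alice", "correct horse battery staple", "payroll.db", "write"))
    print(request_access("bob", "hunter2", "payroll.db", "write"))
    print(request_access("mallory", "guess", "payroll.db", "read"))
    print(denials_per_subject())
```

The ordering matters: authorization is never consulted for an unauthenticated request, and a missing ACL entry is treated exactly like an explicit denial, which is the default-deny behaviour the "Privilege ACLs" step describes.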
Rigorous security today requires sophisticated access control mechanisms, which is one reason access control is such an integral part of the CISSP CBK. Aspirants should not treat this article as their sole resource for CISSP exam preparation; there is a great deal of other material that also needs to be covered.