Spotlight article: Domain 2, Access Control

Editor's note: This article has been deprecated and is no longer up to date. For accurate information, see our updated Domain 2 spotlight article.

Access controls protect security assets by restricting access to systems and data by users, applications and other systems. In the upcoming CISSP Essentials Security School video presentation, Domain 2, Access Control, featuring expert CISSP trainer Shon Harris, learn how access controls support the core security principles of confidentiality, integrity and availability by requiring subjects to positively identify themselves, prove they possess the appropriate credentials, and hold the necessary rights and privileges to obtain access to the target resource and its information.

Access control principles
The four key access control principles are as follows:

  • Identification: the process of a subject providing the first piece of a credential set.
  • Authentication: the act of verifying the identity of a subject requesting the use of a system, application, data, resource or network.
  • Authorization: the act of granting an authenticated subject access to an object.
  • Accountability: the obligations held by an identified individual who is responsible for safeguarding specific assets or for their supporting activities.

Credentials used in identification are discussed (e.g. user names, personal identification numbers, smart cards, digital signatures), as are authentication methods such as passwords and passphrases, cryptographic keys and tokens. Once a subject is identified and authenticated, access control matrices are typically used to determine whether it is authorized -- equipped with the appropriate rights or privileges -- to access the target object. By using all three of these security controls, accountability for the use of the resource can be traced and therefore assured.

Access control administration and practices
Access control administration and practices depend greatly on the structure of the organization -- its technology infrastructure and workforce behavior. The concept of the trusted security domain is presented and a variety of approaches are explored. Centralized and decentralized (distributed) administration approaches are contrasted, and the increased challenges of the latter approach -- and of hybrid approaches -- are covered in brief. A list of recommended access control practices is included.

Access control models and technologies
Three types of access control models are discussed that dictate how subjects access objects. Security labeling is explored as part of the highly restrictive mandatory access control model, in stark contrast to the discretionary model, which allows the creator/owner of an object to grant access as she sees fit. The benefits of the role-based access control model, which provides access to resources based on profiles connected to a user's role in an organization, are presented. The (often confused) concept of lattice-based (sensitivity-level-based) access strategies is also included.

The range of available technologies is explored. These include role-based (subject-oriented), rule-based (object/action-oriented), restricted interfaces (user-option-oriented), content-dependent controls, capability tables (subject-oriented), access control lists (object-oriented) and the combination of the latter two, access control matrices.
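The paragraphs above describe the models in the abstract; the following is an added example (not code from the article or from the CISSP course it summarizes) showing the relationships in working code. One access control matrix is stored object by object (the ACL view) and sliced subject by subject (the capability-table view); discretionary owner grants and role-based profiles both feed that matrix, while mandatory access control is checked separately against a label lattice. Every subject, object, role, level name and label here is a constructed sample value, and the read/write rules in `mac_allowed` are the standard Bell-LaPadula "no read up, no write down" properties rather than anything the article specifies.

```python
"""Added example, not from the article or the CISSP course it describes.
One access control matrix is stored object by object (ACLs) and sliced
subject by subject (capability tables); DAC owner grants and RBAC role
profiles feed the same matrix, and a MAC label lattice is checked
separately. All subjects, objects, roles and labels are constructed."""
from dataclasses import dataclass, field

ALL_RIGHTS = {"read", "write", "grant"}


@dataclass
class Obj:
    """An object with its ACL: the object-oriented view of the matrix."""
    name: str
    owner: str
    acl: dict = field(default_factory=dict)  # subject -> set of rights


class AccessMatrix:
    def __init__(self):
        self.objects: dict[str, Obj] = {}
        self.roles: dict[str, set[str]] = {}  # role -> member subjects (RBAC)
        self.role_rights: dict[str, dict[str, set[str]]] = {}  # role -> object -> rights

    # --- Discretionary access control: the owner decides who gets what ---
    def create(self, owner: str, name: str) -> None:
        obj = Obj(name, owner)
        obj.acl[owner] = set(ALL_RIGHTS)
        self.objects[name] = obj

    def grant(self, grantor: str, subject: str, name: str, right: str) -> None:
        obj = self.objects[name]
        if "grant" not in obj.acl.get(grantor, set()):
            raise PermissionError(f"{grantor} may not grant rights on {name}")
        obj.acl.setdefault(subject, set()).add(right)

    # --- The two views of the same matrix ---
    def acl(self, name: str) -> dict:
        """Column view: who may do what to this object."""
        return {s: set(r) for s, r in self.objects[name].acl.items()}

    def capabilities(self, subject: str) -> dict:
        """Row view: what this subject may do to each object, DAC grants plus RBAC roles."""
        caps = {}
        for obj in self.objects.values():
            rights = set(obj.acl.get(subject, set()))
            for role, members in self.roles.items():
                if subject in members:
                    rights |= self.role_rights.get(role, {}).get(obj.name, set())
            if rights:
                caps[obj.name] = rights
        return caps

    def allowed(self, subject: str, name: str, right: str) -> bool:
        return right in self.capabilities(subject).get(name, set())


# --- Mandatory access control: labels form a lattice and the system decides ---
LEVELS = ["unclassified", "confidential", "secret", "top secret"]  # constructed ordering


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice order: at least as high a level and a superset of the categories."""
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and self.categories >= other.categories)


def mac_allowed(subject: Label, obj: Label, right: str) -> bool:
    """Bell-LaPadula rules: no read up (subject must dominate the object) and
    no write down (object must dominate the subject)."""
    if right == "read":
        return subject.dominates(obj)
    if right == "write":
        return obj.dominates(subject)
    return False
```

The point the article makes about capability tables and ACLs being two orientations of the same matrix is visible in `acl()` and `capabilities()`, which read the same data by column and by row; the lattice check is deliberately outside the matrix, because under MAC no owner grant can override a label comparison.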

Access control methods, types and techniques
The bulk of this domain focuses on the variety of access controls available -- their strengths and weaknesses, when to use them and the methods used to implement them.

A "defense-in-depth" approach is taken, describing the various administrative, physical and technical controls that can be applied to the vulnerable technology layers of an information infrastructure. Administrative controls covered include policies and procedures, personnel controls (including separation and rotation of duties), supervisory structures, security awareness training and testing. Physical controls cover topics such as network segregation, TEMPEST shielding, white noise masking, perimeter security, computer controls, work area separation, data backups and cabling. Technical (logical) control topics include system access, network architecture, network access, encryption protocols, control zone definition and auditing. The specific controls useful to these areas are categorized according to the six types of access controls: preventive, detective, corrective, deterrent, recovery and compensating. Finally, emphasis is placed on the importance of protecting audit data and logging information.

A variety of access control methods are explored. Strong access control methods, such as biometrics (which include electronic imaging of body parts such as fingerprinting, hand, retinal and iris scans, etc.), and behavioral-based signatures (such as keyboard dynamics and voice print), are contrasted by their level of effectiveness and their current level of social acceptability.

Authentication through password management is covered in detail, including the characteristics of strong passwords, cognitive passwords, responsible password management and policy, and restricting login attempts. Technologies useful in automating password administration are covered, such as password checkers, password generators and automated programs that manage password aging or limit logins. Rigorous password methods, such as one-time passwords and token devices (both synchronous and asynchronous), are detailed, along with cryptographic keys (a.k.a. digital signatures), smart cards and memory cards.
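To make the synchronous/asynchronous token distinction concrete, here is an added example (not code from the article or from the CISSP course) implementing both styles on top of HMAC-SHA256. The synchronous token and its verifier share a key and a counter that advance in lockstep, with a small look-ahead window for skipped presses and a rule that a used counter is never accepted again; the asynchronous token answers a random server challenge, and each challenge is single use. The shared key, the counter width, the six-digit truncation and the window size are all constructed choices for this example.

```python
"""Added example, not from the article or the CISSP course it describes.
Two one-time-password token styles on top of HMAC-SHA256: a synchronous
token (shared key and counter that advance in lockstep) and an asynchronous
token (server-issued random challenge, token-computed response). The key,
counter width and code length are constructed sample values."""
import hashlib
import hmac
import secrets


def otp(key: bytes, message: bytes, digits: int = 6) -> str:
    """Derive a short numeric code a user can type from an HMAC over the message."""
    mac = hmac.new(key, message, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10 ** digits:0{digits}d}"


class SynchronousToken:
    """The device: each press emits the code for the next counter value."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def next_code(self) -> str:
        code = otp(self.key, self.counter.to_bytes(8, "big"))
        self.counter += 1
        return code


class SynchronousVerifier:
    """The server side: tolerates a few skipped presses but never accepts a
    counter at or below the last one accepted, so a captured code cannot be replayed."""

    def __init__(self, key: bytes, window: int = 3):
        self.key = key
        self.expected = 0
        self.window = window

    def verify(self, code: str) -> bool:
        for counter in range(self.expected, self.expected + self.window):
            if hmac.compare_digest(code, otp(self.key, counter.to_bytes(8, "big"))):
                self.expected = counter + 1  # resynchronise and burn this counter
                return True
        return False


class AsynchronousVerifier:
    """Challenge-response: nothing to keep in sync, but each challenge is single use."""

    def __init__(self, key: bytes):
        self.key = key
        self.outstanding: set[bytes] = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(8)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: str) -> bool:
        if nonce not in self.outstanding:
            return False  # unknown, expired or already-answered challenge
        self.outstanding.discard(nonce)
        return hmac.compare_digest(response, otp(self.key, nonce))


def asynchronous_token_response(key: bytes, nonce: bytes) -> str:
    """The device's side of the exchange: answer the challenge with the shared key."""
    return otp(key, nonce)
```

The trade-off the course contrasts shows up directly: the synchronous verifier has state to keep in step (and a window that must stay small, since every extra counter it will accept is one more code a guesser could hit), while the asynchronous verifier needs no counter but does need to track which challenges are still open so a response cannot be reused.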

Authorization is particularly challenging because of the variety of methods that are used simultaneously. Users can be restricted by physical access to the resources required to reach the desired information (as in restricting building access), by membership in access control groups whose rights of access are limited, by the access control lists applied to the target object itself, by time of day and by transaction type. This section provides strategies that can help reduce conflicts between these methods, including defaulting to no access, restricting access on a need-to-know basis and using single sign-on methods that manage permissions logically by reference.

Single sign-on can be an effective and efficient means of controlling access within organizations. Approaches covered include scripting and the SESAME and Kerberos single sign-on systems, the latter currently used by the vast majority of organizations. Kerberos is covered in depth. Essentially a traffic cop for the transfer of messages between users and systems, it positively identifies a message sender and recipient and dispenses cryptographic keys that uniquely bind a message to the transaction between them.

Access control threat monitoring
Ultimately, the purpose of access control is to protect assets from unauthorized use. Threats specific to access control include dictionary, war-dialing and brute-force attacks, which use software to guess valid passwords, and spoofing at login, which tricks users into entering their credentials at a fake login screen. Countermeasures for each are explored.

However, by far the most effective means of protecting against unauthorized access is operational control and monitoring. Strategies presented include implementing intrusion-detection technology (knowledge, signature, behavior-based or statistical), embedding IDS network sensors, monitoring network traffic for aberrations, employing network sniffers and the use of honeypots to mislead intruders to decoy sites and systems and away from valuable assets.
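The two paragraphs above name password guessing as the characteristic access control threat and behavior-based or statistical monitoring as the most effective defense. The following is an added example (not code from the article or from the CISSP course) of the simplest version of that monitoring: a sliding-window count of failed logins per source, which separates a user mistyping a password from a source hammering one account (brute force) or many accounts (a dictionary run across the user base), plus the per-account lockout that a login-attempt limit would apply. The log format, timestamps, addresses, user names and thresholds are all constructed for the example.

```python
"""Added example, not from the article or the CISSP course it describes.
A statistical check over authentication log lines: sources whose failure
count in a sliding window points to password guessing (dictionary or
brute force), and the per-account lockout a login-attempt limit would
apply. The log lines, addresses, user names and thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source guessing alice's password, one source
# trying one password against many accounts, and one user who mistyped once.
SAMPLE_LOG = """\
2008-09-10T08:00:01 auth: FAIL user=alice src=10.0.0.5
2008-09-10T08:00:02 auth: FAIL user=alice src=10.0.0.5
2008-09-10T08:00:03 auth: FAIL user=alice src=10.0.0.5
2008-09-10T08:00:04 auth: FAIL user=alice src=10.0.0.5
2008-09-10T08:00:05 auth: FAIL user=alice src=10.0.0.5
2008-09-10T08:00:06 auth: FAIL user=alice src=10.0.0.5
2008-09-10T08:00:10 auth: FAIL user=gina src=10.0.0.9
2008-09-10T08:00:15 auth: OK user=gina src=10.0.0.9
2008-09-10T08:01:00 auth: FAIL user=bob src=10.0.0.7
2008-09-10T08:01:05 auth: FAIL user=carol src=10.0.0.7
2008-09-10T08:01:10 auth: FAIL user=dave src=10.0.0.7
2008-09-10T08:01:15 auth: FAIL user=erin src=10.0.0.7
2008-09-10T08:01:20 auth: FAIL user=frank src=10.0.0.7
2008-09-10T08:30:00 auth: OK user=alice src=10.0.0.3
"""

LINE_RE = re.compile(r"^(\S+) auth: (FAIL|OK) user=(\S+) src=(\S+)$")


def parse(log: str) -> list:
    """Return (timestamp, result, user, src) tuples; lines that do not fit the format are dropped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, result, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), result, user, src))
    return events


def guessing_sources(events, threshold=5, window=timedelta(seconds=60)) -> dict:
    """Map each source to (max failures in any window, distinct users targeted)
    when that maximum reaches the threshold. Many users from one source is the
    dictionary-across-accounts pattern; a single user is classic brute force."""
    fails = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            fails[src].append((ts, user))
    flagged = {}
    for src, attempts in fails.items():
        attempts.sort()
        start, best = 0, 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1  # slide the window forward past stale failures
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = (best, len({user for _, user in attempts}))
    return flagged


def locked_accounts(events, max_failures=3) -> set:
    """Accounts a login-attempt limit would lock: consecutive failures reach the
    limit before a successful login resets the count."""
    streak = defaultdict(int)
    locked = set()
    for _, result, user, _ in sorted(events):
        if user in locked:
            continue  # stays locked until an administrator clears it
        if result == "FAIL":
            streak[user] += 1
            if streak[user] >= max_failures:
                locked.add(user)
        else:
            streak[user] = 0
    return locked
```

Running both checks over the sample shows why the article pairs lockout with monitoring: the attempt limit locks alice's account, which stops the guessing but also locks out the real alice when she logs in later from another address, whereas the per-source count identifies 10.0.0.5 and 10.0.0.7 as the actual problem without touching gina, whose single failure followed by a success is ordinary behavior.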

CISSP® is a registered certification mark of the International Information Systems Security Certification Consortium, Inc., also known as ISC(2). 

This was last published in September 2008
