Welcome to Access Control, another important domain among the eight that the CISSP exam will test your knowledge of.
And apart from the exam, understanding access control is essential for your work as a security professional. So, bring your coffee… and your attention as well.
What is Access Control?
Access control refers to the process of managing how individuals and hosts get access to other systems and resources.
Why Access Control?
Access control helps ensure that only authorized users and systems get access to the systems and resources they need access to.
This means that unauthorized users and systems are prevented from accessing the organization's properties, premises, systems, and resources.
If you refer to the first security principle we discussed in this series, the CIA Triad, you may remember that access control was one of the protective countermeasures that help protect both Confidentiality and Integrity. Does that sound logical? Sure! Confidentiality means ensuring the secrecy of data, i.e. only authorized people can see the organization's classified data, and this is exactly what access control attempts to do. The same holds for Integrity, which is concerned with unauthorized alteration of data: by preventing unauthorized access, access control ends up protecting data integrity as well. Furthermore, if an attacker is denied access to a system or resource (by the existence of an access control mechanism), it will be much more difficult for him to hinder operation of, or deny access to, that system or resource. What does this mean? It means that access control can also protect availability.
Introducing Commonly-used Terms
Before going deeply into the details of access control, its methods, technologies, and how it is implemented, we need to understand some important concepts and get familiar with the commonly-used terms. This is what we are going to discuss in this section.
Subjects and Objects
A subject is a user, process, or host that requests access to a system or resource.
An object is the resource or system that subjects need access to. An object could be a file, directory, database, an open TCP/UDP port, or a host (computer).
Identification can be defined as the process or method in which a subject provides or claims an identity before being allowed access to a requested object.
Consider a system administrator establishing an SSH connection to a UNIX/Linux server. The system admin in this case is the subject, and the server he needs to open a secure shell on is the object. When the admin initiates the connection with the server, the server prompts the admin to enter a username. This username is an identity, and the process of providing this identity is what we call identification.
Other identification methods include smart cards, fingerprints, and retina scans.
AAA (pronounced "triple A") stands for Authentication, Authorization, and Accounting.
Authentication is the process of proving the identity claimed by a subject. As we said above, identification is in most cases a claim without proof. You can insert your debit card into the ATM. This is a claim. To prove you are the actual owner of the card, you need to enter your "secret" PIN. Similarly, in the SSH connection example, the administrator types his username when prompted to do so. But will that prove he is trustworthy? Definitely not; anybody can initiate such a connection and provide the username (the username is echoed to the screen as the user types it, so there is a good chance that somebody catches it over the admin's shoulder). In this case, a password is required to authenticate the connecting user. In the special case of biometric methods (like fingerprint and retina), the same method serves as both the identification and the authentication means.
The authorization process determines what a subject is allowed to do with an object. This comes after successful authentication. Authorization usually depends on an access control matrix that specifies the rights of each subject versus each object.
Each subject must be accountable for his actions. Accounting is done by collecting logs and audit trails.
Nonrepudiation means a subject can’t repudiate or deny his responsibility for a specific action that he truly did.
To achieve this, strong authentication, strict authorization, and detailed auditing are needed.
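The sequence described above (identification, authentication, authorization against an access control matrix, and accounting) can be sketched as follows. This is an added example, not part of the original article; the subject, objects, rights, password and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

def _hash(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash; the iteration count is an assumption of this example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

# Constructed sample subject and password.
_SALT = os.urandom(16)
CREDENTIALS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Access control matrix: one row per subject, one column per object,
# each cell holds the rights granted. Anything absent is denied.
MATRIX = {
    "alice": {"/etc/motd": {"read", "write"}, "/var/log/auth.log": {"read"}},
}

AUDIT_TRAIL = []  # accounting: every decision is recorded, failures included

def _record(subject, action, obj, outcome):
    AUDIT_TRAIL.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "subject": subject, "action": action, "object": obj, "outcome": outcome,
    })

def authenticate(username: str, password: str) -> bool:
    """Prove the identity that `username` merely claims."""
    salt, stored = CREDENTIALS.get(username, (b"\0" * 16, b""))
    # Hash even for unknown usernames and compare in constant time.
    ok = hmac.compare_digest(_hash(password, salt), stored)
    _record(username, "authenticate", "-", "success" if ok else "failure")
    return ok

def request_access(username: str, password: str, action: str, obj: str) -> bool:
    """Identification, then authentication, then authorization, all logged."""
    if not authenticate(username, password):
        return False  # authorization is never consulted for an unproven identity
    allowed = action in MATRIX.get(username, {}).get(obj, set())
    _record(username, action, obj, "granted" if allowed else "denied")
    return allowed
```

Because the audit trail ties each decision to an authenticated subject, it is also the record that nonrepudiation relies on.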
- A subject is an active user, process, or host that requests access to a system or resource.
- An object is the system or resource that subjects attempt to access.
That was about definitions. In the next article, we will go deep into the details of Access Control. See you.