CISSPills
Table of Contents: Overview; Access Control Flow; Access Control Elements; Authentication Factors
Overview
Access Controls relate to the mechanisms used to regulate how resources can be accessed by entities. They protect systems from unauthorised access. Access is the flow of information between a subject and an object.
Subject: is an active entity that requests access to an object or to data within an object. Subjects can be users, programs, processes, computers, etc.;
Object: is a passive element, which contains information or needed functionalities. Objects can be databases, files, printers, storage media, etc.
Sometimes the same entity could behave as a subject (requesting information), but also as an object (being accessed by a subject). The rule of thumb to distinguish the role being played by an entity is as follows: the subject is always the active entity that receives the information or data, whilst the object is always the passive entity that provides or hosts the information or data.
Access Control Flow
Access Control Elements
The security elements that work together to support access control are grouped into four types: identification, authentication, authorisation and accountability.
Identification: is the mechanism by which a subject claims an identity, for instance using a username or an account number;
Authentication: is the mechanism by which a subject proves a claimed identity, for example by providing a password;
Authorisation: is the mechanism by which subjects are granted only the privileges they are entitled to. Access Control Lists (ACLs) are a typical example of a mechanism to enforce authorisation: if they determine that a subject may access the resource, they authorise the subject. It’s worth noting that just because a subject is authenticated, it is not given access to anything and everything;
Accountability: is accomplished by implementing auditing, which helps keep track of the subject’s activities (e.g. when a subject accesses, modifies or deletes an object). Audit trails support accountability by logging the activities performed by a subject over an object.
All the four elements above must exist for an access control system to be effective.
Access Control Elements (cont’d)
[Diagram: Subject → Identification (e.g. username) → Authentication (e.g. password) → Authorisation (e.g. ACLs) → Accountability (e.g. audit logs) → Access → Object]
Authentication Factors
Type 1: is something you know. It’s any string of characters that can be memorised and typed on a keyboard (e.g. passwords, PINs, etc.);
Type 2: is something you have. It’s a physical device users must have in their possession during the authentication (e.g. tokens, smart cards, etc.);
Type 3: is something you are. It’s a trait, either physical or behavioural, that uniquely identifies a person (e.g. fingerprints, retina patterns, keystroke dynamics, etc.).
Strong Authentication (also known as multifactor authentication) is when two out of the three factors are used during the authentication.
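To make the four elements and the factor rule concrete, here is a small Python model written for this page (it is not code from the CISSPills deck). All users, secrets, ACL entries and the factor-type table are constructed sample data; it shows that authentication alone grants nothing (the ACL decides), that every attempt lands in the audit trail, and that two factors of the same type do not count as strong authentication.

```python
import hashlib
import hmac

# --- Constructed sample data (assumed for this example, not from the deck) ---
SALT = b"constructed-salt"


def pw_hash(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 100_000)


USERS = {"alice": {"pw": pw_hash("correct horse"), "token_key": b"alice-token-seed"}}
# ACL: object -> subject -> permitted actions (authorisation is decided here, not at login)
ACL = {"payroll.db": {"alice": {"read"}}, "hr.db": {"bob": {"read", "write"}}}
AUDIT_LOG: list[dict] = []  # accountability: the audit trail

FACTOR_TYPE = {"password": 1, "pin": 1, "token": 2, "smartcard": 2, "fingerprint": 3}


def is_strong_authentication(factors) -> bool:
    """Strong (multifactor) authentication needs two *different* factor types.
    A password plus a PIN is two Type 1 factors and is not multifactor."""
    return len({FACTOR_TYPE[f] for f in factors}) >= 2


def token_response(key: bytes, challenge: bytes) -> str:
    """Type 2 factor: a challenge/response computed by a possessed device (simplified)."""
    return hmac.new(key, challenge, "sha256").hexdigest()


def access(user, password, obj, action, challenge=b"", response=None) -> bool:
    """Run identification, authentication, authorisation and accountability in order."""

    def log(outcome: str) -> bool:
        AUDIT_LOG.append({"subject": user, "object": obj, "action": action, "outcome": outcome})
        return outcome == "granted"

    rec = USERS.get(user)  # 1. identification: the username is only a claim
    if rec is None or not hmac.compare_digest(rec["pw"], pw_hash(password)):
        return log("denied: authentication failed")  # 2. authentication, Type 1
    if response is not None:  # optional second factor, Type 2
        expected = token_response(rec["token_key"], challenge)
        if not hmac.compare_digest(expected, response):
            return log("denied: token failed")
    if action not in ACL.get(obj, {}).get(user, set()):  # 3. authorisation via ACL
        return log("denied: not authorised")  # authenticated is not authorised
    return log("granted")  # 4. accountability: every outcome is recorded
```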
That’s all Folks!
We are done, thank you for the interest! Hope you have enjoyed these pills as much as I have had fun writing them. For comments, typos, complaints or whatever you want, drop me an e-mail at:
cisspills <at> outlook <dot> com
More resources: Stay tuned on for the next issues; Join ”CISSP Study Group Italia” if you are preparing your exam.
Brought to you by Pierluigi Falcone. More info about me on