Introduction

Access controls are security features that control how users and systems communicate and interact with other users and systems. Access control is more than simply requiring usernames and passwords when users want to access resources. There are multiple methods, techniques, technologies and models that can be implemented; there are different ways to administer controls; and there are a variety of attacks launched against many of these access control mechanisms.

Definitions

Here are some basic definitions of the terms most frequently used in access control:
  • Subject: Active entity that requests access to an object or the data within an object. The subject is the actor.
  • Object: Passive entity being accessed, or the item being acted upon.
  • Access: Ability of a subject to do something, such as read, create, delete or modify. Access is also considered the flow of information between a subject and an object.
  • Access control: Security features that control how subjects and objects communicate and interact with each other and the flow of information between them.

Access Control Properties

There are three important features of access control:

  • Identification
  • Authentication
  • Authorization

Identification is a method by which a subject (user, program or process) claims to be a particular entity. Some examples of identification mechanisms are a username, an account number and a memory card.

Authentication is the second part of a credential set, used to verify the identity the subject has claimed. These mechanisms can be passphrases, passwords, cryptographic keys, PINs or tokens.

Authorization is the process of determining what this identified subject can actually access and what operations it can carry out. Authorization is based on some type of predefined criteria, which is enforced through access control lists, security labels, capabilities tables or user profiles.

Identification and Authentication

In IT security management, identification usually means providing a public piece of information (for example a username or account number) and authentication means providing a private piece of information (for example a PIN, passphrase or digital signature). The mechanisms used for authentication fall into three categories:

  • Subject must prove something s/he knows, for example a password
  • Subject must prove something s/he has, for example a smart card
  • Subject must prove something s/he is, for example a fingerprint

If a single mechanism from one of these categories is used, it is referred to as one-factor; if mechanisms from two categories are used, it is known as two-factor; and, yes, you guessed it, an authentication process that requires all three is referred to as three-factor. For an authentication process to be considered strong, it must be at least two-factor.

Authorization

Authorization is the process of granting authenticated subjects access and the right to carry out specific operations, according to their preconfigured access rights and permissions as outlined in access criteria. Access criteria are developed by the administrator or security officer to support and carry out the organization's security policy. Criteria can be based on one or both of the following aspects:

  • Clearance: The security level the subject holds, which directly dictates which objects are accessible to it.
  • Need-to-know: The formally approved access level that determines what information should and should not be available to a subject, regardless of clearance.

In a mandatory access control (MAC) model, users do not have the discretion to decide who can access objects, as they do in a DAC model. An operating system based on a MAC model greatly reduces the rights, permissions and functionality a user has, for security purposes. MAC environments use clearances, classifications and need-to-know to determine whether a subject can access an object and which operations it can carry out. Discretionary access control (DAC) environments use access control lists (ACLs), which are developed strictly on the basis of the subject's need-to-know.

It is important to give a subject access only to the objects (resources, devices and information) it requires to complete its tasks. This concept is referred to as least privilege. It reduces the possibility of fraud and of damaging accidents by limiting access to objects purely on the basis of business need.

It is best for mechanisms that make access decisions to default to "no access". This means that if a subject is not explicitly allowed, it is implicitly denied.
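The following is an added example, not code from the original article: a minimal reference monitor that makes a MAC-style decision (clearance must dominate the object's classification and the subject must hold every need-to-know compartment the object carries) beside a DAC-style decision driven by an ACL. Both paths default to "no access". All subjects, objects, levels and compartments are constructed sample data, and the read-down-only rule is an assumption of this toy model.

```python
"""Added example (not from the original article): MAC (clearance +
need-to-know) and DAC (ACL) decisions that both default to deny.
All labels, users and objects below are constructed sample data."""

from dataclasses import dataclass, field

# Ordered security levels: a higher index dominates a lower one (constructed).
LEVELS = ["unclassified", "confidential", "secret", "top-secret"]


@dataclass(frozen=True)
class Label:
    level: str                      # clearance (subject) or classification (object)
    categories: frozenset = field(default_factory=frozenset)  # need-to-know compartments


def dominates(subject: Label, obj: Label) -> bool:
    """MAC rule: the subject's clearance must be at least the object's
    classification AND the subject must hold every compartment of the
    object. A high clearance alone is not enough; need-to-know still applies."""
    return (LEVELS.index(subject.level) >= LEVELS.index(obj.level)
            and obj.categories <= subject.categories)


def mac_decide(subject: Label, obj: Label, op: str) -> bool:
    """Read-down only (assumed for this toy model): a subject may read objects
    it dominates. Every other request falls through to the default deny."""
    if op == "read":
        return dominates(subject, obj)
    return False


# DAC: an ACL maps object -> subject -> permitted operations (constructed).
ACL = {
    "payroll.xlsx": {"alice": {"read", "modify"}, "bob": {"read"}},
}


def dac_decide(user: str, obj: str, op: str) -> bool:
    """Default deny: an unknown object, an unlisted user or an operation not
    in the user's entry all evaluate to False; nothing is implicitly granted."""
    return op in ACL.get(obj, {}).get(user, set())
```

Note that mac_decide returns False for alice on an "hr" document even though her "secret" clearance exceeds its "confidential" classification: need-to-know is enforced independently of clearance, as the article describes.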
