Authentication
process by which you verify a claimed identity
or
ability of a system to confirm the identity of a sender
Authorization
process of establishing if the user is permitted to have access to a resource. Authorization determines what a user is and is not allowed to do
Access Control
process of enforcing the required security for a particular resource
Three priorities essential for access control
1. Always invoked; validates every access attempt
2. Credential/token used to claim identity is immune from tampering
3. Access decision is assuredly correct
Effective access control policy must define:
The subject (who) is requesting access
The object (what) they want to access
The mode of access (how)
The policy then makes a simple "Yes" or "No" decision
Attribute-Based Access Control (ABAC)
Defines rules using attributes of the user, the information asset, and the environment.
e.g., a policy might grant access only if a user's department attribute is "sales" and the resource's region attribute matches the user's sales region attribute
Role-Based Access Control (RBAC)
A common implementation of ABAC where access is controlled based on a user's assigned role (e.g., administrator, manager, student).
While easier to implement for smaller organizations, RBAC is less scalable than a full ABAC system
Nonrepudiation and Accountability
The ability of a system to confirm that a sender cannot convincingly deny having sent something
Auditability
ability of a system to trace all actions related to a given asset