Access Control Concepts in Cybersecurity
Importance of Access Controls
Access controls are vital for any information security program; they dictate who can access organizational assets such as buildings, data, and systems.
Access controls not only restrict access but also determine the appropriate level of access.
The overall aim is to grant access to authorized users while denying access to unauthorized individuals.
Fundamental Components
Subjects
Definition: A subject is any entity that requests access to assets (e.g., user, client, process, program).
Characteristics of a Subject:
Active: Initiates service requests.
Requires clearance: Must have permission levels suited for the requested resource.
Examples:
Users (human actors)
Processes (automated requests)
Devices (endpoints, smartphones)
Objects
Definition: An object is any entity that can be accessed or used, such as buildings, computers, files, databases, etc.
Characteristics of an Object:
Passive: Does not initiate action; waits for a request from a subject.
Access to an object is controlled by an external system, such as identity and access management (IAM), rather than by the object itself.
Examples:
Physical forms (servers, databases)
Virtual forms (software tasks, program threads)
Access Rules and Policies
Definition: An access rule is an instruction that allows or denies access by comparing the validated identity of the subject against an access control list.
Example: A typical firewall access control policy starts by denying all traffic and must have explicit rules to allow certain traffic (e.g., allowing traffic from an internal network to the outside).
Key components of an access rule include:
Comparison of attributes: Evaluates whether access should be granted.
Level of access defined: Determines how much access is allowed.
Time-based access specification: Access can be limited to certain times.
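An added example (not from the original notes) of the three rule components above: a default-deny access control list where each explicit rule compares subject and object attributes, states the level of access granted, and optionally limits access to a time window. The subjects, assets and times are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Rule:
    """One explicit allow rule: who, what, how much, and when."""
    subject: str            # validated identity or group the rule applies to
    obj: str                # asset being requested
    ops: frozenset          # level of access granted, e.g. {"read"} or {"read", "write"}
    start: str = "00:00"    # time-based restriction: window start (HH:MM)
    end: str = "23:59"      # window end (HH:MM)

# Constructed access control list for the example: explicit allows only,
# everything else falls through to the default deny (like the firewall policy above).
ACL = (
    Rule("billing", "financial_records", frozenset({"read"})),
    Rule("hr", "personnel_data", frozenset({"read", "write"}), "08:00", "18:00"),
    Rule("internal_net", "internet", frozenset({"connect"})),
)

def evaluate(subject, obj, op, now, acl=ACL):
    """Default deny: grant only when an explicit rule matches identity, asset, operation and time."""
    t = time.fromisoformat(now)
    for rule in acl:
        if (rule.subject, rule.obj) != (subject, obj):
            continue                                  # attribute comparison failed
        if op not in rule.ops:
            continue                                  # requested level of access not granted
        if not (time.fromisoformat(rule.start) <= t <= time.fromisoformat(rule.end)):
            continue                                  # outside the permitted time window
        return True
    return False                                      # no rule matched: denied

if __name__ == "__main__":
    print(evaluate("billing", "financial_records", "write", "10:00"))  # denied: read-only rule
```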
Defense in Depth
Definition: A security strategy that employs multiple layers of security controls (people, technology, processes) to minimize risks from cyberattacks.
Rationale: While defense in depth does not guarantee an attack can be thwarted, it significantly increases security by creating hurdles that attackers must overcome.
Technical Measures: Examples include multi-factor authentication (MFA) with different layers of verification (something you know + something you have).
For instance, requiring a password and a code sent to a user's mobile device.
Non-Technical Measures: Physical security measures for secure data centers, including locks and administrative policies.
Implementation Strategies
Securing sensitive information may require multiple firewalls based on the information’s sensitivity level.
Example of least privilege principle: Users get access strictly necessary for their roles (e.g., billing personnel can view financial records but not alter them).
Access Control Methods
Types of Access Controls
Physical Access Controls
Tangible systems that physically restrict unwanted entry to areas or assets.
Examples:
Security personnel, surveillance cameras, motion detectors, locked doors.
Logical Access Controls
Electronic mechanisms that control access to systems based on identity verification processes.
Examples:
Password systems, biometric authentication, token systems.
Role-Based Access Control (RBAC)
Definition: Access permissions are assigned based on the role assigned to a user within the organization.
Features:
Users receive permissions aligned with their job functions (e.g., HR staff access to personnel data).
Effective in environments with high staff turnover, as access can be easily managed through role assignments.
Privilege creep is a challenge: when permissions are not removed after a role change, users accumulate access beyond their current role, so role assignments need ongoing review.
Privileged Access Management (PAM)
Definition: A specific type of access control focusing on managing accounts that have elevated privileges above that of normal users.
Importance: Reduces risk by ensuring access rights are only active when necessary (just-in-time access).
Examples of Privileged Users:
System administrators, IT support staff, and security analysts.
Monitoring requirements for privileged accounts are more stringent, requiring detailed logging and auditing.
Additional Control Measures for Privileged Accounts
Implement additional security features:
Stricter background checks and audits for individuals with privileged access.
More robust authentication processes for accessing sensitive accounts.
Just-in-time access to limit when elevated privileges can be used.
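An added example (not part of the original notes) covering both the RBAC section and the privileged-access controls above: a small role directory where a sloppy role change leaves the old role in place, an audit that reports the resulting privilege creep, and a just-in-time grant that expires and is logged. The roles, permissions and users are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed role catalogue for the example (not the page's own data).
ROLE_PERMISSIONS = {
    "billing": {"financial_records:read"},
    "hr": {"personnel_data:read", "personnel_data:write"},
    "sysadmin": {"servers:admin", "logs:read"},
}

def at(iso):
    """Helper so callers can pass ISO timestamps as strings."""
    return datetime.fromisoformat(iso)

class Directory:
    """Minimal RBAC store with just-in-time (JIT) privileged grants and a creep audit."""
    def __init__(self):
        self.job = {}        # user -> current job function (what the role should be)
        self.roles = {}      # user -> roles actually assigned in the system
        self.jit = {}        # user -> list of (privileged role, expiry datetime)
        self.audit_log = []  # stringent logging required for privileged access

    def onboard(self, user, role):
        self.job[user] = role
        self.roles[user] = {role}

    def change_job(self, user, new_role):
        """Records the new job function but, as often happens, leaves old roles in place."""
        self.job[user] = new_role
        self.roles[user].add(new_role)

    def revoke_role(self, user, role):
        self.roles[user].discard(role)

    def grant_jit(self, user, role, now, minutes=30):
        """Elevate for a bounded window; the grant itself is an auditable event."""
        self.jit.setdefault(user, []).append((role, now + timedelta(minutes=minutes)))
        self.audit_log.append(f"{now.isoformat()} JIT {role} -> {user} ({minutes}m)")

    def _active_jit(self, user, now):
        return {r for r, exp in self.jit.get(user, ()) if now < exp}

    def effective_permissions(self, user, now):
        perms = set()
        for role in self.roles.get(user, set()) | self._active_jit(user, now):
            perms |= ROLE_PERMISSIONS[role]
        return perms

    def privilege_creep(self, user, now):
        """Permissions held beyond the current job function and any active JIT grant."""
        justified = set(ROLE_PERMISSIONS[self.job[user]])
        for role in self._active_jit(user, now):
            justified |= ROLE_PERMISSIONS[role]
        return self.effective_permissions(user, now) - justified
```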
Security Monitoring Tools
Log Management
Definition: The process of recording security-related events and maintaining logs for compliance and forensic investigations.
Importance: Logs must be protected from tampering so that they remain trustworthy for legal and organizational requirements.
Schema for logs may include timestamps, user actions, and security alerts.
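An added example (not from the original notes) of protecting log records from manipulation: each record's hash covers the previous record's hash, so editing or deleting an entry breaks the chain at that point. The record schema and sample entries are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64   # anchor for the first record (constructed value)

def _digest(prev_hash, record):
    payload = json.dumps(record, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

def append(chain, record):
    """Append a log record whose hash covers the previous record's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"record": record, "hash": _digest(prev, record)}
    chain.append(entry)
    return entry

def verify(chain):
    """Return the index of the first tampered or missing entry, or -1 if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["hash"] != _digest(prev, entry["record"]):
            return i
        prev = entry["hash"]
    return -1

def build_sample():
    """Constructed sample records: timestamp, user action, object, outcome."""
    chain = []
    for rec in (
        {"ts": "2024-05-01T09:00:00", "user": "alice", "action": "READ", "obj": "/finance/ledger.csv"},
        {"ts": "2024-05-01T09:05:00", "user": "alice", "action": "WRITE", "obj": "/finance/ledger.csv", "outcome": "DENIED"},
        {"ts": "2024-05-01T09:06:00", "user": "bob", "action": "READ", "obj": "/hr/personnel.db"},
    ):
        append(chain, rec)
    return chain
```

Chaining only detects tampering if the latest hash is anchored somewhere the log writer cannot alter, such as a remote collector or write-once storage.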
Alarm Systems
Components include:
Intrusion alarms for unauthorized access attempts.
Fire alarms that activate upon detecting heat or smoke.
Panic buttons that signal for emergency personnel.
Monitoring for Anomalies
Logs must be reviewed systematically to identify unusual activity (e.g., gaps in logs, unexpected file access).
Develop procedures for retention of logs that consider legal and business needs, ensuring compliance with regulations (e.g., PCI DSS mandates).
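An added example (not from the original notes) of a systematic log review: it runs over constructed sample log lines and flags the anomalies mentioned above, namely gaps in the log, denied attempts, access outside a user's expected scope, and off-hours activity. The log format, expected-path mapping and thresholds are assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed sample log lines. Fields: timestamp, user, action, object, outcome.
SAMPLE_LOG = """\
2024-05-01T09:00:00 alice READ /finance/ledger.csv OK
2024-05-01T09:05:00 alice WRITE /finance/ledger.csv DENIED
2024-05-01T09:06:00 bob READ /hr/personnel.db OK
2024-05-01T13:40:00 bob READ /hr/personnel.db OK
2024-05-01T23:15:00 alice READ /hr/personnel.db OK
""".splitlines()

# Assumed policy: which paths each user is expected to touch, and normal working hours.
EXPECTED_PATHS = {"alice": ("/finance/",), "bob": ("/hr/",)}
BUSINESS_HOURS = range(8, 19)   # 08:00 to 18:59
MAX_GAP = timedelta(hours=2)    # silence longer than this may mean logging stopped or was tampered with

def parse(line):
    ts, user, action, obj, outcome = line.split()
    return datetime.fromisoformat(ts), user, action, obj, outcome

def review(lines):
    """Return a list of findings; an empty list means nothing unusual was seen."""
    findings = []
    prev = None
    for ts, user, action, obj, outcome in map(parse, lines):
        if prev is not None and ts - prev > MAX_GAP:
            findings.append(f"GAP: no events between {prev.isoformat()} and {ts.isoformat()}")
        prev = ts
        if outcome == "DENIED":
            findings.append(f"DENIED: {user} attempted {action} on {obj} at {ts.isoformat()}")
        if not obj.startswith(EXPECTED_PATHS.get(user, ())):   # unknown users are flagged too
            findings.append(f"UNEXPECTED: {user} accessed {obj} outside expected scope")
        if ts.hour not in BUSINESS_HOURS:
            findings.append(f"OFF-HOURS: {user} {action} {obj} at {ts.isoformat()}")
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```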
Ethical and Practical Implications of Access Control
Organizations face legal responsibilities around data protection and user privacy. Non-compliance can result in severe penalties.
Implementing these access control measures requires balance: sufficient security versus usability for legitimate users.
Each organization must tailor its access control strategy to its specific asset sensitivities and operational needs in order to minimize risk effectively.
Conclusion
Access control is foundational to cybersecurity, requiring a layered approach that integrates administrative, physical, and logical controls to ensure data integrity and security. Efficient management of access roles, permissions, monitoring, and response capabilities plays a crucial role in protecting organizational assets and sensitive information.