
Chapter 1-2: Access Controls and Identity Verification

Access controls: overview

  • Access controls are the collection of mechanisms that work together to protect the assets of an organization.

  • They can be physical controls (e.g., bots) and logical controls (e.g., logging mechanisms to access an operating system).

  • Access controls enable management to specify which users can access what resources, what operations they can perform, and to provide individual accountability.

  • Fundamentally, every access control system is about controlling a subject's access to an object through some form of mediation.

  • This mediation is based on a set of rules, and all this is logged and monitored.

  • This is known as the reference monitor concept. The implementation of the Reference Monitor Concept (RMC) is known as a security kernel. Thus, every access control system is a security kernel.

Three major principles applied in access control (mind map)

  • Separation of duties: divide up key processes into multiple parts assigned to different people.

  • Need to know and least privilege are very similar, but have subtle differences:

    • Need to know: focused on restricting users' access to knowledge/data to only what is required for them to perform their role.

    • Least privilege: focused on restricting the users' actions to only those required to perform their role.

    • Subtle difference: need to know restricts access to data, while least privilege restricts actions.
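The reference monitor concept above (a subject's access to an object is mediated against rules and every decision is logged) and the need-to-know vs least-privilege distinction can be made concrete in code. The following is an added example written for these notes, not code from the course or transcript; the roles, subjects, objects and rules are constructed for illustration. It also adds a separation-of-duties check, so all three principles from this section are enforced by one mediating component.

```python
"""Minimal reference monitor: mediates every (subject, operation, object) request
against a rule set and records every decision in an audit log.
Added example for these notes; all roles, subjects, objects and rules are constructed."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass
class Policy:
    # Need to know: which objects (data) each role may see at all.
    need_to_know: Dict[str, FrozenSet[str]]
    # Least privilege: which operations each role may perform on objects it can see.
    least_privilege: Dict[str, FrozenSet[str]]
    # Separation of duties: operation pairs one subject may not both perform on one object.
    separation_of_duties: FrozenSet[Tuple[str, str]] = frozenset()


@dataclass
class ReferenceMonitor:
    policy: Policy
    roles: Dict[str, str]                      # subject -> role (constructed mapping)
    audit_log: List[str] = field(default_factory=list)
    history: Dict[Tuple[str, str], Set[str]] = field(default_factory=dict)

    def check(self, subject: str, operation: str, obj: str) -> bool:
        """Every access passes through here: decide, log, and only then grant."""
        allowed, reason = self._decide(subject, operation, obj)
        verdict = "ALLOW" if allowed else "DENY"
        self.audit_log.append(
            f"{verdict} subject={subject} op={operation} object={obj} reason={reason}"
        )
        if allowed:
            # Remember granted operations so separation of duties can be enforced later.
            self.history.setdefault((subject, obj), set()).add(operation)
        return allowed

    def _decide(self, subject: str, operation: str, obj: str) -> Tuple[bool, str]:
        role = self.roles.get(subject)
        if role is None:
            return False, "unknown subject"
        if obj not in self.policy.need_to_know.get(role, frozenset()):
            return False, "need-to-know: object not visible to this role"
        if operation not in self.policy.least_privilege.get(role, frozenset()):
            return False, "least-privilege: operation not granted to this role"
        done = self.history.get((subject, obj), set())
        for first, second in self.policy.separation_of_duties:
            if (operation == second and first in done) or (operation == first and second in done):
                return False, f"separation-of-duties: {first} and {second} need different people"
        return True, "policy match"


def build_monitor() -> ReferenceMonitor:
    """Constructed sample policy: clerks and approvers see payments; the auditor sees only the log."""
    policy = Policy(
        need_to_know={
            "clerk": frozenset({"payment:1001", "payment:1002"}),
            "approver": frozenset({"payment:1001", "payment:1002"}),
            "auditor": frozenset({"audit-log"}),
        },
        least_privilege={
            "clerk": frozenset({"read", "create"}),
            "approver": frozenset({"read", "create", "approve"}),
            "auditor": frozenset({"read"}),
        },
        separation_of_duties=frozenset({("create", "approve")}),
    )
    roles = {"alice": "clerk", "bob": "approver", "carol": "auditor"}
    return ReferenceMonitor(policy=policy, roles=roles)


if __name__ == "__main__":
    m = build_monitor()
    m.check("alice", "create", "payment:1001")   # ALLOW: clerk may create
    m.check("alice", "approve", "payment:1001")  # DENY: least privilege (sees it, cannot approve)
    m.check("bob", "approve", "payment:1001")    # ALLOW: a different person approves
    m.check("bob", "create", "payment:1002")     # ALLOW
    m.check("bob", "approve", "payment:1002")    # DENY: separation of duties
    m.check("carol", "read", "payment:1001")     # DENY: need to know (auditor cannot see payments)
    print("\n".join(m.audit_log))
```

Note how the two denials for alice and carol differ: alice is allowed to see the payment but not to act on it (least privilege), while carol may not see the object at all (need to know). Every decision, allowed or denied, lands in the audit log, which is the accountability half of the reference monitor concept.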

Administration approaches to adding, modifying, and removing users

  • Three main approaches: centralized, decentralized, and hybrid.

  • Centralized approach: access to multiple separate applications is managed through one centralized system, covering authentication, authorization, and accountability.

  • Decentralized approach: (not described in the transcript, but implied as an alternative) separate control points for each application.

  • Hybrid approach: a combination of centralized and decentralized elements.

Identification, authentication, and access control foundations

  • Identification: the user must assert their identity to the system.

    • Example: a user states their username (e.g., my username is r Witcher).

  • Authentication: the system verifies the user's identity by one of the three factors of authentication.

    • The three factors are:

      • Knowledge: something you know (e.g., passwords, PINs).

      • Ownership: something you have (e.g., security token, smart card).

      • Characteristics: something you are (e.g., biometrics).

    • Authentication by knowledge is the factor in which the user proves the asserted identity by providing information they have memorized.

Example mentioned in the transcript

  • Identification example: "my username is r Witcher" (identification step).

  • Authentication example: authentication by knowledge, where the user verifies their identity by providing memorized information.
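The two steps above, identification (the user asserts a username) and authentication by knowledge (the user proves it with a memorized secret), are shown below as an added example written for these notes; it is not code from the course or transcript. The user store, usernames and passphrases are constructed, and the PBKDF2 iteration count is an assumed work factor. The check deliberately behaves the same for an unknown username as for a wrong secret, so the verification step does not reveal which identities exist.

```python
"""Identification followed by authentication by knowledge.
Added example for these notes; the user store and credentials are constructed."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

ITERATIONS = 100_000  # PBKDF2 work factor; an assumption for this example
# A stored credential is (salt, derived key); plaintext secrets are never kept.
UserStore = Dict[str, Tuple[bytes, bytes]]


def _derive(secret: str, salt: bytes) -> bytes:
    """Slow, salted derivation of the memorized secret."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)


def enroll(store: UserStore, username: str, secret: str) -> None:
    """Register a user: fresh random salt per user, derived key instead of the secret."""
    salt = os.urandom(16)
    store[username] = (salt, _derive(secret, salt))


def authenticate(store: UserStore, asserted_identity: str, secret: str,
                 audit_log: Optional[List[str]] = None) -> bool:
    """Step 1 (identification): the caller asserts who they are.
    Step 2 (authentication by knowledge): the memorized secret is verified.
    Every attempt is logged for accountability; the verdict never says *why* it failed."""
    record = store.get(asserted_identity)
    # For an unknown identity, verify against a dummy record so the work done
    # (and therefore the timing) matches a real user with a wrong secret.
    salt, expected = record if record is not None else (b"\x00" * 16, b"\x00" * 32)
    candidate = _derive(secret, salt)
    matched = hmac.compare_digest(candidate, expected)  # constant-time comparison
    ok = matched and record is not None
    if audit_log is not None:
        audit_log.append(f"{'SUCCESS' if ok else 'FAILURE'} identity={asserted_identity}")
    return ok


def build_store() -> UserStore:
    """Constructed sample users for the demonstration."""
    store: UserStore = {}
    enroll(store, "alice", "correct horse battery staple")
    enroll(store, "bob", "tr0ub4dor&3")
    return store


if __name__ == "__main__":
    users = build_store()
    log: List[str] = []
    authenticate(users, "alice", "correct horse battery staple", log)  # SUCCESS
    authenticate(users, "alice", "wrong secret", log)                  # FAILURE
    authenticate(users, "nobody", "anything", log)                     # FAILURE
    print("\n".join(log))
```

The separation matters for accountability: the identity is asserted first and only then verified, so a success log entry can be tied to a specific, verified subject, while a failure entry records the asserted identity without confirming whether it exists.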

Key takeaways and implications

  • The security kernel concept ties the enforcement of access control to a centralized or systemic mediating component.

  • Properly distinguishing need to know vs least privilege helps in designing access control policies that both protect data and constrain user actions appropriately.

  • Choosing between centralized, decentralized, and hybrid administration approaches affects scalability, consistency, and accountability across applications.

  • Understanding the three-factor model of authentication (knowledge, ownership, characteristics) informs the selection of credentials and verification mechanisms.

  • The integration of identification, authentication, authorization, and accountability forms a complete access control lifecycle that supports traceability and governance.