Access control concepts (VOCABULARY)

Separation of Duties

  • Definition: divide up key processes into multiple parts assigned to different people.
  • Purpose: implement checks and balances to reduce the risk of fraud or error by preventing a single individual from completing critical steps alone.
  • Practical takeaway: separation of duties complements need-to-know and least privilege by ensuring no single user controls all aspects of a sensitive process.
  • Hypothetical scenario: In a purchase workflow, one person creates a purchase request, another approves it, and a third finalizes the payment. This distributes responsibility across roles to reduce misuse.

Need-to-Know vs Least Privilege

  • Core idea: both seek to limit exposure and risk, but focus on different aspects of access.
  • Need-to-know definition: restrict users' access to knowledge/data to only what is required to perform their role.
  • Least privilege definition: restrict users' actions to only those needed to perform their role, regardless of what data they could access.
  • Subtle difference:
    • Need-to-know = restrict data exposure (what you can access).
    • Least privilege = restrict actions you can perform (what you can do).
  • Practical significance: helps minimize data leakage and misuse by aligning access with job requirements.
  • Relationship to other controls: complements separation of duties and authentication/authorization practices.

Access Administration Approaches

  • Three main approaches to administering access to systems: centralized, decentralized, and hybrid.
  • Centralized approach:
    • Definition: access to multiple separate applications is managed through one centralized system.
  • Decentralized approach:
    • Definition: access to multiple applications is managed individually within each application.
  • Hybrid approach:
    • Definition: a combination of centralized and decentralized controls.
  • Notation: let A = {centralized, decentralized, hybrid} represent the set of approaches.

Access Control Services (IAAA)

  • There are four major services that all access control systems must provide: Identification, Authentication, Authorization, and Accountability.
  • Identification:
    • Definition: the user must assert their identity to the system.
    • Example from transcript: "my username is r witcher."
  • Authentication:
    • Definition: the system verifies the user's identity by one of the three factors of authentication: knowledge, ownership, or characteristic.
    • Authentication by knowledge (something you know): the user verifies identity by providing information they have memorized.
  • Note on factors (from transcript): the three factors are knowledge, ownership, and characteristic. Authentication by knowledge is explicitly defined as that which is memorized information.
  • Authorization and Accountability (briefly):
    • Authorization determines what an identified user is allowed to do.
    • Accountability ensures actions are traceable to an individual (auditing, logging, non-repudiation).

Identification

  • User assertion step in the access process.
  • Key example: username as the identifier (e.g., username = r witcher).
  • Significance: identifies which entity is attempting to access a system so that subsequent checks can be applied.

Authentication

  • Core concept: verification of identity after identification.
  • Factors involved:
    • Knowledge: something the user knows (e.g., password, PIN).
    • Ownership: something the user has (e.g., token, smart card).
    • Characteristic: something the user is (e.g., biometric like fingerprint).
  • Transcript highlight: Authentication by knowledge is also referred to as "something you know" and involves providing memorized information.
  • Practical note: use of multiple factors (multi-factor authentication) increases security by combining factors from different categories.
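The following is an added example, not part of the original notes, that runs the four IAAA services in the order the notes list them: the user asserts a username (identification), the system checks a memorized password as the knowledge factor (authentication), looks up what the user may do on a resource (authorization), and records every decision in an audit log (accountability). The user store, the "rwitcher" username, the password, the resources and the log format are constructed for illustration; the password is stored as a salted PBKDF2 hash rather than in clear.

```python
"""Identification, authentication, authorization and accountability in one flow.

Added example (not from the lecture notes). The user store, password, resources and
log format are constructed for illustration.
"""
import hashlib
import hmac
import os
import time


def hash_password(password, salt=None, iterations=100_000):
    """Store a salted PBKDF2-HMAC-SHA256 hash, never the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(record, candidate):
    """Recompute the hash for the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


# Constructed user store: username -> credential record and permitted actions per resource.
USERS = {
    "rwitcher": {
        "credential": hash_password("correct horse battery staple"),
        "permissions": {"payroll": {"read"}, "wiki": {"read", "write"}},
    },
}

# Accountability: every decision is recorded with who, what, when and the outcome.
AUDIT_LOG = []


def audit(username, event, outcome, detail=""):
    entry = {"ts": time.time(), "user": username, "event": event, "outcome": outcome, "detail": detail}
    AUDIT_LOG.append(entry)
    return entry


def access(username, password, resource, action):
    """Run the four IAAA steps; return "granted" or the step at which access stopped.

    The return value distinguishes the failing step for the log. A login screen
    should show the same generic message for an unknown user and a wrong password
    so the response does not confirm which usernames exist.
    """
    # 1. Identification: the asserted identity must be one the system knows.
    user = USERS.get(username)
    if user is None:
        audit(username, "login", "denied", "unknown identity")
        return "identification failed"
    # 2. Authentication by knowledge: verify the memorized secret.
    if not verify_password(user["credential"], password):
        audit(username, "login", "denied", "bad password")
        return "authentication failed"
    audit(username, "login", "success")
    # 3. Authorization: is this action on this resource permitted for this user?
    if action not in user["permissions"].get(resource, set()):
        audit(username, f"{action}:{resource}", "denied", "not authorized")
        return "authorization failed"
    # 4. Accountability: successful access is logged as well as denials.
    audit(username, f"{action}:{resource}", "granted")
    return "granted"
```

Adding a second factor from a different category (a token or a biometric) would be a further check between steps 2 and 3; it belongs there, not in the authorization step, because it verifies who the user is rather than what they may do.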

Implications and Connections

  • Security vs usability: stronger separation of duties and stricter need-to-know/least-privilege policies improve security but can impact efficiency and workflow.
  • Auditability: accountability is essential for post-incident analysis and compliance.
  • Real-world relevance: centralized vs decentralized vs hybrid models reflect organizational structure, scale, and risk tolerance; choosing the right model affects speed of onboarding, consistency of access controls, and incident response.
  • Ethical considerations: ensuring fair access policies while preventing data misuse and protecting user privacy.
  • Foundational principles: these concepts tie into defense-in-depth, risk management, and governance frameworks that organizations use to design secure systems.

Quick Reference Terms

  • Separation of duties
  • Need-to-know
  • Least privilege
  • Centralized access management
  • Decentralized access management
  • Hybrid access management
  • Identification
  • Authentication
  • Authorization
  • Accountability
  • Factors of authentication: F = {knowledge, ownership, characteristic}
  • Example identifier: username = r witcher
  • Role of authentication factor: knowledge = something you know (memorized information)