Access Control Presentation

Uploaded by

arezoqasimi917

Access Control

Content

• Access & Control
• Access control
• Access control in cybersecurity
• Access control Objectives
• Access control Types
Access & Control
• Access
What it means: being able to use or enter something such as information, systems, or physical spaces.
Example: if you have access to a room, you can go inside.
• Control
What it means: the power or authority to manage, regulate, or guide the use of something, or to decide what happens.
Example: having control over a game means you decide what happens next.
Access control
• Access control refers to the methods and policies used to restrict access to resources, ensuring that only authorized users can access specific data or systems.
• Protecting resources using authentication and authorization requires the application of security controls. Security controls used for accessing resources are known generically as access management controls or access controls.
1. Definition
A security technique that regulates who can view or use resources in a
computing environment.
2. Purpose
To protect sensitive information from unauthorized access.
To ensure that users have the necessary permissions to perform their tasks.
Access control in Information Security VS Cyber
Security
Summary
Cybersecurity:
Focuses on protecting digital assets and addressing cyber threats.
Information Security:
Broader in scope, protecting all types of information, both digital and
physical.
How are they implemented?
There are three types:
• Administrative
1. Access control policies, procedures
2. Password policies
3. User account management
4. BRAC
5. Awareness & training
6. Auditing and monitoring
7. IRP
8. BCP
9. Data classification
• Technical/logical
1. Authentication mechanism (MFA, 2FA)
2. ACLs (Access control lists)
3. Encryption
4. Firewalls
5. VPNs
6. IDS/IPS
7. SIEM
8. Antivirus
• Physical Access Control
1. Physical barriers
2. Fences/gates
3. Access cards
4. Biometric systems (fingerprint)
5. Security cameras
6. Security guards
7. Alarm systems
8. Physical access logs
Access Control Types
• Access controls are mechanisms that regulate who or what can view or use resources in a computing environment. They are essential for protecting data, systems, and networks. There are several types of access controls, and they can be categorized into five main types:
1. DAC(Discretionary Access Control)
2. MAC(Mandatory Access Control)
3. RBAC(Role-Based Access Control)
4. ABAC(Attribute-Based Access Control)
5. RUBAC(Rule-Based Access Control)
Discretionary Access Control (DAC)
• How it works:
In DAC, the owner or administrator of the resource determines who can access it. This means the owner has complete control over permissions and can grant or revoke access to anyone, often based on user identities or groups.
• Example:
A file owner may decide which users can read or modify the file. In operating systems like Windows, the file owner can modify the access control list (ACL) to define permissions.
Mandatory Access Control (MAC)
• How it works:
In MAC, access is granted or restricted based on rules established by a central authority, often the system itself. Users cannot alter these controls. Each resource is given a classification label (e.g., "Confidential," "Top Secret") and users are assigned clearances. A user can only access a resource if their clearance level matches the classification.
• Example:
Used in government and military systems, where users with a certain security clearance can access classified information, but lower-level employees cannot.
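To make the contrast concrete, here is a small reference monitor written for this page (example code, not from the slides): a DAC file whose ACL only its owner may change, and a MAC check against fixed labels. The clearance names, ordering and user names are constructed; the MAC check generalises the slide's "matches" to the usual rule that the clearance must be at least as high as the classification.

```python
"""Constructed DAC vs MAC decision logic (not from the original slides)."""
from dataclasses import dataclass, field

# MAC label ordering, least to most sensitive (constructed for the example).
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass
class DacFile:
    """A resource under discretionary control: the owner edits the ACL."""
    owner: str
    acl: dict = field(default_factory=dict)  # user -> set of rights

    def grant(self, actor: str, user: str, right: str) -> bool:
        """Only the owner may add an ACL entry; anyone else is refused."""
        if actor != self.owner:
            return False
        self.acl.setdefault(user, set()).add(right)
        return True

    def revoke(self, actor: str, user: str, right: str) -> bool:
        """Only the owner may remove an ACL entry."""
        if actor != self.owner:
            return False
        self.acl.get(user, set()).discard(right)
        return True

    def allowed(self, user: str, right: str) -> bool:
        """The owner always has access; others need an explicit ACL entry."""
        return user == self.owner or right in self.acl.get(user, set())


def mac_allowed(clearance: str, classification: str) -> bool:
    """MAC read check: the central label policy decides and users cannot
    relabel. Access requires the subject's clearance to be at least the
    object's classification (no read-up). Unknown labels are denied."""
    if clearance not in LEVELS or classification not in LEVELS:
        return False
    return LEVELS[clearance] >= LEVELS[classification]
```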
Role-Based Access Control (RBAC)
• How it works:
RBAC assigns permissions based on a user’s role in an organization. Instead of assigning permissions to individuals, users are grouped into roles, and permissions are assigned to roles. If a user changes jobs, their role and the associated permissions are updated accordingly.
• Example:
In an organization, a "Manager" role might have permissions to view financial reports, while a "Sales" role can access customer data but not financial reports.
Attribute-Based Access Control (ABAC)
• How it works:
ABAC uses attributes (such as user characteristics, environment conditions, resource attributes) to grant or deny access. A complex logic evaluates these attributes, allowing highly dynamic and granular access control decisions.
• Example:
A user can only access a resource if they are in a specific location, using a particular device, and it’s during business hours.
Rule-Based Access Control (RUBAC)
• RUBAC is an access control model that defines permissions based on a set of rules predetermined by the system administrator or the organization.
• Access is granted or denied based on these predefined rules, which are applied to users, resources, and operations.
– Decisions are made based on predefined rules and policies (e.g., firewall rules).
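The firewall-rule flavour of RUBAC as an ordered, first-match rule list, added as an example and not part of the slides. The rules, subnets and ports are constructed; the point shown is that rule order decides the outcome and that a request matching no rule is denied.

```python
"""Constructed RUBAC example: first-match rule evaluation with default deny."""
import ipaddress

# Rules fixed by the administrator; subjects cannot edit them.
# Order matters: the first matching rule wins.
RULES = [
    {"action": "deny",  "src": "10.0.5.0/24", "port": 22},   # one subnet barred from SSH
    {"action": "allow", "src": "10.0.0.0/8",  "port": 22},   # rest of the corporate net may SSH
    {"action": "allow", "src": "0.0.0.0/0",   "port": 443},  # HTTPS from anywhere
]


def evaluate(src_ip: str, port: int) -> str:
    """Return 'allow' or 'deny' for a connection attempt from src_ip to port."""
    try:
        ip = ipaddress.ip_address(src_ip)
    except ValueError:
        return "deny"  # malformed input never matches an allow rule
    for rule in RULES:
        if rule["port"] == port and ip in ipaddress.ip_network(rule["src"]):
            return rule["action"]
    return "deny"  # no rule applied: default deny
```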
Discretionary Access Control (DAC):
1. File sharing among colleagues.
2. Email attachment access control.
3. Personal folder sharing.
4. Shared network drive access.
5. Social media post privacy settings.
6. File Transfer Protocol (FTP) access permissions.
7. Document sharing in collaborative projects.
Mandatory Access Control (MAC):
1. Database access by clearance level.
2. Access to critical infrastructure systems.
3. Access to sensitive security logs.
4. Vulnerability management system access.
5. Access to penetration testing results.
Role-Based Access Control (RBAC):
1. HR department access to employee records.
2. IT administrator access to system settings.
3. Finance department access to accounting software.
4. Call center application for customer service roles.
Attribute-Based Access Control (ABAC):
1. Location-based access to company systems.
2. Device-based access to corporate networks.
3. Clearance level and time-based data access.
4. User group and resource sensitivity-based access.
5. Project team-based document access.
Rule-Based Access Control (RUBAC):
1. Time-restricted access to systems.
2. IP address whitelisting.
3. Multifactor authentication for unrecognized devices.
4. Department-based restrictions.
5. Device-specific data access.
6. Encryption rule for file downloads.
7. Approval required for high-risk actions.
Thank you