Module-4.-Access-Control

Uploaded by

kayebright120

INTRODUCTION TO INFORMATION SECURITY

Module 4 – Access Control

Learning Objectives

After completing this module, you are expected to:


▪ know what access control is all about
▪ know the different types of access control
▪ learn how access control works
▪ understand the importance of having access control

Study Questions:
• Who should access an organization’s data and resources?
• Those who attempt access to the organization’s data – have they actually been granted
that access?
• If a user has access privileges, can he/she still be denied access?
• How does an organization ensure that its assets and data are safe from unauthorized
access?

4.1 What is Access Control?

The National Institute of Standards and Technology (NIST), U.S. Department of Commerce,
offers several definitions of “access control” across its published guidance documents,¹
as follows:
The process of granting or denying specific requests to: 1) obtain and use information
and related information processing services; and 2) enter specific physical facilities (e.g.,
federal buildings, military establishments, border crossing entrances). - NIST SP 800-12
Rev. 1 under Access Control FIPS 201-2

The process of permitting or restricting access to applications at a granular level, such
as per-user, per-group, and per-resources. - NIST SP 800-113 under Access Control

¹ Source: https://csrc.nist.gov/glossary/term/access_control

Procedures and controls that limit or detect access to critical information resources. This
can be accomplished through software, biometrics devices, or physical access to a
controlled space. - NIST SP 800-192 under Access Control, NISTIR 7316 under Access
Control

To ensure that an entity can only access protected resources if they have the
appropriate permissions based on the predefined access control policies. - NISTIR
7497 under Access Control

As used in this Recommendation, the set of procedures and/or processes that only allow
access to information in accordance with pre-established policies and rules. - NIST SP
800-57 Part 2 Rev.1 under Access control

ISACA also provides its own definition: access control refers to the processes, rules and
deployment mechanisms that control access to information systems, resources and physical
access to premises.²

ISO 27001’s Annex A.9 provides for limiting access to information and information processing
facilities. It has four sections –
• addressing the business requirements of access controls
• user access management
• user responsibilities and
• system and application access controls

Access control is a way for organizations to ensure that only the individuals (or groups) who are
granted access rights can access its sensitive data, applications, technologies, assets,
resources, and critical infrastructure.

Access control consists of two key components:³

• authentication - a technique used to verify that someone is who they claim to be; it
involves verifying someone’s identifying information (for example, a username and
password) against the information appearing on file.
• authorization - refers to granting someone the ability to access, use, or modify some
type of asset or resource.

² Source: https://www.isaca.org/resources/glossary
³ Source: Daniel Crowley, head of research for IBM’s X-Force Red, which focuses on data security

4.2 Types of Access Control

Access control can be divided into two main categories:


• Physical access control - limits access to physical locations, buildings, structures,
rooms, and other physical assets. Examples:
    • key to unlock a filing cabinet
    • proximity card to enter an office
    • physical access card to open a door
    • security guards with access lists
    • biometric readers (such as for facial, retinal, and fingerprint scans) to
      access a secure room
• Logical access control - limits access to computers, networks, files and other sensitive
data. Examples:
    • login credentials (such as usernames and passwords)
    • PINs and one-time passwords (OTPs)
    • virtual private network (VPN) access to internal networks
    • digital authentication certificates and digital keys

4.3 Access Control Models

The purpose of access control is to restrict access. This is why access control models follow
the principle of least privilege and the default deny principle.

Principle of least privilege (POLP) - requires each subject in a system be granted the most
restrictive set of privileges (or lowest clearance) needed for the performance of authorized
tasks.⁴

Default deny principle – requires that access be denied unless it is specifically allowed; the
inverse of default allow.⁵

⁴ US Department of Defense, Department of Defense Trusted Computer System Evaluation Criteria, USA, 1985
⁵ https://www.isaca.org/resources/glossary

Access control models can be categorized into 4 types:

1. Attribute-based access control (ABAC)
2. Discretionary access control (DAC)
3. Mandatory access control (MAC)
4. Role-based access control (RBAC)

Attribute-based access control (ABAC) - Access is based on a set of attributes and
environmental conditions, such as age and location, assigned to both users and resources. The
user has to prove claims about their attributes to the access control engine. An
attribute-based access control policy specifies which claims need to be satisfied to grant
access to the resource. In ABAC, it is not always necessary to authenticate or identify the
user; they just need to have the attribute.
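
The ABAC description above, combined with the least privilege and default deny principles, can be shown as a small decision function. This is an added example, not part of the original module; the policy, attribute names (age, country, department, network) and resource types are constructed for illustration.

```python
# Added example: attribute-based decisions with default deny (not from the module).
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """Permit `action` on a resource type when every condition holds."""
    resource_type: str
    action: str
    conditions: tuple  # callables: (subject, resource, env) -> bool

# Hypothetical policy; attribute names and values are constructed.
POLICY = (
    Rule("age_restricted_content", "read", (
        lambda s, r, e: s.get("age", 0) >= r.get("min_age", 18),
        lambda s, r, e: e.get("country") in r.get("allowed_countries", ()),
    )),
    # Least privilege: HR may read payroll records; no rule grants write.
    Rule("payroll_record", "read", (
        lambda s, r, e: s.get("department") == "HR",
        lambda s, r, e: e.get("network") == "internal",
    )),
)

def decide(subject, resource, action, env, policy=POLICY):
    """Return (allowed, reason); anything not explicitly permitted is denied."""
    for rule in policy:
        if (rule.resource_type, rule.action) != (resource.get("type"), action):
            continue
        try:
            if all(cond(subject, resource, env) for cond in rule.conditions):
                return True, f"permit: {rule.resource_type}/{rule.action}"
        except TypeError:
            continue  # a malformed attribute fails closed, never open
    return False, "deny: no rule permits this request"

if __name__ == "__main__":
    film = {"type": "age_restricted_content", "min_age": 18,
            "allowed_countries": ("PH", "US")}
    # The subject carries claims only; no username is needed for the decision.
    for subject, env in [({"age": 21}, {"country": "PH"}),
                         ({"age": 16}, {"country": "PH"}),
                         ({"age": "21"}, {"country": "PH"}),   # malformed claim
                         ({}, {"country": "PH"})]:             # missing claim
        print(subject, decide(subject, film, "read", env))
```

Only the first request is permitted: a missing or malformed claim, an unlisted action, or an unknown resource type all fall through to the final deny.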

Discretionary access control (DAC) - In this type, the owner or administrator of the protected
system, data, or resource sets the policies for who is allowed access. The systems rely on
administrators to limit the propagation of access rights. DAC has a limitation: lack of centralized
control.

4.4 How Access Control Works

Access control identifies users by verifying various login credentials, which can include user
names and passwords, PINs, biometric scans, and security tokens.

Many access control systems also include multifactor authentication, a method that requires
multiple authentication methods to verify a user’s identity. The user may be required to know
something (for example, a password), or be something (for example, biometrics), or have
something (a two-factor authentication code from smartphone mobile apps).

Once a user is authenticated (identified and verified to be who they claim to be), access
control authorizes the appropriate access level and allowed actions associated with that
user’s username, IP address, or other audit system to help with digital forensics if required.
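
The sequence described in this section (authenticate with more than one factor, then authorize, then keep a record for later forensics) is sketched below. This is an added example, not part of the original module; the account, salt, shared secret, permissions and IP addresses are constructed, and the one-time code is computed as a standard RFC 6238 TOTP, which is an assumption about the kind of authenticator app in use.

```python
# Added example: authenticate with two factors, then authorize, then audit.
import hashlib, hmac, struct, time

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password per RFC 6238 (HMAC-SHA1)."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

# Constructed sample account: name, salt, secret and permissions are illustrative.
SALT = b"constructed-salt"
USERS = {"alice": {"pw_hash": hash_password("correct horse", SALT),
                   "totp_secret": b"12345678901234567890",
                   "permissions": {("report", "read")}}}
AUDIT_LOG = []

def request_access(user, password, code, resource, action, ip, now=None):
    """Return 'granted', 'denied' or 'auth_failed' and record the decision."""
    now = time.time() if now is None else now
    acct = USERS.get(user)
    authenticated = (
        acct is not None
        # Something the user knows: the password.
        and hmac.compare_digest(acct["pw_hash"], hash_password(password, SALT))
        # Something the user has: the current code from the authenticator app.
        and hmac.compare_digest(totp(acct["totp_secret"], now).encode(),
                                code.encode())
    )
    # Authorization is evaluated only after authentication, and defaults to deny.
    allowed = authenticated and (resource, action) in acct["permissions"]
    outcome = "granted" if allowed else "denied" if authenticated else "auth_failed"
    AUDIT_LOG.append({"time": now, "user": user, "ip": ip, "resource": resource,
                      "action": action, "outcome": outcome})
    return outcome

if __name__ == "__main__":
    code = totp(USERS["alice"]["totp_secret"], time.time())
    print(request_access("alice", "correct horse", code, "report", "read", "203.0.113.5"))
    print(request_access("alice", "correct horse", code, "report", "delete", "203.0.113.5"))
    print(AUDIT_LOG[-1])
```

A production verifier would also use a random per-user salt, rate-limit attempts and reject a code that has already been used.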

4.5 Why is Access Control Important?

Access control keeps confidential information, including customer data, personally identifiable
information, and intellectual property, from falling into the wrong hands.

Access control reduces the risk of unauthorized access to physical and computer systems,
forming a foundational part of information security, data security and network security.

Access control may be a regulatory compliance requirement. For example:

• HIPAA⁶ requires covered entities and their business associates to prevent the
unauthorized disclosure of protected health information; the requirement includes the
use of physical and electronic access control.
• PCI DSS⁷ requires organizations to restrict physical access to their buildings for onsite
personnel, visitors and media, as well as to have adequate logical access controls to
mitigate the risk of malicious individuals stealing sensitive data.

⁶ Health Insurance Portability and Accountability Act of the USA
⁷ Payment Card Industry Data Security Standard
