Module 01 Jan 2025

This document introduces the Access Control Framework, detailing its principal components, stages, and the importance of strong access controls in organizations. It explains the concepts of access, access control, and the roles of subjects and objects within access control systems. Additionally, it outlines the AAA security process and the steps involved in the access control process.

Module 1

Introduction to Access Control Framework


Chapter 1 : Topics
This chapter covers the following topics and concepts:

• What access control is

• What the principal components of access control are

• What the three stages of access control are

• What logical access controls are

• What the three authentication factors are


Chapter 1 Goals

When you complete this chapter, you will be able to:

a) Identify the principal components of access control

b) Define the three stages of access control

c) Choose the best combination of authentication factors for a given scenario

Access Control Framework - Introduction
Organizations rely upon ACCESS CONTROLS to grant and restrict user access to information, systems, and other resources.

Access control systems, when properly designed, implement business rules, often direct implementations of policy, in such a manner that individuals have access to the information and resources needed to perform their responsibilities but no more.

The consequences of weak or nonexistent access controls range from inconvenient to downright disastrous, depending on the nature of the resources being protected.

The only way that information can be both useful and safe is through strong access controls.
Fundamental concepts
What Is Access?
• Access refers to the ability of a subject to interact with an object. That interaction is the basis of everything
we do, both in the information technology (IT) field and in life in general.

• Access can be defined in terms of social rules, physical barriers, or informational restrictions.

For example, consider a busy executive (a head of department, HoD) with an administrative assistant who serves as a gatekeeper, deciding who will be allowed to interact personally with the executive and who must leave a message with the administrative assistant.

In this scenario, the visitor is the subject and the busy executive (HoD) is the object.

The administrative assistant serves as the access control system, restricting which individuals (subjects) may access the executive (object).
Scenario (example)

Consider another scenario that is a bit closer to home.

When you leave your house, you lock the doors.

The locked door physically restricts access by anyone without a key to the assets stored
inside your house - your TV, computer, and stereo system.

When you come home, you unlock the door and replace the physical restriction of the
locking mechanism with a human gatekeeper who decides whether or not to let someone
enter the house.
What Is Access Control?

Access control is the formalization of rules for allowing or denying access.

Access controls define the allowable interactions between subjects and objects.

Access control is based on the granting of rights, or privileges, to a subject with respect to an object.


Principal Components of Access Control

There are three principal components of any access control scenario:

• Policies — The rules that govern who gets access to which resources

• Subjects — The user, application, process, or network requesting access to a resource

• Objects — The resource to which the subject desires access (e.g., files, databases, printers)

Any time you have to decide whether to allow or deny access by a subject to a resource, you have entered
the access control problem domain.
Access Control Systems - elements
A well-defined access control system consists of three elements:

1. Policies—Clear statements of the business requirements regarding access to resources

2. Procedures—Non-technical methods used to enforce policies

3. Tools—Technical methods used to enforce policies

Organizations typically use procedures and tools together to enforce policies.


Access Control – Subject Types

The subject in an access control scenario is a person or another application requesting access to a resource such as
the network, a file system, or a printer.

There are three types of subjects when it comes to access control for a specific resource:

• Authorized—Those who have presented authenticated credentials and have been approved for access to the
resource

• Unauthorized—Those who have presented authenticated credentials but are not approved for access to the
resource

• Unknown—Those who have not presented correct authenticated credentials


Authorized – Unauthorized – Unknown

Every individual who initially approaches an access control system is unknown until he or she attempts to authenticate. For example, someone might be asked to provide a username and password.

1) If the user’s password is correct, the system knows with certainty who the user is and must now check whether the user is authorized to access the requested resource.

1a) Someone allowed to access the resource moves to the “authorized” state.

1b) Otherwise, the user is still known, but now moves to the “unauthorized” state.

2) If the user does not provide the correct password, the system still does not know who the user is, and he or she retains “unknown” status.


Users are not the only SUBJECTS in access control systems.
Technological Resources may also serve as SUBJECTS in access control systems.

Four Examples of Technological Resources are:

• Applications—An application can be a subject when it attempts to access other resources on the
same computer or over the network.

• Processes—A process is most commonly a subject when an application process requests low-
level access to the file system.

• Networks—A network is a subject when a resource on one network requests access to a resource
on another network. (A firewall rule that authorizes access to the Internet might use the internal
network as a subject, with the Internet as the object.)

• Systems—A system is a subject when one system requests access to resources on another system
or on the network. (This usually happens when a PC attempts to access a printer across the
network)
AAA (or “triple A”) security

The AAA (or “triple A”) security process involves three components:

1. Authentication: Ensuring users are who they claim to be

2. Authorization: Ensuring that an authenticated user is allowed to perform the requested action

3. Accounting: Maintaining records of the actions performed by authorized users
Access Control Process

There are three steps to the access control process:

1. Identification—The process by which a subject identifies itself to the access control system

2. Authentication—Verification of the subject’s identity

3. Authorization—The decision to allow or deny access to an object
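The following is an added illustration, not code from the chapter or its textbook: a small Python model of the access control process described above (identification, authentication, authorization) that also tracks the authorized/unauthorized/unknown subject states and keeps an accounting log, as in the AAA process. The policy, usernames, passwords and resource names are constructed sample data.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field


def _hash(salt: bytes, password: str) -> bytes:
    # Salted SHA-256 keeps the demo self-contained; it is not a production password scheme.
    return hashlib.sha256(salt + password.encode()).digest()


@dataclass
class AccessControlSystem:
    # Policy: which subjects (usernames) are approved for which objects (resources).
    policy: dict[str, set[str]]
    # Credential store built by enroll(): username -> (salt, salted hash).
    credentials: dict[str, tuple[bytes, bytes]] = field(default_factory=dict)
    # Accounting: one (subject, object, decision) record per access request.
    log: list[tuple[str, str, str]] = field(default_factory=list)

    def enroll(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.credentials[username] = (salt, _hash(salt, password))

    def request(self, username: str, password: str, resource: str) -> str:
        # Step 1, identification: the subject claims an identity (the username).
        entry = self.credentials.get(username)
        # Step 2, authentication: verify the claim. On failure the subject stays "unknown".
        if entry is None or not hmac.compare_digest(_hash(entry[0], password), entry[1]):
            state = "unknown"
        # Step 3, authorization: the subject is now known; consult the policy for this object.
        elif resource in self.policy.get(username, set()):
            state = "authorized"
        else:
            state = "unauthorized"  # known subject, but not approved for this resource
        self.log.append((username, resource, state))
        return state


def demo() -> list[str]:
    # Constructed sample policy: alice may use two resources, bob only the printer.
    acs = AccessControlSystem(policy={"alice": {"payroll.db", "printer"}, "bob": {"printer"}})
    acs.enroll("alice", "correct horse")
    acs.enroll("bob", "hunter2")
    return [
        acs.request("alice", "correct horse", "payroll.db"),  # authorized
        acs.request("bob", "hunter2", "payroll.db"),          # unauthorized
        acs.request("bob", "wrong password", "printer"),      # unknown (bad password)
        acs.request("mallory", "anything", "printer"),        # unknown (no such identity)
    ]
```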

