Module7 (1)

Module 7 covers access control models, including key concepts such as authentication, authorization, and various access control policies. It outlines different types of access controls, including preventive, detective, corrective, and compensative measures, as well as best practices for managing user privileges and preventing security breaches. The module also details various access control models like ABAC, RBAC, MAC, DAC, and conditional access, emphasizing their applications and importance in securing resources.


Module 7: Access Control Models

This lesson covers the following topics:

• Access control
• Authentication, authorization, and accounting
• Access control policies
• Access control models

Lesson Proper:

Access control is the ability to permit or deny the privileges that a user has when accessing resources on a
network or computer. Access control involves three entities:

• Objects are data, applications, systems, networks, and physical space.

Objects are passive entities that contain or receive information. These are the resources or assets
that need to be protected.

• Subjects are users, applications, or processes that need access to objects.

Subjects are active entities that request access to resources. Typically, subjects are users or
processes acting on behalf of users.

• The access control system includes policies, procedures, and technologies that are implemented to
control subjects' access to objects.

Access control rules or policies are the set of guidelines or criteria that determine the level of access subjects
have to objects. These rules are often defined by the organization’s security policy.

Authentication, Authorization, and Accounting

Access control includes the following processes:

• Identification specifies the name used to identify the subject. Examples include a user name or a user
ID number.
• Authentication is the process of validating a subject's identity. It includes the identification process, the
user providing input to prove identity, and the system accepting that input as valid.
• Authorization is granting or denying an authenticated subject's access to an object based on the
subject's level of permissions or the actions allowed with the object.
• Auditing, also referred to as accounting, is maintaining a record of a subject's activity within the
information system.

Access Control Policies

An access control policy defines the steps and measures that are taken to control subjects' access to objects.
Access controls can be classified according to the function they perform:

• Preventive access controls deter intrusion or attacks. These include separation of duties and dual-custody
processes.

Preventive access controls are security measures designed to stop unauthorized access to systems,
data, or physical locations before any breach or damage occurs. These controls aim to reduce the
likelihood of a security incident by enforcing rules and restrictions proactively.
• Detective access controls search for details about the attack or the attacker. These include intrusion
detection systems.

Detective access controls are security measures that are designed to identify and alert when
unauthorized access or suspicious activity has already occurred or is happening. They do not stop the
activity, but they help in detecting incidents, gathering evidence, and triggering responses.

• Corrective access controls implement short-term repairs to restore basic functionality following an
attack.

Corrective access controls are security measures designed to respond to and fix issues after a
security incident or unauthorized access has been detected. Their main goal is to restore systems back to
normal, minimize damage, and prevent recurrence.

• Deterrent access controls discourage attack escalation.

Deterrent access controls are security measures intended to discourage or deter potential attackers
or unauthorized users from attempting to access a system, area, or data. These controls don't actively
block access, but they serve as a psychological or visible warning that security measures are in place and
consequences will follow.

• Recovery access controls restore the system to normal operations after the attack and the short-term
stabilization period.

Recovery access controls are security measures designed to restore systems, data, and operations
after a major security incident, disaster, or failure. They go beyond just fixing the immediate issue (as
corrective controls do); their focus is on getting the system fully operational again, often after severe
disruptions.

• Compensative access controls are alternatives to primary access controls.

Compensative (or Compensating) access controls are alternative security measures put in place to
satisfy the requirements of a primary control that cannot be implemented due to practical limitations, such
as cost, system compatibility, or organizational constraints.

These controls do not replace the original control but instead provide an equivalent level of security to
reduce risk.

Access control measures can also be classified based on how they restrict or control access:

• Administrative controls (also called managerial controls) are policies, procedures, and
guidelines created by management to influence how access to systems, data, and resources is
handled. They focus on people and processes, not technology or hardware.
They are policies that describe accepted practices. Examples include directive policies and employee
awareness training.

• Technical controls (also called logical controls) are security measures implemented through
hardware, software, or system configurations to protect digital resources and manage access.
These controls focus on automating security enforcement using technology. They are computer
mechanisms that restrict access. Examples include encryption, one-time passwords, access control
lists, and firewall rules.

• Physical controls are security measures designed to prevent unauthorized physical access to
facilities, equipment, or information. These controls are tangible protections that secure the physical
environment of an organization. Examples include perimeter security, site location, networking cables,
and employee segregation.

On a computer network, a directory service is an example of a technical access control system that you use to
manage and enforce access control policies. Within the directory service:

• A user account is created for each subject.
• Identification is performed during logon when the user supplies a valid user account name.
• Authentication is performed during logon when the user password or other credentials are verified.
• Authorization to use network resources, such as files, printers, or computers, is controlled by
permissions or rights.
• Auditing is performed by the operating system as it tracks subjects' actions tow

Access Control Best Practices

Access control best practices take into consideration the following security principles and concepts:

Principle of least privilege
The principle of least privilege states that users or groups are given only the access they need to do their jobs and nothing more. Common methods of controlling access include:

• Implicit deny denies access to users or groups who are not specifically given access to a resource. Implicit deny is the weakest form of privilege control.
• Explicit allow specifically identifies users or groups who have access. Explicit allow is a moderate form of access control in which privilege has been granted to a subject.
• Explicit deny identifies users or groups who are not allowed access. Explicit deny is the strongest form of access control and overrules all other privileges granted.

When assigning privileges, be aware that it is often easier to give a user more access when the user needs it than to take away privileges that have already been granted. Access recertification is the process of continually reviewing a user's permissions and privileges to make sure the user has the correct level of access.

Need to know
Need to know describes the restriction of data that is highly sensitive and is usually referenced in a government and military context. Important facts about need to know include:

• Even if an individual is fully cleared, the information will not be divulged unless the person has a need to know the information to perform official duties.
• Need to know discourages casual browsing of sensitive materials.
• In a classified environment, a clearance into a top-secret compartment allows access to only certain information within that compartment. This is a form of mandatory access control (MAC).

Separation of duties
Separation of duties is the concept of having more than one person required to complete a task. This is a preventive principle primarily designed to reduce conflicts of interest. It also prevents insider attacks because no one person has end-to-end control and no one person is irreplaceable. Important facts to know about separation of duties include:

• System users should have the lowest level of rights and privileges necessary to perform their work and should have those privileges only for the shortest length of time possible.
• To achieve a separation of duties, a business can use the principle of split knowledge. This means that no single person has total control of a system's security mechanisms; no single person can completely compromise the system.
• In cases of sensitive or high-risk transactions, a business can use two-man controls. This means that two operators must review and approve each other's work.

Job rotation
Job rotation is a technique where users are cross-trained in multiple job positions. Responsibilities are regularly rotated between personnel. Job rotation:

• Cross-trains staff in different functional areas in order to detect fraud.
• Exchanges positions of two or more employees to allow for oversight of past transactions.
• Can be used for training purposes.

Defense-in-depth
Defense-in-depth is an access control principle which implements multiple access control methods instead of relying on a single method. Multiple defenses make it harder to bypass security measures.

Identification
Identification is the act of claiming an identity, such as telling someone your name. Important facts to know about identification include:

• In the computer world, a username is a form of identification.
• Because anyone could pretend to be the user, identification by itself is not very secure.
• To substantiate identity, the person must provide some form of identity verification.

Multi-Factor Authentication
Multi-Factor Authentication is the process of using more than one way to verify identity. In the computer world, Multi-Factor Authentication is achieved by requiring two or more methods that only the user can provide. Five categories of computer system authentication include:

• Something you are, such as biometric information (e.g., fingerprint or retina scan).
• Something you have, such as smart cards, RSA tokens, or security key fobs.
• Something you know, such as passwords and PINs.
• Somewhere you are, such as a geographical location.
• Something you do, such as how you type a sentence on a keyboard.

Mutual authentication
Mutual authentication is when two communicating entities authenticate each other before exchanging data. It requires not only the server to authenticate the user, but the user to authenticate the server. This makes mutual authentication more secure than traditional, one-way authentication.

Transition Best Practices

Organizations should follow strict guidelines when an employee transitions out of a position or into a new
position.
Creeping privileges occur when a user's job position changes and the user is granted a new set of access
privileges, but the user's current access privileges are not removed or modified, resulting in privilege
escalation. As a result, the user accumulates privileges that are not necessary for the current work tasks. The
principle of least privilege and separation of duties are countermeasures against creeping privileges.

To avoid creeping privileges and to best protect the security of information, the following precautions should
be taken in each stage of the account's life cycle:

Account creation
When an account is created, apply the appropriate access rights based on the job role as implemented in the access control system. Use the principle of least privilege and grant only the minimum privileges required to perform the duties of the position.

Active accounts
During the life of an account:

• Modify access rights as job roles and circumstances change.
• Monitor password resets and lockouts to ensure account security.
• Re-evaluate access rights on a periodic basis.

Old accounts
When an account is no longer needed, take appropriate actions to:

• Delete accounts that will no longer be used.
• Rename accounts to give new users in the same job role the same access privileges.
• Lock accounts that will not be used for extended periods to prevent them from being used.
• Remove unnecessary rights from accounts that will be kept on the system.
• Archive important data or files owned by the user, or assign ownership to another user.
• Prohibit the use of generic user accounts, such as the Guest or Administrator users on Windows systems.

End-of-life procedures should include not only deactivating or deleting unused accounts, but also destroying data that might remain on storage media. This will prevent sensitive data from being accessible to unauthorized users.
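To make the recertification and creeping-privilege points above concrete, here is an added example (not the module's own material) that compares each account's assigned privileges against a least-privilege baseline for its current role, flags anything the role does not justify, and flags dormant accounts for locking. The role baselines, privilege names, 90-day threshold and accounts are constructed sample data.

```python
"""Added example (not from the module): an access recertification check.

Each job role maps to the privileges it needs. A user's currently assigned
privileges are compared with the baseline for the user's *current* role;
anything beyond the baseline is creeping privilege (typically left over from
a previous role) and anything below it is a gap that tends to get closed by
over-granting. Role baselines, users and thresholds are constructed data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional

# Least-privilege baseline: what each role needs and nothing more.
ROLE_BASELINE: Dict[str, FrozenSet[str]] = {
    "admin": frozenset({"confidential:full", "public:full", "admin:full"}),
    "manager": frozenset({"confidential:rw", "public:rw"}),
    "employee": frozenset({"public:r"}),
}

DORMANT_AFTER = timedelta(days=90)  # constructed policy threshold


@dataclass(frozen=True)
class Account:
    name: str
    role: str                    # the user's current role
    privileges: FrozenSet[str]   # what is actually assigned today
    last_logon: Optional[date]   # None means the account never logged on


@dataclass(frozen=True)
class Finding:
    account: str
    kind: str        # "creeping", "missing", "dormant" or "unknown-role"
    detail: str


def recertify(accounts: List[Account], today: date) -> List[Finding]:
    """Return every deviation from the least-privilege baseline."""
    findings: List[Finding] = []
    for acct in accounts:
        baseline = ROLE_BASELINE.get(acct.role)
        if baseline is None:
            # A role the policy does not know cannot be certified at all.
            findings.append(Finding(acct.name, "unknown-role", acct.role))
            continue
        # Privileges the current role does not justify: remove them.
        for p in sorted(acct.privileges - baseline):
            findings.append(Finding(acct.name, "creeping", p))
        # Privileges the role needs but the account lacks: fix deliberately,
        # rather than waiting for an ad-hoc (and usually wider) grant.
        for p in sorted(baseline - acct.privileges):
            findings.append(Finding(acct.name, "missing", p))
        # Accounts unused for an extended period should be locked or deleted.
        if acct.last_logon is None or today - acct.last_logon > DORMANT_AFTER:
            findings.append(Finding(acct.name, "dormant", "lock or delete"))
    return findings
```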

Access Control Models

Access control is the process by which resource and service use is granted or denied. The following table lists
the most commonly used access control models, also known as access control schemes.

Attribute-based access control (ABAC)
Attribute-based access control restricts access by assigning attributes to resources.

• Attributes can be things like a user's role, position, or current project.
• The set of attributes assigned to a resource constitutes a policy that uses Boolean logic to determine who can access the resource.
• An example of a file access policy might include the following attributes: role = manager, department = development, and project = NewApp. Only users who possess all three attributes can access the file.
• ABAC uses a special markup language called eXtensible Access Control Markup Language (XACML) to define access control policies.
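The file policy from the ABAC entry, carried through as an added example (not from the module, and not XACML): the policy is a small Boolean expression tree over subject attributes, and it generalizes the all-three-attributes case to And/Or/Not combinations. The class and policy names are hypothetical.

```python
"""Added example (not from the module): a minimal ABAC policy evaluator.

A policy is a Boolean expression over subject attributes. The module's file
policy requires role = manager AND department = development AND
project = NewApp; And/Or/Not let richer policies be expressed the same way.
"""
from dataclasses import dataclass
from typing import Dict, Union

Attrs = Dict[str, str]  # attribute name -> value for one subject


@dataclass(frozen=True)
class Eq:
    """Leaf condition: the named attribute must equal the given value."""
    attr: str
    value: str

    def evaluate(self, attrs: Attrs) -> bool:
        # A missing attribute never matches, so absence of an attribute denies.
        return attrs.get(self.attr) == self.value


@dataclass(frozen=True)
class And:
    left: "Policy"
    right: "Policy"

    def evaluate(self, attrs: Attrs) -> bool:
        return self.left.evaluate(attrs) and self.right.evaluate(attrs)


@dataclass(frozen=True)
class Or:
    left: "Policy"
    right: "Policy"

    def evaluate(self, attrs: Attrs) -> bool:
        return self.left.evaluate(attrs) or self.right.evaluate(attrs)


@dataclass(frozen=True)
class Not:
    inner: "Policy"

    def evaluate(self, attrs: Attrs) -> bool:
        return not self.inner.evaluate(attrs)


Policy = Union[Eq, And, Or, Not]

# The module's file policy: all three attributes must be present and match.
NEWAPP_FILE_POLICY: Policy = And(
    And(Eq("role", "manager"), Eq("department", "development")),
    Eq("project", "NewApp"),
)


def is_permitted(policy: Policy, subject: Attrs) -> bool:
    """True only when the subject's attributes satisfy the resource's policy."""
    return policy.evaluate(subject)
```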

Role-based access control (RBAC)
Role-based access control allows access based on a role in an organization; it is not user specific. Role-based access control is also known as non-discretionary access control.

• Roles are defined by job description or security access level.
• Users are made members of a role and receive the permissions assigned to the role.
• RBAC is similar to group-based access control. Group-based access control uses a collection of users; RBAC uses a collection of permissions.

Rule-based access control
Rule-based access control uses rules applied to characteristics of objects or subjects to restrict access.

• Access control entries identify a set of characteristics that are examined for a match.
• If all characteristics match, access is either allowed or denied based on the rule.
• An example of a rule-based access control implementation is a router access control list that allows or denies traffic based on characteristics within the packet, such as IP address or port number.
• Because rule-based access control does not consider the identity of the subject, a system that uses rules can be viewed as a form of mandatory access control.
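The router ACL from the rule-based entry, written out as an added example (not from the module): each entry lists packet characteristics, the first entry whose characteristics all match decides, and a packet matching nothing is denied. The Packet and Rule shapes and the addresses are constructed and are not any vendor's ACL syntax.

```python
"""Added example (not from the module): a router-style access control list.

Each rule examines characteristics of the packet (source and destination
network, destination port, protocol). Rules are checked in order and the
first rule whose characteristics all match decides; the subject's identity
is never consulted, which is why the module calls this a form of MAC.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str     # source IP address
    dst: str     # destination IP address
    dport: int   # destination port
    proto: str   # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    src_net: str = "0.0.0.0/0"     # any source unless narrowed
    dst_net: str = "0.0.0.0/0"     # any destination unless narrowed
    dport: Optional[int] = None    # None matches any port
    proto: Optional[str] = None    # None matches any protocol

    def matches(self, pkt: Packet) -> bool:
        """Every characteristic the rule specifies must match the packet."""
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_net):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        return True


def evaluate_acl(rules: List[Rule], pkt: Packet) -> str:
    """First-match evaluation; nothing matching means implicit deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed sample ACL: one office host is blocked outright (ordered first
# so it wins), the office network may reach the DMZ web server on HTTPS and
# HTTP, and everything else falls through to the implicit deny.
OFFICE_TO_DMZ_ACL = [
    Rule("deny", src_net="10.0.5.66/32"),
    Rule("permit", src_net="10.0.0.0/16", dst_net="192.0.2.10/32", dport=443, proto="tcp"),
    Rule("permit", src_net="10.0.0.0/16", dst_net="192.0.2.10/32", dport=80, proto="tcp"),
]
```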

Mandatory access control (MAC)
Mandatory access control uses labels for both subjects (users who need access) and objects (resources with controlled access, such as data, applications, systems, networks, and physical space). Every operation performed is tested against a set of authorization policies to determine if the operation is allowed.

• Classification labels, such as secret or top secret, are assigned to objects by their owner, who is usually a managerial or governmental entity.
• Clearance labels are assigned to subjects.
• When a subject's clearance lines up with an object's classification and the user has a need to know (referred to as a category), the user is then granted access.
• Access control is mandatory because access is based on policy (the matching of the labels) rather than identity. Owners can only assign labels; they cannot grant access to specific subjects.
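The label matching described for MAC, as an added example (not from the module): clearance and classification labels carry a level plus need-to-know categories, a read is allowed only when the clearance dominates the classification, and the owner can relabel an object but has no way to grant a named subject access. The write rule ("no write down") goes beyond the module's text; it is the Bell-LaPadula *-property. Levels, categories and names are constructed.

```python
"""Added example (not from the module): label-based mandatory access control.

Objects carry a classification label (a level plus need-to-know categories)
assigned by their owner; subjects carry a clearance label. Access depends only
on whether the labels line up, so an owner can relabel an object but cannot
grant a particular subject access. Levels, categories and names are
constructed for this illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet

# Ordered classification levels, lowest to highest.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True when this level is at least `other`'s level and this label
        holds every category of `other` (the need-to-know check)."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.categories <= self.categories)


@dataclass
class Document:
    owner: str
    classification: Label


def can_relabel(doc: Document, actor: str) -> bool:
    """Only the owner may change an object's classification label."""
    return actor == doc.owner


def relabel(doc: Document, actor: str, new_label: Label) -> None:
    if not can_relabel(doc, actor):
        raise PermissionError(f"{actor} is not the owner of this object")
    doc.classification = new_label


def can_read(clearance: Label, doc: Document) -> bool:
    """Read requires the clearance to dominate the classification (no read up)."""
    return clearance.dominates(doc.classification)


def can_write(clearance: Label, doc: Document) -> bool:
    """Write requires the classification to dominate the clearance (no write
    down), so a highly cleared subject cannot copy data into a lower object.
    This rule is from Bell-LaPadula and goes beyond the module's description."""
    return doc.classification.dominates(clearance)


def check_operation(op: str, clearance: Label, doc: Document) -> bool:
    """Every operation is tested against the policy; unknown ones fail closed."""
    checks = {"read": can_read, "write": can_write}
    return op in checks and checks[op](clearance, doc)
```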

Discretionary access control (DAC)
Discretionary access control assigns access directly to subjects based on the owner's discretion.

• Objects have a discretionary access control list (DACL) with entries for each subject.
• Owners add subjects to the DACL and assign rights or permissions. The permissions identify the actions the subject can perform on the object.
• With discretionary access control, subjects can pass permissions on to other subjects.

Many computer systems use discretionary access control to limit access to systems or other resources.
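The DACL described here, combined with the implicit deny / explicit allow / explicit deny precedence from the least-privilege section, as an added example (not from the module): the owner adds entries for users or groups, an explicit deny overrules any allow, an unmatched subject is implicitly denied, and a subject holding a "grant" right may pass on only rights it already has. Names, groups and right names are constructed.

```python
"""Added example (not from the module): a discretionary access control list.

Each object has a DACL holding entries for subjects (users or groups), added
by the owner. Evaluation follows the module's precedence: explicit deny
overrules everything, explicit allow grants the right, and a subject with no
matching entry is implicitly denied. Names and rights are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set

Groups = Dict[str, Set[str]]  # group name -> member user names


@dataclass(frozen=True)
class Ace:
    subject: str             # user or group name
    rights: FrozenSet[str]   # e.g. {"read", "write", "grant"}
    kind: str = "allow"      # "allow" or "deny"


@dataclass
class Obj:
    owner: str
    dacl: List[Ace] = field(default_factory=list)


def _principals(user: str, groups: Groups) -> Set[str]:
    """The user plus every group the user is a member of."""
    return {user} | {g for g, members in groups.items() if user in members}


def check(obj: Obj, user: str, right: str, groups: Groups) -> bool:
    """Explicit deny > explicit allow > implicit deny."""
    principals = _principals(user, groups)
    relevant = [a for a in obj.dacl if a.subject in principals and right in a.rights]
    if any(a.kind == "deny" for a in relevant):
        return False                                   # explicit deny wins
    return any(a.kind == "allow" for a in relevant)   # otherwise implicit deny


def can_grant(obj: Obj, grantor: str, rights: Set[str], groups: Groups) -> bool:
    """The owner edits the DACL at will; anyone else needs the "grant" right
    and may only pass on rights they themselves hold."""
    if grantor == obj.owner:
        return True
    return (check(obj, grantor, "grant", groups)
            and all(check(obj, grantor, r, groups) for r in rights))


def grant(obj: Obj, grantor: str, subject: str, rights: Set[str],
          groups: Groups, kind: str = "allow") -> None:
    """Append an entry for `subject`, enforcing who is allowed to do so."""
    if not can_grant(obj, grantor, rights, groups):
        raise PermissionError(f"{grantor} may not add this entry")
    obj.dacl.append(Ace(subject, frozenset(rights), kind))
```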
Conditional access
Conditional access is a way to enforce access control while also encouraging users to be productive wherever they are. Conditional access isn't intended to be the first point of security. Instead, it steps in after first-factor authentication has been granted. Conditional access policies work by asking a user to complete an action in order to access a resource. Depending on the level of security of the requested resource, the user may be required to complete more actions. For policy decisions, conditional access can be configured to consider many different factors. Policies can:

• Implement control at the user or group level.
• Permit or deny access based on an IP address or an IP range.
• Permit or deny access to users who are using specific applications.
• Permit, restrict, or deny access to users who are using specific devices or device states.

Laboratory Activity #5: Access Control

Laboratory Activity: Configuring and Testing Access Control Mechanisms

Title: Implementing Access Control in a Local Environment
Objective:
✓ To understand and apply access control mechanisms using a personal computer.
✓ To analyze how access control secures data in a real-world scenario.

Learning Outcomes:
Configure user accounts and permissions on a local system.
Apply and test access control models such as Role-Based Access Control (RBAC) and Discretionary Access
Control (DAC).
Identify potential vulnerabilities in access control configurations and recommend improvements.

Instructions
Part 1: Preparation
1. Use a personal computer running an operating system with built-in access control features (Windows or
macOS).
2. Create folders or directories representing sensitive data (e.g., “Confidential Files,” “Public Files”).
3. Set up multiple user accounts (e.g., Admin, Manager, Employee).

Part 2: Activity Tasks

Configuring Access Control
Windows/macOS:
1. Create three user accounts with varying levels of permissions.
2. Assign folder permissions using file properties (right-click a folder → Properties → Security/Permissions
tab).

Example setup:
Admin: Full control over all folders.
Manager: Read/Write access to “Confidential Files,” no access to “Admin Files.”
Employee: Read-only access to “Public Files.”

Testing Access Control

1. Log in to each user account and attempt actions such as creating, modifying, or deleting files in restricted
folders.
2. Document observed behavior (e.g., access denied, permissions error).

Analyzing Security

1. Introduce a hypothetical issue by incorrectly configuring permissions (e.g., granting Employee write
access to “Confidential Files”).
2. Test the impact of the issue and resolve it by restoring appropriate permissions.

Part 3: Reflection and Documentation

Report:

1. Document the steps taken to configure permissions for each user.
2. Include screenshots showing the access control configurations and testing results.
3. Discuss any issues encountered and how they were resolved.

Discussion Questions:

1. What are the potential risks of misconfigured access control?
2. How does proper access control contribute to overall system security?
3. What additional methods can be used to strengthen access control?

Tools/Software Required:
• A personal computer with a built-in file system and user account management features.
• Text editor for documentation (e.g., Notepad, Word).

Estimated Time: 2-3 hours

Submit the report with:
• Step-by-step documentation.
• Screenshots of configurations and tests.
• Answers to reflection and discussion questions.

Laboratory Rubric (Total: 50 points)

Each criterion is scored Excellent (5 pts), Good (4 pts), Fair (3 pts), or Needs Improvement (1-2 pts).

1. User Accounts Creation
   Excellent: Created 3 user accounts correctly with clearly defined roles.
   Good: Created 2-3 accounts with minor role errors.
   Fair: Created only 1 account correctly; others unclear.
   Needs Improvement: Accounts missing or improperly set up.

2. Folder Setup
   Excellent: Correct folders created and well-organized.
   Good: Folders created but minor naming/organization issues.
   Fair: Some folders missing or disorganized.
   Needs Improvement: Folders not properly created.

3. Permission Configuration
   Excellent: Assigned correct permissions to each account precisely.
   Good: Assigned permissions but with minor errors.
   Fair: Attempted permissions setup but multiple errors.
   Needs Improvement: Permissions improperly assigned or missing.

4. Access Testing
   Excellent: Thoroughly tested all user actions; documented outcomes fully.
   Good: Tested most actions; documentation mostly clear.
   Fair: Some testing done; results incomplete.
   Needs Improvement: Little to no testing done or poorly documented.

5. Documentation of Steps
   Excellent: Steps clearly and logically explained with full details.
   Good: Steps mostly clear with minor missing info.
   Fair: Steps provided but confusing or incomplete.
   Needs Improvement: Steps missing or very unclear.

6. Screenshots
   Excellent: Screenshots fully support the documentation and show all steps/results.
   Good: Most screenshots included but minor missing elements.
   Fair: Few screenshots provided; incomplete view.
   Needs Improvement: Very few or no screenshots provided.

7. Issue Introduction
   Excellent: Clearly introduced an access control error and described it well.
   Good: Error introduced with minor clarity issues.
   Fair: Error introduced but poorly explained.
   Needs Improvement: No error introduced or poorly done.

8. Issue Testing & Resolution
   Excellent: Accurately tested and corrected the introduced issue.
   Good: Tested and corrected with minor mistakes.
   Fair: Testing or correction attempted but incomplete.
   Needs Improvement: No proper testing or correction shown.

9. Reflection on Risks
   Excellent: Strong analysis of risks with examples.
   Good: Good analysis but missing examples.
   Fair: Basic risk identification with limited insight.
   Needs Improvement: Risks vaguely or not discussed.

10. Answers to Discussion Questions
   Excellent: All questions answered insightfully and thoroughly.
   Good: Questions answered, some minor gaps.
   Fair: Answers provided but lack depth.
   Needs Improvement: Incomplete or shallow answers.
