Access Controls 2.0

Uploaded by Paul Muthenya

Access Controls

Security Controls and more…


What is a Security Control?

A control is a safeguard or countermeasure designed to preserve the confidentiality, integrity and availability (CIA) of data and assets.
About Access Controls

Determining who has access to what and why…

Access control involves limiting which objects can be made available to which subjects, according to which rules.
Importance of Access Controls

● Prevent unauthorized access to resources
● Prevent unapproved modification of data
● Maintain confidentiality
● Minimize noise (people receiving irrelevant data that they do not need)
Definition of terms: Subject

A subject is an entity that needs access to an asset, e.g. a client, a process, a program etc.

Since the subject initiates a request for a service or data, it is referred to as active.

A subject should have the needed authorization to access the requested service or data.
Definition of terms: Object

An object is anything that a subject attempts to access. It could be a device, a process, a person, a program etc. that responds to a request for a service.
Objects are passive (they take no action until called upon).
Objects don’t have their own access control logic, so they should be protected from unauthorised access.
Every object has an owner who decides who or what can access it.
Definition of terms: Rules

A rule is an instruction developed to allow or deny access to an object by comparing the identity of a subject to an access control list.
You can use rules to define how much access is allowed and also apply time-based access.
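To make the rule definition concrete, here is an added example (not from the slides) of a small access control list: each rule names a subject, an action, an allow/deny effect and an optional time-of-day window, and the list is evaluated with default deny and deny-overrides-allow. The class and rule names, the object "payroll.xlsx" and the subjects alice, bob and contractor are all constructed for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One ACL entry: who may (or may not) do what, optionally only within a time window."""
    subject: str                   # identity the rule applies to, or "*" for any subject
    action: str                    # e.g. "read", "write", or "*" for any action
    effect: str                    # "allow" or "deny"
    start: Optional[time] = None   # optional window start (inclusive)
    end: Optional[time] = None     # optional window end (exclusive)

    def applies(self, subject: str, action: str, at: datetime) -> bool:
        if self.subject not in ("*", subject):
            return False
        if self.action not in ("*", action):
            return False
        # Time-based access: a rule with a window only applies inside that window.
        if self.start is not None and self.end is not None:
            if not (self.start <= at.time() < self.end):
                return False
        return True


class AccessControlList:
    """Rules attached to one object. No matching rule means deny; an explicit deny beats any allow."""

    def __init__(self, obj: str, rules: List[Rule]):
        self.obj = obj
        self.rules = rules

    def decide(self, subject: str, action: str, at: datetime) -> str:
        matched = [r for r in self.rules if r.applies(subject, action, at)]
        if not matched:
            return "deny"    # default deny: the list grants nothing for this request
        if any(r.effect == "deny" for r in matched):
            return "deny"    # deny overrides allow, so a blanket deny cannot be undone by a narrower allow
        return "allow"


# Constructed sample ACL for a hypothetical object.
PAYROLL_ACL = AccessControlList("payroll.xlsx", [
    Rule("alice", "*", "allow"),                               # owner-level access, any time
    Rule("bob", "read", "allow", time(8, 0), time(18, 0)),      # read only, business hours only
    Rule("contractor", "*", "deny"),                           # explicit deny ...
    Rule("contractor", "read", "allow"),                       # ... which wins over this allow
])


def check(subject: str, action: str, hour: int) -> str:
    """Evaluate a request against PAYROLL_ACL at a constructed timestamp on the given hour."""
    at = datetime(2024, 1, 15, hour, 0)
    return PAYROLL_ACL.decide(subject, action, at)


if __name__ == "__main__":
    for req in [("alice", "write", 3), ("bob", "read", 10), ("bob", "read", 20),
                ("bob", "write", 10), ("contractor", "read", 10), ("mallory", "read", 10)]:
        print(req, "->", check(*req))
```

Bob's read at 20:00 is denied even though his rule would otherwise match, which is the time-based access the slide mentions; an identity absent from the list (mallory) is denied by default rather than needing its own rule.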
Types of Access Controls
Physical access controls (PAC)

Items you can physically touch.

Deployed to prevent, monitor or detect direct contact with assets.

E.g. security guards, fences, motion detectors, turnstiles, mantraps, laptop locks, badges etc.
Logical access controls (LAC)

Implemented through technological means.

Limit who can get logical access to an asset even if the person already has physical access.

E.g. passwords, biometrics, token readers or badge readers connected to a system.
Access Control Models
Discretionary Access Control

Gives the user almost the same access as the owner.

The user can pass it on to other subjects, grant privileges to other users, change security attributes, change the rules governing access control etc.

The owner can grant or revoke access to a user.

Mandatory Access Control
Rules governing access to data and resources are usually set by the company (the company’s admin). These rules will usually apply to everyone within the organization. E.g. you can’t share company documents with users outside your company’s organization, and you can’t open documents that are above your job grade.

Users don’t have a say in the permissions or rights they get. To access a resource, they’ll need to get clearance from an admin.
Role Based Access Control

Permissions are given based on roles. E.g. doctors can access patients’ data but accountants can’t.

Each role represents users with a similar set of permissions, e.g. managers.

Privilege creep: when you temporarily allow permissions for a role and then forget to revoke them. A new person is hired into that role and gets permissions they should not have. That’s why you should have standard roles and enable extra permissions for a specific user only.
Attribute Based Access Control

Permissions are given based on meeting certain attributes or criteria, e.g. location or time of day.
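The four models above (DAC, MAC, RBAC and ABAC) are easiest to compare by deciding the same request under each of them. The following is an added example, not code from the slides: a hypothetical document "payroll.xlsx" owned by alice, subjects bob and carol, a job-grade number standing in for the MAC label, two constructed roles, and a constructed ABAC policy (on-site during business hours). It also shows the slide's privilege-creep advice: an extra permission is attached to bob personally rather than to the accountant role, so a new hire in the same role does not inherit it.

```python
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class Subject:
    name: str
    grade: int = 0                                          # MAC: job grade assigned by the admin
    roles: Set[str] = field(default_factory=set)            # RBAC: roles the user holds
    extra: Set[str] = field(default_factory=set)            # RBAC: one-off grants to this user, not to a role
    attrs: Dict[str, object] = field(default_factory=dict)  # ABAC: location, hour, ...


@dataclass
class Document:
    name: str
    owner: str
    grade: int = 0                                          # MAC: minimum grade needed to open it
    dac_grants: Set[str] = field(default_factory=set)       # DAC: subjects given access at someone's discretion


# --- DAC: the owner decides, and access can be passed on by those who hold it ---
def dac_can_read(s: Subject, d: Document) -> bool:
    return s.name == d.owner or s.name in d.dac_grants

def dac_grant(granter: Subject, d: Document, grantee: str) -> None:
    """Anyone who currently has access may pass it on (the slides' 'pass it on to other subjects')."""
    if not dac_can_read(granter, d):
        raise PermissionError(f"{granter.name} has no access to {d.name} to pass on")
    d.dac_grants.add(grantee)

def dac_revoke(owner: Subject, d: Document, grantee: str) -> None:
    """Only the owner revokes."""
    if owner.name != d.owner:
        raise PermissionError("only the owner may revoke")
    d.dac_grants.discard(grantee)


# --- MAC: an organisation-wide rule the user cannot alter -------------------------
def mac_can_read(s: Subject, d: Document) -> bool:
    return s.grade >= d.grade        # "can't open documents above your job grade"


# --- RBAC: permissions belong to roles; users receive roles -------------------------
ROLE_PERMISSIONS: Dict[str, Set[str]] = {            # constructed roles
    "doctor": {"patient_records:read"},
    "accountant": {"payroll:read", "ledger:write"},
}

def rbac_has(s: Subject, permission: str) -> bool:
    from_roles = any(permission in ROLE_PERMISSIONS.get(r, set()) for r in s.roles)
    return from_roles or permission in s.extra


# --- ABAC: the decision follows attributes of the subject and environment -----------
def abac_can_read(s: Subject) -> bool:
    hour = s.attrs.get("hour", -1)
    return s.attrs.get("location") == "office" and 8 <= hour < 18


def evaluate(s: Subject, d: Document, permission: str) -> Dict[str, bool]:
    """The decision each model would make for the same request."""
    return {"DAC": dac_can_read(s, d), "MAC": mac_can_read(s, d),
            "RBAC": rbac_has(s, permission), "ABAC": abac_can_read(s)}


def demo() -> Dict[str, object]:
    """Walk one constructed scenario through all four models and return the decisions."""
    payroll = Document("payroll.xlsx", owner="alice", grade=3)
    alice = Subject("alice", grade=3)
    bob = Subject("bob", grade=2, roles={"accountant"}, extra={"ledger:approve"},
                  attrs={"location": "office", "hour": 10})
    carol = Subject("carol", grade=2, roles={"accountant"}, attrs={"location": "home", "hour": 10})

    before = evaluate(bob, payroll, "payroll:read")
    dac_grant(alice, payroll, "bob")       # owner exercises discretion
    dac_grant(bob, payroll, "carol")       # bob passes his access on, as DAC permits
    after = evaluate(bob, payroll, "payroll:read")
    carol_view = evaluate(carol, payroll, "payroll:read")
    dac_revoke(alice, payroll, "carol")
    return {
        "before": before, "after": after, "carol": carol_view,
        "carol_after_revoke": dac_can_read(carol, payroll),
        # Privilege creep check: the personal grant stays with bob, the new hire does not inherit it.
        "bob_approve": rbac_has(bob, "ledger:approve"),
        "carol_approve": rbac_has(carol, "ledger:approve"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The same "read payroll.xlsx" request is refused by MAC for both accountants (grade 2 is below the document's grade 3, and neither they nor alice can change that), allowed by RBAC because the role carries it, and split by ABAC on location alone; DAC changes as grants are passed on and revoked, which is exactly why it offers the least central control of the four.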


Further Reading resources

NIST SP 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations:
https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-162.pdf
Group work

Instructions:
Research the following models, what they are about and how they work.
Make sure to note down your answers and pick someone to present later.

- Bell-LaPadula Model
- Biba Model
- John Watson Model

Thanks!
