CC Domain3

Domain 3 covers access control concepts including physical, logical, and technical access controls. Module 1 discusses access control fundamentals like the CIA triad, subjects, objects, and rules. Module 2 focuses on physical security controls such as fences, gates, locks, badges, and CCTV. Module 3 examines logical access controls including identity federation, access control models, and technical controls. The agenda concludes with a Module 4 summary and review.

Uploaded by sasijo9863
Copyright: © All Rights Reserved

Domain 3: Access Control Concepts

Domain 3 Agenda
Module 1: Access Control Concepts
Module 2: Physical Access Controls
Module 3: Understand Logical Access Controls
Module 4: Summary
Security Control
A control is a “safeguard” or “countermeasure” designed to preserve Confidentiality, Integrity and Availability of data (CIA Triad).
Subject, Object and Rules
(Figure: a Subject requests access to an Object; a Rule decides whether the access is granted.)
Security Controls and Risk Reduction
Risk reduction depends on the effectiveness of the control. It must apply to the current situation and adapt to a changing environment.
Defense in Depth
The application of multiple countermeasures / security controls in a layered fashion to fulfill security objectives.

⦿ Administrative controls
⦿ Technical controls
⦿ Physical Controls
(Figure: Layered Security Controls Examples)
Least Privilege
The principle that users and programs should have only the minimum privileges necessary to complete their tasks.

Need to Know
Grant users access only to the data they need to perform their job and no more.

(Figure: classification levels Top Secret, Secret and Internal against the permissions Read, Edit and Delete.)
Privileged Access Management (PAM)
(Privileged Identity Management)

• The process of identifying, controlling and monitoring privileged accounts and their associated activity.
• Privileged accounts are typically high-level administrator accounts that have broad access rights across an organization's IT systems.
Before using Privileged Access Management (PAM) Example
(Figure: Admin 1 and Admin 2)

After using Privileged Access Management (PAM) Example
(Figure: Admin 1 and Admin 2)
Segregation of Duties (SoD)
(A core element of authorization)

• Also known as Separation of Duties
• No one person should control an entire high-risk transaction from start to finish
• Segregation of duties breaks the transaction into separate parts and requires a different person to execute each part of the transaction.

❑ Separation of duties means that for someone to steal something, it requires Collusion.
Collusion: An agreement between multiple people to perform an unauthorized or illegal action.
Two-Person Integrity
A security strategy that requires a minimum of two people to be in an area together, making it impossible for a person to be in the area alone. In addition, team members need to review each other’s work.

Goal: reduce insider threats (prevents single-person access) and peer review

Dual Control
A procedure that uses two or more entities (usually persons) operating in concert to protect system resources, such that no single entity acting alone can access that resource.

Goal: reduce insider threats (prevents single-person access)
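The following is an added example, not part of the slide deck, showing how Segregation of Duties and Dual Control from the two slides above can be enforced in code on a high-risk transaction. The transaction, the user names and the amount are constructed; the three steps (create, first approval, second approval) and the rule that two distinct approvers must act before funds move are assumptions of this example.

```python
"""Added example: Segregation of Duties (SoD) and Dual Control enforced on a
constructed high-risk transaction. Not from the slides or any product."""
from dataclasses import dataclass, field

REQUIRED_APPROVALS = 2  # dual control: two entities must act in concert


class PolicyViolation(Exception):
    """Raised when a step would violate the SoD or dual-control rules."""


@dataclass
class Transaction:
    tx_id: str
    amount: int
    creator: str                       # the person who initiated the transaction
    approvers: list = field(default_factory=list)
    released: bool = False

    def participants(self) -> set:
        return {self.creator, *self.approvers}


def approve(tx: Transaction, user: str) -> Transaction:
    """One approval step. SoD: nobody who already touched the transaction
    (creator or earlier approver) may approve it, so a theft needs collusion."""
    if tx.released:
        raise PolicyViolation(f"{tx.tx_id} is already released")
    if user in tx.participants():
        raise PolicyViolation(f"{user} already took part in {tx.tx_id}")
    tx.approvers.append(user)
    # Dual control: the funds move only once two distinct approvers have acted
    if len(tx.approvers) >= REQUIRED_APPROVALS:
        tx.released = True
    return tx


def attempt(tx: Transaction, user: str) -> str:
    """Apply an approval and return an audit outcome instead of raising."""
    try:
        approve(tx, user)
        return "approved"
    except PolicyViolation as exc:
        return f"denied: {exc}"


def demo():
    """Constructed scenario: alice creates, then tries to approve her own
    transaction; bob approves twice; carol supplies the second approval."""
    tx = Transaction("TX-1001", amount=250_000, creator="alice")
    log = [(user, attempt(tx, user)) for user in ("alice", "bob", "bob", "carol")]
    return tx, log


if __name__ == "__main__":
    final_tx, audit = demo()
    for user, outcome in audit:
        print(f"{user}: {outcome}")
    print("released:", final_tx.released)
```

The creator's own approval and a repeated approval by the same person are both refused, so a single insider cannot push the transaction through; only two different people acting together (collusion) can release it, which is exactly what the slides describe as the residual risk.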
User Provisioning
(Onboarding, Role Change and Offboarding)
(Figure: Network Admin and System Admin roles.)
Module 2: Physical Access Controls
Access Controls Types
Preventative Controls, Detective Controls, Corrective Controls, Recovery Controls, Deterrent Controls, Compensating Controls
Physical Access Controls
• Controls implemented through a tangible mechanism. Examples include walls, fences, guards, locks, etc.
• Many physical control systems are linked to technical/logical systems, such as badge readers connected to door locks.
Why Physical Controls?
• Prevent unauthorized individuals from entering a physical site, protecting not only physical assets such as computers but also the health and safety of the personnel inside.
Physical Security Controls
(Perimeter Defenses)
➢ Fences (range from 1 m to 2.4 m, with barbed wire on top)
  2–4-foot fence: Deterrent Control
  8-foot fence: Preventative Control (but can still be a Deterrent Control)
Physical Security Controls
➢ Gates (Deterrent, Preventative)
Gates range from Class I gates (home), which "deter" access, to Class IV gates (airports, prisons), which are designed to "prevent" cars from crashing through.
They should be placed at control points at the perimeter.
Physical Security Controls
➢ Bollards (Preventative): a strong post designed to stop a car but allow foot traffic to pass.
➢ Lights (Detective and Deterrent): light should be bright enough to illuminate the desired area.
Physical Security Controls
➢ Mantraps: a preventative physical control with two doors. The first door must close before the second door can open.
➢ Turnstiles: a form of gate that prevents more than one person at a time from gaining entry and often restricts movement to one direction.
Why Turnstiles and Mantraps?
Tailgating (or piggybacking) is a physical security failure wherein an unauthorized party enters a facility by closely following an authorized party.

Physical Security Controls:
• Turnstiles
• Mantraps
Physical Security Controls
➢ Closed circuit television (CCTV)
A Detective control used to aid guards in detecting the presence of intruders.
Locks
(Can be Preventative or Deterrent)
Key Locks, Combination locks
Lock picking is the art of opening a lock without keys.
Guards
Security guard, Guard dog
Access Card Types
Bar code & QR code, Magnetic stripe cards, Proximity Card, Smart Card, Hybrid Card
Crime Prevention through Environmental Design (CPTED)
An architectural approach that aims to direct the flow of people, using passive techniques to signal who should and should not be in a space and providing visibility to otherwise hidden spaces; as a result, the likelihood that someone will commit a crime in that area decreases.
Module 3: Logical Access Controls

Access Controls Categories
(Logical Controls)
Technical (Logical) Access Controls
Logical access controls are electronic methods that limit someone from getting access to systems, and sometimes even to tangible assets or areas.
Federated Identity
Federated identity is a method of linking a user’s identity across multiple separate identity management systems. It allows users to quickly move between systems while maintaining security.

Example: Single Sign-On (SSO)
Access Control Models
• Discretionary Access Control (DAC)
• Mandatory Access Control (MAC)
• Role-Based Access Control (RBAC)
• Rule-Based Access Control (RuBAC)
• Attribute-Based Access Control (ABAC)
Discretionary Access Control (DAC)
(Restricting access to objects based on the identity of subjects)

• Most information systems in the world are DAC systems
• The object owner assigns the access to subjects (based on the owner’s discretion)
• DACs are discretionary because the object owners can transfer, change, or extend each object.
• DAC uses object-level permissions
• Rule-based access control systems are usually a form of DAC.
• DACs are not very scalable
• Used when Availability is important
Discretionary Access Control (DAC)
In DAC, the Subject can do one or more of the following:

• Pass the information to other subjects or objects
• Grant its privileges to other subjects
• Change security attributes on subjects, objects, information systems or system components
• Choose the security attributes to be associated with newly created or revised objects; and/or
• Change the rules governing access control; mandatory access controls restrict this capability
Discretionary Access Control (DAC)

Access matrix (rows: subjects, columns: objects):

            File 1         File 2
  User 1    Read, Write    Read
  User 2    Read           Read

Access Control List for File 1 (one column of the matrix): User 1 - Read, Write; User 2 - Read
Capability List for User 1 (one row of the matrix): File 1 - Read, Write; File 2 - Read
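The following is an added example, not part of the slide deck, that builds the access matrix from the slide above and derives the two views the slide names: the Access Control List (a column, attached to the object) and the Capability List (a row, attached to the subject). It also shows what makes the model discretionary: the object owner, and only the owner, extends rights on that object. The slide does not state who owns each file, so the ownership of File 1 by User 1 and File 2 by User 2 is an assumption.

```python
"""Added example: a DAC access matrix with ACL and capability-list views and
owner-controlled granting. Not from the slides or any product."""

# Access matrix copied from the slide: subject -> object -> set of rights
MATRIX = {
    "User 1": {"File 1": {"Read", "Write"}, "File 2": {"Read"}},
    "User 2": {"File 1": {"Read"}, "File 2": {"Read"}},
}
# Ownership is not on the slide; assumed here for the example
OWNERS = {"File 1": "User 1", "File 2": "User 2"}


def acl(obj: str) -> dict:
    """Access Control List: one column of the matrix, stored with the object."""
    return {s: set(rights[obj]) for s, rights in MATRIX.items() if obj in rights}


def capabilities(subject: str) -> dict:
    """Capability List: one row of the matrix, stored with the subject."""
    return {o: set(r) for o, r in MATRIX.get(subject, {}).items()}


def allowed(subject: str, action: str, obj: str) -> bool:
    """Object-level permission check."""
    return action in MATRIX.get(subject, {}).get(obj, set())


def grant(owner: str, subject: str, obj: str, action: str) -> bool:
    """Discretionary part of DAC: the owner of an object may extend rights on
    it to another subject; anyone else is refused."""
    if OWNERS.get(obj) != owner:
        raise PermissionError(f"{owner} does not own {obj}")
    MATRIX.setdefault(subject, {}).setdefault(obj, set()).add(action)
    return allowed(subject, action, obj)


def revoke(owner: str, subject: str, obj: str, action: str) -> bool:
    """The owner may also take a right back; returns whether it is now denied."""
    if OWNERS.get(obj) != owner:
        raise PermissionError(f"{owner} does not own {obj}")
    MATRIX.get(subject, {}).get(obj, set()).discard(action)
    return not allowed(subject, action, obj)


if __name__ == "__main__":
    print("ACL for File 1:", acl("File 1"))
    print("Capabilities of User 1:", capabilities("User 1"))
    print("User 2 may write File 1:", allowed("User 2", "Write", "File 1"))
```

The same matrix answers both "who can touch this file?" (the ACL, the form most file systems store) and "what can this user reach?" (the capability list, the form needed for a user access review); keeping one source of truth avoids the two drifting apart, which is the usual way excess rights accumulate in DAC systems.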
Mandatory Access Control (MAC)
(Restricting access to system resources based on the sensitivity of the information)

• The system administrator controls the access.
• Clearance and labels are used to grant access
  - Clearance is for Subjects
  - Label is for Objects
• Subjects can grant other subjects access to their files
• MAC policy is enforced across all subjects and objects
• Mostly used in Military and sensitive environments
• Used when Confidentiality is important
Mandatory Access Control (MAC)
Labels and Classifications
(Figure: classification labels.)
Mandatory Access Control (MAC)
In MAC, the subject is constrained from doing any of the following:

• Granting its privileges to other subjects
• Changing one or more security attributes on subjects, objects, the information system or system components
• Choosing the security attributes to be associated with newly created or modified objects
• Changing the rules governing access control
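The following is an added example, not part of the slide deck, showing the MAC mechanics from the slides above: clearances on subjects, labels on objects, a read check that the system (not the owner) enforces, and the constraints that a subject can neither pass on its privileges nor change a label. The ordering Unclassified < Confidential < Secret < Top Secret, the subjects, the files and their clearances and labels are all constructed sample data; the slides' own label figure is not reproduced here.

```python
"""Added example: MAC with subject clearances and object labels enforced by
the system. Not from the slides or any product."""

LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]  # assumed ordering
RANK = {name: i for i, name in enumerate(LEVELS)}

# Constructed sample data: clearances belong to subjects, labels to objects
CLEARANCE = {"alice": "Top Secret", "bob": "Confidential"}
LABEL = {"plans.doc": "Secret", "memo.txt": "Unclassified"}


def dominates(level_a: str, level_b: str) -> bool:
    """True when level_a is at least as sensitive as level_b."""
    return RANK[level_a] >= RANK[level_b]


def can_read(subject: str, obj: str) -> bool:
    """The system grants read access only when the subject's clearance
    dominates the object's label (a subject may not read 'up')."""
    return dominates(CLEARANCE[subject], LABEL[obj])


def readable_by(subject: str) -> list:
    """Every object the subject may read under the current labels."""
    return sorted(o for o in LABEL if can_read(subject, o))


def grant(subject: str, other: str, obj: str) -> None:
    """MAC constraint: a subject cannot pass its privileges to another subject,
    even for objects it is cleared to read. Always refused."""
    raise PermissionError(f"{subject} may not grant {other} access to {obj}")


def relabel(actor: str, obj: str, new_label: str, *, is_admin: bool = False) -> str:
    """MAC constraint: only the system administrator changes security
    attributes; ordinary subjects are refused regardless of clearance."""
    if not is_admin:
        raise PermissionError(f"{actor} may not change the label of {obj}")
    if new_label not in RANK:
        raise ValueError(f"unknown label {new_label!r}")
    LABEL[obj] = new_label
    return LABEL[obj]


if __name__ == "__main__":
    for who in CLEARANCE:
        print(who, "can read:", readable_by(who))
```

Contrast this with the DAC matrix earlier in the module: here the decision depends only on the two labels, so a Top Secret subject cannot "share" a Secret file with a Confidential colleague, and the only way bob ever reads plans.doc is for an administrator to change a clearance or a label.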
Role-Based Access Control (RBAC)
(Access is based on an individual's role and a “need to know”)

• A role is created and assigned the access required for personnel working in that role
• RBAC sets up user permissions based on roles.
• Each role represents users with similar or identical permissions.
• If a user leaves that role, the administrator removes that user, and then the access for that user associated with that role is removed.

RBAC works well in an environment with high staff turnover and multiple personnel with similar access requirements.
Rule-Based Access Control (RuBAC)
Rule-based Access Control manages access to areas, devices, or databases according to a predetermined set of rules (Time, Date, Location) or access permissions, regardless of the subject’s role or position in an organization.
Attribute-Based Access Control (ABAC)
(A detailed approach to role-based access control, but more granular and much more secure)

Access is granted based on subject, object, action and environmental conditions (attributes or characteristics), such as:

• Subject attributes: User ID, job role, department membership and hierarchy level.
• Object or resource attributes: The object type, location and classification or sensitivity.
• Action attributes: Read, write, copy, edit, view, approve and delete.
• Environmental attributes: Communication protocol, encryption strength and other dynamic aspects of access control.
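The following is an added example, not part of the slide deck, that puts the three models from the RBAC, RuBAC and ABAC slides side by side in one small policy engine: permissions attached to roles (RBAC, including the slide's point that removing a user from a role removes the access), a time-and-location rule applied regardless of role (RuBAC), and a decision over subject, object, action and environment attributes (ABAC). The users, roles, the "ledger" resource, the working-hours window and the attribute rules are constructed for the example and are not any product's policy language.

```python
"""Added example: RBAC, RuBAC and ABAC decisions over one request shape.
Not from the slides or any product; all data below is constructed."""
from datetime import datetime

# --- RBAC: permissions hang off roles; users are members of roles ---------
ROLE_PERMS = {
    "finance_analyst": {("ledger", "read"), ("ledger", "write")},
    "auditor": {("ledger", "read")},
}
ROLE_MEMBERS = {"finance_analyst": {"alice"}, "auditor": {"bob"}}


def roles_of(user: str) -> set:
    return {r for r, members in ROLE_MEMBERS.items() if user in members}


def rbac_allows(user: str, resource: str, action: str) -> bool:
    return any((resource, action) in ROLE_PERMS[r] for r in roles_of(user))


def remove_from_role(user: str, role: str) -> set:
    """When a user leaves the role, every permission tied to it goes with it."""
    ROLE_MEMBERS[role].discard(user)
    return roles_of(user)


# --- RuBAC: predetermined time/location rules, regardless of role ----------
def rubac_allows(env: dict) -> bool:
    hour = env["time"].hour
    return env["location"] == "office" and 8 <= hour < 18


# --- ABAC: subject, object, action and environment attributes -------------
SUBJECT_ATTRS = {
    "alice": {"department": "finance", "mfa": True},
    "bob": {"department": "audit", "mfa": False},
}
RESOURCE_ATTRS = {"ledger": {"classification": "internal", "department": "finance"}}


def abac_allows(user: str, resource: str, action: str, env: dict) -> bool:
    subj, obj = SUBJECT_ATTRS[user], RESOURCE_ATTRS[resource]
    if action == "write":   # writes need the owning department plus MFA
        return subj["department"] == obj["department"] and subj["mfa"]
    if action == "read":    # reads need an encrypted channel
        return env["protocol"] == "https"
    return False


def make_env(hour: int, location: str = "office", protocol: str = "https") -> dict:
    """Constructed environment attributes for a request (date fixed for the sample)."""
    return {"time": datetime(2024, 3, 4, hour, 0), "location": location, "protocol": protocol}


def decide(user: str, resource: str, action: str, env: dict):
    """Default deny: the request passes only if every applicable model permits it.
    Returns (allowed, per-model results) so a denial can be explained in logs."""
    checks = {
        "rbac": rbac_allows(user, resource, action),
        "rubac": rubac_allows(env),
        "abac": abac_allows(user, resource, action, env),
    }
    return all(checks.values()), checks


if __name__ == "__main__":
    print(decide("alice", "ledger", "write", make_env(10)))
    print(decide("alice", "ledger", "write", make_env(22)))   # outside hours
    remove_from_role("alice", "finance_analyst")
    print(decide("alice", "ledger", "read", make_env(10)))    # role removed
```

Returning the per-model results alongside the final decision is worth the extra line: when a request is denied, an administrator can see immediately whether the cause was a missing role, an out-of-hours rule or an attribute mismatch, instead of reverse-engineering it from the policy.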
Administrative Controls
Policies, procedures, or guidelines that define personnel or business practices in accordance with the organization's security goals.

Administrative Controls Examples:
• Job Rotation: rotating employees among numerous job positions (provides knowledge redundancy and helps in detecting errors and fraud)
• Mandatory Vacations: prevents an operator from having exclusive use of a system (helps in detecting errors and fraud)
• Non-Disclosure Agreement (NDA): an agreement to protect the confidential information within an organization from being disclosed by a former employee
• Background Checks: screening employees to verify that an individual is who they claim to be; this provides an opportunity to check and confirm the validity of someone's criminal record, education, employment history, and other activities from their past.
Module 4: Summary and Review

Quiz
Domain 3 Review Questions
Q1. A safeguard or countermeasure designed to preserve Confidentiality, Integrity and Availability of data is:
A. Firewalls
B. Mandatory Access Controls
C. Policy
D. Security Control

Q2. An entity that requests access to our assets:
A. Object
B. Application
C. Subject
D. User

Q3. An organization would like to implement an authorization mechanism that would simplify the assignment of various system access permissions for many users with similar job responsibilities. Which type of authorization mechanism would be the BEST choice for the organization to implement?
A. Rule-based Access Control
B. Content-dependent Access Control
C. Discretionary access control (DAC)
D. Role-based access control (RBAC)

Q4. Which of the following statements BEST describes the least privilege principle in a cloud environment?
A. A single cloud administrator is configured to access core functions.
B. Internet traffic is inspected for all incoming and outgoing packets.
C. Routing configurations are regularly updated with the latest routes.
D. Network segments remain private if unneeded to access the internet.

Q5. Within a large organization, what business unit is BEST positioned to initiate provisioning and deprovisioning of user accounts?
A. Internal audit
B. Training department
C. Human resources
D. Information technology (IT)

Q6. Which of the following is the PRIMARY purpose of installing a mantrap within a facility?
A. Control traffic
B. Prevent piggybacking
C. Control air flow
D. Prevent rapid movement

Q7. The addition of multiple firewalls to separate untrusted networks with different security requirements is called:
A. Defense in Depth
B. Patching
C. Least Privilege
D. Access Control

Q8. An architectural approach to the design of buildings and spaces which emphasizes passive features to reduce the likelihood of criminal activity.
A. Network Protection
B. Monitoring
C. Crime Prevention through Environmental Design (CPTED)
D. Security Guards

Q9. Which of the following is MOST important to follow when developing information security controls for an organization?
A. Use industry standard best practices for security controls in the organization.
B. Exercise due diligence with regard to all risk management information to tailor appropriate controls.
C. Review all local and international standards and choose the most stringent based on location.
D. Perform a risk assessment and choose a standard that addresses existing gaps.

Q10. What is the BEST way to restrict access to a file system on computing systems?
A. Restrict access to all users.
B. Use least privilege at each level to restrict access.
C. Allow a user group to restrict access.
D. Use a third-party tool to restrict access.