From the course: CompTIA Advanced Security Practitioner (CASP+) (CAS-004) Cert Prep

Access control

There are many different types of access controls out there, but in this lesson we're going to focus on the five primary types: mandatory access control, discretionary access control, role-based access control, rule-based access control, and attribute-based access control.

The first type is known as mandatory access control, or MAC. Mandatory access control uses security labels to determine which users are authorized to access a particular resource. This type of access control is complex to configure and more expensive to maintain, so it's generally going to be reserved for high-security systems. Under this system, anything that is not specifically allowed is considered forbidden and is not accessible to your users. For this system to work effectively, every single user and every single resource has to be assigned a security label. If the user's level is not equal to or higher than the resource's level, that user is going to be blocked from accessing that resource. For example, if you work in the military, some resources are labeled as secret, and you may have a secret clearance. You can access anything on that system that's labeled as secret, confidential, or unclassified, because your secret clearance is at or above those three levels. But if you tried to access a file that was labeled as top secret in this MAC-based system, you're going to get denied, because your secret clearance is lower than the top secret level that file requires, and therefore you can't view that file.

The second type is known as discretionary access control, or DAC. With discretionary access control, a resource's owner is allowed to specify which users can access each resource. Using discretionary access control, access is determined based on a user's identity, profile, or role, and this is considered a form of need-to-know access control. For example, if you decide to share a file on your computer with me over the corporate network, you could easily use discretionary access controls to add my username to the list of authorized users for that particular shared file.

The third type is known as role-based access control. Role-based access control allows an administrator to assign each user to one or more roles and then use those roles to assign permissions to the organization's resources. In Windows domain environments, role-based access control is normally implemented by using groups, and these groups can also be set up in a structure that mimics your organization's hierarchy. For example, we might create one group for the accounting department and another group for the human resources department. Then, based on those groups or roles, we can give each group access to different resources. Additionally, we could put both of these groups into a higher-level group called employees, and that group might have access to other resources that every employee at the company needs. Role-based access control can be used to enforce minimum privileges for a subject based upon all of their associated groups, and users can be members of one or more groups based on the different roles they fulfill within the organization. This type of access control works really well for organizations that have a high rate of employee turnover, because the permissions are based on a work role rather than on an individual's own username.

The fourth type is known as rule-based access control. Rule-based access control allows an administrator to implement security policies across all of their users. This allows for the use of rules that may be quickly changed and frequently modified. For example, the access control lists that are set up on your routers or your firewalls are a great example of rule-based access control, because once we implement them, they affect all users on a given network segment at once, based on the rule we put in place.

The fifth type is known as attribute-based access control, or ABAC. Attribute-based access control relies on a set of characteristics of an object to make its access control decisions. User attributes include things like the username, the role, the organization, the ID, or the security clearance level. Environmental attributes can include things like the time of access, the location of the data, and the organization's current threat level. Resource attributes can include things like the creation date of the file or object, the resource owner, the file name, and the data sensitivity. Depending on these various user, environment, and resource attributes, access is permitted or denied based on the individual requesting access. For example, your company's SharePoint site on your intranet may look different when you log into it versus when one of your coworkers does. This is based upon which access rules are applied to your individual account and where you're logging in from: from inside the corporate office, from your home office over a VPN, or directly over the internet.

So remember, when it comes to access control, you have five different types that you can implement: mandatory access control, discretionary access control, role-based access control, rule-based access control, and attribute-based access control.
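The five decision models above, each reduced to a small policy decision point, as an added example that is not part of the course material. The security levels, groups, ACL rules, attributes and the ABAC policy are all constructed for illustration.

```python
import ipaddress

# --- Mandatory access control: ordered labels, a subject may not "read up" ---
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

def mac_allows(clearance: str, label: str) -> bool:
    """Allowed only when the clearance is at or above the resource label."""
    return LEVELS[clearance] >= LEVELS[label]

# --- Discretionary access control: the owner maintains a per-resource allow list ---
def dac_allows(acl: dict, resource: str, user: str) -> bool:
    """Anything the owner has not explicitly granted is denied."""
    return user in acl.get(resource, set())

# --- Role-based access control: permissions hang off (nested) groups, not users ---
GROUP_PARENTS = {"accounting": "employees", "hr": "employees"}   # constructed hierarchy
GROUP_PERMS = {"accounting": {"ledger"}, "hr": {"personnel"}, "employees": {"handbook"}}

def effective_roles(groups: set) -> set:
    """Expand direct memberships through parent groups (accounting -> employees)."""
    roles = set(groups)
    for g in groups:
        while g in GROUP_PARENTS:
            g = GROUP_PARENTS[g]
            roles.add(g)
    return roles

def rbac_allows(groups: set, resource: str) -> bool:
    return any(resource in GROUP_PERMS.get(r, ()) for r in effective_roles(groups))

# --- Rule-based access control: an ordered ACL, first match wins, implicit deny ---
RULES = [("10.0.5.0/24", "deny"), ("10.0.0.0/16", "allow")]   # constructed rules

def rule_allows(src_ip: str) -> bool:
    ip = ipaddress.ip_address(src_ip)
    for cidr, action in RULES:
        if ip in ipaddress.ip_network(cidr):
            return action == "allow"
    return False

# --- Attribute-based access control: user, environment and resource attributes ---
def abac_allows(user: dict, env: dict, resource: dict) -> bool:
    """Constructed policy: high-sensitivity data only from the office or over VPN,
    during business hours, and only for the department that owns it."""
    if resource["sensitivity"] == "high" and env["location"] not in ("office", "vpn"):
        return False
    if not 8 <= env["hour"] < 18:
        return False
    return user["department"] == resource["owner_dept"]
```

Note how the same request can be allowed by one model and denied by another: a user in the accounting group passes the RBAC check for the ledger but is still blocked by ABAC when connecting from home.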