• Unit 4: Access Control

    The main goal of information security is to protect data from unauthorized disclosure. Access control models are used in an organization to provide the appropriate access to users based on individual or group privileges.

    Privileges can be granted based on clearance levels, discretion, roles, or rules. The types of access control models used to restrict access that will be reviewed in this unit are mandatory access control (MAC), discretionary access control (DAC), role-based access control (RBAC), and rule-based access control (RB-RBAC).

    Completing this unit should take you approximately 2 hours.

    • 4.1: Access Control

      Access control is the mechanism to prevent unauthorized disclosure and access to data and systems. This unit provides information on how access control protects the tenets of the CIA triad, and the role of access control in a system.

    • 4.2: Access Control Terminology

      Access control is required in information security to assure the confidentiality, integrity, and availability of systems and to protect the data on them. Access control is enforced by limiting the permissions and privileges granted to those authorized to access the systems. Authorized personnel, or subjects, are given specific rights and privileges to perform actions at a level appropriate to the requirements of their position. Permissions are the rights given to a user or subject, such as the right to read, write, or execute a file. Privileges are given to a role, such as a systems administrator (SA). For instance, a subject or person given the role of SA has root access on a system and therefore has elevated privileges.

      To maintain access control, administrative methods for personnel access such as least privilege, separation of duties, need-to-know, and guarding against privilege creep should be in place. In addition, systems use access control matrices and access control lists (ACLs) to enforce access control. These terms and processes are discussed in more detail in subsequent sections of this unit.
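As an added illustration that is not part of the course materials, the following Python models an access control matrix with read/write/execute permissions, derives the per-object ACL view from it, and applies two of the administrative checks named above: default-deny (least privilege) and separation of duties. All subjects, objects, and conflicting duties are constructed sample data.

```python
# Added example (not from the course page): an access control matrix whose
# cells hold read/write/execute rights, the per-object ACL derived from it,
# and two administrative checks: least privilege (an empty cell denies) and
# separation of duties (no subject may both request and approve a purchase).
from typing import Dict, Set, FrozenSet

Permission = str  # "r", "w" or "x"
Matrix = Dict[str, Dict[str, Set[Permission]]]  # subject -> object -> rights

# Constructed sample matrix: rows are subjects, columns are objects.
MATRIX: Matrix = {
    "alice": {"payroll.db": {"r", "w"}, "backup.sh": {"r", "x"}},
    "bob": {"payroll.db": {"r"}, "purchase_req": {"w"}},
    "carol": {"purchase_approval": {"w"}, "backup.sh": {"r"}},
    "sysadmin": {"backup.sh": {"r", "w", "x"}, "payroll.db": {"r", "w"}},
}

# Constructed separation-of-duties rule: (object, right) pairs one subject
# must never hold together.
SOD_CONFLICTS = [(("purchase_req", "w"), ("purchase_approval", "w"))]


def acl(matrix: Matrix, obj: str) -> Dict[str, FrozenSet[Permission]]:
    """Column view of the matrix: the ACL stored with one object."""
    return {s: frozenset(row[obj]) for s, row in matrix.items() if obj in row}


def is_allowed(matrix: Matrix, subject: str, obj: str, perm: Permission) -> bool:
    """Default-deny lookup: an unknown subject or empty cell grants nothing."""
    return perm in matrix.get(subject, {}).get(obj, set())


def sod_violations(matrix: Matrix) -> Set[str]:
    """Subjects that hold both halves of any conflicting pair."""
    bad: Set[str] = set()
    for subject in matrix:
        for (o1, p1), (o2, p2) in SOD_CONFLICTS:
            if is_allowed(matrix, subject, o1, p1) and is_allowed(matrix, subject, o2, p2):
                bad.add(subject)
    return bad


def grant(matrix: Matrix, subject: str, obj: str, perm: Permission) -> bool:
    """Add a right only if it would not put the subject in an SoD conflict."""
    trial = {s: {o: set(p) for o, p in row.items()} for s, row in matrix.items()}
    trial.setdefault(subject, {}).setdefault(obj, set()).add(perm)
    if subject in sod_violations(trial):
        return False  # refuse the grant; this is how privilege creep is caught
    matrix.setdefault(subject, {}).setdefault(obj, set()).add(perm)
    return True
```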

    • 4.3: Access Control Models

      Now that you understand access control and some access control principles, we move on to access control models. The model chosen is determined by the type of protection needed in a particular system and may depend on the type of agency where the security professional works. Therefore, it is important to know that different access control models exist and to have a basic understanding of each. For example, mandatory access control (MAC) is used by the military and is a more formal type of access approval based on least privilege. Role-based access control (RBAC) is used in the private sector and is based on need-to-know. This section introduces access control models including mandatory access control (MAC), discretionary access control (DAC), role-based access control (RBAC), and rule-based access control (RB-RBAC).

      • 4.3.1: Mandatory Access Control (MAC) and Discretionary Access Control (DAC)

      • 4.3.2: Role-Based Access Control (RBAC)

      • 4.3.3: Rule-Based Access Control (RB-RBAC)

    • Unit 4 Assessment

      • Receive a grade