Friday, May 11, 2007

The Process of Accountability: Identification

Identification is the process by which a subject professes an identity and accountability is initiated. A user providing a username, a logon ID, a personal identification number (PIN), or a smart card represents the identification process. Providing a process ID number also represents the identification process. Once a subject has identified itself, the identity is accountable for any further actions by that subject. Information technology (IT) systems track activity by identities, not by the subjects themselves. A computer doesn’t know one human from another, but it does know that your user account is different from all other user accounts.

The Process of Accountability

One important purpose of security is to be able to hold people accountable for the activities that their online personas (i.e., their user accounts) perform within the digital world of the computer network. The first step in this process is identifying the subject. In fact, there are several steps leading up to being able to hold a person accountable for online actions: identification, authentication, authorization, auditing, and accountability.

Access Control in a Layered Environment

No single access control mechanism is ever deployed on its own. In fact, combining various types of access controls is the only means by which a reasonably secure environment can be developed. Often multiple layers or levels of access controls are deployed to provide layered security or defense in depth. This idea is described by the notion of concentric circles of protection: surround your assets and resources with logical circles of security protection, so that intruders or attackers must overcome multiple layers of defenses to reach the protected assets. Layered security or defense in depth is considered a more logical approach to security than a traditional fortress mentality. In a fortress mentality, a single giant master wall is built around the assets like the massive rock walls of a castle. The major flaw in such an approach is that large structures often have minor weaknesses and flaws; are difficult if not impossible to reconfigure, adjust, or move; and are easily seen and avoided by would-be attackers (i.e., they find easier ways into the protected area).

In a layered security or concentric circles of protection deployment, your assets are surrounded by a layer of protection provided by administrative access controls, which in turn is surrounded by a layer of protection consisting of logical or technical access controls, which is finally surrounded by a layer of protection that includes physical access controls. This concept of defense in depth highlights two important points. First, the security policy of an organization ultimately provides the first or innermost layer of defense for your assets. Without a security policy, there is no real security that can be trusted. Security policies are one element of administrative access controls. Second, people are your last line of defense. People or personnel are the other focus of administrative access control. Only with proper training and education will your personnel be able to implement, comply with, and support the security elements defined in your security policy.

Thursday, May 10, 2007

Types of Access Control

Access controls are necessary to protect the confidentiality, integrity, and availability of objects (and by extension, their information and data). The term access control is used to describe a broad range of controls, from forcing a user to provide a valid username and password to log on to preventing users from gaining access to a resource outside of their sphere of access.

Access controls can be divided into the following seven categories of function or purpose. You should notice that some security mechanisms can be labeled with multiple function or purpose categories.

Preventative access control A preventative access control is deployed to stop unwanted or unauthorized activity from occurring. Examples of preventative access controls include fences, locks, biometrics, mantraps, lighting, alarm systems, separation of duties, job rotation, data classification, penetration testing, access control methods, encryption, auditing, presence of security cameras or closed circuit television (CCTV), smart cards, callback, security policies, security awareness training, and antivirus software.

Deterrent access control A deterrent access control is deployed to discourage the violation of security policies. A deterrent control picks up where prevention leaves off. The deterrent doesn't stop at trying to prevent an action; instead, it goes further to exact consequences in the event of an attempted or successful violation. Examples of deterrent access controls include locks, fences, security badges, security guards, mantraps, security cameras, trespass or intrusion alarms, separation of duties, work task procedures, awareness training, encryption, auditing, and firewalls.

Detective access control A detective access control is deployed to discover unwanted or unauthorized activity. Often detective controls are after-the-fact controls rather than real-time controls. Examples of detective access controls include security guards, guard dogs, motion detectors, recording and reviewing of events seen by security cameras or CCTV, job rotation, mandatory vacations, audit trails, intrusion detection systems, violation reports, honeypots, supervision and reviews of users, and incident investigations.

Corrective access control A corrective access control is deployed to restore systems to normal after an unwanted or unauthorized activity has occurred. Usually corrective controls have only a minimal capability to respond to access violations. Examples of corrective access controls include intrusion detection systems, antivirus solutions, alarms, mantraps, business continuity planning, and security policies.

Recovery access control A recovery access control is deployed to repair or restore resources, functions, and capabilities after a violation of security policies. Recovery controls have more advanced or complex capability to respond to access violations than a corrective access control. For example, a recovery access control can repair damage as well as stop further damage. Examples of recovery access controls include backups and restores, fault tolerant drive systems, server clustering, antivirus software, and database shadowing.

Compensation access control A compensation access control is deployed to provide various options to other existing controls to aid in the enforcement and support of a security policy. Examples of compensation access controls include security policy, personnel supervision, monitoring, and work task procedures.

Compensation controls can also be considered to be controls used in place of a control that would be preferable but cannot be deployed, or that would cause too much damage. For example, if a guard dog cannot be used because of the proximity of a residential area, a motion detector with a spotlight and a barking sound playback device can be used instead.

Directive access control A directive access control is deployed to direct, confine, or control the actions of subjects to force or encourage compliance with security policies. Examples of directive access controls include security guards, guard dogs, security policy, posted notifications, escape route exit signs, monitoring, supervising, work task procedures, and awareness training.

Access controls can be further categorized by how they are implemented. In this case, the categories are administrative, logical/technical, or physical.

Administrative access controls Administrative access controls are the policies and procedures defined by an organization's security policy to implement and enforce overall access control. Administrative access controls focus on two areas: personnel and business practices (i.e., people and policies). Examples of administrative access controls include policies, procedures, hiring practices, background checks, data classification, security training, vacation history, reviews, work supervision, personnel controls, and testing.

Logical/technical access controls Logical access controls and technical access controls are the hardware or software mechanisms used to manage access to resources and systems and provide protection for those resources and systems. Examples of logical or technical access controls include encryption, smart cards, passwords, biometrics, constrained interfaces, access control lists (ACLs), protocols, firewalls, routers, intrusion detection systems, and clipping levels.

Physical access controls Physical access controls are the physical barriers deployed to prevent direct contact with systems or portions of a facility. Examples of physical access controls include guards, fences, motion detectors, locked doors, sealed windows, lights, cable protections, laptop locks, swipe cards, guard dogs, video cameras, mantraps, and alarms.
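The clipping levels listed above among the logical/technical controls are a detective control in practice: a threshold of tolerated errors below which events are treated as normal noise and at or above which they are recorded and investigated. The following is an added example, not code from the original post, showing a clipping level applied to failed logons per user account. The log format and the sample lines are constructed for the example and do not come from any particular product; the five-minute window and the threshold of three are assumed values, not from the post.

```python
"""Clipping level as a detective, technical access control.

Added example (not from the original post).  Failed logons are counted
per identity, because the system tracks activity by user account rather
than by the person at the keyboard.  Failures that reach the clipping
level inside a sliding time window are reported; occasional typos spread
over hours stay below the level and are ignored.  The log format and the
sample lines are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an authentication log: timestamp, result, account, source.
SAMPLE_LOG = """\
2007-05-10T08:00:01 FAILED  user=alice src=10.0.0.5
2007-05-10T08:00:09 FAILED  user=alice src=10.0.0.5
2007-05-10T08:00:14 SUCCESS user=alice src=10.0.0.5
2007-05-10T08:01:00 FAILED  user=bob   src=10.0.0.9
2007-05-10T08:01:03 FAILED  user=bob   src=10.0.0.9
2007-05-10T08:01:07 FAILED  user=bob   src=10.0.0.9
2007-05-10T08:01:12 FAILED  user=bob   src=10.0.0.9
2007-05-10T08:01:20 FAILED  user=bob   src=10.0.0.9
2007-05-10T09:30:00 FAILED  user=carol src=10.0.0.7
2007-05-10T11:30:00 FAILED  user=carol src=10.0.0.7
2007-05-10T13:30:00 FAILED  user=carol src=10.0.0.7
"""

# Assumed line layout for the constructed log above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<result>FAILED|SUCCESS)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse_log(text):
    """Turn raw lines into (timestamp, result, user, src) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events


def violations(events, clipping_level=3, window_minutes=5):
    """Return {user: peak_failures} for accounts whose failed logons reached the
    clipping level within any sliding window of window_minutes.  Successful
    logons are not counted; failures outside the window fall out of the count."""
    window = timedelta(minutes=window_minutes)
    fails = defaultdict(list)
    for ts, result, user, _src in events:
        if result == "FAILED":
            fails[user].append(ts)

    flagged = {}
    for user, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it covers at most window_minutes.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= clipping_level:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


if __name__ == "__main__":
    for user, peak in violations(parse_log(SAMPLE_LOG)).items():
        print(f"clipping level exceeded: user={user} failures_in_window={peak}")
```

With the defaults, only bob is reported (five failures in twenty seconds); alice's two failures followed by a success and carol's three failures two hours apart stay below the level. Widening the window to several hours turns carol's pattern into a violation too, which is the tuning decision a clipping level forces: the threshold and window define what counts as noise.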

CIA Triad

The essential security principles of confidentiality, integrity, and availability are often referred to as the CIA Triad. All security controls must address these principles. These three security principles serve as common threads throughout the CISSP CBK. Each domain addresses these principles in unique ways, so it is important to understand them both in general terms and within each specific domain:
  • Confidentiality is the principle that objects are not disclosed to unauthorized subjects.

  • Integrity is the principle that objects retain their veracity and are intentionally modified by authorized subjects only.

  • Availability is the principle that authorized subjects are granted timely access to objects with sufficient bandwidth to perform the desired interaction.

Different security mechanisms address these three principles in different ways and offer varying degrees of support or application of these principles. Objects must be properly classified and prioritized so proper security access controls can be deployed.

Wednesday, May 9, 2007

Access Control Overview

Controlling access to resources is one of the central themes of security. Access control addresses more than just controlling which users can access which files or services. Access control is about the relationships between subjects and objects. The transfer of information from an object to a subject is called access. However, access is not just a logical or technical concept; don't forget about the physical realm, where access can be disclosure, use, or proximity. A foundational principle of access control is to deny access by default if access is not granted specifically to a subject.

Subjects are active entities that, through the exercise of access, seek information about or data from passive entities, or objects. A subject can be a user, program, process, file, computer, database, and so on. An object can be a file, database, computer, program, process, printer, storage media, and so on. The subject is always the entity that receives information about or alters data stored within the object. The object is always the entity that provides or hosts the information or data. The roles of subject and object can switch as two entities, such as a program and a database or a process and a file, communicate to accomplish a task.
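The following added example (not code from the original posts) walks one request through the chain described in "The Process of Accountability" (identification, authentication, authorization, auditing, accountability) and enforces the deny-by-default rule stated in this overview: the subject professes an identity, proves it, is checked against an access list that grants nothing unless an entry says otherwise, and every decision is written to an audit trail keyed by the identity, so that later actions are attributed to the account rather than to the person. The accounts, the object names and the access list are constructed for the example; PBKDF2 for password storage is an assumed choice, not something the posts specify.

```python
"""Identification -> authentication -> authorization -> auditing -> accountability.

Added example, not code from the original posts.  Accounts, objects and
the ACL are constructed for the demonstration.  The password hashing
(PBKDF2-HMAC-SHA256 with a per-account salt) is an assumed choice.
"""
import hashlib
import hmac
import os


def _hash_password(password, salt, iterations=100_000):
    """Assumed password storage: salted PBKDF2; never store the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


class AccessControlSystem:
    def __init__(self):
        self._accounts = {}     # identity -> (salt, password hash)
        self._acl = {}          # (identity, object) -> set of permitted actions
        self.audit_trail = []   # (identity, object, action, decision, reason)

    # --- administrative setup (constructed data for the example) ---
    def add_account(self, identity, password):
        salt = os.urandom(16)
        self._accounts[identity] = (salt, _hash_password(password, salt))

    def grant(self, identity, obj, actions):
        """Only explicit grants exist; there is no way to express 'allow everything'."""
        self._acl.setdefault((identity, obj), set()).update(actions)

    # --- the accountability chain ---
    def identify(self, identity):
        """Identification: the subject professes an identity.  Nothing is proven yet."""
        return identity

    def authenticate(self, identity, password):
        """Authentication: prove the professed identity.  Unknown accounts are hashed
        against a dummy salt so the response time does not reveal which usernames exist."""
        salt, stored = self._accounts.get(identity, (b"\x00" * 16, b"\x00" * 32))
        ok = hmac.compare_digest(_hash_password(password, salt), stored) and identity in self._accounts
        self._audit(identity, "-", "logon", ok, "credential check")
        return ok

    def authorize(self, identity, obj, action):
        """Authorization: deny by default; only a matching ACL entry grants access."""
        allowed = action in self._acl.get((identity, obj), set())
        self._audit(identity, obj, action, allowed,
                    "acl entry" if allowed else "no acl entry (default deny)")
        return allowed

    def _audit(self, identity, obj, action, decision, reason):
        """Auditing: record what the identity did, denials included."""
        self.audit_trail.append((identity, obj, action, "ALLOW" if decision else "DENY", reason))

    def actions_by(self, identity):
        """Accountability: everything attributed to an identity, in order."""
        return [e for e in self.audit_trail if e[0] == identity]


def access(system, identity, password, obj, action):
    """One request end to end.  Returns the final decision; the audit trail keeps each step."""
    who = system.identify(identity)
    if not system.authenticate(who, password):
        return False
    return system.authorize(who, obj, action)


def demo():
    """Constructed scenario: alice may read payroll and nothing else; bob has no grants."""
    acs = AccessControlSystem()
    acs.add_account("alice", "correct horse")
    acs.add_account("bob", "hunter2")
    acs.grant("alice", "/payroll.db", {"read"})
    results = {
        "alice reads payroll": access(acs, "alice", "correct horse", "/payroll.db", "read"),
        "alice writes payroll": access(acs, "alice", "correct horse", "/payroll.db", "write"),
        "bob reads payroll": access(acs, "bob", "hunter2", "/payroll.db", "read"),
        "bob bad password": access(acs, "bob", "wrong", "/payroll.db", "read"),
        "mallory unknown": access(acs, "mallory", "x", "/payroll.db", "read"),
    }
    return acs, results


if __name__ == "__main__":
    acs, results = demo()
    for label, decision in results.items():
        print(f"{label}: {'ALLOW' if decision else 'DENY'}")
    for entry in acs.actions_by("alice"):
        print("alice trail:", entry)
```

Two points the chain makes concrete: alice's write attempt is denied not because a rule forbids it but because no rule permits it, and the audit trail for "bob" contains a successful logon, a denied read and a failed logon without the system ever knowing whether the same human was behind all three. That is what the accountability post means by tracking activity by identities rather than by subjects.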