December 15, 2022
CISSP Study Guide: Access Control and Accountability
Access control and accountability are fundamental to understanding computer and network security. These two mechanisms secure property, data and networks against intentional or accidental corruption. Together with auditing, they sustain the Confidentiality, Integrity, and Availability (CIA) security model and govern access to networks and equipment through Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System (TACACS/TACACS+).
Access control is the process of administering user permissions for resources and services. A smart card or a user name and password are examples of how access control is implemented. Routers are another example, as are virtual private networks (VPNs), remote access points such as remote access servers (RAS), and wireless access points (WAPs). The controlled resource can also be a document or a shared service provided through a network operating system (NOS).
The three main constructs of access control are:
- Discretionary Access Control (DAC)
- Mandatory Access Control (MAC)
- Role-Based Access Control (RBAC)
Discretionary Access Control (DAC)
Discretionary Access Control (DAC) lets the owner of a system or device manage access at his or her own discretion: the owner sets access authorization personally, whereas with Mandatory Access Control (MAC) and Role-Based Access Control (RBAC) access to information follows an established set of rules. DAC is the most common set-up for access control and includes setting permissions on files, folders, and shared information.
Access control is implemented in every form and forum in which information is found in your organization: electronic data as well as hard-copy files, photographs, displays, and communication packets. With DAC, an access control list (ACL) is the file that lists the users authorized to access a resource and the type of access they are permitted.
With discretionary access control, an ACL can become extensive as individual users are added, which complicates system management. There are several risks associated with DAC:
- Software might be used or updated by unauthorized personnel.
- Classified information could be exposed accidentally or deliberately by users who don’t have authorized access.
- Auditing of files might be problematic.
Mandatory Access Control (MAC)
Mandatory Access Control (MAC) is typically included in the operating system being used. MAC controls are present in Windows, Unix, Linux, and most other popular operating systems.
Mandatory access control functions, in technical terms, as multilevel security. Users are placed into categories and tagged with security labels that show the level of clearance they operate at, and licensed or cleared persons are permitted a corresponding level of access. Mandatory controls are usually fixed codes, individually assigned to each object or resource.
MAC techniques reduce the need for ongoing maintenance of ACLs because authorization decisions are built into the label hierarchy. Under a MAC policy, users are not authorized to change the permissions or rights associated with objects.
Role-Based Access Control (RBAC)
Role-Based Access Control (RBAC) combines elements of the mandatory and discretionary models with more advanced applications. Access to information is based on the specific role a user is assigned within the organization. For instance, employees who work in product development would be permitted access to confidential design information while someone in another department would be denied access.
RBAC is a step up from DAC and MAC, allowing administrators to enforce security policies that reflect the structure of the organization. RBAC classifies users by common functions and access needs. Once user groups are structured, you can set the access levels for the various resources within the system.
Access to resources is assigned to user groups in the form of roles. When a role is correlated with a resource, the resource checks the requesting user's role and determines whether access is granted. A role-based system provides a more comprehensive form of systematic control. It requires more development and a higher investment, but offers greater flexibility than MAC.
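To make the difference between the three constructs concrete, here is an added example (not part of the original guide) that models each decision in a few lines: a DAC resource whose owner edits the ACL, a MAC check driven by fixed labels, and an RBAC check driven by role-to-permission mappings. The label ordering, role names and sample users are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed label hierarchy for the MAC check: higher number = more sensitive.
LEVELS = {"public": 0, "confidential": 1, "secret": 2}


@dataclass
class DacResource:
    """DAC: the owner alone decides who appears in the ACL and with what access."""
    owner: str
    acl: dict = field(default_factory=dict)  # user -> set of permissions

    def grant(self, actor, user, perms):
        # Only the owner may edit the ACL; this is the 'discretion' in DAC.
        if actor != self.owner:
            raise PermissionError(f"{actor} is not the owner of this resource")
        self.acl.setdefault(user, set()).update(perms)

    def allowed(self, user, perm):
        return user == self.owner or perm in self.acl.get(user, set())


def mac_read_allowed(clearance, label):
    """MAC: the decision comes from the subject's clearance and the object's
    fixed label, not from an owner. Read is allowed only if the clearance
    dominates (is at least as high as) the label."""
    return LEVELS[clearance] >= LEVELS[label]


# RBAC: permissions attach to roles (constructed examples), and users attach to roles.
ROLE_PERMS = {
    "developer": {"read:design-docs", "write:source"},
    "sales": {"read:price-list"},
}


def rbac_allowed(user_roles, user, perm):
    """RBAC: grant if any role held by the user carries the permission."""
    return any(perm in ROLE_PERMS.get(role, set())
               for role in user_roles.get(user, ()))


if __name__ == "__main__":
    doc = DacResource(owner="alice")
    doc.grant("alice", "bob", {"read"})
    print("DAC  bob read/write:", doc.allowed("bob", "read"), doc.allowed("bob", "write"))
    print("MAC  confidential clearance reads secret:", mac_read_allowed("confidential", "secret"))
    roles = {"carol": {"developer"}, "dave": {"sales"}}
    print("RBAC carol/dave read design docs:",
          rbac_allowed(roles, "carol", "read:design-docs"),
          rbac_allowed(roles, "dave", "read:design-docs"))
```

Note that in the DAC model a non-owner attempting to extend the ACL is rejected, which is exactly the kind of change a MAC policy forbids for every user, not just non-owners.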