Access Controls

Welcome to the Access Control lesson of the Chapter on Authentication Services. In today's lesson we not only explore the different types of Access Control, but also explain the Access Control life cycle and what that process looks like on both the server and the client side. We'll define for you what authentication is, how that differs from authorization, and what an Access Control list is. You'll learn the difference between mandatory and discretionary access, what Rule vs. Role Based Access is, whether the two ever work together, and why that is important.

Transcript

Welcome, my name is John Oyeleke, subject matter expert for the CompTIA Security Plus. Today we will be looking at different types of access controls. First, we start with... to access a system, a user needs to identify themselves to the system, and this is the stage called identification. When you identify, you simply provide your identity to the system. It could be in the form of a username, a user ID or an email; that is the identification stage, the first process. Next, the system has to verify these credentials that you are giving. You also need to provide an authentication factor. What is authentication? Authentication is a process. It is the process by which the system verifies that you are who you say you are. You have identified yourself as user A; you also have to provide a password for the authentication step. You provide your username and your password. The system will then compare that to what is in the database. If there is a match, you are granted access. If there is a mismatch, access is denied and you get an error message. After authentication is done, the next step is authorization. Authorization has to do with the system checking your permissions. The system will check your permissions, something like having [inaudible] the access control list, to see what you are allowed to do or not allowed to do on the system once you are granted access.

These three steps must happen in that fashion: one, two and three. We don't need, or we don't want, these steps happening out of order: authentication happening before identification, or even authorization before authentication. They must happen as identification, authentication, then authorization. The access control lists are simply lists of permissions associated with objects. Basically, the access control lists specify the type of access that a user or a group of users could have on a specific object or group of objects. All of these are very important so that we can have accountability: who has had what access, who did what and when.

We are now going to discuss some access control models. We have mandatory access control. This is an access control model based on security labels. Usually, the objects are granted security labels and the subjects are also granted security labels. The subject is the entity trying to access the object, so the system will check what the security label of the subject trying to access the object is. The system, in effect, simply checks the security labels to determine if access should be granted. In mandatory access control, access control is based on security labels. It is put in effect by the system.

For discretionary access control... discretionary access control depends on the discretion of the owner of the object. The owner could be, for example, the head of the department; that person will approve or deny access to what could be a database or a facility, but in most cases a database. The owner gives the discretion. The owner's discretion will grant access or deny access to the object. The most important thing to remember is that the owner of the resource permits or denies access to the resource.

Next we look at rule-based access control. This is access control based on a set of rules. In many cases we implement our firewalls using rule-based access control. You implement the rules, you dictate the rules on the firewall, and the firewall is able to filter traffic based on the rules you set. Where you set no rules, your firewall will allow all traffic. When you set the rules, the firewall will inspect the traffic and, based on the rules you have, determine when to drop the traffic or allow the traffic.

Next we have role-based access control. What role do you play? This type of access control depends on the role you play in the organization. What you access on the database depends on the role you play. Where you can go in the facility depends on the role you play. What you can do on the network depends on the role you play. The role you play dictates what you have access to. Say we have a basic user in the HR department. The user can probably see my date of employment but not my date of birth. The HR director could see my date of birth and everything else about me because of the role they play. The role you play dictates the level of access you have for role-based access control. Please bear in mind for the exam: do not confuse rule-based with role-based. It's very often a little trick you could fall for. We have rule-based access control and role-based access control. The principles are clearly different from each other.

Lastly, we have something called time of day restrictions. With time of day restrictions, we have the ability to restrict access to a facility, network devices or PCs based on the day of the week or the time of the day, for individual users or a collective group of users. We could restrict access to a facility on certain days of the week or at certain times of the day; we could use this on a network to restrict access to printers or to computers based on the time of the day or the day of the week for specific users. We use this as a form of access control. You could implement this on a server to ensure your users can only sign on on a specific date at a specific time. They can only stay logged on for a specific duration. We refer to this as time of day restriction.
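The following Python script is an added worked example, not Cybrary's or the instructor's code. It models the lesson in runnable form: the three steps in their required order (identification, then authentication, then authorization), an access control list with owner-granted discretionary entries, role-based permissions for an HR user versus an HR director, a time-of-day restriction, and a separate rule-based filter evaluated in order the way a firewall rule set is. All usernames, passwords, roles, ACL entries, rules and timestamps are constructed sample data, and the function names (identify, authenticate, authorize, access, rule_based_filter) are my own.

```python
"""Added example (not Cybrary's or the instructor's code): a toy access-control
engine walking identification -> authentication -> authorization, then the
models from the lesson: discretionary ACL grants, role-based permissions,
time-of-day restrictions, and a firewall-style rule-based filter.
Every user, password, role, ACL entry, rule and timestamp is constructed."""
import hashlib
import hmac
import ipaddress
import os
from datetime import datetime, time


def _hash(password: str, salt: bytes) -> bytes:
    # Store a salted PBKDF2 hash of the password, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_user(password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt), "role": role}


# Identity store (constructed): username -> credential record and role.
USERS = {
    "alice": make_user("correct horse", "hr_director"),
    "bob": make_user("battery staple", "hr_user"),
}

# Role-based: each role maps to the (object, action) pairs it may perform.
ROLE_PERMS = {
    "hr_user": {("employee.start_date", "read")},
    "hr_director": {("employee.start_date", "read"),
                    ("employee.birth_date", "read")},
}

# Discretionary: the owner of an object decides who else gets which actions.
ACL = {"salary_db": {"owner": "alice", "grants": {"bob": {"read"}}}}

# Time-of-day restriction per user: (permitted weekdays, start, end).
# Monday is weekday 0; bob may only be on the system Mon-Fri 08:00-18:00.
TIME_RULES = {"bob": ({0, 1, 2, 3, 4}, time(8, 0), time(18, 0))}

# Rule-based filter (constructed): first matching rule wins, like a firewall
# rule set; what happens when nothing matches is the caller's default.
FIREWALL_RULES = [
    (ipaddress.ip_network("10.0.0.0/8"), 22, "allow"),
    (ipaddress.ip_network("0.0.0.0/0"), 22, "deny"),
    (ipaddress.ip_network("0.0.0.0/0"), 443, "allow"),
]


def identify(username: str):
    """Step 1: does the claimed identity exist at all?"""
    return username if username in USERS else None


def authenticate(username: str, password: str) -> bool:
    """Step 2: verify the credential against the stored hash (constant-time)."""
    rec = USERS.get(username)
    if rec is None:
        return False
    return hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"])


def time_allowed(username: str, now: datetime) -> bool:
    """Time-of-day restriction; users without a rule are unrestricted."""
    rule = TIME_RULES.get(username)
    if rule is None:
        return True
    days, start, end = rule
    return now.weekday() in days and start <= now.time() <= end


def authorize(username: str, obj: str, action: str) -> bool:
    """Step 3: role permissions first, then owner/discretionary ACL grants."""
    role = USERS[username]["role"]
    if (obj, action) in ROLE_PERMS.get(role, set()):
        return True
    entry = ACL.get(obj)
    if entry is None:
        return False
    return entry["owner"] == username or action in entry["grants"].get(username, set())


def access(username: str, password: str, obj: str, action: str, now=None) -> str:
    """Run the steps in the lesson's order; the first failure stops the rest."""
    now = now or datetime.now()
    if identify(username) is None:
        return "denied: unknown identity"
    if not authenticate(username, password):
        return "denied: authentication failed"
    if not time_allowed(username, now):
        return "denied: outside permitted hours"
    if not authorize(username, obj, action):
        return "denied: not authorized"
    return "granted"


def rule_based_filter(src_ip: str, port: int, default: str = "deny") -> str:
    """Evaluate FIREWALL_RULES top to bottom; return the first matching action."""
    ip = ipaddress.ip_address(src_ip)
    for net, rule_port, action in FIREWALL_RULES:
        if ip in net and port == rule_port:
            return action
    return default
```

Calling `access("bob", "battery staple", "employee.birth_date", "read", datetime(2024, 1, 9, 10, 0))` returns "denied: not authorized" because the hr_user role lacks that permission, while the same call for alice is granted; the same request from bob on a Saturday is refused at the time-of-day step before authorization is ever consulted. The rule-based filter is deliberately separate from the role lookup: it never asks who the requester is, only whether the packet's source and port match an ordered rule, which is the distinction the instructor warns the exam will test. The filter defaults to deny when no rule matches; a deployment that wants the permissive behaviour described for an empty rule set can pass `default="allow"`.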
CISSP CISM CISA CHFI CSXF CEH, Cyber Security Specialist & Trainer