Principal Components of Access Control

There are three principal components of any access control scenario:

  • Policies—The rules that govern who gets access to which resources
  • Subjects—The user, network, process, or application requesting access to a resource
  • Objects—The resource to which the subject desires access (e.g., files, databases, printers, and physical facilities)

Any time you have to decide whether to allow or deny access by a subject to a resource, you have entered the access control problem domain.

Access Control Systems

A well-defined access control system consists of three elements:

  • Policies—Clear statements of the business requirements regarding access to resources
  • Procedures—Nontechnical methods, such as business processes and background checks, used to enforce policies
  • Tools—Technical methods, such as file system access controls and network firewalls, used to enforce policies

Organizations typically use procedures and tools together to enforce policies. For example, most companies have strict policies to determine who has access to personnel records. These records contain sensitive and confidential information that could be used to inflict serious harm on individual employees and the company as a whole if those records were compromised. The policy may state that only employees within the human resources department, with a specific need for the information contained within a given record, may have access to it.

To enforce this policy, the company has procedures stating that a record may be released only to employees who present proper credentials (the authentication process) and who fill out a form stating their specific need for the information contained in the record they request. Approval of that request is the authorization decision; once approved, the employee is given a username and password for the employee records’ Intranet site. The Intranet site, together with its login mechanism, is the tool that enforces the decision and actually grants access to the personnel records.

Access Control Subjects

The subject in an access-control scenario is a person or another application requesting access to a resource such as the network, a file system, or a printer.

There are three types of subjects when it comes to access control for a specific resource:

  • Authorized—Those who have presented authenticated credentials and have been approved for access to the resource
  • Unauthorized—Those who have presented authenticated credentials but are not approved for access to the resource
  • Unknown—Those who have not presented authenticated credentials

Every individual who initially approaches an access control system is unknown until he or she attempts to authenticate. For example, someone might be asked to provide a username and password. If the user does not provide the correct password, the system still does not know who the user is and he or she retains unknown status. On the other hand, if the password is correct, the system has verified the claimed identity (to the degree of assurance that credential provides) and must then check whether that user is authorized to access the requested resource. Someone allowed to access the resource moves to the “authorized” state. Otherwise, the user is still known, but now moves to the “unauthorized” state. Note that a denied request is not an error to be discarded: both the failed authentication and the unauthorized request should be recorded, because repeated attempts are often the first visible sign of an attack.

This process is known as AAA (or “triple A”) security and involves three components:

  • Authentication—Ensuring users are who they claim to be
  • Authorization—Ensuring that an authenticated user is allowed to perform the requested action
  • Accounting—Maintaining records of the actions performed by subjects, including successful actions by authorized users as well as failed authentication attempts and denied requests
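The state transitions described above (unknown, then unauthorized or authorized) map directly onto the three AAA steps. The following is an added example, not code from the textbook: a small Python module that authenticates a claimed username and password against stored salted hashes, consults a policy of (subject, action, object) tuples for the authorization decision, and appends an accounting record for every request, including those that fail. The usernames, passwords, policy entries and the fixed salt are all constructed for the example; a real system would use a random per-user salt and a tamper-evident log rather than an in-memory list.

```python
"""Added example: a minimal AAA flow for a user subject requesting access to an object."""
import hashlib
import hmac
from typing import Dict, List, Optional, Set, Tuple

# Constructed for this example only. A fixed salt keeps the output deterministic;
# real systems store a random salt per user alongside the hash.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")


def _hash(password: str, salt: bytes) -> bytes:
    """Derive a password verifier with PBKDF2-HMAC-SHA256 (never store plaintext)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Credential store: username -> password verifier (constructed sample accounts)
CREDENTIALS: Dict[str, bytes] = {
    "alice": _hash("correct horse", SALT),
    "bob": _hash("battery staple", SALT),
}

# Policy: the rules that govern who may do what to which resource (constructed)
POLICY: Set[Tuple[str, str, str]] = {
    ("alice", "read", "personnel_records"),
    ("alice", "read", "payroll_db"),
    ("bob", "read", "payroll_db"),
}

# Accounting: one record per request, whether or not it succeeded
AUDIT_LOG: List[dict] = []


def authenticate(username: str, password: str) -> Optional[str]:
    """Return the verified subject name, or None if the subject remains unknown."""
    stored = CREDENTIALS.get(username)
    # Hash the candidate even for unknown usernames so the response time does
    # not reveal which usernames exist.
    candidate = _hash(password, SALT)
    if stored is None or not hmac.compare_digest(stored, candidate):
        return None
    return username


def authorize(subject: str, action: str, obj: str) -> bool:
    """Authorization: is this authenticated subject allowed this action on this object?"""
    return (subject, action, obj) in POLICY


def request_access(username: str, password: str, action: str, obj: str) -> str:
    """Walk a subject through the AAA steps and return its resulting state:
    'unknown' (authentication failed), 'unauthorized' (authenticated, denied),
    or 'authorized' (authenticated and permitted)."""
    subject = authenticate(username, password)
    if subject is None:
        state = "unknown"
    elif authorize(subject, action, obj):
        state = "authorized"
    else:
        state = "unauthorized"
    # Accounting records the claimed identity as well as the verified one, so
    # that failed attempts against a real account remain visible afterwards.
    AUDIT_LOG.append({
        "claimed": username,
        "subject": subject,
        "action": action,
        "object": obj,
        "result": state,
    })
    return state


if __name__ == "__main__":
    print(request_access("alice", "correct horse", "read", "personnel_records"))  # authorized
    print(request_access("bob", "battery staple", "read", "personnel_records"))   # unauthorized
    print(request_access("alice", "wrong password", "read", "personnel_records"))  # unknown
    for entry in AUDIT_LOG:
        print(entry)
```

The decision is default-deny: a request reaches the "authorized" state only when both the credential check and the policy lookup succeed, and every other path is recorded and refused.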

Users are not the only subjects in access control systems. Technological resources may also serve as subjects. For example:

  • Networks—A network is a subject when a resource on one network requests access to a resource on another network. A firewall rule that authorizes access to the Internet might use the internal network as a subject, with the Internet as the object.
  • Systems—A system is a subject when one system requests access to resources on another system or on the network. A common example is a PC attempting to access a printer across the network.
  • Processes—A process is most commonly a subject when an application process requests low-level access to the file system.
  • Applications—An application can be a subject when it attempts to access other resources on the same computer or over the network.

Technology subjects may use password authentication or may rely on other forms of identification and authorization. For example, a network is commonly identified by its IP address range, and a firewall treats any packet carrying a source address in that range as coming from that network. Because a source address is supplied by the sender and can be forged, it is an identifier rather than a strong authenticator; a firewall that relies on it should at least reject packets whose source address could not legitimately have arrived on the interface they came in on.
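To show a network acting as the subject of a firewall rule with the Internet as the object, here is an added example, not taken from the textbook: a first-match rule evaluator in Python. The internal range, the blocked destination range, the rule order and the interface names are all constructed for the example. The check that rejects internal source addresses arriving on an external interface is an added safeguard reflecting the caveat above that an IP address only identifies a network, it does not authenticate it.

```python
"""Added example: a first-match firewall rule evaluator whose subjects are networks."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

# Constructed addressing plan (RFC 1918 and RFC 5737 ranges, chosen for the example)
INTERNAL = ipaddress.ip_network("10.0.0.0/8")          # the internal network (subject)
INTERNET = ipaddress.ip_network("0.0.0.0/0")           # everything else (object)
BLOCKED_SITE = ipaddress.ip_network("203.0.113.0/24")  # a destination the policy forbids

INTERNAL_INTERFACES = ("lan",)  # interfaces on which an internal source address is plausible


@dataclass(frozen=True)
class Rule:
    subject: ipaddress.IPv4Network  # source network requesting access
    obj: ipaddress.IPv4Network      # destination network being accessed
    action: str                     # "allow" or "deny"


# Constructed rule set. Order matters: the first matching rule decides.
RULES: List[Rule] = [
    Rule(INTERNAL, BLOCKED_SITE, "deny"),   # specific exception first
    Rule(INTERNAL, INTERNET, "allow"),      # internal network may reach the Internet
    # Nothing matches inbound Internet traffic, so it falls through to default deny.
]


def evaluate(rules: Iterable[Rule], src: str, dst: str, ingress_iface: str) -> str:
    """Return 'allow' or 'deny' for a packet from src to dst seen on ingress_iface.

    First matching rule wins; a packet matching no rule is denied (default deny).
    """
    src_addr = ipaddress.ip_address(src)
    dst_addr = ipaddress.ip_address(dst)

    # Added safeguard: the source address is an identifier, not an authenticator.
    # A packet claiming an internal source but arriving on a non-internal
    # interface cannot be genuine, so refuse it before consulting the rules.
    if src_addr in INTERNAL and ingress_iface not in INTERNAL_INTERFACES:
        return "deny"

    for rule in rules:
        if src_addr in rule.subject and dst_addr in rule.obj:
            return rule.action
    return "deny"


if __name__ == "__main__":
    print(evaluate(RULES, "10.1.2.3", "198.51.100.7", "lan"))    # allow (internal -> Internet)
    print(evaluate(RULES, "10.1.2.3", "203.0.113.10", "lan"))    # deny (blocked destination)
    print(evaluate(RULES, "198.51.100.7", "10.1.2.3", "wan"))    # deny (no matching rule)
    print(evaluate(RULES, "10.1.2.3", "198.51.100.7", "wan"))    # deny (spoofed internal source)
```

The last case is the one the IP-as-identifier caveat is about: the packet presents an internal source address, so on the rules alone it would be allowed, and only the interface check exposes it as forged.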

Access Control Objects

There are three main categories of objects to be protected by access controls:

  • Information—Any type of data asset
  • Technology—Applications, systems, and networks
  • Physical location—Physical locations such as buildings and rooms

Information is the most common asset in terms of IT access controls. You put passwords on databases and applications to ensure that only authorized users can access the information they contain. Technology objects are just as important because a malicious user can easily compromise the integrity of data by attacking the technology that stores and uses it. If an unauthorized user gains access to a file server, that user can easily steal, delete, or change the data stored on the file server.

NOTE

Consider an automated teller machine (ATM) in a mall. That system deals with highly sensitive data, but in order to fulfill its purpose, it must be in an open, easily accessed area. In this type of situation, information and technology-based access controls become doubly important.

Physical security is the process of ensuring that no one without the proper credentials can access physical resources, including hardware and physical locations. If all of the servers require a password to log on, why bother restricting who can enter the server room? The answer is simple—if a malicious user’s goal is to bring down a server, he or she doesn’t need to log in. All the person needs to do is unplug it, steal it, or destroy it.

Most server and network systems have recovery mechanisms, often loosely called “backdoors,” that are available to anyone with physical access to the machine. These mechanisms exist so that system administrators can regain control of a server whose configuration has been corrupted or whose password has been lost. For example, an individual who gains physical access to a network router and its console port can almost always take control of that device by using its password-recovery procedure, even without knowledge of the correct password. Some locations, such as a server room, are controlled-access locations for the reasons just described. Others must have uncontrolled access in order to be useful.
