Chapter 4

Access Control

In This Chapter

Understanding access control concepts

Discovering identification and authentication techniques

Knowing access control services and categories

Testing access control mechanisms

Access control is at the heart of information security. For that matter, access control is at the heart of all security. During medieval times, castles were built to provide safety and security. The castle was normally built in a strategic location with towering walls surrounded by a moat. Battlements were positioned along the top of the wall with bastions at the corners. A heavily fortified and guarded entrance was secured by a drawbridge to control entry to (and departure from) the castle. (See Chapter 13 for more information about building a secure castle, uhh, facility.) These measures created a security perimeter, preventing hostile forces from freely roaming through the castle grounds and attacking its inhabitants. Breaching the perimeter and gaining entry to the castle was the key to victory for an attacking force. The castle’s inner defenses were relatively simple; after getting in, the attackers were free to burn and pillage. Hard and crunchy on the outside, chewy in the middle!

Similarly, computer security requires a strong perimeter and elaborate defenses. Unfortunately, a drawbridge doesn’t suffice for access control in computer security. Threats to computer security are much more sophisticated and prevalent than marauding bandits and the occasional fire-breathing dragon. Access control is still critical to securing a perimeter, but it’s not limited to a single point of entry. Instead, security professionals must protect their systems from a plethora of threats, including Internet-based attacks, viruses and Trojan horses, insider attacks, covert channels, software bugs, and honest mistakes. And the perimeter now extends well beyond a corporate firewall and has become more of a virtual boundary that typically includes laptops, tablets, mobile devices, and other endpoints that people can use — and that you must secure — from virtually anywhere, including home offices, airport terminals, hotel rooms, and coffee shops!

Finally, you need to ensure that the drawbridge operator (the firewall administrator) is properly trained on how and when to raise or lower the drawbridge (following policies and procedures), and you must be sure that he or she isn’t sleeping on the job (that he or she is actually monitoring your logs).

The Certified Information Systems Security Professional (CISSP) candidate must fully understand access control concepts (including control types and authentication, authorization, and accounting), system access controls (including identification and authentication techniques, methodologies and implementation, and methods of attack), and data access controls (including access control techniques and models) within centralized and decentralized computing environments.
