
CISSP Study Guide

This blog is dedicated to helping serious IT security practitioners pass the renowned CISSP exam. It is a must-read for those going for the exam who need total recall.

Sunday, March 05, 2006

ACCESS CONTROL TECHNIQUES

CONTROL TYPES

Controls apply to threat events as follows:
Preventative => avoid
Detective => identify
Deterrent => discourage
Corrective => fix
Recovery => restore


CONTROL CATEGORIES

  • Physical preventative control
    • Badges and access cards
  • Technical preventative control
    • Database views
    • Encryption
    • Antivirus software
  • Administrative detective control
    • Logs, events, etc.

SECURITY LABELS
  • Assign classification levels to objects
  • A subject must hold a clearance at or above the classification level of an object to access it
  • Security systems use labels in access tables or in runtime evaluation rules

DISCRETIONARY ACCESS CONTROLS
  • Identity-based access control
  • Owner specifies which subjects can access objects
  • Most common access control in commercial systems

MANDATORY ACCESS CONTROLS
  • Rule-based access control
  • Each resource and user has a specific label
  • Subject's security clearance is compared to object's security label

NONDISCRETIONARY ACCESS CONTROLS
  • Role-based access control
    • Access is granted based on user's job description
  • Lattice-based access control
    • Access is granted based on both subject's role and the task

Nondiscretionary (role-based) controls are common in environments with frequent personnel changes


ACCESS CONTROL LISTS
  • Specify which users can access which objects
  • Subjects may be users, roles or groups
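The following is an added worked example, not code from the study guide, that puts the MAC, DAC, role-based and ACL notes above side by side in one toy reference monitor. Every name in it (the users alice, bob and carol, the "analyst" role, the "ops" group, the "q3-report" object, the classification levels and compartments) is constructed sample data, and the `Label`, `Subject`, `Obj`, `grant` and `access` helpers are this example's own, not any real system's API. It shows the point the notes make only in passing: a mandatory check (clearance must dominate the label, including compartments) cannot be waived by the owner, while the discretionary ACL the owner maintains is what finally says which users, roles or groups may perform which operation.

```python
"""Toy reference monitor contrasting MAC, DAC and role/group-based ACLs.

Constructed example for the study notes above; all users, roles, labels
and ACL entries are invented sample data, not taken from any real system.
"""
from dataclasses import dataclass, field

# Ordered classification levels used by the MAC check (lowest first).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A security label: a classification level plus a set of compartments."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice dominance: at or above in level AND a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


@dataclass
class Subject:
    name: str
    clearance: Label
    roles: frozenset = frozenset()
    groups: frozenset = frozenset()


@dataclass
class Obj:
    name: str
    owner: str
    label: Label
    # DAC: ACL keyed by principal ("user:alice", "role:analyst", "group:ops") -> ops
    acl: dict = field(default_factory=dict)


def mac_allows(subject: Subject, obj: Obj) -> bool:
    """Mandatory check: the subject's clearance must dominate the object's label.
    Neither the owner nor the subject can override this; it is rule-based."""
    return subject.clearance.dominates(obj.label)


def dac_allows(subject: Subject, obj: Obj, op: str) -> bool:
    """Discretionary check: the owner always has access; everyone else needs an
    ACL entry for their user, one of their roles, or one of their groups."""
    if subject.name == obj.owner:
        return True
    principals = ({f"user:{subject.name}"}
                  | {f"role:{r}" for r in subject.roles}
                  | {f"group:{g}" for g in subject.groups})
    return any(op in obj.acl.get(p, ()) for p in principals)


def grant(obj: Obj, granter: str, principal: str, ops) -> None:
    """DAC: only the object's owner may change its ACL."""
    if granter != obj.owner:
        raise PermissionError(f"{granter} does not own {obj.name}")
    obj.acl.setdefault(principal, set()).update(ops)


def access(subject: Subject, obj: Obj, op: str) -> str:
    """Reference-monitor decision: MAC first (cannot be waived), then DAC."""
    if not mac_allows(subject, obj):
        return "DENY:MAC"
    if not dac_allows(subject, obj, op):
        return "DENY:DAC"
    return "ALLOW"


def demo() -> dict:
    """Constructed scenario: one SECRET//NUCLEAR report, three subjects."""
    report = Obj("q3-report", owner="alice",
                 label=Label("SECRET", frozenset({"NUCLEAR"})))
    alice = Subject("alice", Label("TOP SECRET", frozenset({"NUCLEAR", "CRYPTO"})))
    bob = Subject("bob", Label("SECRET", frozenset({"NUCLEAR"})),
                  roles=frozenset({"analyst"}))
    carol = Subject("carol", Label("TOP SECRET"), groups=frozenset({"ops"}))

    results = {}
    results["alice read (owner)"] = access(alice, report, "read")
    results["bob read before grant"] = access(bob, report, "read")
    grant(report, "alice", "role:analyst", {"read"})   # role-based ACL entry
    grant(report, "alice", "group:ops", {"read"})      # group-based ACL entry
    results["bob read after grant"] = access(bob, report, "read")
    results["bob write after grant"] = access(bob, report, "write")
    # carol outranks the label in level but lacks the NUCLEAR compartment:
    # the lattice is not a simple ladder, so MAC denies despite the ACL grant.
    results["carol read (no compartment)"] = access(carol, report, "read")
    try:
        grant(report, "bob", "user:bob", {"write"})
        results["bob self-grant"] = "allowed"
    except PermissionError:
        results["bob self-grant"] = "refused"
    return results


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:32} -> {decision}")
```

Run it as a script to see each decision; the "carol" case is the one worth studying, since a higher clearance level alone is not enough when the object carries a compartment the subject does not hold.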
