Access Controls - CompTIA Security+ SY0-701 - 4.6

00:01

Once someone authenticates to a network,

00:04

we still need to provide them with access

00:06

to the resources they need to be able to perform their job

00:09

function.

00:09

We refer to this as access control,

00:12

and it's a process of enforcing the policies that

00:14

would allow or disallow someone access to data.

00:17

This access control can be associated with an individual

00:20

or a group of individuals.

00:22

There's usually a process that defines the policy of what

00:25

someone may need access to, and then the IT team

00:28

needs to take that policy and change it

00:30

into the process required by the operating system to allow

00:34

or disallow rights to data.

00:36

There are very broad access control models,

00:39

and we'll look at those models in this video.

00:41

There are slight differences between these different types

00:43

of access controls, and different organizations

00:46

can choose the access control that's best for them.

00:50

We'll first start with a security

00:51

best practice that can be applied across any

00:54

of these access controls, and that best practice

00:57

is least privilege.

00:58

Least privilege means that we will

01:00

assign rights and permissions to a user that

01:02

gives them exactly what they need to perform their job.

01:05

We don't give them additional rights and permissions,

01:08

and we certainly wouldn't provide them

01:10

with administrator access.

01:12

This means, by default, every user

01:14

will have limited privileges to the operating system.

01:17

If a user does happen to run malicious software,

01:20

that software would only have the rights and permissions

01:22

associated with that user and would hopefully

01:25

limit the scope of any damage.

01:28

If you're working in a highly secure area,

01:30

you may be working with an access control called

01:32

a mandatory access control.

01:35

Mandatory access control assigns a label to each resource

01:38

that someone may need access to.

01:40

So a particular file or folder may

01:42

be tagged as confidential, secret, top secret,

01:45

or a number of other types of mandatory access control

01:49

labels.

01:50

One important aspect of a mandatory access control

01:53

is that the administrator of the system

01:56

is the one that defines what type of rights and permissions

01:59

a user might have.

02:00

So a user in the shipping and receiving department

02:02

may have access to confidential data.

02:04

But someone who's higher up in the management chain

02:07

might have access to top secret data.

02:10

One very common type of access control

02:12

is a discretionary access control.

02:15

With a discretionary control model,

02:17

the user that creates the data has the control

02:20

on who can access the data and how they

02:22

can access that information.

02:24

For example, if you create a spreadsheet,

02:26

you get to decide who else has access to that spreadsheet.

02:29

And you can also set different permissions

02:31

to the users who may have access,

02:33

where some people can modify the spreadsheet

02:36

and others might only be read-only.

02:38

This allows the owner of the data

02:40

to have complete control on who can access that information.

02:43

This access control gives the owner of the data

02:46

great deal of flexibility when determining

02:48

who has access to that data.

02:49

Unfortunately, this also means that this level of access

02:53

is also less secure because you're

02:55

relying on each individual user to set the appropriate security

02:59

controls for every piece of data they create.

03:03

A more centralized control model would be a role-based access

03:07

control.

03:08

This access control is based on your job function.

03:10

So if you are a manager, you have a certain type of rights

03:13

and permissions to data.

03:15

If you're a director, you have a different set

03:17

of rights and permissions.

03:18

And if you're a team lead or project manager,

03:21

there are different sets of permissions for those roles

03:23

as well.

03:24

This starts with the administrator

03:26

of the system creating a number of different groups.

03:29

There might be a manager group, a director group, a team lead

03:32

group, and a project manager group.

03:34

They would then assign rights and permissions

03:37

to the group itself, knowing that managers

03:39

have a certain type of rights and permissions,

03:41

director have a completely different set, and so on.

03:44

Once this group is created by the administrator

03:47

and rights are assigned to the group,

03:49

the administrator will add users to that group.

03:51

Each user added to the group receives

03:54

the rights and permissions associated with that group.

03:56

So we don't have to assign specific permissions directly

03:59

to a user.

04:00

We can simply add that user to the group,

04:03

and they receive all of those permissions implicitly.

04:06

In Windows, this is referred to as groups,

04:09

and you can associate a role-based access control

04:11

to each group.

04:12

For example, you might have a group

04:14

for shipping and receiving, and you

04:15

can associate rights and permissions

04:17

to the shipping software for anyone

04:20

who might be in that group.

04:21

You might also have a group for managers

04:23

of shipping and receiving, and managers

04:26

might have additional access that allows

04:28

them to view the shipping logs.

04:30

Some access control methods have a list of rules,

04:34

and those rules are associated with rights and permissions.

04:37

We refer to this as a rule-based access control

04:40

because there are a number of system-enforced rules

04:43

that are created by the system administrator.

04:45

This means the user does not control

04:47

any of the rights and permissions

04:49

or create any of the rules.

04:50

The administrator is responsible for configuring and assigning

04:54

all of those permissions.

04:55

With a rule-based access control,

04:57

we would first create a rule, and then we

04:59

would associate that rule with a specific object.

05:02

Each user that accesses that object

05:05

is then checked in the rule base to see if any of those rules

05:08

might apply to that individual.

05:10

For example, there might be a user

05:12

that needs to access data that's located in a lab.

05:15

But there is a rule associated with that data that

05:18

says you can only gain access if the time is between 9:00 AM

05:22

and 5:00 PM.

05:23

And if somebody tries to access the data that's

05:26

outside of that schedule, that rule would not allow access.

05:30

Or the rule might be that a form on a web page

05:33

can only be filled out by someone using the Chrome

05:36

browser.

05:36

This rule-based access control allows an administrator

05:40

to set any type of criteria and associate that criteria

05:44

with a specific object.

05:46

A more modern style of access control

05:48

is the attribute-based access control.

05:51

With an attribute-based access control,

05:53

there are many different criteria

05:55

that you can use to determine whether someone would

05:57

have access to data or not.

05:59

This allows administrators to create very complex rule

06:03

sets that determine whether certain types of data

06:05

are accessible or not.

06:07

You can think of this as a next generation of an authorization

06:10

model.

06:11

So a type of access control that takes into account

06:14

a number of different criteria may

06:16

be evaluating the IP address of the person making

06:20

the request, the time of day, the desired

06:22

action, whether they're writing or reading information,

06:25

and what relationship they might have to the data.

06:28

The administrator can combine many different criteria

06:31

together to determine exactly what type of control someone

06:35

might have over any object.

06:38

One type of restriction that can be applied across many

06:41

of these different control models

06:43

is a time of day restriction.

06:45

This means an administrator can allow or disallow access

06:48

to a certain type of data or resource object

06:51

based on what time of the day it happens to be.

06:54

This may not be the only access control method,

06:57

but it does provide the administrator with options when

07:00

configuring access to data.

07:02

Of course, when you're working with the time of day

07:04

or the day of the week, this can become very complicated

07:07

if you are a worldwide organization.

07:10

So an administrator might include

07:12

not just the time of day restriction

07:14

but what time zone is native for that particular user.

07:18

So a good example of some time of day restrictions

07:20

might be that a training room network

07:22

is inaccessible between the hours of midnight and 6:00 AM.

07:26

Or it may be that conference room access

07:28

is limited after 8:00 PM.

07:30

And if you want to access certain types of data,

07:33

the R&D databases are only available between the hours

07:36

of 8:00 AM and 6:00 PM.