Domain 2 · 2.5 Mitigation Techniques

2.5.2 Access Control

ACLs, permissions, least privilege.

14 min

Access control is the process of determining which authenticated users have the rights or permissions to interact with specific resources or data.

Fundamentals of Authorization While authentication verifies who a user is, authorization defines what that user can do once they are inside the network. - Least充分 Privilege: The security principle of providing users only the minimum level of access necessary to perform their job functions. - Permissions vs. Rights: Permissions are applied to resources (like files or printers), while rights are usually granted to users or groups (like the right to log on locally). - Implicit Deny: A default security posture where access is blocked unless a specific rule explicitly allows it.

Access Control Models - Role-Based Access Control (RBAC): Access is granted based on predefined organizational roles (e.g., manager, auditor, intern). Users are assigned to roles, and roles carry the permissions. - Rule-Based Access Control: Uses specific logic or conditions—such as time of day, geographic location, or device type—to allow or deny access regardless of user identity. - Discretionary Access Control (DAC): The data owner has total control over who has access to their resources. Common in standard Windows/Linux file systems but considered less secure due to user error. - Mandatory Access Control (MAC): Access is based on security labels and sensitivity levels (e.g., Secret vs. Top Secret). The system, not the user, enforces the policy.

Data Roles and Responsibilities - Data Controller: The entity or individual responsible for determining why and how personal data is processed; ensures compliance with regulations like GDPR. - Data Processor: Handles or processes data on behalf of the controller but does not own the data or define its purpose. - Data Custodian: The technical role responsible for maintaining the data, including backups, integrity checks, and implementing security controls.

Implementation and Risk - Access Control Lists (ACLs): Tables or lists that identify which users or system processes are granted access to objects. - Inherent Risk: The level of risk present before any security controls are implemented. - Residual Risk: The risk that remains after security controls and mitigations have been applied. - Control Risk: The risk that a security control will fail to perform its intended function or be bypassed.

Quick recall - Authentication: You are "at the door." - Authorization: You are "inside the box." - RBAC: Assigned by Role (job function), not the individual. - Rule-Based: Triggered by if/then conditions (e.g., "deny login after 5:00 PM"). - Least Privilege: Reduces the attack surface by limiting unnecessary access. - Control Assessment: Using an outside source to judge the effectiveness of implemented controls.