Access Control
• Access control is a critical component of information security that
governs who is allowed to access specific resources, systems,
or data within an organization.
• It encompasses a set of policies, procedures, technologies,
and practices that regulate and restrict access to protect
sensitive information, prevent unauthorized activities, and
maintain the confidentiality, integrity, and availability of data.
ArfanShahzad.c
Access Control
cont…
• Access control is a fundamental concept in cybersecurity and
plays a vital role in safeguarding an organization's digital
assets.
• Here are key aspects of access control:
ArfanShahzad.c
Access Control
cont…
• Identification: Access control starts with the identification of
users or
entities seeking access to a system or resource.
• This process typically involves the use of unique identifiers
such as usernames, employee IDs, or biometric data
(e.g., fingerprint or facial recognition).
ArfanShahzad.c
Access Control
cont…
• Authentication: Once identified, users must prove
their identity
through authentication methods.
• Common authentication factors include:
• Something you know (passwords),
• Something you have (smartcards or tokens), or
• Something you are (biometrics).
ArfanShahzad.c
Access Control
cont…
ArfanShahzad.c
Access Control
cont…
• Authorization: After authentication, the
system determines what
actions or resources the authenticated user is allowed to
access.
• Authorization is based on predefined policies and
permissions.
• Role-based access control (RBAC) and attribute-based
access control
ArfanShahzad.c
Access Control
cont…
• Access Control Models: Different access control models
define how permissions are granted and managed.
• The most common models are discretionary access
control (DAC), where resource owners determine
access, and mandatory access control (MAC), where
access is determined by system administrators based on
classification levels.
ArfanShahzad.c
Access Control
cont…
• Access Control Lists (ACLs): ACLs are lists associated with
resources, specifying the users or groups allowed or
denied access and the type of access they have (read,
write, execute).
• They are commonly used in file systems, network
devices, and databases.
ArfanShahzad.c
Access Control
cont…
• Access Control Policies: Organizations define access
control policies to determine how access is granted or denied
based on rules and conditions.
• Policies consider factors like user roles, data sensitivity,
and the context of access attempts.
ArfanShahzad.c
Access Control
cont…
• Access Control Mechanisms: Technologies like firewalls,
IDS, IPS, etc. enforce access control by monitoring and
filtering network traffic based on predefined rules.
• Physical Access Control: Physical access control restricts
entry to buildings, rooms, and facilities.
ArfanShahzad.c
Access Control
cont…
• Privilege Escalation: Ensuring that users
cannot escalate their privileges beyond what is
necessary for their tasks is crucial.
• This prevents unauthorized access and potential abuse.
ArfanShahzad.c
Access Control
cont…
• Continuous Monitoring: Regularly
monitoring access attempts and permissions helps
detect anomalies or unauthorized access.
• Logging and auditing access events contribute to
accountability and security incident investigation.
ArfanShahzad.c
