
Module 1

Introduction to Access Control Framework

Chapter 1: Topics
This chapter covers the following topics and concepts:

• What access control is

• What the principal components of access control are

• What the three stages of access control are

• What logical access controls are

• What the three authentication factors are

Chapter 1 Goals

When you complete this chapter, you will be able to:

a) Identify the principal components of access control

b) Define the three stages of access control

c) Choose the best combination of authentication factors for a given scenario

Access Control framework - Introduction


Organizations rely upon ACCESS CONTROLS to grant and restrict user access to information, systems, and other resources. Access control systems, when properly designed, implement business rules, often direct implementations of policy, in such a manner that individuals have access to the information and resources needed to perform their responsibilities but no more.

The consequences of weak or nonexistent access controls range from inconvenient to downright disastrous, depending on the nature of the resources being protected.

For the average user, it may be annoying and inconvenient to have someone else reading your e-mail. On the other end of the scale, without strong access controls, companies could lose billions of dollars when disgruntled employees bring down mission-critical systems. Identity theft is a major concern in modern life, because so much of our private information is stored in accessible databases.

The only way that information can be both useful and safe is through strong access controls.

Fundamental concepts
What Is Access?
• Access refers to the ability of a subject to interact with an object. That interaction is the basis of everything
we do, both in the information technology (IT) field and in life in general.

• Access can be defined in terms of social rules, physical barriers, or informational restrictions.

For example, consider a busy executive (HoD) with an administrative assistant who serves as a gatekeeper, deciding who will be allowed to interact personally with the busy executive (HoD) and who must leave a message with the administrative assistant.

In this scenario, the visitor is the subject and the busy executive (HoD) is the object.

The administrative assistant serves as the access control system, restricting which individuals (subjects) may access the executive (object).

Scenario

Consider another scenario that is a bit closer to home.

When you leave your house, you lock the doors. The locked door physically restricts
access by anyone without a key to the assets stored inside your house - your TV,
computer, and stereo system. When you come home, you unlock the door and replace
the physical restriction of the locking mechanism with a human gatekeeper who
decides whether or not to let someone enter the house.

What Is Access Control?

Access control is the formalization of rules for allowing or denying access.

Access controls define the allowable interactions between subjects and objects.

It is based on the granting of rights, or privileges, to a subject with respect to an object.

Principal Components of Access Control

There are three principal components of any access control scenario:

• Policies — The rules that govern who gets access to which resources

• Subjects — The user, network, process, or application requesting access to a resource

• Objects — The resource to which the subject desires access (e.g., files, databases, printers)

Any time you have to decide whether to allow or deny access by a subject to a resource, you have entered the access control problem domain.

Access Control Systems - elements

A well-defined access control system consists of three elements:

1. Policies—Clear statements of the business requirements regarding access to resources

2. Procedures—Non-technical methods used to enforce policies

3. Tools—Technical methods used to enforce policies

Organizations typically use procedures and tools together to enforce policies.

For example, most companies have strict policies to determine who has access to personnel records. These records contain sensitive and confidential information; if those records were compromised, that information could be used to inflict serious harm on individual employees and the whole company.

The policy may state that only employees within the human resources department, with a specific
need for the information contained within a given record, may have access to it.

To enforce this policy, the company has procedures that state that a record can be given only to
employees with the proper credentials (the authentication process) who fill out a form stating
their specific need for the information contained in the record they request.

When the request is approved, the employees may be given a username and password to
access the employee records intranet site (the authorization process).

The intranet site, along with the username and password, is the tool required to grant access to
personnel records.

Access Control - Subjects


The subject in an access control scenario is a person or another application requesting access to a resource such as
the network, a file system, or a printer.

There are three types of subjects when it comes to access control for a specific resource:

• Authorized—Those who have presented authenticated credentials and have been approved for access to the
resource

• Unauthorized—Those who have presented authenticated credentials but are not approved for access to the
resource

• Unknown—Those who have not presented authenticated credentials

AAA
Every individual who initially approaches an access control system is unknown until he or she attempts to authenticate. For example, someone might be asked to provide a username and password.

1) If the user’s password is correct, the system knows with certainty who the user is, and it must now check whether the user is authorized to access the requested resource.

1a) Someone allowed to access the resource moves to the “authorized” state.

1b) Otherwise, the user is still known, but now moves to the “unauthorized” state.

2) If the user does not provide the correct password, the system still does not know who the user is, and he or she retains “unknown” status.

This process is known as AAA (or “triple A”) security and involves three components:

• Authentication—Ensuring users are who they claim to be

• Authorization—Ensuring that an authenticated user is allowed to perform the requested action

• Accounting—Maintaining records of the actions performed by authorized users

Users are not the only subjects in access control systems.
Technological Resources may also serve as subjects in access control systems.

Examples of Technological Resources are:

• Networks—A network is a subject when a resource on one network requests access to a resource on another network. A firewall rule that authorizes access to the Internet might use the internal network as a subject, with the Internet as the object.

• Systems—A system is a subject when one system requests access to resources on another system or on the network. This usually happens when a PC attempts to access a printer across the network.

• Processes—A process is most commonly a subject when an application process requests low-level access to the file system.

• Applications—An application can be a subject when it attempts to access other resources on the same computer or over the network.

Access control - process

There are three steps to the access control process:

1. Identification—The process by which a subject identifies itself to the access control system

2. Authentication—Verification of the subject’s identity

3. Authorization—The decision to allow or deny access to an object

Identification
The first step in any access control process is identification.

• The system must be able to apply labels to the two parts of the access equation: the subject and the object.
In this case, a label is a purely logical description that is easy for the computer to understand. A human
might easily recognize that “Beth” and “Elizabeth” are the same individual, but a computer cannot
necessarily make that logical connection.

• To make things simpler, you can assign a universal label to each subject and object. That label remains with
that individual or resource throughout the life cycle of the privileged interaction with the object. The object
also has a label to distinguish it from other resources. For example, a network might have six printers
available, labeled “printer1,” “printer2,” and so on. A person’s label might be a user ID, his or her e-mail
address, his or her employee ID, or some other unique identifier.
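The identification, authentication and authorization steps, together with the AAA subject states (unknown, unauthorized, authorized) and an accounting log, can be traced in a short Python sketch. This is an added example, not part of the original course material. The class name, the subject labels such as "emp-1001", the object label "personnel-records" and the passwords are constructed for illustration; storing passwords as salted PBKDF2 hashes and logging denied requests as well as granted ones are choices made by the example.

```python
import hashlib, hmac, os
from enum import Enum

class State(Enum):
    UNKNOWN = "unknown"            # no authenticated credentials presented
    UNAUTHORIZED = "unauthorized"  # authenticated, not approved for the object
    AUTHORIZED = "authorized"      # authenticated and approved

def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AccessControlSystem:  # hypothetical name, for illustration only
    def __init__(self):
        self.credentials = {}  # subject label -> (salt, password hash)
        self.policy = set()    # allowed (subject label, object label) pairs
        self.audit_log = []    # accounting: one record per decision

    def enroll(self, subject: str, password: str) -> None:
        salt = os.urandom(16)
        self.credentials[subject] = (salt, _kdf(password, salt))

    def allow(self, subject: str, obj: str) -> None:
        self.policy.add((subject, obj))

    def request(self, subject: str, password: str, obj: str) -> State:
        # Identification: the subject presents its label.
        salt, expected = self.credentials.get(subject, (b"\0" * 16, b""))
        # Authentication: verify the password for that exact label.
        authenticated = hmac.compare_digest(_kdf(password, salt), expected)
        if not authenticated:
            state = State.UNKNOWN
        # Authorization: consult the policy for this subject/object pair.
        elif (subject, obj) in self.policy:
            state = State.AUTHORIZED
        else:
            state = State.UNAUTHORIZED
        # Accounting: this example records denials as well as granted access.
        self.audit_log.append((subject, obj, state.value))
        return state

def demo():
    acs = AccessControlSystem()
    acs.enroll("emp-1001", "constructed-pw-1")  # HR employee (constructed)
    acs.enroll("emp-2002", "constructed-pw-2")  # non-HR employee (constructed)
    acs.allow("emp-1001", "personnel-records")
    return [
        acs.request("emp-1001", "constructed-pw-1", "personnel-records"),
        acs.request("emp-2002", "constructed-pw-2", "personnel-records"),
        acs.request("emp-1001", "wrong-guess", "personnel-records"),
        acs.request("Beth", "constructed-pw-1", "personnel-records"),
    ], acs.audit_log
```

The last request shows the labelling point: "Beth" is not a label the system knows, so the subject stays unknown even with a password that is valid for "emp-1001".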
