Authorization and Access Control – CompTIA Security+ SY0-401: 5.2

We use many different kinds of access control to secure our networks. In this video, you’ll learn about discretionary, role-based, and mandatory access control models.

<< Previous Video: Identification, Authentication, and AuthorizationNext: Single-factor Authentication >>

The idea of access control revolves a lot around authorization. And with authorization there is policy enforcement, which means that if a user is trying to access a resource that we’ve given them exactly the right permissions they should have to access that resource. There’s also policy definition, which means we have to define what rights people get to have access to those resources. And there’s a lot of different ways to do this.

We can have these access control lists. And we can configure these to be a discretionary access control, a role based access control, or a mandatory access control.

With discretionary access control, the person who owns the resources in complete control of who might have access to that resource. It is very, very flexible. But from a security perspective it’s very weak. You have the person who owns that information now making security decisions on who gets to access it. And one small slip from the owner could give full control to everybody, and not really mean to do that.

A step up from that is role-based access control. This is where we are defining what access you may have to a resource based on the role of the user. So you may be a group of people, you may be in a department, you may be part of a team of people, and we’ll say that if you’re on this team you have the ability to read these particular files.

This role-based access control also gives you a little more control over what’s going on. It scales a little bit well. In Windows we use groups to be able to accomplish this. So you would add all of these different users to a group and you would simply assign rights to the entire group at one time.

We often see mandatory access control used in government type environments, where there are security clearance levels. And everything that you would need to access would have a label associated with it. Every document, every printer, everything would be labeled with secret, or top secret, or code blue. And your account would be given a certain level of access.

Your access may be able to access top secret, which means you can access anything labeled with top secret or secret, because that’s one level underneath. But you would not be able to access anything that was code blue. It’s an interesting approach to being able to control what’s out there, and make sure that only the certain people associated with that level of clearance would have access to those resources.

You may hear access control referred to as rule-based access control. And this is more of a high level way to describe the way that rights and permissions are given out. One type, or two types, of rule-based access control is role-based and mandatory access control, because those access control methods are determined by the system. They’re not determined by individual users setting this up.

This pre-defined rules and pre-defined processes you have in place have given access to certain people based on a group they might belong to, or based on a particular security level. And it doesn’t matter what a user wants, or what somebody else would want to reconfigure, your systems are going to make sure that everything remains as secure as possible.

Another access security concept, extremely important, is one called an implicit deny. We use this a lot there firewall module, and it makes perfect sense. That’s one where nobody has access unless you explicitly give them access. If you don’t give them certain access, by default, they are implicitly denied from accessing anything. It’s a very important part of what we do, not just firewalls, but with all of these other access methods that we have.

Since many of our organizations are also 24 hour shops, there may be a need to set rights and permissions based on the time of day. So our firewalls, and our operating systems, and some of the other devices that we use allow us to set different types of access control depending on what time of day it might be. And this is important if it’s an organization at night that needs to run a lot of backups, or you want to turn off certain access during the day, you can implement that into the operating systems you’re using or into the firewalls that you might have.