
Chapter 2 – Access Controls

2003 
Publisher Summary: This chapter explores the access controls of the Systems Security Certified Practitioner exam. Access control encompasses the security controls, processes, or procedures whereby access to specific objects is either granted or denied based on pre-established policies or rules. Access control is made up of many different parts, but at its root is a very simple concept: to allow objects to be accessed (limiting the manner in which they are accessed) by authorized users while denying access to unauthorized users. Access controls are understood by breaking them into individual parts. First, there are the objects that need to be accessed. These objects are referred to as access control objects because they are objects that need to have controlled access. Objects consist of data, hardware devices, data networks, and buildings. Another part of access control is the access control subjects, which are the users, programs, and processes that request permission to access control objects. The final part of access control, called the access control systems, is the procedures, processes, and controls in place that verify the authenticity of the request and the identity of the access control subject and determine the levels of access that should be granted to the object. This chapter describes the three parts of access control and how they work together. The chapter also discusses different access control systems, how they are implemented, and how they operate. Finally, the chapter examines the dark side of information security by showing how these controls can be bypassed or overridden by intruders.