9 Access Control

 

This chapter covers

  • Identification, authentication, authorization, and accountability
  • Identity and access management (IAM) systems and their lifecycle
  • Privileged access management (PAM)
  • Principles of least privilege, separation of duties, dual control, and need-to-know

In the normal operation of a business, data and other assets need to be accessed for viewing, processing, updating, or sharing. A key aspect of security is managing who can access what and what operations are allowed. Granting and denying access to assets is important because legitimate users need to be able to access resources to do their jobs. At the same time, it is important to protect against unauthorized access to prevent assets from being stolen, damaged, or misused.

The systems that manage access to an organization's assets, including data, systems, and networks, are known as access control systems. Effective access control aims to protect the confidentiality, integrity, and availability of information. Confidentiality is maintained by preventing the disclosure of sensitive information to unauthorized individuals or through inappropriate processes. Integrity is maintained by preventing unauthorized changes to data, thereby preserving its accuracy and consistency. Availability ensures that authorized users have reliable and timely access to information when they need it.

9.1 Subjects, Objects, and Rules

9.2 Identification, Authentication, Authorization, and Accountability

9.2.1 Identification

9.2.2 Authentication

9.2.3 Authorization

9.2.4 Accountability

9.3 Identity and Access Management (IAM)

9.4 Account Types

9.5 Privileged Access Management (PAM)

9.6 Principles of Access Control

9.6.1 Least Privilege

9.6.2 Segregation of Duties (SoD)

9.6.3 Two-Person Control

9.6.4 Need-to-Know

9.6.5 Defense-in-Depth

9.7 Summary