Access control

from Wikipedia, the free encyclopedia

Access control is the monitoring and control of access to certain resources. The goal of access control is to ensure the integrity, confidentiality and availability of information.

One of the most important foundations of information security is the way in which resources can be accessed and how these resources are protected by the access mechanisms. Thus, access control is not just about technical aids.

The three areas of administrative, physical and technical access control are regarded as complementary. They can be described by a layer model in which the individual layers complement each other.

Administrative access control

The administrative controls are at the top of the hierarchy. They describe how an organization wants to handle access to its information. Aspects of access control at this level are:

Security rules and procedures

  • The security rules can specify requirements for access control, but these do not have to be mandatory. To create the security rules, an organization must determine which information is worth protecting and what value (e.g. financial value) the respective resource has (e.g. company secrets such as construction plans in the automotive sector, account information in the banking sector, etc.). The security rules are also shaped by regulatory requirements (data protection law, banking secrecy, standards to be met, etc.). Depending on the industry in which the organization operates, patent protection, IP (intellectual property) or the like may also apply.

Access control for employees

  • Which roles have to be separated (dual control principle, segregation of duties)
  • Which roles and persons have access to which information
  • Which properties these people must have to gain access
  • How these properties can be verified on a regular basis
  • How a person's rights can be withdrawn

Control structure of an organization

  • Who controls which data for integrity
  • Which indicators can be used for control
  • Who is responsible for which actions in an organization

Testability of the access controls

  • How the specified controls can be verified (audit)

Physical access control

Physical access control covers access controls that can be enforced through physical measures. This includes:

  • Construction and architecture of buildings or fenced areas with regard to entry and access control
  • Locks, Bluetooth (cell phone) or biometric access control in rooms (server rooms, safes)
  • Floodlights, alarm systems or video surveillance
  • Security guards, guard dogs, fences, etc.

The physical separation of a network can also be counted as physical access control, since the network is divided physically and spatially and access to it is thereby protected. If the backup of a system is kept in a fireproof safe, that is also a physical control, namely access protection against fire and theft.

Technical access control

Technical access control, sometimes also called logical access control, is the restriction of access by software and hardware. These are components of operating systems, software applications, network devices or protocols.

This is done by means of authorization and the assignment of access rights. Control is normally achieved via passwords, the granting of privileges or the provision of attributes (see file attributes). Three questions have to be answered:

  • Granularity: What is the smallest protectable unit? A single file or a set of files?
  • Operations: Which operations (read, write, delete, execute, etc.) can be distinguished when assigning rights?
  • Access: How is the authorization carried out? Common methods after successful authentication are assigning a user ID and assigning the user to a user class.

Various access models have been implemented technically, which can also be used for organizational and physical access control.

Alternatives

The information required for access control could be stored in an access matrix. However, access matrices are unsuitable for implementation because they are very large and generally sparsely populated. An alternative could be a triple list, in which there is one entry for each right granted to a user on an object.
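
The triple list described above, as an added example that is not part of the original article: each granted right is stored as one (subject, object, right) entry, a missing entry means no access, and the size of the equivalent matrix is computed only for comparison. The class and function names and the sample users and files are assumptions constructed for illustration.

```python
from typing import NamedTuple

class Grant(NamedTuple):
    subject: str   # who holds the right
    obj: str       # protected unit (granularity here: one file or share)
    right: str     # operation: read, write, delete, execute, ...

class TripleList:
    """Sparse alternative to an access matrix: one entry per granted right."""

    def __init__(self):
        self.grants = set()

    def grant(self, subject, obj, right):
        self.grants.add(Grant(subject, obj, right))

    def allowed(self, subject, obj, right):
        # Default deny: a right exists only if its triple is stored.
        return Grant(subject, obj, right) in self.grants

    def revoke(self, subject, obj=None, right=None):
        """Withdraw rights; obj/right left as None match anything. Returns count removed."""
        hit = {g for g in self.grants
               if g.subject == subject
               and obj in (None, g.obj) and right in (None, g.right)}
        self.grants -= hit
        return len(hit)

def matrix_usage(acl, subjects, objects):
    """(total cells, populated cells) of the equivalent subject x object matrix."""
    populated = {(g.subject, g.obj) for g in acl.grants}
    return len(subjects) * len(objects), len(populated)

# Constructed sample data, not taken from the article.
SUBJECTS = ["alice", "bob", "carol", "backup-svc"]
OBJECTS = ["payroll.db", "plans.dwg", "wiki", "audit.log", "hr-share"]
SAMPLE = [("alice", "payroll.db", "read"), ("alice", "payroll.db", "write"),
          ("bob", "plans.dwg", "read"), ("carol", "wiki", "read"),
          ("carol", "wiki", "write"), ("backup-svc", "audit.log", "read")]

def build_sample():
    acl = TripleList()
    for subject, obj, right in SAMPLE:
        acl.grant(subject, obj, right)
    return acl

if __name__ == "__main__":
    acl = build_sample()
    print("matrix cells (total, populated):", matrix_usage(acl, SUBJECTS, OBJECTS))
    print("bob may read payroll.db:", acl.allowed("bob", "payroll.db", "read"))
    print("rights withdrawn from alice:", acl.revoke("alice"))
```

With the sample data, six triples replace a 20-cell matrix of which only four cells hold any right, and withdrawing all of a person's rights is a single filtered delete.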

Examples

See also

  • Access right: Control/protection is based on access rights
  • Authentication: Ensuring the identity of the accessing party
  • Authorization concept: System that describes the structure and procedures for access rights and access control