Role of access control

Access control is the security approach that regulates who or what can view or use resources in a computing environment, and it is how control over security management is implemented.

Access controls mostly come in three varieties: administrative control, logical access control, and physical access control.

CIA Triad In-Depth

The CIA triad, which stands for Confidentiality, Integrity, and Availability, is the fundamental model in information security that guides policies and practices to protect data.

From the perspective of access control, each component of the CIA triad plays a crucial role in ensuring that data is appropriately protected and accessible only to authorized users. Here’s how access control contributes to each aspect of the CIA triad:

Confidentiality ensures that sensitive information is accessed only by authorized individuals and protected from unauthorized access. Authentication ensures that only authorized users can access systems and data.

Authentication methods include passwords, biometric verification, and multi-factor authentication. Encryption protects data both in transit and at rest from unauthorized access during transmission and storage.

Access policies define who has access to what data, ensuring that sensitive information is only accessible to those with a legitimate need. For example, only HR personnel have access to employee personal records. Sensitive financial data is encrypted and accessible only to financial analysts and managers.

Integrity ensures that data is accurate, consistent, safe, and protected from unauthorized modification. Write permissions control who can modify data, ensuring that only authorized users can make changes.

Logging and monitoring track access and changes to data, enabling the detection and investigation of unauthorized modifications.

Checksums and hashing verify data integrity by comparing current data against known good values, ensuring that data has not been tampered with.

Version control maintains records of data versions and changes, allowing for rollback to previous states if unauthorized modifications are detected.

For example, only database administrators can update the database schema, and all changes to critical system files are logged and monitored for unauthorized modifications.
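
The access policy, write permission, logging and hashing measures described above, combined in one added example (not code from the original article): a deny-by-default policy built on the article's HR and database administrator cases, an audit record of every decision, and a SHA-256 comparison against a known good value. The role names, user names and sample schema are constructed for illustration.

```python
import hashlib
import hmac

# Constructed policy (resource -> action -> allowed roles). The role names and
# the read access granted to "developer" are assumptions made for this example.
POLICY = {
    "employee_records": {"read": {"hr"}, "write": {"hr"}},
    "financial_data": {"read": {"financial_analyst", "manager"}},
    "db_schema": {"read": {"dba", "developer"}, "write": {"dba"}},
}


def access(log, user, role, action, resource):
    """Deny by default, and record every decision, allowed or not."""
    allowed = role in POLICY.get(resource, {}).get(action, set())
    log.append({"user": user, "role": role, "action": action,
                "resource": resource, "allowed": allowed})
    return allowed


def denied_attempts(log):
    """Monitoring view: the requests that were refused."""
    return [entry for entry in log if not entry["allowed"]]


def digest(data: bytes) -> str:
    """SHA-256 of the data, recorded as the known good value."""
    return hashlib.sha256(data).hexdigest()


def is_unmodified(data: bytes, known_good: str) -> bool:
    """Compare the current data against the known good value."""
    return hmac.compare_digest(digest(data), known_good)


if __name__ == "__main__":
    log = []
    schema = b"CREATE TABLE employees (id INT, name TEXT);"  # constructed sample
    known_good = digest(schema)
    print(access(log, "alice", "hr", "read", "employee_records"))      # HR may read
    print(access(log, "bob", "manager", "read", "employee_records"))   # not HR
    print(access(log, "carol", "developer", "write", "db_schema"))     # not a DBA
    print(access(log, "dave", "dba", "write", "db_schema"))            # DBA may write

    # A change that reached the data without passing the policy check still
    # shows up when the current content is compared with the known good value.
    changed = schema.replace(b"name TEXT", b"name TEXT, note TEXT")
    print(is_unmodified(schema, known_good), is_unmodified(changed, known_good))
    print([e["user"] for e in denied_attempts(log)])
```

The policy check and the hash comparison cover different failures: the first refuses a request before it happens, the second detects a modification after the fact, whichever path it took.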

Availability ensures that data and resources are accessible to authorized users whenever needed, and governs how the available resources should be used.

Redundant systems implement failover mechanisms and redundancy to ensure that data is available even in case of system failures. Access management manages user access efficiently to prevent bottlenecks and ensure that legitimate users can access resources without undue delay.

Disaster recovery planning prepares for, and enables quick recovery from, incidents that could disrupt access, such as natural disasters or cyberattacks.

Maintenance, such as operating system and other software patches, is scheduled during off-peak hours to minimize the impact on availability. For example, multiple backup servers are available to provide continuous access to critical applications.

Load balancers distribute traffic to ensure that no single server is overwhelmed, maintaining system performance and availability.

Primary Categories used to define access to data

The primary categories used for defining data accessibility mainly concern the level of permission granted to users or a system. They help manage and protect data from unauthorized users gaining access to information that should be protected.

Below are the categories, with a brief explanation of each.

Directive controls are critical elements in the framework of access management and overall organizational security. These controls aim to guide, restrict, or enforce behaviour and compliance with security policies and procedures.

They include codes of conduct, security policies, and procedures designed to ensure that all actions taken by subjects (users, employees, contractors, etc.) align with the organization’s security goals and regulatory requirements. 

Example: A data access policy may stipulate that only authorized personnel can access sensitive customer information, and such access must be logged and monitored.

Another example is Equifax, one of the largest credit reporting agencies, which suffered a massive data breach that exposed the personal information of approximately 147 million individuals.

The breach was attributed to a failure to patch a known vulnerability in the Apache Struts web application framework. The Equifax breach highlights the critical importance of having robust, well-enforced directive controls in place.

Preventative controls are security measures designed to stop unwanted or unauthorized activities from occurring. These controls aim to prevent security incidents by restricting access and enforcing security policies and procedures.

Preventative controls can be physical, technical, or administrative. An example of a physical preventative measure is a mantrap: a controlled entry point with interlocking doors, allowing only one person to enter at a time after verification.

The Target breach in 2013 is a prominent example highlighting the importance of preventative controls. The breach involved the theft of credit card and personal data of millions of customers due to a compromised third-party vendor.

The Target breach of 2013 underscores the need for robust preventative measures, including physical security like mantraps, stringent third-party access controls, network segmentation, and advanced intrusion prevention systems.

Compensating controls are additional security measures implemented to mitigate the risk when primary controls are not sufficient or when there’s a heightened threat level.

These controls are designed to provide an extra layer of security to protect sensitive data and resources, especially during periods of increased risk.

Compensating controls are often temporary and are deployed to enhance the overall security posture until more permanent measures can be implemented or until the heightened threat level subsides. 

Examples include additional security guards, with more guards stationed at key access points during heightened threat periods, and enhanced surveillance, which increases the number of surveillance cameras or improves monitoring capabilities.

The Home Depot data breach in 2014 is a notable example that highlights the importance of compensating controls. The breach resulted in the theft of payment card information for approximately 56 million customers.

The Home Depot data breach of 2014 underscores the importance of deploying additional security measures to protect sensitive data and resources.

By implementing compensating controls such as increased physical security, enhanced monitoring, temporary access restrictions, and advanced malware detection, organizations can effectively mitigate risks and maintain a robust security posture.

Corrective and recovery controls are essential components of an organization’s security strategy. They are designed to address and rectify issues after a security incident has occurred and to ensure the continuity of business operations.

These controls include updating security policies, implementing disaster recovery plans, business continuity plans, and incident response plans. 

Examples of corrective and recovery controls:

Disaster Recovery Plan (DRP). Description: A set of procedures to recover and protect a business IT infrastructure in the event of a disaster. Example: Regular backups of critical data, off-site storage, and a detailed recovery process to restore systems after a cyberattack.

Business Continuity Plan (BCP). Description: Strategies and plans to ensure that essential business functions can continue during and after a disaster. Example: Establishing alternate work locations, remote work capabilities, and ensuring access to key resources and data.

Incident Response Plan (IRP). Description: A framework for identifying, managing, and mitigating security incidents. Example: Steps for detecting an incident, containing the threat, eradicating the cause, and recovering affected systems, followed by a post-incident review.

In 2018, Marriott International disclosed a data breach that affected approximately 500 million guests.

The breach, which began in 2014, was discovered in 2018 and involved unauthorized access to the Starwood guest reservation database.

In 2014, Sony Pictures Entertainment suffered a significant cyberattack that led to the theft and public release of confidential data, including employee information, emails, and unreleased films.

The Marriott and Sony Pictures breaches highlight the importance of having robust disaster recovery plans, business continuity plans, and incident response plans.  

Summary

Access control is a security approach that regulates who or what can view or utilize resources in a computing environment, which is crucial for implementing control over security management. It includes administrative control, logical access control, and physical access control.

The CIA triad—Confidentiality, Integrity, and Availability—is the fundamental model in information security that guides policies and practices to protect data. Each component plays a crucial role in access control.

Confidentiality ensures that sensitive information is accessed only by authorized individuals and protected from unauthorized access.

This is achieved through methods like authentication (passwords, biometric verification, and multi-factor authentication), encryption (protecting data both in transit and at rest), and access policies (defining who can access specific data).

For example, only HR personnel have access to employee personal records, and sensitive financial data is encrypted and accessible only to financial analysts and managers.

Integrity ensures data is accurate, consistent, and protected from unauthorized modification.

This involves write permissions (controlling who can modify data), logging and monitoring (tracking access and changes), checksum and hashing (verifying data integrity), and version control (maintaining records of data versions and changes).

For example, only database administrators can update the database schema, and all changes to critical system files are logged and monitored.

Availability ensures that data and resources are accessible to authorized users whenever needed.

This includes redundant systems (implementing failover mechanisms), access management (efficiently managing user access), disaster recovery planning (preparing for incidents that disrupt access), and maintenance scheduling (performing updates during off-peak hours).

For example, multiple backup servers provide continuous access to critical applications, and load balancers distribute traffic to maintain system performance.

Primary Categories Used to Define Access to Data

The primary categories for defining data accessibility help manage and protect data from unauthorized users by defining permission levels.

Directive controls guide, restrict, or enforce behaviour and compliance with security policies and procedures. They include codes of conduct, security policies, and procedures.

An example is the Equifax breach, where failure to patch a known vulnerability led to a massive data breach, highlighting the importance of enforcing directive controls.

Preventative controls stop unwanted or unauthorized activities from occurring. These controls can be physical (like mantraps), technical, or administrative.

The Target breach of 2013, caused by a compromised third-party vendor, underscores the need for robust preventative measures like physical security, stringent third-party access controls, network segmentation, and advanced intrusion prevention systems.

Compensating controls provide additional security measures when primary controls are insufficient or during heightened threat levels.

These controls are often temporary and are implemented to enhance overall security until permanent measures can be established. An example is the Home Depot data breach of 2014, where compensating controls such as increased physical security, enhanced monitoring, and advanced malware detection were necessary.

Corrective and recovery controls address and rectify issues after a security incident and ensure business continuity. These include updating security policies, disaster recovery plans, business continuity plans, and incident response plans.

The Marriott breach in 2018 and the Sony Pictures hack in 2014 illustrate the importance of having robust corrective and recovery controls to manage and recover from security incidents.

By implementing robust access control measures, organizations can effectively protect the confidentiality, integrity, and availability of their data, aligning with the principles of the CIA triad.


