Access Control

CISSP

  • Access: Refers to the flow of information between a subject (e.g., a user or program) and an object (e.g., a file or database).
  • Control: Encompasses security features that determine how subjects (users, systems) interact with objects (resources like files, databases).
  • Subject: An active entity (e.g., user, program) that requests access to an object.
  • Object: A passive entity containing information (e.g., file, database, computer).

These concepts form the foundation for various access control models and techniques that govern how access is granted or restricted based on different criteria.

Access control administration:

  1. Centralized Administration:
    • Control: A single, central authority is responsible for configuring and managing access controls.
    • Advantages: Ensures strict, uniform control over access rights, consistent policies, and easier enforcement of security policies.
    • Disadvantages: Can become a bottleneck, as all changes must go through the central authority, potentially slowing down processes.
  2. Decentralized Administration:
    • Control: Individual data owners or creators manage access to their own resources.
    • Advantages: Allows for flexibility and quicker changes, as owners can manage access directly.
    • Disadvantages: Can lead to inconsistent security practices and difficulties in maintaining a comprehensive view of system-wide access control.
  3. Hybrid Administration:
    • Control: A combination of centralized and decentralized approaches, where centralized control is applied to some resources while others are managed in a decentralized manner.
    • Advantages: Balances the need for strict control with the flexibility of decentralized management, allowing for a more tailored approach to different types of information.
    • Disadvantages: Complexity increases as it requires careful coordination between centralized and decentralized elements to avoid conflicts or security gaps.
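The subject/object definitions above and the three administration models can be tried out in a toy reference monitor. This is an added example, not part of the original notes: the `ReferenceMonitor` class, the `Obj` dataclass and the subjects, objects and rights in `demo()` are all constructed for illustration. It shows where the mode changes who may grant rights, and why a decentralized setup needs every owner-held ACL walked to get a system-wide view.

```python
"""Toy reference monitor: subjects request rights on objects, and the
administration mode decides who may change the policy. Added example,
not from the original notes; all names and data below are constructed."""
from dataclasses import dataclass, field

MODES = ("centralized", "decentralized", "hybrid")


@dataclass
class Obj:
    """Passive entity holding information. acl is the owner-managed policy."""
    name: str
    owner: str
    acl: dict = field(default_factory=dict)  # subject -> set of rights


class ReferenceMonitor:
    def __init__(self, mode, admin="security-admin"):
        if mode not in MODES:
            raise ValueError(f"unknown mode {mode!r}")
        self.mode = mode
        self.admin = admin               # the single central authority
        self.objects = {}                # object name -> Obj
        self.central_policy = {}         # object name -> {subject: rights}
        self.centrally_managed = set()   # hybrid: objects the admin alone controls

    def register(self, obj, central=False):
        self.objects[obj.name] = obj
        if central:
            self.centrally_managed.add(obj.name)

    def _central(self, obj_name):
        """True when the central authority, not the owner, governs this object."""
        return self.mode == "centralized" or (
            self.mode == "hybrid" and obj_name in self.centrally_managed)

    def grant(self, actor, obj_name, subject, right):
        """Record a grant if `actor` is entitled to make it; return True on success."""
        obj = self.objects[obj_name]
        if self._central(obj_name):
            if actor != self.admin:      # only the central authority may change policy
                return False
            table = self.central_policy.setdefault(obj_name, {})
        else:
            if actor != obj.owner:       # only the data owner may change policy
                return False
            table = obj.acl
        table.setdefault(subject, set()).add(right)
        return True

    def check(self, subject, obj_name, right):
        """Access decision: may information flow between subject and object?"""
        obj = self.objects[obj_name]
        rights = (self.central_policy.get(obj_name, {}) if self._central(obj_name)
                  else obj.acl).get(subject, set())
        return right in rights

    def report(self):
        """System-wide view: central policy is one table, owner ACLs must be collected."""
        view = {name: dict(t) for name, t in self.central_policy.items()}
        for obj in self.objects.values():
            if not self._central(obj.name) and obj.acl:
                view[obj.name] = dict(obj.acl)
        return view


def demo():
    """Hybrid deployment: payroll is centrally managed, alice's notes are owner-managed."""
    rm = ReferenceMonitor("hybrid")
    rm.register(Obj("payroll.db", owner="hr-lead"), central=True)
    rm.register(Obj("notes.txt", owner="alice"))
    outcomes = {
        # the data owner cannot override central control on payroll.db
        "owner_grants_payroll": rm.grant("hr-lead", "payroll.db", "bob", "read"),
        "admin_grants_payroll": rm.grant("security-admin", "payroll.db", "bob", "read"),
        # the central admin is not the owner of notes.txt, so alice decides
        "admin_grants_notes": rm.grant("security-admin", "notes.txt", "bob", "read"),
        "owner_grants_notes": rm.grant("alice", "notes.txt", "bob", "read"),
    }
    outcomes["bob_reads_payroll"] = rm.check("bob", "payroll.db", "read")
    outcomes["bob_writes_payroll"] = rm.check("bob", "payroll.db", "write")
    outcomes["bob_reads_notes"] = rm.check("bob", "notes.txt", "read")
    outcomes["report"] = rm.report()
    return outcomes


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Switching the mode to `"centralized"` makes every `grant()` by an owner fail, which is the bottleneck the notes describe; switching to `"decentralized"` lets each owner act immediately but leaves `report()` to reassemble the picture from scattered ACLs.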

This understanding is crucial for designing and managing access control systems that meet the specific needs and security requirements of an organization.