Access Control

• Locking your stuff, computers/room/datacenter/building
• Logins, passwords
• Encryption
• Digital Signatures

Who can access the data?

• Make sure admins don't use privilege accounts when not necessary

Methods for protecting data integrity

• Checksum -> Data entered, then hash algorithm computes a checksum
• If there is no data integrity loss, checksum is the same at both ends (before and after transmission or dl)

Different Items to AC

• Network Access - needs to be restricted, monitored
• System Access - shared devices
• Data Access - access and modifying files docs, and databases - should be restricted and monitored

Layers

• Admin Policies must first grant access
• Then Technical Controls
• And then Physical Controls

Administrative Access Control

• Main driver for AC in organization
• Ensured through policies and procedures

Access Rights

• Certain info must only be "read" by people so that they are aware of the info

Policies

• Hiring
• Disciplinary
• Employee Termination
• User registration for computer access

Technical Controls

Physical Controls

• Network Segregation
• Perimeter Security

Access Control Strategy

• Discretionary Access Control (DAC) - Perms and access based in owner's discretion, "need-to-know" access based on Access Control Lists (ACLs)
• Mandatory Access Controls (MAC) - Maintained by someone higher authority/clearance, data owner has no choice on access lvl
• Role-Based Access Control (RBAC) - AC granted based on roles and responsibilities based on job
• Attribute Based Access Control (ABAC) - Stuff you have like keys and the like

Network ACLs

AAA (Authentication, Authorization, Accounting) - Framework for controlling users access to computer resources

• Implementation can look like passwords, time restrictions, single access, resource access

ID and Access Management (IDAM)

• Single ID across multiple accounts