InfoSec Notes
Comprehensive overview of access control concepts, models, and mechanisms for controlling who can access resources in information systems.
What is Access Control?
Access control is a security technique that regulates who or what can view, use, or modify resources in a computing environment. It is a fundamental component of information security that implements the principle of least privilege.
Access Control Components
| Component | Description | Example |
|---|---|---|
| Subject | Entity requesting access | User, process, device |
| Object | Resource being accessed | File, database, API |
| Policy | Rules governing access | "Managers can approve expenses" |
| Mechanism | Technical enforcement | ACLs, RBAC engine, IAM |
Access Control Models
1. Discretionary Access Control (DAC)
- Resource owner decides who gets access
- Flexible but less secure
- Used in: Windows NTFS, Unix file permissions
2. Mandatory Access Control (MAC)
- System enforces access based on security labels
- Rigid but very secure
- Used in: Military/government systems, SELinux
3. Role-Based Access Control (RBAC)
- Access based on organizational roles
- Scalable and manageable
- Used in: Enterprise applications, cloud IAM
4. Attribute-Based Access Control (ABAC)
- Access based on attributes of subject, object, environment
- Most flexible and granular
- Used in: Cloud platforms, modern zero-trust architectures
Access Control Implementation Strategies
| Layer 1 | Physical Access |
| Layer 2 | Network Access |
| Layer 3 | System Access |
| Layer 4 | Application Access |
| Layer 5 | Data Access |
The Principle of Least Privilege
Every subject should have only the minimum access necessary to perform their function:
| Bad Practice | Good Practice |
|---|---|
| All developers have admin access | Devs have read-only prod access |
| Service account has DB owner role | Service account has specific table permissions |
| Everyone shares one admin password | Individual accounts with appropriate roles |
| Root/admin used for daily tasks | Standard user + sudo for specific commands |
Interview Questions
- What is the difference between authentication and authorization?
- Authentication verifies identity (who you are). Authorization determines permissions (what you can do). Authentication must happen before authorization. Example: Logging in = authentication. Accessing admin panel = authorization.
- Explain the principle of least privilege with a real example.
- A web application's database connection should use a user with only SELECT, INSERT, UPDATE permissions on specific tables — not a DBA account. If the application is compromised, the attacker's damage is limited to those specific operations.
- Compare DAC and MAC access control models.
- DAC: Owner controls access, flexible, risk of over-sharing (Windows NTFS). MAC: System enforces labels, rigid, prevents unauthorized sharing (SELinux, classified data). MAC is more secure but less flexible; DAC is practical for most business use.
- What is separation of duties and why is it important?
- No single person should control all aspects of a critical process. Example: The person who creates purchase orders shouldn't also approve them. This prevents fraud and reduces insider threat risk.
- How does Zero Trust differ from traditional perimeter-based access control?
- Traditional: Trust users inside the network, verify at perimeter only. Zero Trust: Never trust, always verify — every request is authenticated and authorized regardless of network location. Assumes breach and minimizes blast radius.
Summary
Access control is the cornerstone of information security, determining who can access what resources and under what conditions. Proper implementation requires understanding different models (DAC, MAC, RBAC, ABAC), applying least privilege, implementing defense in depth, and regularly reviewing and auditing access rights.
Exam Focus
Revise definitions, diagrams, examples, and short-answer points for Introduction to Access Control.
Interview Use
Prepare one clear explanation, one practical example, and one common mistake for this Information Security topic.
Search Terms
information-security, information security, information, security, access, control, introduction, introduction to access control
Related Information Security Topics