An Intro To Access Control: The Gatekeeper of Information Security

Fortune Edema
3 min read · Mar 15, 2023

Welcome back to my cybersecurity blog! It’s been a hot afternoon, and I was feeling quite lazy. But as a cybersecurity enthusiast, I knew I had to stick to my routine and continue learning. In my previous blogs, I shared my journey learning about incident response, business continuity, and disaster recovery. Today, I want to take you on another exciting journey as I dive into the world of “Access Control.”

As we know, information security professionals are like gatekeepers: they control who gets access to which systems and data, and why certain permissions are granted or refused. In this journey, we will explore access control concepts and learn how they are essential in preserving the confidentiality, integrity, and availability of data.

So, what are security controls, and why are they crucial in the world of cybersecurity? Security controls are safeguards or countermeasures designed to preserve the CIA triad: the Confidentiality, Integrity, and Availability of data. Access control involves limiting which objects are available to which subjects, according to which rules.

Let’s take a closer look at these three elements — Subjects, Objects, and Rules. A subject can be defined as any entity that requests access to an asset. The entity requesting access may be a user, a client, a process, or a program. On the other hand, anything that a subject attempts to access is referred to as an object. An object can be a building, a computer, a file, a database, a printer or scanner, a server, a communication resource, a block of memory, or even a person.

Rules are instructions developed to allow or deny access to an object by comparing the validated identity of the subject to an access control list. A rule can compare multiple attributes to determine appropriate access, allow access to an object, define how much access is allowed, deny access to an object, or apply time-based access. For example, a firewall access control list is a rule that can be used to allow or deny access to an object.
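To make subjects, objects, and rules concrete, here is a small added example (not code from any particular product) that evaluates an access control list with the rule features described above: attribute comparison, level of access, explicit deny, and time-based access. The names `Rule`, `matches`, `check_access`, the sample users, and the object `payroll.db` are all hypothetical, and the "explicit deny wins, no matching rule means deny" policy is an assumption of this sketch.

```python
from dataclasses import dataclass
from datetime import time
from typing import Optional

@dataclass(frozen=True)
class Rule:
    subject: str                 # validated identity, or "*" for any subject
    obj: str                     # object the rule protects
    effect: str                  # "allow" or "deny"
    actions: frozenset           # how much access: {"read"} vs {"read", "write"}
    role: Optional[str] = None   # extra subject attribute to compare, if any
    start: time = time.min       # time-based access window (inclusive)
    end: time = time.max

def matches(rule, subject, role, obj, action, now):
    """True when every condition of the rule applies to this request."""
    return (rule.subject in ("*", subject)
            and rule.obj == obj
            and action in rule.actions
            and (rule.role is None or rule.role == role)
            and rule.start <= now <= rule.end)

def check_access(acl, subject, role, obj, action, now):
    """Assumed policy: explicit deny wins, and no matching rule means deny."""
    allowed = False
    for rule in acl:
        if matches(rule, subject, role, obj, action, now):
            if rule.effect == "deny":
                return False
            allowed = True
    return allowed

RW = frozenset({"read", "write"})
# Constructed sample ACL for one object; all names are hypothetical.
ACL = [
    Rule("alice", "payroll.db", "allow", RW),
    Rule("*", "payroll.db", "allow", frozenset({"read"}), role="hr",
         start=time(9, 0), end=time(17, 0)),
    Rule("carol", "payroll.db", "deny", RW),
]

if __name__ == "__main__":
    for who, role, act, at in [("alice", "finance", "write", time(23, 0)),
                               ("bob", "hr", "read", time(10, 0)),
                               ("bob", "hr", "read", time(20, 0)),
                               ("bob", "hr", "write", time(10, 0)),
                               ("carol", "hr", "read", time(10, 0)),
                               ("dave", "it", "read", time(10, 0))]:
        print(who, act, at, "->", check_access(ACL, who, role, "payroll.db", act, at))
```

Note that carol holds the `hr` role and would match the business-hours allow rule, yet the explicit deny still blocks her, while dave is refused simply because no rule mentions him.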

As cybersecurity professionals, our primary responsibility is to control who gets access to organizational assets such as buildings, data, systems, etc., and what they can do when they get access. It can be argued that access controls are the heart of an information security program.

In conclusion, access control is a crucial aspect of cybersecurity that helps in safeguarding data, systems, and networks. As we have seen today, cybersecurity professionals have a significant burden to bear in controlling who gets access to particular data, why they get access, and how. Thank you for joining me on this journey, and I look forward to sharing more exciting insights on cybersecurity in my next blog.


Fortune Edema

Information Security Associate ISO IEC 27001 ||Tech Enthusiast||InfoSec Researcher|| Jnr SOC Analyst ||Security Awareness||Computer Science Student