WEBVTT

00:00:00.980 --> 00:00:04.650
Let's take a look at logical access controls as part of the Access

00:00:04.650 --> 00:00:08.960
Controls Concepts for the Certified in Cybersecurity course.

00:00:09.860 --> 00:00:14.300
We looked at the concepts and theory behind access control at the beginning,

00:00:14.500 --> 00:00:18.020
what we're trying to do with least privilege and need to know,

00:00:18.240 --> 00:00:23.060
and to make sure that only authorized users can perform authorized functions.

00:00:23.200 --> 00:00:27.300
We then implemented a lot of these access control concepts in a

00:00:27.300 --> 00:00:31.000
physical environment using physical access controls,

00:00:31.110 --> 00:00:36.080
but now let's look at how we implement them through logical access controls.

00:00:36.820 --> 00:00:40.950
Logical are often known as technical access controls.

00:00:41.340 --> 00:00:47.400
These are access controls that we implement or build into our various systems,

00:00:47.410 --> 00:00:52.180
networks, applications using some type of technology.

00:00:52.430 --> 00:00:56.160
We're all very familiar with these, we encounter them every day.

00:00:56.160 --> 00:00:58.960
A password, for example,

00:00:58.960 --> 00:01:02.390
that I have to enter to get onto a system is a type

00:01:02.390 --> 00:01:04.670
of a technical access control.

00:01:05.260 --> 00:01:10.180
We also have controls that determine whether or not I can even get on a

00:01:10.180 --> 00:01:13.720
network through things like a network access controller,

00:01:14.050 --> 00:01:16.400
and when I want to connect to a wireless,

00:01:16.690 --> 00:01:19.660
sure there are some wirelesses that are completely open,

00:01:19.660 --> 00:01:23.340
you can just log in without any type of a password or ID,

00:01:23.870 --> 00:01:30.380
but many other times that wireless requires us to know the correct key

00:01:30.380 --> 00:01:33.690
to be able to log on to that wireless access point.

00:01:34.140 --> 00:01:37.880
That's a type of logical access control that determines

00:01:37.880 --> 00:01:40.630
whether or not I'm allowed to use that service.

00:01:41.660 --> 00:01:43.880
A very good example is a firewall.

00:01:44.140 --> 00:01:47.690
We put a firewall on our network to protect network

00:01:47.690 --> 00:01:53.070
traffic from one network to another, and that firewall is an access control,

00:01:53.070 --> 00:01:54.540
you could call it a gateway.

00:01:54.990 --> 00:01:58.680
It can control what traffic is allowed through and prohibit

00:01:58.690 --> 00:02:02.270
other types of unwanted or undesirable traffic.

00:02:03.180 --> 00:02:08.030
So when I'm going to put in some type of an access control,

00:02:08.780 --> 00:02:14.440
I need to have a justification for what rules I'll put in place,

00:02:15.070 --> 00:02:19.820
and this often comes down to what we'll call logical access theory.

00:02:20.620 --> 00:02:25.240
Theory is based on two primary types of access control,

00:02:25.430 --> 00:02:29.710
discretionary access control or mandatory access control.

00:02:30.170 --> 00:02:32.790
So when I put a firewall in, for example,

00:02:32.880 --> 00:02:37.240
I'm very often putting in a type of discretionary access control.

00:02:37.540 --> 00:02:42.400
It's by far the most common type of access control methodology

00:02:42.400 --> 00:02:48.820
or theory we are using and what this allows us to do is set the

00:02:48.820 --> 00:02:51.890
rules or permissions by the owner.

00:02:52.280 --> 00:02:55.530
The owner can say what traffic should be allowed and what shouldn't.

00:02:55.950 --> 00:02:59.220
And let's say, for example, if I have access,

00:02:59.350 --> 00:03:02.220
I could even grant that access to somebody else,

00:03:02.230 --> 00:03:04.230
I can delegate that access.

00:03:04.800 --> 00:03:09.840
So discretionary is used in a lot of our systems to enforce

00:03:09.850 --> 00:03:14.760
access control rules according to the decision made by or at

00:03:14.760 --> 00:03:19.110
the discretion of the owner, and we have this,

00:03:19.110 --> 00:03:20.510
so we're all familiar with this.

00:03:20.510 --> 00:03:21.970
We can put, for example,

00:03:21.970 --> 00:03:26.160
a password on our computer system, and you could share your password,

00:03:26.160 --> 00:03:28.330
though I don't recommend it, with somebody else.

00:03:29.100 --> 00:03:33.390
You could grant somebody else access to your system as long as you

00:03:33.390 --> 00:03:36.240
have administrator or owner‑level privileges.

00:03:37.070 --> 00:03:38.800
And the idea, of course,

00:03:38.800 --> 00:03:42.850
with this is that it's a common yet very practical and

00:03:42.850 --> 00:03:48.090
usable form of access control, but we have something else

00:03:48.100 --> 00:03:50.880
and that is mandatory access control.

00:03:51.310 --> 00:03:54.790
This was defined already back in the 1970s,

00:03:54.940 --> 00:03:59.640
especially for high security, such as military types of systems.

00:03:59.640 --> 00:04:03.460
It's very expensive to implement and maintain,

00:04:03.820 --> 00:04:08.490
and it requires a few things that were not required by discretionary.

00:04:08.980 --> 00:04:14.700
Discretionary access control could have labels and separation of duties,

00:04:14.700 --> 00:04:17.570
but it was not mandated or not required.

00:04:17.810 --> 00:04:22.260
However, in a mandatory access control world, it is.

00:04:22.780 --> 00:04:25.760
So we have a number of access control models that

00:04:25.760 --> 00:04:29.700
are based on this ACF2 top secret, for example,

00:04:30.850 --> 00:04:36.170
and these types of implementations are then used to ensure that

00:04:36.180 --> 00:04:40.760
access is only granted as mandated by the policy,

00:04:41.040 --> 00:04:45.100
even the owner cannot circumvent the policy that says no,

00:04:45.100 --> 00:04:47.020
such people should not have access.

00:04:47.700 --> 00:04:49.340
So that's why, in fact,

00:04:49.340 --> 00:04:52.310
it was originally called mandatory access control

00:04:52.320 --> 00:04:54.860
because it was mandated by policy.

00:04:55.440 --> 00:05:00.790
So in this case, access would only be granted if the owner said yes,

00:05:00.790 --> 00:05:04.450
you can have access and that was in compliance or in

00:05:04.450 --> 00:05:06.700
agreement with the policy as well.

00:05:07.630 --> 00:05:13.290
When I'm granted access according to a mandatory access control world,

00:05:13.300 --> 00:05:17.670
I cannot delegate or grant that access to somebody else.

00:05:19.150 --> 00:05:22.150
So those were the two theories,

00:05:22.230 --> 00:05:26.730
but we are now going to implement access control through a

00:05:26.730 --> 00:05:30.260
number of different common methods. For example,

00:05:30.260 --> 00:05:34.610
rule‑based access control, role‑based access control,

00:05:34.770 --> 00:05:37.090
attribute‑based access control,

00:05:37.100 --> 00:05:41.890
and temporal access control are implementations of the

00:05:41.890 --> 00:05:45.160
theories of either discretionary or mandatory,

00:05:45.510 --> 00:05:49.440
and each of these implementations, such as role‑based is a good example.

00:05:50.560 --> 00:05:56.050
Role‑based was originally mandatory, but for most cases today,

00:05:56.050 --> 00:05:57.030
it's discretionary.

00:05:57.640 --> 00:05:59.460
So what it is,

00:05:59.470 --> 00:06:05.350
it's a way to implement according to either discretionary or mandatory world.

00:06:05.420 --> 00:06:09.310
The implementation can be of either theoretical model.

00:06:10.500 --> 00:06:14.020
Let's look at what role‑based access control does.

00:06:14.420 --> 00:06:18.270
We look at individuals and what that individual's job

00:06:18.270 --> 00:06:21.080
responsibilities and job position are.

00:06:22.620 --> 00:06:27.530
What we do then is we create a job role so that everybody that

00:06:27.530 --> 00:06:33.530
has that same type of job fits into that role or that category

00:06:33.600 --> 00:06:35.830
and all get the same access.

00:06:36.200 --> 00:06:41.120
It's a cost‑effective way to implement the ideas of such need to know.

00:06:41.880 --> 00:06:44.240
If you don't need to see it, you can't see it,

00:06:44.240 --> 00:06:48.090
it's not part of the permissions granted to your role,

00:06:48.100 --> 00:06:48.830
for example.

00:06:49.920 --> 00:06:53.120
One of the advantages of a role‑based, or RBAC,

00:06:53.120 --> 00:06:57.800
system is that it works really well in a large enterprise

00:06:57.900 --> 00:07:00.270
where you've got a lot of business units,

00:07:00.270 --> 00:07:03.790
you have a lot of people with similar job responsibilities,

00:07:04.070 --> 00:07:07.090
and if you have a lot of turnover, say in a call center.

00:07:07.870 --> 00:07:12.260
All I have to do to grant a person access is make them a member of that role

00:07:12.270 --> 00:07:16.810
and they then inherit all of the access granted to that role.

00:07:17.620 --> 00:07:18.850
When a person leaves,

00:07:18.850 --> 00:07:23.540
I just remove them from that role and all of their access is taken away.

00:07:24.390 --> 00:07:27.530
So this is something we see very commonly implemented,

00:07:27.530 --> 00:07:33.570
but like with anything else, it requires careful management to keep it correct,

00:07:33.580 --> 00:07:34.520
for example.

00:07:35.290 --> 00:07:38.700
The next one is rule‑based access control.

00:07:38.890 --> 00:07:41.850
This is where we have a set of rules, for example,

00:07:41.850 --> 00:07:46.540
a person is standing at the doorway to a large event,

00:07:47.070 --> 00:07:51.630
and if I want to get into that large event,

00:07:51.740 --> 00:07:55.210
I need to have then my name on the list.

00:07:55.660 --> 00:07:58.840
There is a list of rules that says who's allowed and

00:07:58.840 --> 00:08:00.420
nobody else would be allowed in.

00:08:01.020 --> 00:08:02.700
So we could say, in this case,

00:08:02.700 --> 00:08:08.350
what we've implemented is a way to ensure that we have a

00:08:08.350 --> 00:08:13.020
whitelist or we could say here a list that shows what is

00:08:13.020 --> 00:08:15.860
permitted and everything else is excluded.

00:08:16.660 --> 00:08:18.810
The other, of course, could be the opposite.

00:08:19.280 --> 00:08:23.310
We have a person that stands at the door and watches

00:08:23.310 --> 00:08:25.790
people come in and everybody can go in,

00:08:25.800 --> 00:08:28.990
except a person whose name is on that list.

00:08:29.450 --> 00:08:30.880
We've seen this, for example,

00:08:30.880 --> 00:08:36.179
in a casino where certain people are prohibited from entering that casino,

00:08:36.179 --> 00:08:39.700
and if they showed up at the door, the guard would say no, sorry,

00:08:39.710 --> 00:08:43.669
your name is on my blacklist here, you're not permitted to enter.

00:08:44.100 --> 00:08:47.120
So the list can be either whitelisting, what's allowed,

00:08:47.130 --> 00:08:50.610
or blacklisting, what's not allowed, and the idea,

00:08:50.610 --> 00:08:55.510
of course, with the rule‑based is I can be very granular or very specific.

00:08:55.670 --> 00:09:01.590
I can say exactly to a low level what should be allowed or what should not

00:09:01.600 --> 00:09:04.820
be allowed or else I could even do it at a higher level.

00:09:04.820 --> 00:09:06.470
You take, for example, a firewall.

00:09:06.470 --> 00:09:12.640
A firewall can have a rule that says you cannot go to this site and that

00:09:12.640 --> 00:09:18.230
applies to everybody or it could have a situation that says yes,

00:09:18.440 --> 00:09:21.360
these people are allowed certain things,

00:09:21.360 --> 00:09:22.200
but others aren't.

00:09:22.830 --> 00:09:26.880
So rules can be adjusted according to what is,

00:09:26.890 --> 00:09:31.320
should we say, best for the interests of the organization,

00:09:31.800 --> 00:09:35.340
and we put in a lot of rule‑based access controls,

00:09:35.350 --> 00:09:38.040
but if I have thousands of users and I have to set

00:09:38.040 --> 00:09:40.030
up different rules for each one,

00:09:40.270 --> 00:09:43.590
that can be an awful lot of an administrative nightmare as well.

00:09:44.160 --> 00:09:48.320
The next is ABAC, attribute‑based access control.

00:09:49.160 --> 00:09:53.730
What this does is it adds another layer of access control.

00:09:53.930 --> 00:09:58.560
We show a person using a proximity card to try to get into a room,

00:09:58.960 --> 00:10:04.040
and that proximity card is based on certain rules that say whether

00:10:04.040 --> 00:10:06.560
or not that person is allowed to enter or not,

00:10:07.050 --> 00:10:11.530
but we could add in a second rule and that is yes,

00:10:11.530 --> 00:10:12.720
you're allowed to enter,

00:10:12.820 --> 00:10:16.780
but only at this time of day. If you try to get into

00:10:16.780 --> 00:10:20.030
that room at 2:00 in the morning, you would not be allowed to,

00:10:20.240 --> 00:10:23.970
so that is where we're adding a further condition.

00:10:24.440 --> 00:10:30.760
You're allowed to enter, but only under these attributes or conditions.

00:10:31.270 --> 00:10:33.350
This allows a lot of flexibility.

00:10:34.230 --> 00:10:37.200
We can turn around and grant a person access,

00:10:37.200 --> 00:10:41.690
but only under certain circumstances and restricted at other times,

00:10:41.880 --> 00:10:44.580
it's not just an either/or decision.

00:10:45.310 --> 00:10:47.930
The decision is quite often based on maybe the

00:10:47.930 --> 00:10:50.370
clearance or attribute of the subject.

00:10:50.870 --> 00:10:56.070
Do you have secret clearance and then you might be able to see this or maybe

00:10:56.070 --> 00:10:59.650
you have to have top secret clearance in order to see this.

00:10:59.910 --> 00:11:02.230
So it looks at the attribute of the subject,

00:11:02.500 --> 00:11:05.520
but it also looks at the attribute of the object.

00:11:05.850 --> 00:11:08.240
What is the classification of the object?

00:11:08.250 --> 00:11:10.430
Is this a secret document?

00:11:10.430 --> 00:11:12.030
A top secret document?

00:11:12.140 --> 00:11:13.450
A public document?

00:11:13.960 --> 00:11:19.040
And so, a person's clearance, if they only have secret,

00:11:19.400 --> 00:11:24.320
would then not allow them access to an application or an

00:11:24.320 --> 00:11:27.190
object which was classified as top secret,

00:11:27.810 --> 00:11:33.300
so we look at those attributes in order to manage those access permissions.

00:11:33.840 --> 00:11:34.610
As we said,

00:11:34.610 --> 00:11:40.880
we could also base it on things like environment and things like time so that a

00:11:40.880 --> 00:11:44.460
person can only access the system if they are in the office,

00:11:44.460 --> 00:11:46.250
they can't access it remotely.

00:11:46.850 --> 00:11:50.510
Sensitive data could only be accessed under certain conditions.

00:11:50.660 --> 00:11:56.490
So this sets up those formal relationships or rules that allow our

00:11:56.500 --> 00:12:00.700
access permissions to be even more exact and precise.
