WEBVTT

00:00:00.970 --> 00:00:04.730
Congratulations on completing the Access Controls Concepts

00:00:04.740 --> 00:00:07.760
for the Certified in Cybersecurity course.

00:00:08.380 --> 00:00:11.990
Let's take a look at the important things we covered in this domain.

00:00:12.790 --> 00:00:15.820
We've often said that in actual fact,

00:00:15.830 --> 00:00:19.300
access control is the heart of a security program.

00:00:19.370 --> 00:00:24.250
On the exam, it's worth 22% of the final exam content,

00:00:24.460 --> 00:00:28.390
but the concepts covered here are important so we understand

00:00:28.390 --> 00:00:33.170
how to limit that only authorized people can perform

00:00:33.180 --> 00:00:35.910
authorized functions on our systems.

00:00:36.250 --> 00:00:39.500
We divided this into three main areas,

00:00:39.900 --> 00:00:42.870
the concepts of access controls themselves,

00:00:42.970 --> 00:00:48.540
and then we looked at both physical access and logical access types of controls.

00:00:49.260 --> 00:00:52.190
When we looked at the access controls concepts,

00:00:52.250 --> 00:00:56.580
we understood the important terms we've often used here.

00:00:56.680 --> 00:00:58.030
For example,

00:00:58.260 --> 00:01:03.650
we've said that the purpose of this is to ensure that

00:01:03.660 --> 00:01:07.920
authorized people can only perform authorized functions,

00:01:07.920 --> 00:01:10.600
unauthorized people can't do anything,

00:01:10.940 --> 00:01:15.800
and even authorized people cannot perform an unauthorized function.

00:01:16.170 --> 00:01:17.150
As we saw,

00:01:17.150 --> 00:01:24.250
this is really why it's quite fair to say access controls are the heart and

00:01:24.250 --> 00:01:29.000
center of our security strategy or our security program.

00:01:30.490 --> 00:01:34.490
Some of the key points we looked at include things like describing

00:01:34.490 --> 00:01:37.980
how access permissions or privileges are set up,

00:01:38.310 --> 00:01:41.860
including concepts like least privilege,

00:01:41.860 --> 00:01:45.080
need to know, and separation of duties.

00:01:45.390 --> 00:01:50.120
We saw how least privilege meant a person was limited to only the

00:01:50.120 --> 00:01:53.680
things they needed to do in order to do their job.

00:01:53.690 --> 00:01:56.820
Based on concepts like business need to know,

00:01:56.820 --> 00:01:57.740
for example,

00:01:57.760 --> 00:02:00.860
we tried to make sure that people couldn't see things

00:02:00.860 --> 00:02:03.160
that they shouldn't need to see even.

00:02:03.850 --> 00:02:07.690
And separation of duties made sure that no one controlled a

00:02:07.690 --> 00:02:11.780
sensitive transaction all the way through the process.

00:02:12.000 --> 00:02:17.660
Instead, we broke it up with things like dual control and mutual exclusivity.

00:02:17.850 --> 00:02:20.430
So if one person had to input something,

00:02:20.530 --> 00:02:23.300
somebody else had to review and approve it.

00:02:24.430 --> 00:02:27.270
When we looked at physical access controls,

00:02:27.310 --> 00:02:31.480
we know that this is actually more important than we often recognize.

00:02:31.850 --> 00:02:32.960
In many ways,

00:02:32.970 --> 00:02:38.620
physical access control is as important or more so than a logical control

00:02:38.880 --> 00:02:42.710
because it doesn't matter if you have a 15‑character password,

00:02:42.720 --> 00:02:46.150
a logical control, if a person can steal the server.

00:02:46.580 --> 00:02:49.840
Then your password does you no good.

00:02:50.320 --> 00:02:52.460
And if they steal the server,

00:02:52.460 --> 00:02:56.490
they've got enough time now to work on breaking that password anyway.

00:02:57.370 --> 00:03:01.490
So, we often see physical access controls deployed through

00:03:01.490 --> 00:03:05.560
something we call layered defense or defense in depth.

00:03:05.600 --> 00:03:08.810
So even if a person gets through that first control,

00:03:08.930 --> 00:03:12.540
there are still subsequent controls that could try to stop them

00:03:12.540 --> 00:03:14.740
from getting to something of true value.

00:03:16.010 --> 00:03:18.460
When we looked at logical access,

00:03:18.550 --> 00:03:21.390
we looked at a number of things that we do to try and

00:03:21.390 --> 00:03:23.520
control and protect our systems.

00:03:23.780 --> 00:03:26.730
We protect not only the system itself,

00:03:26.740 --> 00:03:29.920
but the networks that allow these systems to communicate

00:03:29.930 --> 00:03:34.140
and the data that traverse these networks or are stored or

00:03:34.140 --> 00:03:35.820
processed on these systems.

00:03:36.500 --> 00:03:40.130
That meant we had to protect all of the elements of our

00:03:40.130 --> 00:03:43.370
systems, that meant the endpoints we connect,

00:03:43.540 --> 00:03:48.690
the ability to have remote access, the idea of wireless access,

00:03:48.910 --> 00:03:49.720
and, of course,

00:03:49.720 --> 00:03:53.760
we put in concepts like single sign‑on to try to reduce the

00:03:53.760 --> 00:03:57.580
complexity for people trying to come onto our systems to

00:03:57.580 --> 00:03:59.600
perform authorized functions.

00:04:00.540 --> 00:04:04.810
We also looked at the value of having an access control policy,

00:04:05.130 --> 00:04:09.190
and we very often would mandate that everyone had to follow that

00:04:09.190 --> 00:04:13.790
policy whether or not that was based on a concept like discretionary

00:04:13.790 --> 00:04:18.970
access control where a person could change the permissions and grant

00:04:18.980 --> 00:04:25.020
access to somebody else or mandatory access control where things were

00:04:25.020 --> 00:04:28.720
mandated by policy, and even if one person had access,

00:04:28.720 --> 00:04:31.480
they couldn't grant that to anybody else.

00:04:32.550 --> 00:04:37.080
We very often enforce rules, and these rules determine what a

00:04:37.080 --> 00:04:40.280
person is allowed or not allowed to do.

00:04:41.080 --> 00:04:43.460
But in order to make this simpler,

00:04:43.810 --> 00:04:47.570
we often group people according to what their job responsibilities,

00:04:47.570 --> 00:04:50.180
or we could say job roles are,

00:04:50.530 --> 00:04:54.390
and everyone who has identical or similar job roles

00:04:54.410 --> 00:04:59.310
could be under the same rule set, and we call this role‑based access control,

00:04:59.320 --> 00:05:03.130
very good in a situation where you've got a lot of turnover,

00:05:03.130 --> 00:05:06.190
a lot of people with really similar responsibilities.

00:05:07.140 --> 00:05:09.340
But we also know there is something else,

00:05:09.660 --> 00:05:12.140
attribute‑based access control,

00:05:12.150 --> 00:05:16.390
and attribute‑based access control tries to make sure that yes,

00:05:16.390 --> 00:05:18.030
a person can have access,

00:05:18.120 --> 00:05:22.430
but we could maybe limit that by another layer of control that says yeah,

00:05:22.430 --> 00:05:25.730
but only during normal business hours.

00:05:25.760 --> 00:05:30.550
So that time would be an attribute that we put on this,

00:05:30.560 --> 00:05:33.200
should we say, access permission as well.

00:05:35.080 --> 00:05:39.010
The next steps. Well, this is an important domain,

00:05:39.020 --> 00:05:42.890
and understanding these concepts is really important, and

00:05:42.890 --> 00:05:45.000
that means that we should review them.

00:05:45.120 --> 00:05:47.320
Do I really understand them well?

00:05:47.500 --> 00:05:49.340
Could I explain them to somebody else?

00:05:49.590 --> 00:05:53.580
Not just memorize definitions, but memorize and

00:05:53.580 --> 00:05:57.320
understand how to use those terms as well.

00:05:58.260 --> 00:06:02.660
We can verify and validate our understanding by doing the sample questions

00:06:02.660 --> 00:06:05.900
in the study guide and then proceed to the next domain,

00:06:06.260 --> 00:06:11.260
Network Security for the Certified in Cybersecurity Certification.
