World Headquarters

Jones & Bartlett Learning

5 Wall Street

Burlington, MA 01803

978-443-5000

[email protected]

www.jblearning.com

Jones & Bartlett Learning books and products are available through most bookstores and online booksellers. To contact Jones & Bartlett Learning directly, call 800-832-0034, fax 978-443-8000, or visit our website, www.jblearning.com.

Substantial discounts on bulk quantities of Jones & Bartlett Learning publications are available to corporations, professional associations, and other qualified organizations. For details and specific discount information, contact the special sales department at Jones & Bartlett Learning via the above contact information or send an email to [email protected]

Copyright © 2014 by Jones & Bartlett Learning, LLC, an Ascend Learning Company

All rights reserved. No part of the material protected by this copyright may be reproduced or utilized in any form, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the copyright owner.

The content, statements, views, and opinions herein are the sole expression of the respective authors and not that of Jones & Bartlett Learning, LLC. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise does not constitute or imply its endorsement or recommendation by Jones & Bartlett Learning, LLC and such reference shall not be used for advertising or product endorsement purposes. All trademarks displayed are the trademarks of the parties noted herein. Access Control, Authentication, and Public Key Infrastructure, Second Edition is an independent publication and has not been authorized, sponsored, or otherwise approved by the owners of the trademarks or service marks referenced in this product.

There may be images in this book that feature models; these models do not necessarily endorse, represent, or participate in the activities represented in the images. Any screenshots in this product are for educational and instructive purposes only. Any individuals and scenarios featured in the case studies throughout this product may be real or fictitious, but are used for instructional purposes only.

This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold with the understanding that the publisher is not engaged in rendering legal or other professional service. If legal advice or other expert assistance is required, the service of a competent professional person should be sought.

Production Credits

Chief Executive Officer: Ty Field

President: James Homer

SVP, Editor-in-Chief: Michael Johnson

SVP, Curriculum Solutions: Christopher Will

Director of Sales, Curriculum Solutions: Randi Roger

Senior Marketing Manager: Andrea DeFronzo

Associate Marketing Manager: Kelly Thompson

VP, Design and Production: Anne Spencer

VP, Manufacturing and Inventory Control: Therese Connell

Manufacturing and Inventory Control Supervisor: Amy Bacus

Editorial Management: High Stakes Writing, LLC, President: Lawrence J. Goodrich

Senior Editor, HSW: Ruth Walker

Senior Editorial Assistant: Rainna Erikson

Production Manager: Susan Schultz

Composition: Gamut+Hue, LLC

Cover Design: Kristin E. Parker

Director of Photo Research and Permissions: Amy Wrynn

Rights & Photo Research Assistant: Joseph Veiga

Cover Image: © HunThomas/ShutterStock, Inc.

Chapter Opener Image: © Rodolfo Clix/Dreamstime.com

Printing and Binding: Edwards Brothers Malloy

Cover Printing: Edwards Brothers Malloy

ISBN: 978-1-284-03159-1

Library of Congress Cataloging-in-Publication Data

Not available at time of printing.

Printed in the United States of America

Contents

Preface

Acknowledgments

PART ONE The Need for Access Control Systems

CHAPTER 1

Access Control Framework

Access and Access Control

What Is Access?

What Is Access Control?

Principal Components of Access Control

Access Control Systems

Access Control Subjects

Access Control Objects

Access Control Process

Identification

Authentication

Authorization

Logical Access Controls

Logical Access Controls for Subjects

Group Access Controls

Logical Access Controls for Objects

Authentication Factors

Something You Know

Something You Have

Something You Are

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 1 ASSESSMENT

CHAPTER 2

Assessing Risk and Its Impact on Access Control

Definitions and Concepts

Threats and Vulnerabilities

Access Control Threats

Access Control Vulnerabilities

Risk Assessment

Quantitative Risk Assessment

Qualitative Risk Assessment

Risk Management Strategies

Value, Situation, and Liability

Potential Liability and Non-Financial Impact

Where Are Access Controls Needed Most?

How Secure Must the Access Control Be?

The Utility of Multilayered Access Control Systems

Case Studies and Examples

Private Sector

Public Sector

Critical Infrastructure

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 2 ASSESSMENT

CHAPTER 3

Business Drivers for Access Controls

Business Requirements for Asset Protection

Importance of Policy

Senior Management Role

Classification of Information

Classification Schemes

Personally Identifiable Information (PII)

Privacy Act Information

Competitive Use of Information

Valuation of Information

Business Drivers

Cost-Benefit Analysis

Risk Assessment

Business Facilitation

Cost Containment

Operational Efficiency

IT Risk Management

Controlling Access and Protecting Value

Importance of Internal Access Controls

Importance of External Access Controls

Implementation of Access Controls with Respect to Contractors, Vendors, and Third Parties

Examples of Access Control Successes and Failures in Business

Case Study in Access Control Success

Case Study in Access Control Failure

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 3 ASSESSMENT

CHAPTER 4

Access Control Policies, Standards, Procedures, and Guidelines

U.S. Compliance Laws and Regulations

Gramm-Leach-Bliley Act (GLBA)

Health Insurance Portability and Accountability Act (HIPAA)

Sarbanes-Oxley (SOX) Act

Family Educational Rights and Privacy Act (FERPA)

Communications Assistance for Law Enforcement Act (CALEA)

Children’s Internet Protection Act (CIPA)

21 CFR Part 11

North American Electric Reliability Council (NERC)

Homeland Security Presidential Directive 12 (HSPD 12)

Access Control Security Policy Best Practices

Private Sector—Enterprise Organizations

Public Sector—Federal, State, County, and City Government

Critical Infrastructure, Including Utilities and Transportation

IT Security Policy Framework

What Policies Are Needed for Access Controls?

What Standards Are Needed to Support These Policies?

What Procedures Are Needed to Implement These Policies?

What Guidelines Are Needed for Departments and End Users?

Examples of Access Control Policies, Standards Procedures, and Guidelines

Private Sector Case Study

Public Sector Case Study

Critical Infrastructure Case Study

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 4 ASSESSMENT

ENDNOTE

CHAPTER 5

Security Breaches and the Law

Laws to Deter Information Theft

U.S. Federal Laws

State Laws

Cost of Inadequate Front-Door and First-Layer Access Controls

Access Control Failures

People

Technology

Security Breaches

Kinds of Security Breaches

Why Security Breaches Occur

Implications of Security Breaches

Private Sector Case Studies

Public Sector Case Study

Critical Infrastructure Case Study

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 5 ASSESSMENT

PART TWO

Mitigating Risk with Access Control Systems, Authentication, and PKI

CHAPTER 6

Mapping Business Challenges to Access Control Types

Access Controls to Meet Business Needs

Business Continuity

Risk and Risk Mitigation

Threats and Threat Mitigation

Vulnerabilities and Vulnerability Management

Solving Business Challenges with Access Control Strategies

Employees with Access to Systems and Data

Employees with Access to Sensitive Systems and Data

Administrative Strategies

Technical Strategies

Separation of Responsibilities

Least Privilege

Need to Know

Input/Output Controls

Case Studies and Examples

Private Sector Case Study

Public Sector Case Study

Critical Infrastructure Case Study

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 6 ASSESSMENT

CHAPTER 7

Human Nature and Organizational Behavior

The Human Element

Dealing with Human Nature

Pre-Employment Background Checks for Sensitive Positions

Ongoing Observation of Personnel

Organizational Structure and Access Control Strategy

Job Rotation and Position Sensitivity

Requirement for Periodic Vacation

Separation of Duties

Concept of Two-Person Control

Collusion

Monitoring and Oversight

Responsibilities of Access Owners

Training Employees

Acceptable Use Policy

Security Awareness Policy

Ethics

What Is Right and What Is Wrong

Enforcing Policies

Human Resources Involvement

Best Practices for Handling Human Nature and Organizational Behavior

Make Security Practices Common Knowledge

Foster a Culture of Open Discussion

Encourage Creative Risk-Taking

Case Studies and Examples

Private Sector Case Study

Public Sector Case Study

Critical Infrastructure Case Study

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 7 ASSESSMENT

CHAPTER 8

Access Control for Information Systems

Access Control for Data

Data at Rest

Data in Motion

Object-Level Security

Access Control for File Systems

Access Control List

Discretionary Access Control List

System Access Control List

Access Control for Executables

Delegated Access Rights

Microsoft Windows Workstations and Servers

Granting Windows Folder Permissions

Domain Administrator Rights

Super Administrator Rights

UNIX and Linux

UNIX and Linux File Permissions

Linux Intrusion Detection System (LIDS)

The Root Superuser

Supervisory Control and Data Acquisition (SCADA) and Process Control Systems

Best Practices for Access Controls for Information Systems

Case Studies and Examples

Private Sector Case Study

Public Sector Case Study

Critical Infrastructure Case Study

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 8 ASSESSMENT

CHAPTER 9

Physical Security and Access Control

Physical Security

Designing a Comprehensive Plan

Building Security and Access

Points of Entry and Exit

Physical Obstacles and Barriers

Granting Access to Physical Areas Within a Building

Biometric Access Control Systems

Principles of Operation

Types of Biometric Systems

Implementation Issues

Modes of Operation

Biometric System Parameters

Legal and Business Issues

Technology-Related Access Control Solutions

Physical Locks

Electronic Key Management System (EKMS)

Fobs and Tokens

Common Access Cards

Outsourcing Physical Security—Pros and Cons

Benefits of Outsourcing Physical Security

Risks Associated with Outsourcing Physical Security

Best Practices for Physical Access Controls

Case Studies and Examples

Private Sector—Case Studies and Examples

Public Sector Case Study

Critical Infrastructure Case Study

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 9 ASSESSMENT

CHAPTER 10

Access Control in the Enterprise

Access Control Lists (ACLs) and Access Control Entries (ACEs)

Access Control Models

Discretionary Access Control (DAC)

Mandatory Access Control (MAC)

Role-Based Access Control (RBAC)

Attribute-Based Access Control (ABAC)

Authentication Factors

Types of Factors

Factor Usage Criteria

Kerberos

How Does Kerberos Authentication Work?

Use of Symmetric Key and Trusted Third Parties for Authentication

Key Distribution Center (KDC)

Authentication Tickets

Principal Weaknesses

Kerberos in a Business Environment

Network Access Control

Layer 2 Techniques

Layer 3 Techniques

CEO/CIO/CSO Emergency Disconnect Prime Directive

Wireless IEEE 802.11 LANs

Access Control to IEEE 802.11 WLANs

Identification

Confidentiality

Authorization

Single Sign-On (SSO)

Defining the Scope for SSO

Configuring User and Role-Based User Access Control Profiles

Common Configurations

Enterprise SSO

Best Practices for Handling Access Controls in an Enterprise Organization

Case Studies and Examples

Private Sector Case Study

Public Sector Case Study

Critical Infrastructure Case Study

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 10 ASSESSMENT

PART THREE

Implementing, Testing, and Managing Access Control Systems

CHAPTER 11

Access Control System Implementations

Transforming Access Control Policies and Standards into Procedures and Guidelines

Transform Policy Definitions into Implementation Tasks

Follow Standards Where Applicable

Create Simple and Easy-to-Follow Procedures

Define Guidelines That Departments and Business Units Can Follow

Identity Management and Access Control

User Behavior, Application, and Network Analysis

Size and Distribution of Staff and Assets

Multilayered Access Control Implementations

User Access Control Profiles

Systems Access

Applications Access

File and Folder Access

Data Access

Access Controls for Employees, Remote Employees, Customers, and Business Partners

Remote Virtual Private Network (VPN) Access—Remote Employees and Workers

Intranets—Internal Business Operations and Communications

Extranets—External Supply Chains, Business Partners, Distributors, and Resellers

Secure E-commerce Portals with Encryption

Secure Online Banking Access Control Implementations

Logon/Password Access

Identification Imaging and Authorization

Best Practices for Access Control Implementations

Case Studies and Examples

Private Sector Case Study

Public Sector Example

Critical Infrastructure Case Study

CHAPTER 11 SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 11 ASSESSMENT

CHAPTER 12

Access Control Solutions for Remote Workers

Growth in Mobile Work Force

Remote Access Methods and Techniques

Identification

Authentication

Authorization

Access Protocols to Minimize Risk

Authentication, Authorization, and Accounting (AAA)

Remote Authentication Dial In User Service (RADIUS)

Remote Access Server (RAS)

TACACS, XTACACS, and TACACS+

Differences Between RADIUS and TACACS+

Remote Authentication Protocols

Virtual Private Networks (VPNs)

Web Authentication

Knowledge-Based Authentication (KBA)

Best Practices for Remote Access Controls to Support Remote Workers

Case Studies and Examples

Private Sector Case Study

Public Sector Case Study

Critical Infrastructure Case Study

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 12 ASSESSMENT

CHAPTER 13

Public Key Infrastructure and Encryption

Public Key Infrastructure (PKI)

What Is PKI?

Encryption and Cryptography

Business Requirements for Cryptography

Digital Certificates and Key Management

Symmetric Versus Asymmetric Algorithms

Certificate Authority (CA)

Ensuring Integrity, Confidentiality, Authentication, and Non-Repudiation

Use of Digital Signatures

What PKI Is and What It Is Not

What Are the Potential Risks Associated with PKI?

Implementations of Business Cryptography

Distribution

In-House Key Management Versus Outsourced Key Management

Certificate Authorities (CA)

Why Outsourcing to a CA May Be Advantageous

Risks and Issues with Outsourcing to a CA

Best Practices for PKI Use Within Large Enterprises and Organizations

Case Studies and Examples

Private Sector Case Study

Public Sector Case Study

Critical Infrastructure Example

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 13 ASSESSMENT

CHAPTER 14

Testing Access Control Systems

Purpose of Testing Access Control Systems

Software Development Life Cycle and the Need for Testing Software

Planning

Requirements Analysis

Software Design

Development

Testing and Integration

Release and Training

Support

Security Development Life Cycle and the Need for Testing Security Systems

Initiation

Acquisition and Development

Implementation and Testing

Operations and Maintenance

Sunset or Disposal

Information Security Activities

Requirements Definition—Testing the Functionality of the Original Design

Development of Test Plan and Scope

Selection of Penetration Testing Teams

Performing the Access Control System Penetration Test

Assess if Access Control System Policies and Standards Are Followed

Assess if the Security Baseline Definition Is Being Achieved Throughout

Assess if Security Countermeasures and Access Control Systems Are Implemented Properly

Preparing the Final Test Report

Identify Gaps and Risk Exposures and Assess Impact

Develop Remediation Plans for Closing Identified Security Gaps Prioritized by Risk Exposure

Prepare Cost Magnitude Estimate and Prioritize Security Solutions Based on Risk Exposure

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 14 ASSESSMENT

CHAPTER 15

Access Control Assurance

What Is Information Assurance?

C-I-A Triad

The Five Pillars

Parkerian Hexad

How Can Information Assurance Be Applied to Access Control Systems?

Access Controls Enforce Confidentiality

Access Controls Enforce Integrity

Access Controls Enforce Availability

Training and Information Assurance Awareness

What Are the Goals of Access Control System Monitoring and Reporting?

What Checks and Balances Can Be Implemented?

Track and Monitor Event-Type Audit Logs

Track and Monitor User-Type Audit Logs

Track and Monitor Unauthorized Access Attempts Audit Logs

Audit Trail and Audit Log Management and Parsing

Audit Trail and Audit Log Reporting Issues and Concerns

Security Information and Event Management (SIEM)

Best Practices for Performing Ongoing Access Control System Assurance

Case Studies and Examples

Private Sector Case Study

Public Sector Case Study

Critical Infrastructure Case Study

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 15 ASSESSMENT

APPENDIX A

Answer Key

APPENDIX B

Standard Acronyms

Glossary of Key Terms

References

Index

Preface

Purpose of This Book

This book is part of the Information Systems Security & Assurance Series from Jones & Bartlett Learning (www.jblearning.com). Designed for courses and curriculums in IT Security, Cybersecurity, Information Assurance, and Information Systems Security, this series features a comprehensive, consistent treatment of the most current thinking and trends in this critical subject area. These titles deliver fundamental information-security principles packed with real-world applications and examples. Authored by Certified Information Systems Security Professionals (CISSPs), they deliver comprehensive information on all aspects of information security. Reviewed word for word by leading technical experts in the field, these books are not just current, but forward-thinking—putting you in the position to solve the cybersecurity challenges not just of today, but of tomorrow, as well.

The goal of Access Control, Authentication, and Public Key Infrastructure, Second Edition is to provide you with both academic knowledge and real-world understanding of the concepts behind access controls. These are tools you will use to secure valuable resources within your organization’s IT infrastructure. The authors’ goal was to provide you with a book that would teach important concepts first, and act as a useful reference later.

Access control goes beyond the simple username and password. This book approaches access control from a broad perspective, dealing with every aspect of access controls, from the very low-tech to the cutting edge.

Part 1 of this book defines the components of access control, provides a business framework for implementation, and discusses legal requirements that impact access control programs.

In Part 2, the risks, threats, and vulnerabilities that are prevalent in information systems and IT infrastructures are addressed with risk mitigation strategies and techniques. Access control systems and stringent authentication are presented as ways to mitigate risk.

Part 3 provides a resource for students and practitioners who are responsible for implementing, testing, and managing access control systems throughout the IT infrastructure. Use of public key infrastructures for large organizations and certificate authorities is presented to solve unique business challenges.

This book is more than just a list of different technologies and techniques. You will come away with an understanding of how and why to implement an access control system. You will know how to conduct an effective risk assessment prior to implementation, and how to test solutions throughout the life cycle of the system.

Learning Features

The writing style of this book is practical and conversational. Each chapter begins with a statement of learning objectives. Step-by-step examples of information security concepts and procedures are presented throughout the text. Illustrations are used both to clarify the material and to vary the presentation. The text is sprinkled with Notes, Tips, FYIs, Warnings, and sidebars to alert the reader to additional helpful information related to the subject under discussion. Chapter assessments appear at the end of each chapter, with solutions provided in the back of the book.

Chapter summaries are included in the text to provide a rapid review or preview of the material and to help students understand the relative importance of the concepts presented.

Audience

The material is suitable for undergraduate or graduate computer science majors or information science majors, or students at a two-year technical college or community college who have a basic technical background, or readers who have a basic understanding of IT security and want to expand their knowledge.

Acknowledgments

The production of a book is a complex effort involving many people. I would like to thank everyone involved in this project, especially those that I never had the opportunity to meet. Special thanks are due to Jim Cavanagh, who served as an excellent technical editor; Larry Goodrich and Randi Roger, who managed the project; and Ruth Walker, our fearless copy editor. I would also like to thank Carole Jelen, my literary agent with Waterside Productions.

Mike Chapple

The authors would like to thank Jones & Bartlett Learning for the opportunity to write this book and be a part of the Information Systems Security & Assurance Series project. Thanks also go to Mike Chapple, our technical reviewer, and Kim Lindros, our project manager. Mike ensured that every sentence in this book was as clear and technically accurate as it could possibly be. Kim managed the project on our behalf, reviewing and ferrying all the pieces that flowed between us, Mike Chapple, and Jones & Bartlett Learning.

Our heartfelt gratitude to our extended family and friends, without whose support we could not have written this book.

Bill and Tricia Ballad

To all my parents for providing the foundation that made this possible. Thank you.

To the Ursos for letting me spend hours in the yellow house and for making coffee. I am truly grateful.

To Mr. Weiss, I hope my words reflect all the guidance and wisdom you provided. I have learned more from you than you will ever know.

To Tarik and my family and friends who listened to me and still missed me. I don’t know what I would do without you.

To Marty Weiss, Carole Jelen, Mike Chapple, Kim Lindros, and all the editors, for everything you do. Your assistance and advice are truly appreciated.

To RSA, EMC, and all my colleagues: You guys make me love security every day.

Erin K. Banks

About the Authors

MIKE CHAPPLE is senior director for Enterprise Support Services at the University of Notre Dame. In this role, he oversees the information security, IT architecture, project management, strategic planning, and communications functions for the Office of Information Technologies. He also serves as a concurrent assistant professor in the university’s Computer Applications Department, where he teaches an undergraduate course on Information Security. He is a technical editor for Information Security magazine and has written several books, including Information Security Illuminated (Jones & Bartlett, 2005), SQL Server 2008 for Dummies (Wiley, 2008), and the CISSP Prep Guide (Wiley, 2012). He earned his BS and PhD degrees from Notre Dame in computer science and engineering. He also holds an MS degree in computer science from the University of Idaho and an MBA from Auburn University.

BILL BALLAD has been active in the IT security community since the mid-1990s. He is the coauthor and SME for Securing PHP Web Applications (Addison-Wesley Professional, 2008), and he wrote the security chapters for PHP & MySQL Web Development All-in-One Desk Reference for Dummies (Wiley, 2008). Professionally, Ballad is a senior systems engineer working with mission-critical Windows networks.

TRICIA BALLAD spent several years as a Web applications developer before becoming a full-time freelance writer and technical editor. She has written online courseware on various consumer electronics and computing subjects, and has coauthored PHP & MySQL Web Development All-in-One Desk Reference for Dummies (Wiley, 2008) and Securing PHP Web Applications (Addison-Wesley Professional, 2008).

ERIN K. BANKS is a security technology consultant for EMC, providing security solutions to Fortune 500 companies. She has over 13 years of experience in the network and security fields supporting customers and system integrators across a wide variety of industries. Banks holds a BS in electrical engineering from Northeastern University and is currently working on her MBA from the Isenberg School of Management at the University of Massachusetts Amherst. She holds the CISSP certification, among other industry certifications.

This book is dedicated to the memory of Dewitt Latimer, my friend, colleague, and mentor.—Mike Chapple

To Will, Alex, Patrick, and Beth

—Bill and Tricia Ballad

To Holly, you will always be my girl

—Erin K. Banks

PART ONE

The Need for Access Control Systems

CHAPTER 1 Access Control Framework

CHAPTER 2 Assessing Risk and Its Impact on Access Control

CHAPTER 3 Business Drivers for Access Controls

CHAPTER 4 Access Control Laws, Policies, and Standards

CHAPTER 5 Security Breaches and the Law

CHAPTER 1 Access Control Framework

ORGANIZATIONS RELY UPON ACCESS CONTROLS to grant and restrict user access to information, systems, and other resources. Properly designed access control systems implement business rules, which are often direct implementations of policy, so that individuals have access to the information and resources they need to perform their responsibilities, but no more.

The consequences of weak or nonexistent access controls range from inconvenient to downright disastrous, depending on the nature of the resources being protected. For the average user, it may be annoying and inconvenient to have someone else reading your e-mail. On the other end of the scale, without strong access controls, companies could lose billions of dollars when disgruntled employees bring down mission-critical systems. Identity theft is a major concern in modern life, because so much of our private information is stored in accessible databases. The only way that information can be both useful and safe is through strong access controls.

Chapter 1 Topics

This chapter covers the following topics and concepts:

What access control is

What the principal components of access control are

What the three stages of access control are

What logical access controls are

What the three authentication factors are

Chapter 1 Goals

When you complete this chapter, you will be able to:

Identify the principal components of access control

Define the three stages of access control

Choose the best combination of authentication factors for a given scenario

Access and Access Control

There are two fundamentally important concepts you need to know before diving into the content for this chapter:

1. What does “access” mean?

2. What is an “access control”?

In an ideal world, you wouldn’t need to control access to what’s important to you or of value—you wouldn’t even need to lock your doors. Unfortunately that’s not reality—at home or in the business world. In the real world—especially in business—there is a need to protect precious data, network bandwidth, and other assets from a variety of threats. This chapter will help you understand how to lock your virtual doors.

What Is Access?

Fundamentally, access refers to the ability of a subject and an object to interact. That interaction is the basis of everything we do, both in the information technology (IT) field and in life in general. Access can be defined in terms of social rules, physical barriers, or informational restrictions.

For example, consider a busy executive with an administrative assistant who serves as a gatekeeper, deciding who will be allowed to interact personally with the executive and who must leave a message with the administrative assistant. In this scenario, the visitor is the subject and the executive is the object. The administrative assistant serves as the access control system, restricting what individuals (subjects) may access …