What Is Access Control?
Access control is the set of mechanisms that determine who can access what, under what conditions, and when. Every access control decision involves three elements:
- Subject: The entity requesting access — typically a user, process, or device. The "who."
- Object: The resource being accessed — a file, database, system, or physical space. The "what."
- Rules: The conditions under which access is permitted or denied. The "how and when."
Access is not granted simply because someone claims to be authorized. Two additional factors shape access decisions: trustworthiness (is the subject who they claim to be?) and need to know (does the subject actually need access to this resource to do their job?).
Defense in Depth
Defense in depth uses multiple, layered security controls to protect an organization's assets. Rather than relying on a single barrier, it places controls at every layer — so if one control fails, others remain in place to contain the damage.
Think of it like a medieval castle: the crown jewels are in a vault, the vault is in a keep, the keep is surrounded by walls, the walls are surrounded by a moat, and guards patrol throughout. Each layer slows an attacker down and increases the chances of detection.
Its goal is to make attacks difficult, detectable, and containable — not to make them impossible.
Principle of Least Privilege
Users and programs should have only the minimum access necessary to perform their assigned tasks — nothing more. Every extra permission is an extra opportunity for misuse. An employee who only needs to read financial reports should not have write access to the finance database.
Least privilege reduces the blast radius of a compromised account. If an attacker gains access through a low-privileged account, they can only do limited damage.
Privileged Access Management (PAM)
Some accounts require elevated permissions to perform administrative tasks. These are called privileged accounts and represent a significant security risk if misused. PAM is the practice of controlling and monitoring how administrative privileges are used:
- Admin privileges should only be used when actually needed, not as a routine working account
- In practice: maintain two accounts — a regular user account for day-to-day work and a separate privileged account invoked only for administrative tasks
Segregation of Duties
Segregation of Duties (Separation of Duties) ensures that no single person can complete a sensitive organizational process on their own. Critical tasks are divided between two or more people so that collusion is required to abuse the system.
A classic example: the person who initiates a financial transaction should not also be the person who approves it. This control reduces insider threat by forcing any fraudulent activity to require coordination between multiple people.
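The initiator/approver split described above, as an added example that is not part of the original notes: a small approval workflow that refuses to let the person who initiated a transaction approve it, and that counts only distinct approvers. The names, amounts and the two-approver threshold are constructed assumptions for the illustration.

```python
"""Segregation-of-duties check on a two-step approval workflow.

Added example, not from the original notes; all names, amounts and the
approval threshold are constructed sample values.
"""
from dataclasses import dataclass, field


class SegregationOfDutiesError(Exception):
    """Raised when one person would complete a sensitive process alone."""


@dataclass
class Transaction:
    tx_id: str
    amount: float
    initiator: str
    required_approvals: int = 1
    approvers: list = field(default_factory=list)


def required_approvals_for(amount, threshold=10000.0):
    """Assumed policy for the example: large amounts need two approvers."""
    return 2 if amount >= threshold else 1


def initiate(tx_id, amount, initiator, required_approvals=1):
    """Step one: someone proposes the transaction (the 'initiator')."""
    if required_approvals < 1:
        raise ValueError("at least one approval is always required")
    return Transaction(tx_id, amount, initiator, required_approvals)


def approve(tx, approver):
    """Step two: add an approval, refusing anyone who already touched it."""
    if approver == tx.initiator:
        raise SegregationOfDutiesError(
            f"{approver} initiated {tx.tx_id} and cannot also approve it")
    if approver in tx.approvers:
        raise SegregationOfDutiesError(
            f"{approver} has already approved {tx.tx_id}")
    tx.approvers.append(approver)
    return tx


def is_executable(tx):
    """True only once enough distinct people besides the initiator signed off."""
    return len(set(tx.approvers)) >= tx.required_approvals
```

Because every approval must come from a new person, abusing the process requires at least two people to collude, which is exactly the property the control is meant to create.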
User Provisioning Lifecycle
User accounts follow a defined lifecycle from creation to deletion. Managing this lifecycle properly is a critical access control function:
- New employee hired → Account created (onboarding)
- Employee changes role → Account modified (permissions updated)
- Employee takes temporary leave → Account disabled (access suspended but not deleted)
- Employee leaves the organization → Account deleted (offboarding)
A common failure is not promptly deactivating accounts when employees leave. A former employee with active credentials is a significant security risk — this scenario appears frequently in exam questions.
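The four lifecycle transitions above, as an added example that is not part of the original notes: a small directory that only allows the legitimate state changes (create, modify, disable, delete) and a reconciliation check that reports accounts still active for people who are no longer on the HR roster, which is the offboarding gap the notes warn about. The usernames, roles and roster are constructed sample data.

```python
"""User account lifecycle with an offboarding-gap check.

Added example, not from the original notes; the HR roster, usernames and
roles are constructed sample data.
"""
from dataclasses import dataclass, field

# Allowed state transitions. "deleted" is terminal: an offboarded account
# is never quietly revived.
TRANSITIONS = {
    "active": {"disabled", "deleted"},
    "disabled": {"active", "deleted"},
    "deleted": set(),
}


@dataclass
class Account:
    username: str
    status: str = "active"
    roles: set = field(default_factory=set)


class Directory:
    def __init__(self):
        self.accounts = {}

    def onboard(self, username, roles):
        """New hire: account created with the roles the job needs."""
        if username in self.accounts:
            raise ValueError(f"{username} already exists")
        self.accounts[username] = Account(username, "active", set(roles))

    def _transition(self, username, new_status):
        acct = self.accounts[username]
        if new_status not in TRANSITIONS[acct.status]:
            raise ValueError(
                f"{username}: cannot go from {acct.status} to {new_status}")
        acct.status = new_status

    def change_role(self, username, roles):
        """Role change replaces the permission set so rights never accumulate."""
        acct = self.accounts[username]
        if acct.status == "deleted":
            raise ValueError(f"{username} has been offboarded")
        acct.roles = set(roles)

    def suspend(self, username):
        """Temporary leave: disabled, not deleted, so it can be reinstated."""
        self._transition(username, "disabled")

    def reinstate(self, username):
        self._transition(username, "active")

    def offboard(self, username):
        """Leaver: account deleted and every permission removed."""
        self._transition(username, "deleted")
        self.accounts[username].roles.clear()


def find_orphaned_accounts(directory, hr_roster):
    """Active accounts whose owner is no longer an employee: the offboarding gap."""
    return sorted(u for u, a in directory.accounts.items()
                  if a.status == "active" and u not in hr_roster)
```

Running the reconciliation on a schedule (HR roster against the directory) is how the "former employee with active credentials" scenario is caught when the offboarding step was missed.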
Physical Access Controls
Physical access controls are tangible mechanisms that control, direct, or prevent the movement of people and equipment. They are the outermost layer of the defense in depth model. Common examples include: security guards, fences, motion detectors, locked doors and gates, lighting, cable protection, ID badges, cameras, mantraps, turnstiles, and alarms.
- Mantrap: An entrance requiring a person to pass through two doors, where only one door can be open at a time. This prevents tailgating — an unauthorized person following an authorized person through a secure entrance.
- Turnstile: A one-way spinning barrier that allows only one person at a time to pass, ensuring shared credentials cannot allow multiple entries.
- CPTED (Crime Prevention Through Environmental Design): An architectural approach that uses building design and spatial arrangement to passively reduce criminal activity — clear sightlines, natural lighting, removal of concealment areas.
Logical Access Controls
Logical access controls (technical controls) are implemented by computer systems to restrict access to digital resources. They can be software-based or hardware-based.
DAC, MAC, and RBAC
Discretionary Access Control (DAC)
In DAC, the owner of a resource decides who can access it and what they can do. The access policy is at the owner's discretion. DAC is flexible but risky — a careless owner may grant excessive permissions.
Mandatory Access Control (MAC)
In MAC, access decisions are enforced by the system according to the organization's security policies — not by individual owners. Users cannot override these controls. MAC is commonly used in high-security environments such as government and military systems. Both the subject and object are assigned security labels; access is only granted when the subject's label meets the requirements for the object's label.
Role-Based Access Control (RBAC)
In RBAC, access permissions are assigned to roles, and users are assigned to roles. A user inherits the permissions of their role. RBAC scales well for large organizations and simplifies access administration, especially when job functions are clearly defined.
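The three models above side by side, as an added example that is not part of the original notes: a DAC access list that only the owner may edit, a MAC check in which the system compares fixed labels and no user can change them, and an RBAC lookup in which permissions attach to roles rather than to people. The objects, users, labels and roles are constructed sample data, and the MAC rule shown is the simplest form of "subject label meets the object's requirement" (clearance dominates classification).

```python
"""DAC, MAC and RBAC decision checks side by side.

Added example, not part of the original notes. All users, labels, roles
and objects are constructed sample data.
"""

# --- Discretionary Access Control: the owner decides ----------------------
# Each object carries its owner and an access list the owner maintains.
DAC_ACL = {
    "q1-report.xlsx": {"owner": "alice", "grants": {"bob": {"read"}}},
}


def dac_grant(acl, actor, obj, user, actions):
    """Only the owner may change the object's access list (the 'discretion')."""
    entry = acl[obj]
    if actor != entry["owner"]:
        raise PermissionError(f"{actor} is not the owner of {obj}")
    entry["grants"].setdefault(user, set()).update(actions)


def dac_permits(acl, user, obj, action):
    entry = acl[obj]
    return user == entry["owner"] or action in entry["grants"].get(user, set())


# --- Mandatory Access Control: the system enforces labels -----------------
LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top_secret": 3}


def mac_permits(subject_clearance, object_classification):
    """Grant only when the subject's clearance dominates the object's label.

    Neither party can edit the labels; only the organisation's policy does.
    """
    return LEVELS[subject_clearance] >= LEVELS[object_classification]


# --- Role-Based Access Control: permissions attach to roles ---------------
ROLE_PERMISSIONS = {
    "analyst": {("finance-db", "read")},
    "finance-admin": {("finance-db", "read"), ("finance-db", "write")},
}
USER_ROLES = {"alice": {"analyst"}, "carol": {"finance-admin"}}


def rbac_permits(user, obj, action):
    """A user holds exactly the permissions of the roles assigned to them."""
    return any((obj, action) in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))
```

The contrast is in who can change the outcome: in DAC the owner, in MAC nobody but the policy, and in RBAC the administrator who assigns roles, which is why RBAC administration stays simple when job functions are well defined.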
Logging and Log Management
Logs are the record of events occurring within an organization's systems and networks. Three key concepts:
- Log Anomaly: An irregularity in log entries that stands out from normal patterns — an indicator of potential security events warranting further investigation.
- Log Consolidation: Collecting logs from multiple sources into a centralized repository for combined analysis. Managed by a SIEM (Security Information and Event Management) system.
- Log Retention: Keeping logs for a defined period as required by policy, regulation, or legal requirements.
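The three concepts above worked through on sample data, as an added example that is not part of the original notes: lines from two sources are parsed into one timeline (consolidation), a simple rule flags a burst of failed logins followed by a success (an anomaly worth investigating), and a retention cutoff drops entries older than the policy allows. The log lines, hostnames, usernames and addresses are constructed for the example, and the failure threshold and window are assumptions.

```python
"""Log consolidation, anomaly detection and retention on constructed data.

Added example, not from the original notes. Every log line below is
constructed; the detection threshold and window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample logs from two sources, in a syslog-like layout.
SAMPLE_LOGS = {
    "vpn-gw": [
        "2024-03-01T09:15:00Z vpn-gw sshd: Accepted password for bob from 198.51.100.4",
        "2024-03-10T08:01:12Z vpn-gw sshd: Failed password for alice from 203.0.113.7",
        "2024-03-10T08:01:30Z vpn-gw sshd: Failed password for alice from 203.0.113.7",
        "2024-03-10T08:02:05Z vpn-gw sshd: Failed password for alice from 203.0.113.7",
    ],
    "db-01": [
        "2024-03-10T07:55:00Z db-01 postgres: checkpoint complete",
        "2024-03-10T08:03:40Z db-01 postgres: connection authorized user=alice host=10.0.0.5",
    ],
}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$")
# Map message text onto a common event vocabulary across sources.
PATTERNS = [
    ("failed_login", re.compile(r"Failed password for (?P<user>\w+)")),
    ("login_ok", re.compile(r"Accepted password for (?P<user>\w+)")),
    ("login_ok", re.compile(r"connection authorized user=(?P<user>\w+)")),
]


def parse_line(source, line):
    """Normalise one raw line into a common record; None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    event, user = "other", None
    for name, pat in PATTERNS:
        pm = pat.search(m["msg"])
        if pm:
            event, user = name, pm["user"]
            break
    return {"ts": ts, "source": source, "host": m["host"],
            "event": event, "user": user, "raw": line}


def consolidate(logs_by_source):
    """Log consolidation: one time-ordered stream from all sources."""
    events = []
    for source, lines in logs_by_source.items():
        for line in lines:
            rec = parse_line(source, line)
            if rec:
                events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def find_anomalies(events, threshold=3, window=timedelta(minutes=5)):
    """Log anomaly: a burst of failures for one user, and any success after it."""
    failures = defaultdict(list)
    flagged = set()
    anomalies = []
    for e in events:
        if e["event"] == "failed_login":
            recent = [t for t in failures[e["user"]] if e["ts"] - t <= window]
            recent.append(e["ts"])
            failures[e["user"]] = recent
            if len(recent) >= threshold and e["user"] not in flagged:
                flagged.add(e["user"])
                anomalies.append({"kind": "failed_login_burst", "user": e["user"],
                                  "count": len(recent), "ts": e["ts"]})
        elif e["event"] == "login_ok" and e["user"] in flagged:
            anomalies.append({"kind": "success_after_burst", "user": e["user"],
                              "host": e["host"], "ts": e["ts"]})
    return anomalies


def apply_retention(events, now, retention_days):
    """Log retention: keep only entries inside the policy window."""
    cutoff = now - timedelta(days=retention_days)
    return [e for e in events if e["ts"] >= cutoff]
```

The second anomaly is the one an analyst cares about: on their own, the three VPN failures and the database login are unremarkable, and only the consolidated timeline across both sources turns them into a single story.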