Access control, in one form or another, is considered by most information systems security professionals to be the cornerstone of their security programs. The various features of physical, technical, and administrative access control mechanisms work together to construct the security architecture so important in the protection of an organization's critical and sensitive information assets.
The first section of Domain 1 covers Access Control Principles and Objectives. These are the basic considerations that must be addressed to construct and administer a successful information security plan of attack. Chapter 1-1-1, Types of Information Security Controls, presents the three basic categories of controls as physical, technical, or administrative and further classifies them as preventive or detective. Examples and descriptions are provided to enable a visualization of their meaning and use.
Chapter 1-1-2, Purposes of Information Security Management, discusses the three basic purposes of information security: data and system integrity, availability, and confidentiality. Since it is important for a security professional to be familiar with the basic models developed to explain implementations of integrity and confidentiality, these principles are described in some detail.
The next section in Domain 1 is devoted to a discussion and highlighting of Access Control Issues. Although the use of biometrics in user identification has been around for years, new innovations continue to emerge. Understanding the potential and limitations of this important tool is necessary to avoid pitfalls in selecting, installing, and operating a biometric identification system. Chapter 1-2-1, Biometric Identification, contains the details that the security professional needs to effectively utilize this type of control.
Individual privacy is one of the key reasons for implementing strong access controls in an organization. These days, data bases contain extensive information about individuals that can be readily available to persons with no need for that information. As technology makes it easier to share information between data bases, protecting it properly becomes more difficult. Chapter 1-2-2, When Technology and Privacy Collide, discusses some of the major concerns in this sensitive area.
With the widespread use of client/server systems to bring computing power closer to the end user and increase efficiencies, access controls in relational data base systems become a major issue. Chapter 1-2-3, Relational Data Base Access Controls Using SQL, reviews the relational data model and the SQL language. It discusses the pitfalls of relying on discretionary access controls and provides insight into the benefits of employing mandatory access control. Since some systems contain data at different levels of sensitivity, this chapter includes a description of various architectures for creating multilevel data bases.
The third and last section in Domain 1 is called Access Control Administration. This topic involves the implementation and operation or use of access controls to effectively protect information resources. Key to the decision of what access controls to implement is the establishment of organization policy that provides management guidance on what to protect and to what degree. Implementation of Access Controls, Chapter 1-3-1, addresses the process of categorizing resources for protection and then describes the various models of access controls. Included is an examination of the administration and implementation of access controls.
One of the most difficult steps in access control administration involves the authentication of users to ensure that they are who they claim to be. In Chapter 1-3-2, Implementing Kerberos in Distributed Systems, the use of Kerberos, the de facto standard for authentication in large, heterogeneous network environments, is described. The pros and cons of Kerberos are discussed as well as its performance and cost factors.