ISC2 CISSP

Understanding access control: A CISSP certification guide

February 14, 2025 by Stuart Gentry

Getting CISSP certified requires thorough preparation and a deep understanding of modern information security concepts. Access control, a critical domain of the CISSP Common Body of Knowledge (CBK), has evolved significantly with the April 2024 CISSP exam update. As the foundation of information security, access control ensures that only authenticated and authorized users can interact with important resources. 

Access control might not be the most glamorous aspect of cybersecurity, but it's essential for maintaining system security and integrity. Whether you're preparing for the CISSP exam or working as a security professional, understanding access control's nuances — from basic categories to sophisticated models — is crucial for protecting organizational assets. 

This article explores the comprehensive world of access control, covering both fundamental concepts and advanced implementations. We'll examine different control categories, explore various access control models and discuss practical implementation strategies that align with current CISSP exam requirements. 

Ready to start your CISSP journey? Check out our CISSP Boot Camp, download our free CISSP exam tips and tricks ebook or watch our free CISSP prep course. 

Earn your CISSP, guaranteed!

Get live, expert CISSP training from anywhere. Enroll now to claim your Exam Pass Guarantee!

Main access control categories 

Security architects and engineers implement access control through three primary categories of controls, each serving distinct but complementary purposes. 

Administrative controls 

Administrative controls are set out by an organization's top management and can be regarded as the controls that require the most rigorous implementation. Some of the control components worth mentioning here are: 

  • Procedures and policy: Every organization has its own security policy, to which all the employees must adhere. It's a high-level plan that outlines the management's intentions of practicing security within the premises. The policy can include actions deemed acceptable, the level of risk the company is willing to undertake, the penalties in case of a breach, etc. The policy is normally compiled by an expert who understands the business objectives, regulations and laws that define (and restrict) the organization. 

Via a security policy, every functional section and every employee of the company is able to figure out how they need to implement security and what the repercussions could be in case of non-compliance. 

  • Supervisory structure: Almost all organizations in the modern world make managerial staff responsible for employees and for scrutinizing their activities. A supervisor is the person placed directly above an employee, and if the employee is found to be at fault for some reason, the supervisor will also be held accountable. 
  • Personnel controls: The personnel controls describe the expectations of the organization toward its employees' interactions with the security mechanisms. They are also often used to address non-compliance issues regarding these expectations. 

Change-of-status access controls describe the security actions that should be taken when employees are hired, suspended, terminated or promoted. Separation of duties must be enforced so that no single employee can perform a critical duty alone (which could hurt the company in the long run). An example is a bank teller who has to seek approval from his supervisor before cashing checks over $2,000. For a security breach to take place, more than one person would have to commit fraud, and they would have to collude; separation of duties therefore greatly reduces the probability of fraud and breaches. 

  • Duty rotation: Via duty rotation, employees rotate jobs often, in order to be capable of fulfilling duties of more than one position. Another benefit of this process is that if an employee intends to commit fraud within their position, the chances of detection are a lot greater if another employee also knows the tasks required for that particular position (and how they need to be carried out). 

Some examples of administrative controls are: 

  • Information classification 
  • Personnel procedures 
  • Investigations 
  • Testing 
  • Security-awareness and training 

Technical controls 

As the name indicates, technical controls (also called logical controls) are the hardware and/or software mechanisms used to enforce restrictions on objects for particular subjects. The entities on which restrictions are enforced may be applications, protocols, core application components, OS components, add-on security packages, access control metrics, encryption mechanisms, etc. Security architects can protect the availability and integrity of important resources by limiting the number of subjects who have access to them and by guarding against unauthenticated subjects. 

Some of the most important technical access control components are: 

  • Network access: These days, the network is the most exploitable part of any system. If an attacker gains a foothold on the internal network, they have opened a path that can ultimately lead to a complete takeover of the system. Network access controls define the mechanisms that authorize access to network resources such as switches, routers, bridges, firewalls, etc. 
  • System access: In this category, access to a resource depends on the data's sensitivity, the user's clearance level and their permissions and rights. System access control mechanisms can be implemented using usernames/passwords, biometrics, TACACS, smartcard authentication, Kerberos, etc. 
  • Auditing: Such controls are used for tracking activities within a network, on network devices or specific computers. They especially aid in finding weaknesses in various technical controls and in making subsequent alterations based on those findings. 
  • Encryption (and other protocols): Cryptographic techniques, protocols and encryption are used to ensure that the information is protected as it passes through networks (or is present on devices). 
  • Architecture: Architecture control lays out the physical and logical layout of the network, along with the access control mechanisms present between different segments of the network. 

Some technical access control tools worth mentioning are: 

  • ACLs 
  • IDS 
  • Antivirus software 
  • Dial-up call-back systems 
  • Alarms and alerts 

Physical controls 

Not enough stress can be laid on the importance of physical access control within an organization. Whereas breaches of technical (and administrative) controls can often be carried out with sophisticated hacking tools, physical breaches require social engineering, a skill that IT criminals normally possess in abundance. Here are some of the components worth mentioning that are also important for the CISSP access control domain preparation: 

  • Network segregation: The network should be adequately segregated; a section may contain employees' computers, whereas another one may only contain routers, switches and servers. 
  • Security of the perimeter: Depending on the organization, perimeter security implementation needs to be carried out to ensure that no unwarranted entrants make their way into the premises. 

Some other physical access control components can be: 

  • Computer controls 
  • Separation of work area 
  • Backups of data 

Some examples are fences, locks, badge systems, security guards, biometric systems, mantrap doors, motion detectors, closed-circuit TVs, alarms, backups, etc. 

Access control models 

While the three categories of controls establish the foundation of access control, organizations need specific models to implement these controls effectively. Simply designating a system administrator to handle access requests isn't enough for modern security needs. Instead, organizations use established access control models to manage permissions and protect resources automatically. 

Let's examine the main access control models frequently covered on the CISSP exam and used in real-world implementations. 


Primary access control models 

Below are models for access control covered extensively on the CISSP exam. At the heart of each model is the concept of exchanges between subjects and objects. A subject is anything, whether it be a person, software program or another entity, that requests access to an object, which is typically defined as anything that contains information. 

Each of the following access control models uses different methods for granting permission to the subjects and controlling access to the objects. 

Discretionary Access Control (DAC) 

This access control model gives subjects the most freedom to access objects but also provides a lower level of security than other models on this list. It works by a security administrator creating a resource profile for the object that contains an access control list of those who can access an object and in what capacity. However, in addition to the administrator, the owner or creator of the object has the same ability to manage access. While this can provide flexibility and allow new people who need access to acquire it, the main downside to this model is that the owner can offer access to whomever they wish — including the wrong subjects. 

Mandatory Access Control (MAC) 

Nearly the opposite of DAC, the Mandatory Access Control model has one administrator in charge of granting access to subjects by designating clearance levels to any entity that accesses information. An object is given a clearance level based on its security requirements, and only subjects with the same clearance level or higher can access that object. Two security models are commonly used to manage a MAC model based on whether information integrity or confidentiality is the priority: Biba and Bell-LaPadula. 

Biba is best for maintaining information integrity in access control models and allows subjects with lower-level clearance to read higher-level clearance objects and subjects with higher-level clearance to write for lower-level clearance objects. 

Bell-LaPadula is a little more rigid and is commonly used in government or military roles. In this model, even subjects with higher-level clearance can write at their level and no higher or lower but can still read objects with lower clearance. 
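To make the two MAC rule sets concrete, here is an added example (written for this guide, not code from the article or from ISC2) that encodes the Bell-LaPadula and Biba read/write rules over an ordered set of labels. The label names, the subject and object records and the `strong_star` switch are assumptions for illustration: `strong_star=True` matches the write-at-your-own-level form described above, while `strong_star=False` gives the classic no-write-down form of the *-property.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Ordered labels (constructed names). Higher value = more sensitive,
    or, when the same lattice is used for Biba, higher integrity."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Level


@dataclass(frozen=True)
class Obj:
    name: str
    level: Level


def blp_allows(subject, obj, action, strong_star=True):
    """Bell-LaPadula: protects confidentiality.

    read  -> simple security property: no read up (clearance must dominate the label)
    write -> *-property: no write down; with strong_star=True (the form the article
             describes) writes are confined to the subject's own level.
    """
    if action == "read":
        return subject.clearance >= obj.level
    if action == "write":
        if strong_star:
            return subject.clearance == obj.level
        return subject.clearance <= obj.level
    raise ValueError(f"unknown action {action!r}")


def biba_allows(subject, obj, action):
    """Biba: protects integrity (the dual of Bell-LaPadula).

    read  -> simple integrity property: no read down (only objects at the subject's
             integrity level or higher may be read)
    write -> *-integrity property: no write up (only objects at the subject's
             integrity level or lower may be written)
    """
    if action == "read":
        return subject.clearance <= obj.level
    if action == "write":
        return subject.clearance >= obj.level
    raise ValueError(f"unknown action {action!r}")


def evaluate(model, subject, objects, actions=("read", "write")):
    """Return {(object name, action): allowed?} for one subject under one model."""
    return {(o.name, a): model(subject, o, a) for o in objects for a in actions}


if __name__ == "__main__":
    # Constructed sample data: one SECRET-cleared analyst and three labelled documents.
    analyst = Subject("analyst", Level.SECRET)
    docs = [Obj("memo", Level.CONFIDENTIAL),
            Obj("report", Level.SECRET),
            Obj("plan", Level.TOP_SECRET)]
    for title, model in (("Bell-LaPadula", blp_allows), ("Biba", biba_allows)):
        print(title)
        for (obj_name, action), allowed in evaluate(model, analyst, docs).items():
            print(f"  {action:5} {obj_name:7} -> {'ALLOW' if allowed else 'DENY'}")
```

Running the script shows the two models giving mirror-image answers for the same analyst: Bell-LaPadula lets the SECRET subject read the CONFIDENTIAL memo but not the TOP_SECRET plan, while Biba lets it read the plan (higher integrity) but not the memo, and the write rules invert in the same way.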

While the Mandatory Access Control model is one of the most secure in the IS realm, getting access approval is often very slow and time-consuming. 

Role-Based Access Control (RBAC) 

This model is a standard part of access control implementation in ICS, or Industrial Control Systems. Instead of assigning clearance levels to approve access, this access control model grants access to objects based on the organizational role or job title assigned to the subject. Creating resource profiles for access based on job roles can be a great, streamlined option for organizations with clearly defined roles and associated objects. However, it's not an ideal access control model if your job requires you to work with many departments or on projects with wildly differing access levels. 

Rule-Based Access Control (RuBAC) 

This access control model uses a programmed set of "conditions," or rules, input by a system administrator to determine whether a subject should have access to an object. While some models only consider the subject and object when granting permission, RuBAC also considers the "action." It's similar to the if-then and if-then-else statements used by coders, and this model can utilize many conditions and variables to grant or deny permissions. An organization with information that should only be accessed at a certain time of day or in a certain geographic location might benefit from a RuBAC model, but changing the set of conditions often takes time and coding knowledge. 

Less common access control models 

While the following control models aren't as commonly used as the four listed above, you'll still need to know about them for the CISSP exam. Additionally, there are some specific situations where these access control methods can be particularly useful. 

Attribute-Based Access Control (ABAC) 

It may help to think of this form of access control as a combination of the RBAC and RuBAC models. Permissions are granted based on the subject's clearance designation, the type of object being requested, the action being performed on the object and the request's environment. For example, ABAC can assess your designated role, the type of file you're trying to access, whether you're trying to read or modify the file and what time of day you're requesting access before granting permission. As you can probably tell, this access control model allows system administrators much more control over whether permissions are granted but also requires a lot of coding or programming to create or modify. 
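The RBAC, RuBAC and ABAC sections above all come down to the same mechanism: a policy decision point that evaluates rules against attributes of the subject (its role), the object (its type), the action and the environment (here, the hour of day). The following added example (written for this guide, not taken from the article or from any product) implements such an evaluator in Python with a deny-overrides combining rule and a default decision of deny. The role names, object types, business-hours window and rule names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed environment attribute: 08:00-17:59 counts as business hours.
BUSINESS_HOURS = frozenset(range(8, 18))
ALL_HOURS = frozenset(range(24))
ANY = frozenset({"*"})          # wildcard: matches every value of that attribute


def _in(value, allowed):
    return "*" in allowed or value in allowed


@dataclass(frozen=True)
class Request:
    subject_role: str   # subject attribute (the RBAC part)
    object_type: str    # object attribute
    action: str         # "read" or "write"
    hour: int           # environment attribute, 0-23 (the RuBAC part)


@dataclass(frozen=True)
class Rule:
    name: str
    roles: frozenset
    object_types: frozenset
    actions: frozenset
    hours: frozenset = ALL_HOURS
    effect: str = "permit"      # "permit" or "deny"

    def matches(self, req):
        """A rule applies only when every attribute condition holds."""
        return (_in(req.subject_role, self.roles)
                and _in(req.object_type, self.object_types)
                and _in(req.action, self.actions)
                and req.hour in self.hours)


# Constructed sample policy.
POLICY = [
    Rule("finance-payroll-rw", frozenset({"finance"}), frozenset({"payroll"}),
         frozenset({"read", "write"})),
    Rule("hr-payroll-read", frozenset({"hr"}), frozenset({"payroll"}),
         frozenset({"read"})),
    Rule("engineer-source-rw", frozenset({"engineer"}), frozenset({"source"}),
         frozenset({"read", "write"})),
    # Environment-based rule: nobody modifies payroll outside business hours.
    Rule("no-payroll-writes-after-hours", ANY, frozenset({"payroll"}),
         frozenset({"write"}), ALL_HOURS - BUSINESS_HOURS, "deny"),
]


def decide(policy, req):
    """Return (decision, names of the rules that applied).

    Combining algorithm: deny-overrides. Any matching deny rule wins over any
    number of matching permit rules, and a request no rule covers is denied.
    """
    applicable = [r for r in policy if r.matches(req)]
    reasons = [r.name for r in applicable]
    if any(r.effect == "deny" for r in applicable):
        return "deny", reasons
    if applicable:
        return "permit", reasons
    return "deny", reasons


if __name__ == "__main__":
    for req in (Request("finance", "payroll", "write", 10),
                Request("finance", "payroll", "write", 22),
                Request("hr", "payroll", "read", 22),
                Request("hr", "payroll", "write", 10),
                Request("engineer", "payroll", "read", 10)):
        decision, why = decide(POLICY, req)
        print(f"{req.subject_role:9} {req.action:5} {req.object_type:8} @{req.hour:02}:00 -> {decision:6} {why}")
```

Returning the names of the applicable rules alongside the decision is what makes the policy auditable: the after-hours finance write is denied even though a permit rule also matched, and the log shows exactly which rule overrode it, while the HR write is denied simply because nothing in the policy permits it.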

Risk-Adaptive Access Control (RAdAC) 

RAdAC is one of the best access control models for administrators with an eye for threat and attack analysis. In addition to assessing the subject's clearance and authority, unique security metrics are also used to determine access. These metrics can include the type of connection a subject uses to request access, their physical location, and the authentication method used. This can be an ideal model for organizations where many employees request access to highly sensitive information in various ways and where information security varies according to various factors. However, like other granular access control methods, configuring and modifying this model can take a lot of work to get right. And since RAdAC means permission can change based on changing security conditions, it's not always the easiest for end-users. 

Identity-Based Access Control (IBAC) 

This is a very straightforward model for controlling access that can be used for consumer-facing information systems. An access control list is created defining permissions based on a subject's singular identity, defining what they, in particular, are and aren't allowed to access. This is often done using a login ID and password but can include fingerprinting or facial recognition data to approve access. IBAC can be a good option for systems with one subject requesting access to one low-security object; however, fingerprinting and facial recognition data are subject to change, privacy concerns and bias, and password systems put even more responsibility on the end user, sometimes causing "password fatigue." 

Organization-Based Access Control (OrBAC) 

Like the Role-Based Access Control model, OrBAC also considers a subject's designated role, the action being performed and the permissions associated with the object. However, before assessing these other factors, OrBAC also considers an additional level at the top of the hierarchy: the declared organization. This can be a good option for companies that are part of a larger parent company with multiple subsidiaries all sharing the same access and information. With so many different levels of information being shared in company structures like these, this access control method can help manage permissions without creating unique models for each part of your larger organization. 

Implementing access control 

The key to effective security lies in understanding access control concepts and implementing them correctly across your organization. Let's examine how these models and controls work together in practice. 

The implementation process 

Every effective access control system follows these essential steps: 

  1. Identification of the subject: When an entity requests access to a resource, the system must first identify it. This preliminary step happens before any authentication occurs and typically involves the subject presenting identifying information, such as a username. 
  2. Authentication: Once identity is established, the system must verify the subject is who they claim to be. This verification process matches presented credentials against stored information in the database. If the credentials don't match stored records, access is denied. 
  3. Privilege ACLs: After authentication, the system checks Access Control Lists to determine what privileges should be granted to the verified subject. These ACLs prevent subjects from performing actions they don't have permission to execute. 
  4. Audits: Regular audits need to be performed to identify security vulnerabilities and system flaws. These reviews help maintain the integrity of your access control system. 
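The four steps above, carried through in one small Python program. This is an added example written for this guide, not code from the article. Usernames, passwords, the resource name and the ACL entries are constructed sample data, and storing passwords as salted PBKDF2-HMAC-SHA256 hashes is an assumption about how the credential database looks.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256. Only the salt and derived key are stored, never the password."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, dk


class AccessControlSystem:
    def __init__(self):
        self.users = {}       # username -> (salt, derived key)
        self.acl = {}         # resource -> {username: set of permitted actions}
        self.audit_log = []   # one record per request, granted or not

    # --- setup ---------------------------------------------------------
    def add_user(self, username, password):
        self.users[username] = hash_password(password)

    def grant(self, resource, username, *actions):
        self.acl.setdefault(resource, {}).setdefault(username, set()).update(actions)

    # --- the four steps ------------------------------------------------
    def request_access(self, username, password, resource, action):
        # 1. Identification: the subject claims an identity; look it up.
        record = self.users.get(username)
        if record is None:
            return self._deny(username, resource, action, "unknown subject")
        # 2. Authentication: verify the claim against stored credentials.
        salt, stored = record
        _, presented = hash_password(password, salt)
        if not hmac.compare_digest(stored, presented):   # constant-time compare
            return self._deny(username, resource, action, "authentication failed")
        # 3. Privilege ACL: does the verified subject hold this right on this object?
        if action not in self.acl.get(resource, {}).get(username, set()):
            return self._deny(username, resource, action, "not permitted by ACL")
        # 4. Audit: every decision, granted or denied, is recorded.
        self._log(username, resource, action, True, "granted")
        return True

    def _deny(self, username, resource, action, reason):
        self._log(username, resource, action, False, reason)
        return False   # the caller sees a uniform denial; the reason lives only in the audit log

    def _log(self, username, resource, action, granted, reason):
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "subject": username, "object": resource, "action": action,
            "granted": granted, "reason": reason,
        })

    def failed_attempts(self, username):
        """Audit helper: count denials for one subject, e.g. to spot password guessing."""
        return sum(1 for e in self.audit_log if e["subject"] == username and not e["granted"])


def demo():
    """Constructed sample: two users, one resource, four access attempts."""
    acs = AccessControlSystem()
    acs.add_user("alice", "correct horse battery staple")
    acs.add_user("bob", "hunter2")
    acs.grant("payroll.db", "alice", "read", "write")
    acs.grant("payroll.db", "bob", "read")
    results = [
        acs.request_access("alice", "correct horse battery staple", "payroll.db", "write"),  # granted
        acs.request_access("bob", "hunter2", "payroll.db", "write"),   # denied by ACL
        acs.request_access("bob", "wrong", "payroll.db", "read"),      # authentication failed
        acs.request_access("mallory", "x", "payroll.db", "read"),      # unknown subject
    ]
    return acs, results


if __name__ == "__main__":
    acs, results = demo()
    for entry in acs.audit_log:
        print(entry["subject"], entry["action"], entry["object"], "->", entry["reason"])
```

Two design choices matter here. `request_access` returns the same `False` whether the username is unknown, the password is wrong or the ACL says no, so the interface does not reveal which accounts exist; the precise reason is written only to the audit log, which is what step 4 needs to find weaknesses (for instance, `failed_attempts` surfaces a subject accumulating denials).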

Selecting and adapting control models 

The type of access control model you choose depends on several organizational factors: 

  • Security requirements: High-security environments might need MAC, while more flexible environments could benefit from DAC 
  • Organizational structure: Larger organizations or those with clear role definitions might find RBAC most effective 
  • Resource sensitivity: The nature and importance of protected resources influences model selection 
  • Operational flexibility: Consider how different departments and roles need to interact with resources 
  • Growth trajectory: Choose a model that can scale with your organization 

Many institutions find that combining two or more access control methods into a hybrid model best suits their needs. As organizations grow and change, their access control approach can evolve from broad to granular implementations. 


Access control in practice 

Both on the exam and in real-world implementations, access control remains a critical component of information security. As organizations face increasingly complex security challenges, understanding and implementing the right combination of access control categories and models becomes essential for protecting sensitive resources. 

For CISSP candidates, mastering access control concepts is crucial for exam success and professional growth. According to CyberSeek, CISSP is currently the most requested cybersecurity certification in U.S. job listings. With information security managers earning an average salary of $175,583, the investment in understanding these concepts can significantly impact your career trajectory. 

The April 2024 exam update reflects the evolving nature of access control and information security. Stay current with these changes by: 

Stuart Gentry

Stuart Gentry is an InfoSec Institute contributor and computer security enthusiast/researcher. He holds a Master's degree in Information Assurance with GSEC and GCIH certifications. He has been interested in hacking since 1984 and has become more focused in software reverse engineering and malware research since September 2011. Stuart is always looking to learn new coding languages and exploitation methods. Contact Stuart via email at gentry_s1@yahoo.com or LinkedIn at www.linkedin.com/in/stuartgentry.