Security Controls
Security Controls:
A control is a countermeasure put in place to maintain the confidentiality, integrity, and availability (CIA) of information.
Access controls are the parameters used to restrict unauthorized access. They define who accesses what information, why that access is necessary, and how it is managed.
Information Security Controls:
Information security controls are the safeguards or measures that minimize cyber risk and detect and counteract information security threats to an organization. These risks may include:
Information security controls help protect the CIA triad of information security.
Which subjects can access which objects? Who can get access to our data, organization, and other assets, and what can they do once they have that access?
Access controls are not only used to restrict access but also to grant an appropriate level of permission to an authorized individual or process according to their role, and to deny access to those functions they are not authorized to use.
Access is based on three elements.
Subject:
Any entity that can request access to assets, such as a user, client, process, or program. It is the initiator of the request and is referred to as "active".
For Example:
A subject can be a user (person), process, or program. It may also include end devices, mobile phones, USB devices, etc.
Object:
An object is anything that a subject attempts to access.
For Example:
An object can be a person, user, device, process, program, or any entity that responds to the request of a subject.
The subject is active because it initiates a request, while the object is passive because it does not take any action until it is requested by a subject. An object only responds when it is requested by some entity (person, user, device, etc.).
Objects are passive in nature, which means that they cannot protect themselves and do not have their own access control logic; they need protection from unauthorized access.
Rules:
Rules are instructions developed to allow or deny access to an object by a subject; the subject's identity is compared with the valid identities defined in an access control list.
For Example:
Firewall Access Control List
By default, the firewall denies all access from any address to any address. Rules can then be added to allow access from the inside network to the outside network, and from the outside network to the inside network.
A rule can allow access to an object.
Controls are used to reduce risk.
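The default-deny, first-match behaviour described above, written out as a small rule evaluator. This is an added example, not code from the original article; the rule set, the inside/quarantine networks and the web server address are constructed (documentation ranges), and the Rule/FirewallACL/check names are assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One access control entry: allow or deny traffic matching src/dst/port."""
    action: str            # "allow" or "deny"
    src: str               # source network in CIDR notation, or "any"
    dst: str               # destination network in CIDR notation, or "any"
    dport: Optional[int]   # destination port; None matches any port

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        def in_net(net: str, ip: str) -> bool:
            return net == "any" or ip_address(ip) in ip_network(net)
        return (in_net(self.src, src_ip)
                and in_net(self.dst, dst_ip)
                and (self.dport is None or self.dport == dport))


class FirewallACL:
    """First-match rule list with an implicit 'deny any any' at the end."""
    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)

    def evaluate(self, src_ip: str, dst_ip: str, dport: int) -> str:
        for rule in self.rules:
            if rule.matches(src_ip, dst_ip, dport):
                return rule.action
        return "deny"   # default deny: nothing matched, so the packet is dropped


# Constructed sample rule set (addresses are documentation ranges, not real hosts).
INSIDE = "10.0.0.0/8"            # the inside network
QUARANTINE = "10.0.99.0/24"      # a quarantined inside subnet
WEB_SERVER = "203.0.113.10/32"   # a published server on the outside

RULES = [
    Rule("deny", QUARANTINE, "any", None),   # ordered first so it wins over the inside allow
    Rule("allow", INSIDE, "any", 443),       # inside -> outside HTTPS
    Rule("allow", INSIDE, "any", 80),        # inside -> outside HTTP
    Rule("allow", "any", WEB_SERVER, 443),   # outside -> published web server only
]
ACL = FirewallACL(RULES)


def check(src_ip: str, dst_ip: str, dport: int) -> str:
    """Return 'allow' or 'deny' for a packet against the sample ACL."""
    return ACL.evaluate(src_ip, dst_ip, dport)


if __name__ == "__main__":
    for pkt in [("10.1.2.3", "198.51.100.5", 443),
                ("10.0.99.7", "198.51.100.5", 443),
                ("198.51.100.5", "203.0.113.10", 443),
                ("198.51.100.5", "10.1.2.3", 22)]:
        print(pkt, "->", check(*pkt))
```

Rule order matters because the first matching entry decides: the quarantine deny is placed before the broader inside allow so that it takes effect, and anything no rule mentions (such as inbound SSH to an inside host) falls through to the implicit deny.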
Types of Access Controls:
Defense in Depth:
Defense in depth is the use of multiple logical and physical controls arranged in series to protect an asset. It is a layered approach in which different types of physical and logical controls are implemented to secure an asset.
For Example:
First, the organization's premises are protected by walls, fences, gates, and security guards, which are examples of physical controls. Then firewall rules are defined, which are an example of logical (technical) controls.
Rules defined so that only authorized individuals have access to certain data are an example of administrative controls.
Other examples:
Technical Control:
When logging in at an ATM, you use your card, which is something you have, and your PIN, which is something you know; this is called multifactor authentication. If someone has your card but does not have your PIN, they cannot access your bank account.
This is a two-layer approach.
Principle of Least Privilege:
The principle of least privilege means granting a user only the privileges necessary to complete their job.
For Example:
If an employee works on the help desk or as an HR manager, we should not give them administrative privileges. We should provide only the permissions required for their job. They should have a separate user account with the least privileges needed.
Privileged Access Management:
Privileged access management (PAM) is role-based access that is assigned only for a specific duration, when the use of a resource or service is needed.
For Example:
Privileged access management helps when a ransomware attack is happening in a company: if all employees have privileged access, then all of that organization's data can be affected, but if role-based access control is implemented, the whole domain cannot be affected because not all users have privileged access.
The main aim of privileged access management is to assign privileges only when a user needs them.
Privileged Accounts:
These accounts have more privileges than normal user accounts.
They include administrators' or managers' accounts. Privileged account users' activities should be logged, monitored, and audited because these are the critical accounts, and they should use multifactor authentication.
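Least privilege, time-boxed privileged access and audit logging of privileged accounts, combined in one added example (not code from the original article). The role catalogue, user names and the AccessManager/FakeClock names are constructed for illustration; a real deployment would take the clock from the system and the approver from an authenticated session.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

# Constructed role catalogue: each role carries only the permissions its job needs.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "helpdesk":     {"ticket:read", "ticket:update", "user:reset_password"},
    "hr_manager":   {"employee:read", "employee:update"},
    "domain_admin": {"user:create", "user:delete", "gpo:edit", "server:rdp"},
}
PRIVILEGED_ROLES = {"domain_admin"}   # roles whose use must be time-boxed and audited


@dataclass
class Elevation:
    role: str
    expires_at: float
    approver: str


@dataclass
class User:
    name: str
    roles: Set[str]                                              # standing, least-privilege roles
    elevations: List[Elevation] = field(default_factory=list)    # temporary PAM grants


class AccessManager:
    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self.audit: List[str] = []

    def active_roles(self, user: User) -> Set[str]:
        now = self.clock()
        # Expired elevations are dropped automatically: privilege is held only while needed.
        user.elevations = [e for e in user.elevations if e.expires_at > now]
        return set(user.roles) | {e.role for e in user.elevations}

    def effective_permissions(self, user: User) -> Set[str]:
        perms: Set[str] = set()
        for role in self.active_roles(user):
            perms |= ROLE_PERMISSIONS.get(role, set())
        return perms

    def grant_temporary(self, user: User, role: str, seconds: float, approver: str) -> None:
        """Just-in-time elevation: a privileged role for a bounded window, recorded in the audit log."""
        if approver == user.name:
            raise PermissionError("a user may not approve their own elevation")
        expires = self.clock() + seconds
        user.elevations.append(Elevation(role, expires, approver))
        self.audit.append(f"ELEVATE user={user.name} role={role} approver={approver} expires={expires:.0f}")

    def authorize(self, user: User, permission: str) -> bool:
        allowed = permission in self.effective_permissions(user)
        privileged = bool(self.active_roles(user) & PRIVILEGED_ROLES)
        if privileged or not allowed:
            # Every privileged action and every denied request is logged for monitoring and audit.
            self.audit.append(f"{'ALLOW' if allowed else 'DENY'} user={user.name} perm={permission}")
        return allowed


class FakeClock:
    """Controllable clock so the expiry behaviour can be demonstrated without sleeping."""
    def __init__(self, t: float = 0.0):
        self.t = t

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> dict:
    """Walk a help desk user through a 15-minute admin elevation and its expiry."""
    clock = FakeClock()
    mgr = AccessManager(clock)
    bob = User("bob", roles={"helpdesk"})
    result = {}
    result["standing_admin"] = mgr.authorize(bob, "user:delete")   # False: least privilege
    mgr.grant_temporary(bob, "domain_admin", seconds=900, approver="alice")
    result["elevated_admin"] = mgr.authorize(bob, "user:delete")   # True: inside the window
    clock.advance(901)
    result["after_expiry"] = mgr.authorize(bob, "user:delete")     # False: the grant lapsed
    result["audit_entries"] = len(mgr.audit)
    return result


if __name__ == "__main__":
    print(demo())
```

Bob's standing account never carries admin rights; the domain_admin role exists only inside an approved, expiring window, and every use of it (plus every denial) leaves an audit record, which is the logging and monitoring the text calls for on privileged accounts.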
Segregation of Duties:
Segregation of duties, also known as separation of duties, is a security practice under which a single person should not control an entire high-risk activity from beginning to end.
Segregation of duties divides the activity into separate parts, and each part requires a different person to execute it.
For Example:
One part of an activity is completed by one person, and another part of the same task is completed by another person.
In a bank, an employee submits an invoice for payment to a vendor, but that invoice must be signed by a manager before payment is made.
Collusion:
Collusion is when two people with segregated duties combine to commit fraud.
Dual Control:
Dual control is another implementation of segregation of duties.
For Example:
Suppose a bank vault door is protected by a password: one person knows the first part of the password and another person knows the second part. To open the door, both must act together. This is called dual control.
Two-Person Integrity:
Two-person integrity is a security strategy that requires a minimum of two people to be present together in an area; no one should be there alone.
This strategy helps reduce insider threats and also supports life safety, because if an emergency happens a second person is available to assist.
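The invoice approval workflow and the split-password door from the segregation of duties and dual control sections above, as one added example (not code from the original article). Invoice numbers, names and the Invoice/DualControlLock names are constructed; in a real system the identities of the submitter, approver and custodians would come from authenticated sessions rather than from caller-supplied strings.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Set


class SoDViolation(Exception):
    """Raised when one person tries to perform both halves of a segregated task."""


@dataclass
class Invoice:
    invoice_id: str
    vendor: str
    amount: float
    submitted_by: str
    approved_by: Optional[str] = None


def submit_invoice(invoice_id: str, vendor: str, amount: float, employee: str) -> Invoice:
    """Part one of the task: an employee raises the invoice."""
    return Invoice(invoice_id, vendor, amount, submitted_by=employee)


def approve_invoice(invoice: Invoice, manager: str, managers: Set[str]) -> Invoice:
    """Part two of the task: a manager signs it, and it must be a different person."""
    if manager not in managers:
        raise PermissionError(f"{manager} is not an approving manager")
    if manager == invoice.submitted_by:
        # The same person submitting and approving would collapse the two duties into one.
        raise SoDViolation(f"{manager} cannot approve an invoice they submitted")
    invoice.approved_by = manager
    return invoice


def try_approve(invoice: Invoice, manager: str, managers: Set[str]) -> str:
    """Convenience wrapper returning the outcome as a string."""
    try:
        approve_invoice(invoice, manager, managers)
        return "approved"
    except SoDViolation:
        return "sod_violation"
    except PermissionError:
        return "not_a_manager"


def can_pay(invoice: Invoice) -> bool:
    """Payment is released only once a second, distinct person has approved."""
    return invoice.approved_by is not None and invoice.approved_by != invoice.submitted_by


class DualControlLock:
    """A lock whose code is split in two parts, each known to a different custodian.

    The parts are joined and hashed, so the lock never stores the full code and the
    stored digest can only be reproduced when both custodians supply their part.
    """
    def __init__(self, part_a: str, part_b: str):
        self._digest = self._combine(part_a, part_b)

    @staticmethod
    def _combine(part_a: str, part_b: str) -> bytes:
        return hashlib.sha256(f"{part_a}\x00{part_b}".encode()).digest()

    def open(self, holder_a: str, part_a: str, holder_b: str, part_b: str) -> bool:
        if holder_a == holder_b:
            # One person presenting both parts defeats the purpose of dual control.
            return False
        return hmac.compare_digest(self._combine(part_a, part_b), self._digest)


if __name__ == "__main__":
    inv = submit_invoice("INV-0001", "Example Vendor", 250.0, employee="alice")
    print(try_approve(inv, "alice", {"alice", "bob"}), can_pay(inv))   # sod_violation False
    print(try_approve(inv, "bob", {"alice", "bob"}), can_pay(inv))     # approved True
    door = DualControlLock("first-half", "second-half")
    print(door.open("carol", "first-half", "dave", "second-half"))     # True
```

Note what these checks do and do not cover: they stop one person from completing the whole task alone, but they cannot stop two legitimate participants who agree to misuse their halves, which is the collusion case the text describes and why logging and review of approvals still matter.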
Authorized Vs Unauthorized:
Authorized:
Authentication means that a subject has confirmed its identity to a system. Once a subject is authenticated, the system checks its authorization level to determine whether the subject is authorized to perform a particular action.
Unauthorized:
When a subject is authenticated, the system checks its authorization level, that is, how much data or which permissions the subject has. If the subject does not have the proper permissions or privileges for a certain file or data, the subject is unauthorized.
For Example:
When a user logs into a system, the user is authenticated by entering a username and password. After logging in, if the user wants to delete a certain file or folder and has permission to do so, the user is authorized and has that level of privilege. If the user does not have permission to delete the file, the user is unauthorized and cannot delete it.
User Provisioning:
User provisioning is an identity management process for creating and managing access to resources and information systems. (ISC2)
If an employee is on leave, their account should be deactivated and reactivated when they return. This decreases the risk of their account being accessed by others while they are on leave.
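The two-step sequence from the authorized/unauthorized section (first authenticate, then authorize) together with the provisioning lifecycle above, as one added example that is not code from the original article. The Directory class, the attempt() helper, the user names and the permission strings are constructed for illustration; password hashing uses PBKDF2 from the Python standard library.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    permissions: Set[str]
    active: bool = True      # provisioning state: deactivated accounts cannot authenticate


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so stored credentials are not the passwords themselves.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class Directory:
    """Minimal identity store covering provisioning, authentication and authorization."""
    def __init__(self):
        self.accounts: Dict[str, Account] = {}

    def provision(self, username: str, password: str, permissions: Set[str]) -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(username, salt, _hash_password(password, salt),
                                          set(permissions))

    def deactivate(self, username: str) -> None:
        self.accounts[username].active = False     # e.g. the employee goes on leave

    def reactivate(self, username: str) -> None:
        self.accounts[username].active = True      # the employee returns

    def deprovision(self, username: str) -> None:
        self.accounts.pop(username, None)          # the employee leaves for good

    def authenticate(self, username: str, password: str) -> Optional[Account]:
        """Step 1: has the subject proved its identity? Returns the account or None."""
        acct = self.accounts.get(username)
        if acct is None or not acct.active:
            return None
        if not hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash):
            return None
        return acct

    @staticmethod
    def authorize(acct: Account, permission: str) -> bool:
        """Step 2: is the authenticated subject allowed to perform this action?"""
        return permission in acct.permissions


def attempt(directory: Directory, username: str, password: str, action: str) -> str:
    """Return 'unauthenticated', 'authorized' or 'unauthorized' for one request."""
    acct = directory.authenticate(username, password)
    if acct is None:
        return "unauthenticated"
    return "authorized" if directory.authorize(acct, action) else "unauthorized"


if __name__ == "__main__":
    d = Directory()
    d.provision("alice", "correct horse battery", {"file:read"})
    print(attempt(d, "alice", "correct horse battery", "file:read"))    # authorized
    print(attempt(d, "alice", "correct horse battery", "file:delete"))  # unauthorized
    d.deactivate("alice")
    print(attempt(d, "alice", "correct horse battery", "file:read"))    # unauthenticated
```

A wrong password and a deactivated account both fail at step 1, before any permission is consulted; a correct login with insufficient permissions fails at step 2. Keeping the two outcomes distinct in the return value is what lets a log reader tell a failed login apart from a denied action.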