Join the 40,000+ candidates in over 58 countries that have found a faster, better way to pass their certification exam.
Comprehensive practice exam engine!
All features in the FREE plan, plus:
Welcome to our access control models module. Centralized access control models are frameworks that allow us to determine how subjects can interact with objects. These put technologies and controls in place to enforce rules, and objectives of our security policy. There are four main modules. DAC or discretionary access control in this case we provide the data owner with the ability to give access to those who need to access it.
MAC, or Mandatory Access Control. This is based on classification levels. Role based access controls. This allows you to assign rights to roles. And then role-based access control is also known as RBAC. Here we define access based on a set of conditions. With our discretionary access control, or DAC, our data owner, or data creator decides who can access the resources.
Here you have less central system administration and we call this discretionary because the control is not dictated by a company policy, but rather by the owner or creator of the information. This is usually implemented through access control lists, or ACLs, and is based on need to know. This model works well in environments that do not have a high level of centralized security, such as a home office or a small business that does not have a centralized server responsible for implementing controls.
Dak is a very simple model that allows sharing based simply on the identity of the subjects who are trying to access the objects. It is commonly used with Microsoft SharePoint services in enterprise environments, and here we do not have any separation of duties. The person who designs the content has the full power to determine who can access it.
MAC or Mandatory Access Control is a very inflexible model. Here we base the access on the user's security clearance, and the classification of the object they're attempting to access. Each user is required to have a clearance and each object must be stored with a security label to identify it.
The administrator of the system determines who has access to what objects. Subjects in the system are not permitted to share their permissions to another subject, it is determined solely by the administrator. These are typically used in environments with high levels of security. So for example, you can use DAQ for unclassified data.
And MAC for classified data that requires higher security. And MAC is usually used in many military institutions, and military is a good way to remember mandatory because they both start with the letter m. So if you think of mandatory access controls and you remind yourself of the military, it's an easy way for you to remember that.
When we talk about RBAC, there are two different RBAC. We have role based access controls, and we also have rule based access controls. And it's important to read questions carefully on the CISSP exam to make sure that you are looking at the correct type of control. With role-based access control, we will assign all of our users with a single role that they hold in the company. Administrators will assign the users to different roles and then provide access rights to each role. So in this model, we're not assigning rights directly to users, we are only assigning the rights to the role. And then we're placing a user into that role. This works well in environments with a high rate of turnover or if you're trying to put clear separation of duties in place.
Some roles, for example, might include, in the medical field, a doctor, a nurse, and a pharmacist. The doctor is permitted to write prescriptions, but not fill prescriptions. The pharmacists is permitted to fill prescriptions, but not write them. And the nurse is neither permitted to fill prescriptions nor write them.
Another example would be a banking environment. You'd have a bank president, a loan officer, and a teller. A teller can issue fund to a customer, but is not permitted to approve loans. A loan officer may be permitted to approve loans, but is not allowed to hand money directly to the customer.
The bank president may be authorized to perform both functions. Our second arback is rule based access control. This is dynamic model which has rules that determine what subjects are allowed to access which objects. The rules may allow access or deny access depending on the access control list or A.C.L. Some business changes will trigger the application of roles.
There are many different ways to apply roles, but one of the most common is time. As an example, if your organization is only open Monday through Friday from 9 AM to 5 PM, you could prohibit all of your employees from logging in after 5 PM, or on the weekends.
This would be an example of a time based rule that would prevent access. Most firewalls use access control lists, and these are considered rule based. Also layer three switches can determine which VLAN or virtual local area network traffic is supposed to be based on tags, and that is another example of a rural based control.
Another example is geo-location, where we can permit users to log in to a system, depending on where they are geographically located, or block them from accessing a system if they are not located in the correct geographical area. This concludes our access control models module. Thank you for watching.
Classified by skill and ranked by difficulty. Choose to answer questions in STUDY MODE to review and you go.
Know when you’re ready for the high-stakes exam. Have the confidence that you will pass on your first attempt.
Don’t forget what you’ve just studied! Use the intelligent reinforcement questions to stay fresh.
THANK YOU! Just bloody thank you! I’m doing the CEH minor at my college and well...I’ve learned more from this site in a few hours than I’ve learned from my school in 9 weeks about the subject. Keep up the good work!
Skillset’s Exam Engine continuously assesses your knowledge and determines when you are ready take and pass your exam. When Skillset learns that there is a gap between your knowledge and what you need to know to pass, we present you with a focused training module that gets you up to speed quickly. No fluff! Find your knowledge gaps and fill them.
Skillset is confident that we can help anyone pass their exam. If you reach 100% readiness, and you do not pass your exam, we will refund you plus pay for a replacement exam voucher. That’s how powerful our learning system is, we can offer this guarantee and stand behind our products with this no risk to you guarantee. See terms and conditions.
Don’t waste time studying concepts you have already mastered. Focus on what you need to know to pass. The Skillset Competency Diagnostic aligns our Exam Engine and Learning Plan to your baseline knowledge. This saves an average of 31% of the time required to prep for a professional certification exam.
More PRO benefits are being built all the time!