Maintaining access control is a key part of day-to-day cybersecurity and is often a function assigned to many entry-level professionals. Larry Watlington, CISSP, explains the fundamentals for those taking on access control responsibilities for the first time.

Often, when we talk about cybersecurity, our lexicon is filled with technical jargon and acronyms that will send the average person running away in a mad frenzy. After a few years of teaching IT and cybersecurity to beginner college students, whose most useful cybersecurity talent was googling cheat codes for the latest version of Fortnite, I have wholeheartedly embraced this quote.

“If you can’t explain it to a six-year old, you don’t understand it yourself” – Albert Einstein

With the mentality of Albert Einstein, we will break down the fundamental processes that fortify the NIST 800-53 Risk Management Framework (RMF)/JSIG Access Control (AC) Security Control Family.

Going Back to Basics

First, let’s forget terms like RMF and NIST 800-53 frameworks for a moment and focus on the basic steps associated with controlling access to anything that’s valuable. There are a few rudimentary security steps we all perform in our day-to-day lives that assist us in mitigating risks:

  • Identify
  • Authenticate
  • Authorize
  • Access Control
  • Audit

Let's suppose I come to your house at 10:00pm and ring the doorbell. What is the first thing you do? It would probably be to look out of the window, check your security cameras or look through the peep hole in the door to see if you can “identify” who I am before making any decision about entry or prevention. This is effectively what we do on the network when you enter your username. You are providing a form of identification.

However, simply providing identification is not sufficient; you will need to verify or “authenticate” that the identification is valid. So, before you open the door and let me in, you might want to check a form of photo ID. This is what the network does when we enter our password. It authenticates that we are who we say we are.

Extra Layers of Authentication

Many organizations are moving to multi-factor authentication (MFA) to better validate our identity. This is based on requiring two or more authentication factors such as something you know (a username), something you have (a token or Common Access Card) or something you are (biometrics such as a fingerprint or retina scan).

Now that my identity has been authenticated, you decide to let me into the house (but you remain cautious). Once inside, I am sure you will not allow me to freely roam into any room of your house. You will “authorize” the areas of the house I can go, such as the living room, den or guest bathroom. A similar process exists on the network. Once you are logged in, various software and hardware components such as Domain Controllers and Active Directory will control where you are able to go on the network.

Policies and Processes

At this point, I am authorized to be in the den. I make a move towards the high-tech remote that controls your $5,000 Bose media center. As I see your hand move methodically toward the remote to intercept it, I quickly realize that I do not have “access” or permission to touch that remote even though I am authorized to be in the room. On the network we use various types of access control policies to grant users permissions to objects in a given network location. These include discretionary access controls (DAC), mandatory access controls (MAC) or role-based access controls (RBAC) to grant access to directories, folders or files.

Well, now it's time for me to leave your home and, if you are vigilant, I am sure you will do a quick check of the areas I was authorized to go. You will double-check the areas I was allowed to access just to ensure everything is still intact. In other words, you will do an “audit” to be sure nothing is missing or has changed. Cybersecurity professionals use information contained in security event logs to continuously perform audits on the network. These security logs capture every place you visit and every object you try to access.
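The five steps above, run in order on a single request, as an added example that is not part of the original article. The user, rooms, object permissions and function names are constructed for illustration; the point is that being authorized for the den does not grant access to the remote, and that every decision lands in the audit log.

```python
import hashlib
import hmac
import os

def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so stored credentials are not plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample data (assumptions, not from the article).
_SALT = os.urandom(16)
USERS = {"larry": {"salt": _SALT, "pw_hash": _hash("correct horse", _SALT),
                   "rooms": {"living_room", "den", "guest_bathroom"}}}
# Per-object permissions inside a room; an empty set means nobody may touch it.
OBJECT_ACL = {("den", "sofa"): {"larry"}, ("den", "media_remote"): set()}
AUDIT_LOG = []  # every decision is recorded, allowed or denied

def request_access(username, password, room, obj):
    """Identify, authenticate, authorize, check access, and audit one request."""
    def decide(step, allowed):
        # 5. Audit: log who asked for what, which step decided, and the outcome.
        AUDIT_LOG.append({"user": username, "room": room, "object": obj,
                          "step": step, "allowed": allowed})
        return allowed

    user = USERS.get(username)                      # 1. Identify: who is at the door?
    if user is None:
        return decide("identify", False)
    candidate = _hash(password, user["salt"])       # 2. Authenticate: check the ID
    if not hmac.compare_digest(candidate, user["pw_hash"]):
        return decide("authenticate", False)
    if room not in user["rooms"]:                   # 3. Authorize: which rooms?
        return decide("authorize", False)
    # 4. Access control: default deny for objects with no matching permission.
    allowed = username in OBJECT_ACL.get((room, obj), set())
    return decide("access_control", allowed)

def denied_events():
    """What an auditor would review first: every request that was refused."""
    return [e for e in AUDIT_LOG if not e["allowed"]]
```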

The process of protecting access to information on our networks may not be as simple as subduing or expelling an intruder. However, the overall mindset for protecting information access is nothing new or cosmic. It is a basic process that's used every day... Keep Cyber Simple!

Larry Watlington, CISSP, has over 30 years of experience in cybersecurity, IT, telecommunications and military command and control systems. He is a senior cybersecurity manager at Raytheon Business and an adjunct IT/cybersecurity professor for multiple universities. His cybersecurity activities span risk management, auditing, NIST 800-53 security control implementation, and mentoring the next generation of cybersecurity professionals.
