xlii Access Control
Access Control
According to the Information Systems Security Organization (ISSA) [23],
“access control is the collection of mechanisms for limiting, controlling,
and monitoring system access to certain items of information, or to certain
features based on a user’s identity and their membership in various pre-
defined groups.” In this section, we will explore the major building blocks
that comprise the field of Access Control as it applies to organizational enti-
ties and to the information systems these entities are trying to protect from
compromising situations.
Purpose of Access Control
You may be asking yourself, “What are some reasons why we should have
access control?” Access control is necessary for several good reasons. Infor-
mation proprietary to a business may need to be kept confidential, so the
confidentiality issue that provides a purpose for having access controls.
The information that an organization keeps confidential also needs to be
protected from tampering or misuse. The organization must ensure the
integrity of this data for it to be useful. Having internal data integrity also
provides a purpose for having access controls. When employees of the orga-
nization show up for work, it is important that they have access to the data
they need to perform their jobs. The data must be available to the employ-
ees for work to continue, or the organization becomes crippled and loses
money. It is essential that data availability be maintained. Access controls
provide yet another purpose in maintaining a reasonable level of assurance
the data is available and usable to the organization. Therefore, the answer to
the question above is that there are three very good reasons for having access
controls: confidentiality, data integrity, and data availability.
Access Control Entities
In any discussion of access control, there are some common elements that
need to be understood by all parties. These elements comprise a common
body of terminology to ensure that everyone working on security access
issues is talking about the same thing. For our purposes, there are four pri-
mary elements we will discuss: (1) the Subject, an active user or process that
requests access to a resource; (2) the Object, a resource that contains infor-
mation (can be interchanged with the word Resource); (3) the Domain, a set
of objects the Subject can access; and (4) Groups, collections of Subjects
and Objects that are categorized into groups based on their shared charac-