
Access Control Types – Technical and Physical Controls

10/06/2012 Article

BG

Technical and physical access control types are two separate categories, though I find them conceptually very similar in nature, quite possibly because most virtual concepts are modelled on real-world ones (even if that means occupying an nth-dimensional space).

Technical Access Controls

Technical access control is also known as logical access control and can be further broken down into six sub-types:

  • Network Access
  • Remote Access
  • System Access
  • Application Access
  • Malware Control
  • Encryption

Network access controls are those that exist as part of the communications infrastructure designed to serve the users and resources. 

Examples of Network Access Controls

  • Physical networking
  • VLANs
  • Firewalls
  • ACLs
  • All different types of proxy server
  • Network Access Control (NAC) policies. A NAC policy specifies the condition that a device attempting to connect to the network must be in, for example “must have an up-to-date virus scanner” or “must use an encryption certificate for all network communication”.

What is Remote Access Control?

Remote access controls apply where the user is “off-site”. This can be because they are working from home, a travelling salesperson in a hotel, or a consultant at a customer's site.

To access any of the company resources the user must first gain access to the company network. The most obvious example is the use of a VPN: the user must have a correct username and password combination and sufficient privileges to connect remotely.

Another example is the use of a Remote Desktop Gateway with Network Level Authentication, although the user may not realise it, as it is performed seamlessly. The user must first authenticate against the network and then onto the Terminal Server.

What are System Access Controls?

System access control is a very broad sub-type: essentially wherever you log in to a particular server or service. It could arguably be named “Operating System Access Control”.

The most obvious occasions are places where you use a username and password, but it can also include smart cards and other authentication media. Things like terminal servers are easy to recognise as system access control, but it also includes things like SSH console connections, access to Windows file shares and the Microsoft Management Console. These last two are less obvious because the access control is done in the background with your previously logged-in authentication details.

What are Application Access Controls?

Application access controls are as obvious as you might think, but also much more. Yes, they do the whole logging-on thing, which depending on the scenario can be made seamless with the OS authentication. But applications can also provide different access depending on which section of the application you are working in, what time of day it is, which network you are connecting from, or any other factor you care to think of.

This is not limited to your access to the application either. It can also cover the access details the application uses to reach a database server, which, done correctly, makes the application more secure and its vulnerabilities harder to exploit. That is not even considering the data validation and sanity checking that can be performed.
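A worked illustration of the context-aware application access just described (section, role, time of day and source network all checked before entry). This is an added example, not code from the article; the policy values, section names, roles and networks are constructed placeholders.

```python
import ipaddress
from datetime import datetime

# Constructed sample policy (hypothetical values, not from the article).
# Each application section lists the roles allowed into it, the hours during
# which it may be used and the networks it may be reached from.
POLICY = {
    "reports": {
        "roles": {"analyst", "manager"},
        "hours": ("00:00", "23:59"),
        "networks": ["10.0.0.0/8", "192.168.10.0/24"],
    },
    "payroll": {
        "roles": {"hr"},
        "hours": ("08:00", "18:00"),      # office hours only
        "networks": ["10.0.5.0/24"],      # HR VLAN only
    },
}


def _hhmm(value):
    """Parse 'HH:MM' into a time object; raises ValueError on bad input."""
    return datetime.strptime(value, "%H:%M").time()


def check_access(section, role, now, source_ip, policy=POLICY):
    """Decide whether a request may enter a section of the application.

    Every factor (section, role, time of day, source network) must pass;
    anything malformed or unmatched is a deny. Returns (allowed, reason).
    """
    rule = policy.get(section)
    if rule is None:
        return False, "unknown section"
    if role not in rule["roles"]:
        return False, "role not permitted for section"
    try:
        start, end = (_hhmm(t) for t in rule["hours"])
        if not start <= _hhmm(now) <= end:
            return False, "outside permitted hours"
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False, "malformed time or source address"
    if not any(addr in ipaddress.ip_network(n) for n in rule["networks"]):
        return False, "source network not permitted"
    return True, "ok"
```

The deny-by-default shape matters: an unknown section, a malformed address or a missing factor all fall through to a refusal rather than to the OS login having been "good enough".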

What is Malware Control?

Malware control is just as simple as you think: controlling viruses, trojan horses, etc. via the use of anti-virus technologies, file integrity checking and intrusion prevention systems (IPS).

Cryptography

Cryptography as an access control type is not necessarily that obvious but does play a strong part. Hashing is a one-way encryption process and should be used on stored passwords, but that is not really what is meant here.

The example given in the CISSP CBK is a spreadsheet that for whatever reason must be stored on a shared network drive but should only be accessible by certain members of staff. If it is encrypted it is not accessible unless the user knows the decryption password.

A similar problem is the physical transfer of a large dataset that has to go by courier. If we encrypt it, you again need the password to access the information. A completely different example of encryption as an access control is the use of SSL certificates for SSH authentication: you physically have to have a copy of the certificate to be able to gain access.

What is Physical Access Control?

Physical access controls also work in the defence-in-depth style mentioned in an earlier article. Think ditches around the compound, a double-layered security fence, security guards on patrol, sentry towers, movement sensors coupled with CCTV, a building entry sign-in procedure and access passes, man-trap systems that can smell your “signature body odours” and know how heavy you should be, swipe cards for certain building areas, fingerprint readers for the server rooms, combination locks on the server cabinet and so on. As with all security considerations, the more valuable the assets are considered to be, the more involved the controls become.

When designing physical access controls you must consider all the types of resource you are trying to protect, including users. Users are particularly important here because they present a potential conflict of interests: it is often their access you are intending to control, but equally they must have emergency escape routes. Human safety is always the number one priority (think the opposite of The Hive in the Resident Evil films).

It is important to note that with physical security you are not just protecting resources; you are protecting the humans involved as well.
