ITPro.TV: CompTIA Security+ (SY0-601)

author: Nathan Acks
date: 2022-03-14


Access Control Schemes

Access control is about how authorization is actually enforced.

Common access control models:

Confusingly, both rule-based access controls and role-based access controls use the acronym “RBAC”.

The difference between rule-based access controls and attribute-based access controls is that the former generally refers to access that’s granted depending on the subject’s current state, rather than on properties inherent to the subject itself (its “attributes”). For example, allowing or denying access to a system based upon the user’s current geographic location is an example of rule-based access control, while basing access on the user’s organizational unit is an example of attribute-based access control.

As if the difference between rule-based and attribute-based access control wasn’t muddy enough, people will also refer to “conditional access”. Conditional access controls (CACs) generally look at the state of the client the user is attempting to use to access the object in question, rather than attributes of the user themself (think: Google Workspace’s Context-Aware Access system). Conditional access controls generally define this state in both rule-like and attribute-like ways.
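To make the three distinctions above concrete, here is an added example (not part of the ITPro.TV course or these notes) of a toy policy engine that keeps the three kinds of decision separate: an attribute-based check on who the subject is (their org unit), a rule-based check on the subject’s current state (the country the request comes from), and a conditional-access check on the state of the client (managed device, MFA). The subjects, countries and device states are constructed sample data, and the deny-by-default ordering and the reason strings are my own choices.

```python
# Added example: a toy policy engine separating attribute-based, rule-based and
# conditional-access decisions. All subjects, countries and device states below
# are constructed sample data, not taken from any real system.
from dataclasses import dataclass


@dataclass
class Subject:
    name: str
    org_unit: str                  # property inherent to the subject (ABAC input)


@dataclass
class Context:
    """Transient state of the request, not of the user."""
    country: str                   # subject's current state (rule-based input)
    device_managed: bool           # state of the client device (conditional-access input)
    mfa_passed: bool               # state of the client session (conditional-access input)


@dataclass
class Decision:
    allowed: bool
    reason: str                    # prefixed with the model that produced it, for logging


def attribute_based(subject: Subject, resource_ou: str) -> Decision:
    """ABAC: decide on who the subject is (their org unit), ignoring where they are."""
    if subject.org_unit == resource_ou:
        return Decision(True, "ABAC: subject's org unit matches the resource")
    return Decision(False, f"ABAC: org unit {subject.org_unit!r} may not access {resource_ou!r}")


def rule_based(context: Context, allowed_countries: frozenset) -> Decision:
    """Rule-based: decide on the subject's current state (geographic location),
    applied the same way to every subject regardless of their attributes."""
    if context.country in allowed_countries:
        return Decision(True, "rule: request originates from an allowed country")
    return Decision(False, f"rule: requests from {context.country!r} are denied")


def conditional_access(context: Context) -> Decision:
    """CAC: decide on the state of the client being used (managed device, MFA),
    in the style of a context-aware access system."""
    if not context.device_managed:
        return Decision(False, "CAC: client device is not managed")
    if not context.mfa_passed:
        return Decision(False, "CAC: session has not completed MFA")
    return Decision(True, "CAC: client meets device and session requirements")


def authorize(subject: Subject, context: Context, resource_ou: str,
              allowed_countries: frozenset = frozenset({"US", "CA"})) -> Decision:
    """Deny-by-default: every layer must allow. The first failing layer's reason is
    returned so an audit log shows *which* model denied the request."""
    for decision in (attribute_based(subject, resource_ou),
                     rule_based(context, allowed_countries),
                     conditional_access(context)):
        if not decision.allowed:
            return decision
    return Decision(True, "all access control layers allowed the request")


if __name__ == "__main__":
    alice = Subject("alice", "finance")
    from_office = Context(country="US", device_managed=True, mfa_passed=True)
    print(authorize(alice, from_office, "finance"))
    print(authorize(alice, Context("RU", True, True), "finance"))
```

The useful property of this layout is that a denial always names the model that produced it: an “ABAC:” reason means the user’s identity is wrong for the resource, a “rule:” reason means the user is fine but their current state is not, and a “CAC:” reason means the user and their state are fine but the device or session they are using is not. That is exactly the distinction the three terms above are trying to draw, and keeping the checks separate makes the same distinction visible in logs.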

Finally, there’s “Privileged Access Management” (PAM). PAM systems are concerned with managing and monitoring user access (particularly administrator access). Up until now we’ve been talking about approaches to managing access; PAM systems represent the class of software that actually instantiates these approaches.

Examples: Thycotic, CyberArk, Arcon, One Identity Safeguard.

Account Management - Account Types

Account Management - Password Policies

Account Management - Account Policies

This is more Windows-specific. In particular, account policies in Active Directory apply to all objects in the directory (users, computers, etc.)

An account policy is generally a set of pre-applied configuration parameters that the user (or computer, or whatever) cannot change. However, in Active Directory you can also set some access policies, which determine under what conditions we have access to a particular system or object (RBACs/ABACs/CACs as we discussed above), through the same “User Properties” interface.