Certified in Cybersecurity Domain 3 Access Control Concepts Detailed Notes

---

Objective

This domain introduces foundational principles for managing and securing access to systems and data. The focus is on authorization, authentication, access models, and accountability. Understanding how to regulate access is critical in protecting confidentiality, integrity, and availability (CIA) of information systems.

What You’ll Learn in Domain 3

1. Access Control Fundamentals
   • What access control is and why it’s essential.
   • Core principles: identification, authentication, authorization, and accountability (IAAA).
2. Authentication Methods
   • Single-factor and multi-factor authentication (MFA).
   • Types: something you know (password), have (token), are (biometrics), do (behavior), or where you are (location-based).
3. Access Control Models
   • Mandatory Access Control (MAC) – rigid, based on classification (e.g., military).
   • Discretionary Access Control (DAC) – flexible, owner decides access.
   • Role-Based Access Control (RBAC) – access tied to job roles.
   • Attribute-Based Access Control (ABAC) – dynamic, based on policies and attributes.
4. Account Management
   • Creating, maintaining, and deactivating user accounts securely.
   • Enforcing least privilege and separation of duties.
5. Access Control Tools & Techniques
   • Logical access controls: passwords, smart cards, biometric systems.
   • Physical access controls: locks, security guards, access badges.
6. Remote Access
   • Secure methods for offsite access like VPNs, remote desktop, cloud authentication mechanisms.
7. Monitoring and Auditing Access
   • Keeping records, logging events, analyzing user behavior to detect unauthorized access.

3.1 – Understand Physical Access Controls

Objective: To understand how physical security mechanisms protect information systems by preventing unauthorized physical access to facilities, devices, and data.

What Are Physical Access Controls?

Physical access controls are the security measures designed to restrict access to physical areas or equipment. They prevent unauthorized individuals from entering spaces where sensitive information, systems, or infrastructure is located. These controls are part of the broader defense-in-depth strategy and form the first layer of protection in any cybersecurity framework.

Components of Physical Access Controls

1. Physical Security Devices and Mechanisms

These are the hardware-based methods to prevent unauthorized entry:

• Badge/ID Card Systems
  • Electronic systems that verify identity using magnetic stripes, RFID chips, or QR codes.
  • Can track who accessed what area and when.
  • Often integrated with access control panels and logging systems.
• Biometric Access
  • Uses fingerprints, iris scans, facial recognition, or voice patterns.
  • Harder to spoof than ID cards but may have privacy and accuracy concerns.
• Keypads/Passcodes
  • Simple but effective; can be combined with cards for two-factor authentication.
  • Require regular code changes to prevent compromise.
• Locks (Mechanical and Electronic)
  • Traditional locks (e.g., deadbolts) or electronic versions controlled by access systems.
  • Electronic locks may offer centralized control and audit trails.
• Mantraps and Turnstiles
  • Small vestibules that require authentication before access.
  • Prevent tailgating and piggybacking.
• Security Fencing and Barriers
  • Deters unauthorized entry.
  • Includes walls, fences, bollards, and vehicle gates.

2. Environmental Design (CPTED)

Crime Prevention Through Environmental Design is a proactive approach using architectural principles to deter physical threats.

Key CPTED strategies:

• Natural Surveillance – Clear lines of sight, visibility from security points.
• Natural Access Control – Pathways and entrances that guide movement.
• Territorial Reinforcement – Use of signs, fences, and landscaping to establish property boundaries.
• Maintenance – Well-maintained areas discourage malicious behavior.

3. Monitoring and Surveillance Systems

• Security Guards
  • Physically patrol and respond to alarms or suspicious activity.
  • Often positioned at entrances and secure zones.
• Closed-Circuit Television (CCTV)
  • Cameras used to monitor activities in real time or record for review.
  • Helps deter intrusions and provides forensic evidence.
• Alarm Systems
  • Notify when unauthorized access or environmental issues occur (e.g., fire, flood, temperature).
  • Can be silent (for covert alerts) or audible.
• Access Control Logs and Audit Trails
  • Logs every entry or access attempt, including timestamps.
  • Used in security investigations, audits, and compliance checks.

4. Authorized vs. Unauthorized Personnel

• Authorized Personnel
  • Cleared individuals with explicit permission to access a given area.
  • Often given role-based access using credentials.
• Unauthorized Personnel
  • Individuals without access rights (includes guests, terminated staff, or outsiders).
  • May pose a risk if not properly managed or escorted.

Supporting Best Practices

• Visitor Management Systems – Track and issue temporary access to visitors.
• Escorted Access – For contractors or guests in secure areas.
• Tailgating Prevention – Use anti-passback systems or train staff to challenge suspicious access.
• Physical Security Training – Educate employees on access rules and awareness.
• Redundant Power & Climate Controls – Protect against downtime and environmental threats.

Key Takeaways

• Understand how physical access controls relate to information assurance.
• Know examples of preventive (locks), detective (CCTV), and deterrent (lighting, signage) physical controls.
• Learn how monitoring and logs support accountability and investigations.
• Distinguish authorized vs. unauthorized personnel handling.
• Remember CPTED principles and multi-layered defense.

3.2 – Understand Logical Access Controls

Objective: To understand how to control and manage access to systems, data, and digital resources using non-physical (logical) methods and principles.

Logical access controls ensure that only authorized individuals can access specific resources and perform only permitted actions, based on policies and organizational needs.

Key Logical Access Control Concepts

1. Principle of Least Privilege (PoLP)

Definition: Users and systems should only have the minimum level of access required to perform their duties—nothing more.

• Example: A receptionist may only need access to calendar and HR tools, not financial systems.
• Helps reduce attack surface.
• Critical in preventing privilege escalation and limiting damage from insider threats.

2. Segregation of Duties (SoD)

Definition: A single individual should not be responsible for completing all parts of a sensitive task or process.

• Example: One person initiates a payment, another approves it.
• Prevents fraud, errors, and misuse.
• Enforces checks and balances.

3. Discretionary Access Control (DAC)

Definition: The data owner determines who has access and what type of access (read, write, execute).

• Most flexible but less secure.
• Common in Windows and UNIX systems.
• Access permissions can be changed by the resource owner.

Example: A user shares a folder and grants write access to a colleague.

4. Mandatory Access Control (MAC)

Definition: Access is based on predefined policies and classification labels; users cannot modify permissions.

• Common in military and government environments.
• Uses security labels such as Confidential, Secret, Top Secret.
• Access decisions based on clearance level + data classification.

Example: A user with Secret clearance cannot open a Top Secret file, even if they’re the file creator.

5. Role-Based Access Control (RBAC)

Definition: Access rights are assigned based on the user’s role or job function.

• Centralized and scalable for large organizations.
• Roles are mapped to permissions; users are assigned roles.
• Reduces administrative overhead and enforces standardized access.

Example: Everyone in the “HR” role gets access to the HR system; no manual permission assignment needed.

Additional Considerations for Logical Access:

• Strong Authentication Mechanisms – e.g., passwords, biometrics, multi-factor authentication (MFA).
• Access Control Lists (ACLs) – Define specific permissions per user or group for each object.
• Account Management – Includes onboarding, role changes, and termination to prevent orphaned accounts.
• Audit Trails & Logging – Monitor who accessed what and when for investigation or compliance.

Key Takeaways

• Know when to apply DAC vs. MAC vs. RBAC.
• Understand least privilege and how it mitigates risk.
• Recognize examples of logical controls vs. physical controls.
• Be clear on how SoD reduces fraud or misuse.
• Expect scenarios asking you to identify the best access control model for a given situation.