CISSP Control Physical and Logical Access to Assets – Bk1D5T1

Everyone has real-life experience with access management, in which a subject (you, perhaps) controls access to an object (your home, say, or your bank account). Some controls are physical, such as a door lock, a vault, or a detective control such as an alarm. A logical control can be a password that unlocks a folder (or lets you log in), a decryption key, or a list of authorized individuals. Controls can also be a hybrid combination of physical and logical controls, such as the door locks in some modern homes or hotel rooms that require the use of a mobile app to unlock them.

Another factor to consider in the management of physical and logical controls is whether the information about those controls should itself be centralized, decentralized, or a hybrid. Think, for example, of the electronic door locks common to hotel rooms these days. To read the key card, the lock has a simple computer inside it. But is the lock’s electronic card reader connected, with or without wires, to the front desk, or even to a server at hotel headquarters? In some hotel chains, it is. This makes it easy to change the key code and even to make a good guess as to whether the room is occupied at a given moment.

Some brands of electronic door lock, on the other hand, are standalone, requiring someone to physically go to the door and electronically engage it to unlock it, change the code, or download from the lock a record of openings and closings. Each scheme, and the many hybrids, has pros and cons. One argument for centralized control is economy of scale (in the hotel example, one clerk can set key codes for many rooms). An argument on the side of decentralized control is the potential chaos an attacker could cause if every room in a hotel (or every vault in a museum or bank) were to be unlocked at the same time!
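The centralized-versus-standalone trade-off above can be made concrete with a small model. The following Python is an added illustration, not part of the CISSP text or of any real lock vendor's software: it assumes hypothetical `Lock`, `StandaloneLock` and `CentralController` classes, with the key code stored in the lock and a per-lock record of openings (the detective control a technician would download on site). The helper `rooms_affected_by_one_bad_command` shows the blast radius of a single unauthorized rekey under each scheme.

```python
from dataclasses import dataclass, field


@dataclass
class Lock:
    """One electronic door lock. The key code lives in the lock itself
    (hypothetical model for illustration)."""
    room: str
    key_code: str
    # Detective control: every card presentation is recorded as (time, code, granted).
    openings: list = field(default_factory=list)

    def present_card(self, card_code: str, at: int) -> bool:
        granted = card_code == self.key_code
        self.openings.append((at, card_code, granted))
        return granted


class StandaloneLock(Lock):
    """Decentralized scheme: the code changes only when someone is at the door,
    and the opening record must be collected at the door as well."""

    def rekey_on_site(self, new_code: str) -> None:
        self.key_code = new_code

    def download_log(self) -> list:
        return list(self.openings)


class CentralController:
    """Centralized scheme: a front-desk server that manages many networked locks."""

    def __init__(self, locks):
        self.locks = {lock.room: lock for lock in locks}

    def rekey(self, room: str, new_code: str) -> None:
        self.locks[room].key_code = new_code

    def rekey_all(self, new_code: str) -> int:
        """Economy of scale for the clerk, and the same reach for an attacker
        who obtains the clerk's credentials. Returns the number of locks changed."""
        for lock in self.locks.values():
            lock.key_code = new_code
        return len(self.locks)

    def rooms_opened_since(self, t: int) -> set:
        """Occupancy guess: rooms with a successful opening at or after time t."""
        return {
            room
            for room, lock in self.locks.items()
            if any(at >= t and granted for at, _, granted in lock.openings)
        }


def rooms_affected_by_one_bad_command(rooms) -> tuple:
    """Compare the blast radius of one unauthorized rekey under each scheme.
    Returns (rooms changed under central control, rooms changed with standalone locks).
    Room numbers and the key codes "0000"/"9999" are constructed sample values."""
    central = CentralController([Lock(r, "0000") for r in rooms])
    affected_central = central.rekey_all("9999")

    standalone = [StandaloneLock(r, "0000") for r in rooms]
    # With standalone locks the intruder must stand at each door; one trip, one room.
    standalone[0].rekey_on_site("9999")
    affected_standalone = sum(1 for lock in standalone if lock.key_code != "0000")
    return affected_central, affected_standalone


if __name__ == "__main__":
    print(rooms_affected_by_one_bad_command(["101", "102", "103", "104"]))  # (4, 1)
```

Nothing here is specific to hotels: replace "rooms" with vaults, server-room doors, or service accounts and the same question applies, namely how many assets one compromised administrative path can change at once, and whether the opening record is held where the attacker can reach it.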

Regardless of whether controls are centralized, the primary purpose when selecting access controls for an asset is to protect the asset’s confidentiality, integrity, and/or availability. As a reminder, the three components of the CIA triad are as follows:

  • Confidentiality is preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
  • Integrity means guarding against improper information modification or destruction and includes ensuring information nonrepudiation and authenticity.
  • Availability means ensuring timely and reliable access to and use of information by authorized users.

The following sections quickly analyze how each of these three attributes might be at risk if you fail to control access, either physical or logical.