CCT 168: Access Controls - Understanding Role, Rule, Mandatory, and Attribute Based Controls for the CISSP (Domain 5.4)

Aug 19, 2024
 

What would you do if your social security number was compromised in a massive data breach affecting billions? In our latest episode of the CISSP Cyber Training Podcast, we unpack the alarming reality of a recent breach that exposed the personal records of 3 billion people. We provide critical advice on how to protect yourself using tools like "Have I Been Pwned," setting up credit freezes, and enabling multi-factor authentication. It's not just about safeguarding your data; it's about arming yourself with the knowledge to navigate these digital threats effectively.

Next, we dive into the realm of access controls with a keen focus on discretionary and non-discretionary systems. Discover why discretionary access control (DAC) might be a double-edged sword for smaller setups and how non-discretionary models such as mandatory access control (MAC), role-based access control (RBAC), and rule-based access control provide a structured, scalable framework for larger organizations. With real-world examples, we break down the benefits and challenges of each system, helping you understand which control model best suits your organization's needs.

Finally, we explore the complexities of RBAC and rule-based access controls, emphasizing the necessity of efficient access management in large enterprises and regulated industries. Learn about the principle of least privilege, the intricacies of role assignment, and how predefined static rules can simplify or complicate access management. We also delve into mandatory access controls, using high-security environments like military clearances to illustrate their importance. Whether you're an industry professional or just passionate about cybersecurity, this episode brings essential insights right to your ear.
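To make the four models discussed in this episode concrete, here is an added worked example (not code from the podcast or from CISSP Cyber Training). It is a toy decision engine with one check per model: a DAC ACL that only the resource owner may edit, an RBAC mapping of users to roles and roles to permissions, static rule-based conditions (business hours and a source network), and a MAC clearance-versus-label comparison. All users, resources, roles, IP ranges and labels are constructed sample data.

```python
from datetime import time

# ---------- Discretionary access control (DAC) ----------
# The resource owner holds the ACL and is the only one who may change it.
OWNERS = {"q3_report.xlsx": "billybobjoe"}                       # constructed
ACL = {"q3_report.xlsx": {"billybobjoe": {"read", "write"},      # constructed
                          "sean": {"read"}}}

def dac_grant(actor, resource, subject, action):
    """Owner-only ACL edit. Returns True if the grant was applied."""
    if OWNERS.get(resource) != actor:
        return False                      # non-owners cannot hand out access
    ACL.setdefault(resource, {}).setdefault(subject, set()).add(action)
    return True

def dac_allowed(subject, resource, action):
    """Allow only if the owner's ACL lists this subject with this action."""
    return action in ACL.get(resource, {}).get(subject, set())

# ---------- Role-based access control (RBAC) ----------
# Permissions attach to roles; users are assigned roles, never raw permissions.
ROLE_PERMS = {                                                   # constructed
    "analyst": {("siem", "read")},
    "admin": {("siem", "read"), ("siem", "write"), ("user_db", "write")},
}
USER_ROLES = {"sean": {"analyst"}, "bob": {"admin"}}             # constructed

def rbac_allowed(user, resource, action):
    """Allow if any role held by the user carries (resource, action)."""
    return any((resource, action) in ROLE_PERMS.get(role, set())
               for role in USER_ROLES.get(user, set()))

def revoke_role(user, role):
    """Remove a role when someone changes jobs, so permissions do not linger."""
    USER_ROLES.get(user, set()).discard(role)

# ---------- Rule-based access control ----------
# Static, predefined rules evaluated against the conditions of each request.
def business_hours(ctx):
    return time(8, 0) <= ctx["now"] < time(18, 0)

def in_office_network(ctx):
    return ctx["src_ip"].startswith("10.20.")        # constructed office range

RULES = {"finance_app": [business_hours, in_office_network]}    # constructed

def request_ctx(hour, minute, src_ip):
    """Build the request conditions a rule engine would evaluate."""
    return {"now": time(hour, minute), "src_ip": src_ip}

def rule_allowed(resource, ctx):
    """Default deny: every rule for the resource must hold, and there must be rules."""
    rules = RULES.get(resource)
    if not rules:
        return False
    return all(rule(ctx) for rule in rules)

# ---------- Mandatory access control (MAC) ----------
# Labels and clearances are set centrally; a subject may read an object only
# when its clearance level dominates (>=) the object's classification label.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}
CLEARANCE = {"sean": "secret", "intern": "confidential"}         # constructed
LABEL = {"ops_plan.pdf": "top_secret", "memo.txt": "confidential"}  # constructed

def mac_read_allowed(user, resource):
    """No read-up: clearance must be at or above the resource's label."""
    return LEVELS[CLEARANCE[user]] >= LEVELS[LABEL[resource]]

if __name__ == "__main__":
    print("DAC  sean read  q3_report:", dac_allowed("sean", "q3_report.xlsx", "read"))
    print("RBAC sean write siem:     ", rbac_allowed("sean", "siem", "write"))
    print("RULE finance 23:00 office:",
          rule_allowed("finance_app", request_ctx(23, 0, "10.20.4.7")))
    print("MAC  sean read  ops_plan: ", mac_read_allowed("sean", "ops_plan.pdf"))
```

The DAC and RBAC halves are where the episode's cautions show up: `dac_grant` lets a single owner hand out access with no central review, and `revoke_role` exists because a user who moves to a new job keeps every role nobody removed. The rule engine denies by default when no rule is defined for a resource, which is the safe failure mode for static rule sets that cannot anticipate every scenario.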

Gain access to 60 FREE CISSP Practice Questions each and every month for the next 6 months by going to FreeCISSPQuestions.com and signing up to join the team for free. That is 360 FREE questions to help you study and pass the CISSP Certification. Join Today!

 

TRANSCRIPT

Speaker 1:  

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. Alright, let's get started. Let's go cybersecurity knowledge.

Speaker 2:  

All right, let's get started. Hey, I'm Sean Gerber with CISSP Cyber Training, and hope you all are having a blessed day today. Today's an amazing day. It truly is. You know why? Because of the fact is we get to talk about role-based, mandatory, discretionary and attribute-based access controls. Giddy up, yee-haw, it's going to be fun today. Yeah, I hope you all don't fall asleep on your morning commute. Yeah, no, we talk about that. Actually, if you have a Tesla, kick it in self-drive as we get going, because you're going to enjoy this so much that you will be riveted to the point where you will not be able to brake. Yes, that is very true. Actually, it's probably because there'll be drool coming out of your mouth as you fall asleep. No, you know, I'm just joking. All this stuff, it's designed to be super riveting and super enjoyable. So, hey, let's get started.

Speaker 2:  

But before we do right, before we do, one real quick article. I don't know if you all saw this. If you're listening to this and you are in the United States, or you're listening to it overseas, you may have been informed that your social security number has been leaked. Oh no, this is the end of the world as we know it. Right? Cue song. Yeah, no, I don't have that song, but anyway, the thing of the cool part about all this is, well, so, not really cool, but the interesting part, I should say, is the fact that there was like a gob like 3 billion personal records were stolen, basically because they were tied to social security numbers, addresses, you name it, all that stuff. Now, the interesting part on all this is what? There's 3 billion records. The positive part is they're going to have to go through a lot of records to find your stuff. The other thing is, if you've been part of listening to CISSP Cyber Training, you obviously are someone who's probably been around a little while with your security stuff and therefore, one, you probably have protections in place. But two, you know as well as I do that your stuff has been compromised and pwned multiple times, so this is not a new development for you.

Speaker 2:  

But, that being said, this was part of the National Public Data. I had never heard of it, honestly. But what they do is a company that makes money by collecting and selling access to your personal data to credit companies, employers and private investigators. There's so many people who have access to your data. That's the part that's just unnerving. Honestly, it's just craziness. It's just craziness, but this group called USDOD snatched about 3 billion records, which included addresses, social security numbers, all that kind of stuff. They basically have your history address history for the past three decades' worth. If you're old like me, you'll have an address for three decades. If you're not, you probably go, dude, I've got like a decade, if that. Yeah, so, but it doesn't really matter. The fact is, I got your stuff.

Speaker 2:  

That being said, don't be out there. Don't go jump off a cliff and say, oh, this is the end of the world, it's not. You just obviously have to put some protections in place, and I'm telling you all this because you probably already know this, but I would recommend that you talk to people that you love, that are close to you, that may not know this, and so it's important that we talk through these things, just so it is a refresher for you all. First thing you need to do is obviously go to Have I Been Pwned and see if your records were part of this breach. As of right now, my records were not. Yeah, who knows, but they've been part of a lot of other breaches that have been in place, so go there, check it out, see what's going on.

Speaker 2:  

Obviously, if you're listening to this, you probably already have a credit freeze enabled with your overall credit. Go in, do that. I would also recommend that you talk to your family members about how to do this themselves. I've got a couple of podcasts that have gone through enabling your credit and or not enabling your credit, but enabling the overall freezes, and I recommend that you do that. Just whatever it takes, get people to go and freeze their credit, because that's the best way to protect them in this situation, also enabling the multi-factor that goes along with it an important part. So monitor your credit, go out there, freeze it.

Speaker 2:  

The other thing to do is, if you thought that you've been caught with any sort of your data has been compromised, your social security number specifically. This is from Dark Reading, actually, it's from ZDNet, and it's actually a really good step-by-step guide on what you should do to deal with a social security number that has been potentially compromised. And I will tell you. Though, if you do this, don't anticipate it to be done within a couple of weeks. Yeah, it might be a couple of months and it could take even longer than that, but the bottom line on all this is if you know here's the thing I have learned in security and dealing with lawyers If you know that your stuff has been compromised, just the date, that which you submit it is perfect.

Speaker 2:  

That's what you need.

Speaker 2:  

You need to let them know that you know it and you found out about it and you are submitting it and then keep all that documentation because if at any point in time, your social security number or your benefits get stolen and they start doing stuff with your account, you have the track that you actually submitted it, you knew it and you dealt with it.

Speaker 2:  

It's a whole lot easier to go from there, at least trying to claw back any potential money that may have been taken from your account, when you know that you've actually submitted it. So go check it out. I'd highly recommend you go do that as soon as you possibly can. Obviously, don't do it now while you're driving. The reason I say that is many of the people that listen to this podcast are going to and from work and they use this as their morning commute. But when you get a chance, go check out Have I Been Pwned and see if you're part of this overall breach. But at a minimum, go out and freeze your credit and tell people that you love to freeze their credit as well.

Speaker 2:  

So, again, it's a real good article on ZDNet on your social security numbers. You can go check that out. It's relatively new, so if you Google it it'll pop up, so go check it out.

Speaker 2:  

Now let's get started in our most riveting content ever. To this date, it's been the most important content you will ever listen to. Yeah well, maybe not, but it's going to be very helpful for your CISSP. So we're going to get into rule-based, mandatory, discretionary and attribute-based access controls. You'll be able to go to CISSP Cyber Training. You can actually see this content in the video format. It will be on YouTube as well, but it's going to be out there for you and available. Also, let you know if you go to CISSP Cyber Training and purchase one of the products that we have available for you. We've got a bronze, silver and gold. It's not commensurate with the Olympics that just passed, but it's just to kind of put it in a tier system that if you purchase any of that, it all goes to charity. Yes, we are putting all of this in our charity for our nonprofit, for parents who want to adopt children, and that's where it's all going to go. I'm not going to keep any of it, I'm just going to give it all away. So I highly recommend it. Go do it. Again, the content's amazing. The content is awesome and you'll get some great help when you're taking the CISSP. But also know that anything you purchase goes to a good cause.

Speaker 2:  

So rule-based, mandatory, discretionary and attribute-based access controls, what exactly are this? Are this? That's really good English. You wouldn't know I'm from Kansas, and so we don't talk real well around here. Yeah, we don't really even talk like that at all. But introduction to access control models. So, as we're talking about these, we're going to get into some of the various aspects and why they're important. We're going to get into a bit about non-discretionary and discretionary access controls and then we're going to roll into rule-based, mandatory, discretionary and attribute-based controls, and you're going to see those.

Speaker 2:  

Now I will tell you the one thing that is a bit confusing when you go and you'll see on the test. You have rule-based and role-based. They both have the same acronym. Potentially I've seen variations of that. They call RO for role. They've got RU for rule. But just know that if you glob under the acronym you could be wrong, so make sure you understand it's rule and role. They're very different in what they do, even though the acronyms are extremely similar. So we're going to go through all of those today and just kind of walk you through. What can you anticipate for the CISSP and what should you be aware of? So first we're going to get into what we call discretionary, kind of differentiate between discretionary access controls and non-discretionary access controls.

Speaker 2:  

A discretionary access control is a type of control where the resource owner has the authority to determine who can access the resources and what actions they can perform. So this is the person who is acting as God. They are the one that can determine what is going on. These owner controls set the permissions, they set the access and they allow for the flexibility and the autonomy to be able to go and do what you want to do. Now, one thing to think about this is an access control list. Now, if you've dealt with firewalls, you understand that they are access control lists or ACLs, and these ACLs are what typically allow you to have access to various aspects on a firewall, right. So they'll allow you to go to certain routing. Different routing tables allow you to go to routing locations. These are what an ACL typically does. Well, these ACLs will specify, in the case of access controls, users and groups who can access a resource and what actions they can perform (read, write, execute and so forth).

Speaker 2:  

The advantages of this is that the resource owners can easily adjust permissions to meet any changing needs that you may have within your organization, and they work really good like that, right. So you know Billy Bob Joe. So you got three first names, Billy Bob Joe. Billy Bob Joe has the ability to go and make these permissions, and then you can go talk to Billy Bob Joe and they can make the changes for you, which is really cool, and especially when you have ADD like myself, it's nice to go, hey, Bob, let's go. Okay, he goes by Bob instead of Billy Bob Joe. If you go to Bob and he says, yes, let's do it, you're good, right. Easy implementation. DACs are relatively straightforward to implement and to manage. They make it very good for small organizations and for very collaborative environments. Again, if you know Billy Bob Joe is the person in your organization, it's very easy to go to him and get that information you may need.

Speaker 2:  

The disadvantages, though, is it has inconsistent access control. Because it's decentralized, right, Billy Bob is the only guy that knows how to do it. It can lead to inconsistencies in providing access, and so you may have to go back to Billy Bob a few times to get this information taken care of the right way, whereas if it's centralized, you now click a button and it becomes very consistent across an organization. Again, small organizations with very few resources, this can work pretty well. When you're dealing with a much larger organization, then the inconsistencies can get unruly and it can actually cause you more challenges. There's a higher risk of unauthorized access. Again, without centralized oversight, there is a greater risk that somebody would have unauthorized access due to misconfigurations around the permissions.

Speaker 2:  

So again, there's pros and there's cons with doing the discretionary access controls. Again, we talked about some of the use cases would be small organizations that need flexible abilities to go kick this on and kick it off. And then your collaborative environments, which is allowing resource owners to share resources and set permissions based on the needs for the collaboration. So you have a small group, maybe you have SharePoint sites, maybe you have a development team, and this development team is the ones that are set up to go and do this. Then that would be someone you reach out to or not reach out to. You would set it up for that small development team. But, again, this does not scale very well, and so, therefore, it's important that, as a security professional, you've got to consider your use case going, is this going to need to scale? Is it not going to need to scale?

Speaker 2:  

Okay, so non-discretionary access controls. These refer to the access control models where access decisions are made by a centralized authority based on the predefined policies rather than what individual resource owners may want or choose. So if you're a person who likes to fly by the seat of your pants, non-discretionary is not what you want. If you want something that is allowing you to have some level of control, or a strong level of control, consistency, deployability, non-discretionary access controls are what you may be wanting to go after. So here's just a couple which we'll talk about. Obviously, these are just a few of them, but the types of non-discretionary access controls would be your MAC, your mandatory access, role-based access, rule-based access controls. All of those will fall under the non-discretionary access controls. Now, just real quickly: mandatory access controls, they are granted on security labels and clearances set by the central authority, so that they're the ones that will set up the mandatory controls. Okay, users cannot alter these permissions. Role-based is what's granted, assigned to users by the administrator. Okay, these are predefined and determined basically for each specific user. And then rule-based, they're determined based on the preset, defined rules, such as time of day, location and so forth. So just kind of. We'll get into more of that here shortly, but just know that types of non-discretionary access controls are your RBAC, your rule-based, your mandatory access controls. Okay, so characteristics: centralized, we talked about it again.

Speaker 2:  

Centralized control allows for the authority to be consistent and adherence to organizational policies. So a good example around this is if you're in a large enterprise and in this enterprise I know that all users that join our organization are going to have this set of things they can go do. They may not be able to do any sort of admin, administrative adding of names, and they may not be able to do anything as far as their account goes other than just a normal user account. Now, once you get into added levels of ability, then you can increase what that person might be. So a role-based could be a good example of this. Where I'm a standard user, then I want to be an admin. Well, then I get the admin added to my user ability. If I want to be a domain admin, that's a whole separate additional add that would need to be added to me. If I wanted to be able to access a certain server at a certain time of day, because it's basically in a walled garden per se, then you would have a rule-based access control. So, again, it's very centralized, it's very policy driven.

Speaker 2:  

So we talk about policies. Policies aren't like, okay, you're having a policy for the government. We talk about policies are basically the security rules by which you're creating something, and this access might be granted based on these predefined policies, which include classifications, roles or rules, and so these policies are set up. So I'll give you one example of a policy. I'm setting up policies for a data loss protection and insider risk program. These policies are set up that a USB will only be able to be used at X, Y and Z, or if you are uploading to a certain file share, only a certain file share at a certain time of day. Those are policies that are set up specifically to control access. They're going to control what you can and cannot do with the tool. So that's the policy-driven piece of this.

Speaker 2:  

Advantages of it: it's high security. Again, centralized control, strict policies provide a high level of security and prevent unauthorized access. They don't allow access to anything except for what you allow them to, so that can be really good. Consistency, we talked about that earlier as well. It allows you to have some level of consistency within your enterprise and it just makes things flow much better. Disadvantages, though, obviously, is complexity of management. The management of this can get very out of control at times, especially if you let somebody like me who gets a little bit distracted. My wife tells me this all the time. I'm working on something and all of a sudden, squirrel, something pulls me aside and I go over and work on that and I go, wait a minute, what was I doing a minute ago? And so because of that, and you guys might even see that in CISSP Cyber Training, because I'll do a PowerPoint that looks really cool and then I'll do it on a piece of paper, yeah, because I forgot what I did. Yeah, that's just kind of crazy at times.

Speaker 2:  

But, that being said, I don't know where I was going with this, other than the fact that it's consistency. You want to have some level of consistency to ensure that application access controls are meeting your organization. Okay, no, it's complex management, right? Complex brain, complex management. Reduced flexibility. It does have a rigid structure which can hinder the collaboration and adaptability, especially in a dynamic environment. So when you're dealing with something, this is a great example of this: organization I'm working with now, really good organization, lots of great people, but it is a monster company, huge company, right, and it is very complex and it is not very flexible and it makes things very challenging. When it is not as easy to make changes within the organization, that can happen with these different types of access controls. It can be frustrating and it can take time. That being said, there's risks that are being in place. The bureaucratic challenges can add a level of protection to keep from many changes occurring too quickly or too randomly. So it's important that you have some of that in there as well. It's just that's that trade-off. You have to be able to go back and forth with. Use cases again: military and government. They ensure that the classified information is only protected in a certain way. We've talked about this in various podcasts, we get into the ability around the military and how it protects you. And then large organizations, obviously very large enterprises. They have to have consistent access control policies across a very diverse and complex environment. So it's important that they have that as well. So you got to keep that in mind, that there's times and places in which you want to use these. All right, role-based access controls. So that's the one we're going to get into right now, and this is typically called RBAC.

Speaker 2:  

Now, role-based access controls, a security approach which restricts system access to users based on the role in which they are within your organization. Now, these permissions are assigned to the role, okay, to the role itself. Like Sean is security analyst A, it's assigned to Sean, the security analyst, rather than the individual user, than to Sean Gerber, okay, or, as my friends call me, Enrique, okay. The ultimate point is to simplify the management of the access rights. So all users that come in get this, all analysts that come in get Y. Now these characteristics are set up for, basically, role assignment. These users are assigned the roles based on their job function, and then each role is set on permissions that define what actions the users in that role can perform. So, again, what can they actually do? The authorization, this is where the user's active role must be authorized, ensuring that only users with the appropriate role can access certain resources. So you get the assignment, you have the authorization and then you have the permission. Right. These are then, when it's granted to you, that's when the permissions are given to you. So again, role: Sean the analyst is assigned the role. The approval will go up to my boss, my boss will authorize it. Then, once my boss authorizes it, then the permission is granted and I now have access to what I need to do. Large organizations will have this very automated and it doesn't have to actually go to Bob now, or I should say it will go to my boss. So this is Sean going to my boss, Billy Bob Joe, and Billy Bob Joe will see this. He'll click, he'll mash a button and say yep, approved, and then it'll kick through an automated process by which Sean will get all of the entitlements, all the credentials that he is supposed to have for the role. Again, that's the characteristics of a role-based access control.

Speaker 2:  

Now, again, we talked about roles, permissions and users. So roles are defined in the job, function or responsibility, again, administrator, manager, analyst, employee, it depends. Permissions: these are the specific rights that are assigned to the role, such as read, write, execute, so on and so forth. Those are the permissions that allow Sean to do what he's going to do. And then the other, also it could be a set of other entitlements outside of read, write, execute. It could be administrator and so forth. But those are, that would be, I should say, administrator would be a role that Sean would have and it would just be tied to Sean's name.

Speaker 2:  

Users: individuals who are assigned a role and then they inherit permissions associated with those roles. Now, this is the part that can get really squirrely, the inheritance issue of this. When you have a certain set of credentials, sometimes, depending upon where you're at within your organization and depending upon the Active Directory structure within your organization, sometimes these roles, these individuals, can inherit permissions based on where they're at within the overall Active Directory tree. And so we're not going to get into that today. But the point of it is that it's important that when you set this up, you have to be very specific on how you set up the roles with individuals and then also know your environment to know that when these individuals are put into other areas within the organization, they don't inherit types of permissions just because of where they were put. You need to understand that overall plan.

Speaker 2:  

One of the things I've learned as a red teamer, and then also just being a CISO for a large company, that is not a well-known topic. People do not totally understand their infrastructure, and we're to the point of going, yes, Sean gets put into this group. Well, Sean has access to all these things because Sean was put in this group. Well, Sean was also put into another group, which gives him a lot more access to a lot of other things that Sean really shouldn't have access to and Sean didn't have control of. I didn't request that access, somebody just put me in there, or you were in that group and you moved on to a new role and guess what? They stayed in that group. They didn't pull you out.

Speaker 2:  

So there's a lot of challenges that go along with, especially, dealing with individual user entitlements and user roles. So what are the advantages around this? Simplified management, obviously, assigning permissions to roles rather than users. Okay. RBAC reduces the complexity of managing access rights. Principle of least privilege ensures that you only have access that's necessary to perform the job functions, again reducing the risk of unauthorized access. So that's a big positive around this, great for large organizations with many users and allows for efficient management. Those are the positives.

Speaker 2:  

Here come the downsides. Initial setup can be very complex, right. So just setting all this up can take very careful planning and it can be complex, which can cause some challenges. You need to think about it when you're planning this out, and the best thing I have learned is it's better to start small and work your way up than to start big, like basically saying, give them access to all this stuff and then we'll start whittling it down over time. No, you want to start them off small and then, as you build this out, you realize, oh, we really should be giving people access to this, but that needs to go through a committee, rather than you just saying, oh, okay, Bill needs access to this, click. Now, all of a sudden, instead of Bill getting access, all those roles got access. And now that's when you can get yourself into a lot of challenges. Role explosion: again, dynamic environments.

Speaker 2:  

The number of roles can proliferate, big $10 word, making the management challenging, right? We talked about that. There, the roles grow, you got challenges. Rigidity: changes in job functions or responsibilities can cause frequent updates to roles and permissions. Use cases: large enterprises again, we talked about them being the ones that have hundreds, if not thousands, of employees based on their roles and responsibilities. Regulated industries, they have to have this. So you'll see a company I'm working with now, well, many companies, especially as the government's getting involved, they do require specific roles, and that these roles have to be audited and that these roles have to be managed. This, again, strict access controls that are based on job function, and then IT systems controlling access to applications, databases, network resources and so forth are a lot of times tied to roles. So again, those are the pros, the cons and then some of the use cases around rule-based access controls.

Speaker 2:  

Rule-based access controls. Now rule-based, these are accesses granted based on a set of predefined rules by the administrator or system administrator. These rules dictate the conditions under which access can be allowed or potentially denied, right. So you have two different types of rule-based access: you have predefined and static and you have condition-based decisions. So let's go into predefined. What is that? These are established in advance, right, so you have this already set up. So it's like an access control list. Right, they're already set up. They don't change frequently. They're designed to cover the typical scenarios and the conditions.

Speaker 2:  

So if you know in your network that I'm going to allow port 443 is allowed through, but port XYZ 62252 is not allowed, that would be static. Right, you would know 443 is going to go through. Those would be the predefined or static types of, and I'm talking ports on an access control list. But that's what kind of role you would say. The user, that's a predefined, static user account that doesn't change frequently because every user is going to get it. That's static. Condition-based decisions: these are access based on the specific conditions, such as a time of day, user, location, type of transaction being performed. So if you say that I only want people to make changes based on if they are in Dallas-Fort Worth area, okay, that's very close to geofencing in that localized area. But let's just say Dallas-Fort Worth, anybody outside of Dallas, no, that won't work. Now, the gotcha on this is if you have people that are remoting in from other locations, do you allow the virtual environment to be able to fall under that condition? And that might be the condition you set, is that the only people that have remote access into our environment are the ones that can do this. So, again, that's the condition-based decisions.

Speaker 2:  

So there's various components to it: rules, subjects and objects. Rules: these are the specific conditions that must be met for access to be granted. For example, a rule might state that access to a financial system is only allowed during business hours and not after business hours. Subjects: these are users or entities requesting access to the resources, such as myself. That would be a subject and this would be evaluated against the rules to determine if I should be given access or not. So, again, rules are the specific conditions, subjects are the users and entities. Objects: these are the resources or the data that subjects are trying to access. So this is the stuff I'm trying to get to, and so the files, databases, applications, whatever it is, right. So you have rules, those are conditions. Subjects, that's the users or the entities. And then three is the objects. These are what we're trying to get.

Speaker 2:  

Okay, so what are the advantages around rule-based access controls? It simplifies the management, so it does. By automating these access decisions on a predefined set of rules, administrators can reduce the complexity of managing access controls. It ensures consistency. It ensures that the rules are applied uniformly right. There's a consistent approach to granting, denying, removing access. It's all very consistent and it works very well, especially when you're dealing with large organizations.

Speaker 2:  

The disadvantages of this, though, is the lack of flexibility, so when you're dealing with static rules, they may not be sufficient to cover all scenarios. They also could be where you're dealing with rules that maybe are not as static, maybe more dynamic; then keeping these rules up to date and relevant will be a very ongoing and arduous process. It takes a lot of attention to detail for administrators, so you need the right person that can do this. You wouldn't want to let me in there. That would be bad. We would have everybody having access all over the place, but the point of it is that those are some of the challenges that come along with rule-based access. So some of the use cases around this: financial transactions. Implementing time-based restrictions to ensure transactions can only be done during business hours would be a huge part of a financial piece. So if you know you have employees that are remoting in from a certain time, that it's only limited to a certain time in which there'll be updates to the system, otherwise it's queued that way at least. Then there aren't people trying to do this in the middle of the night and then the next day you come back and all your money's gone. That's a challenge.

Speaker 2:  

Location-based access is another one. That's where you deal with geofencing of some kind, granting access to sensitive data only when they're in a specific geographic location, such as the office premises. So if you had a certain set of IP addresses where they're allowed, that might be something you would do from a specific rule-based access control. So now let's get into mandatory access controls. Mandatory access control: this is granted on policies set by a central authority, dealing with.

Speaker 2:  

We talked about security labels, right, to classify the resources and the users. This is, this we talk about, the fact of this was: mandatory access, this is a non-discretionary access control, and so therefore it's designed to have your different security levels, such as confidential, secret, and all these are granted by clearances that correspond to these specific levels. So, as an example, for military, I had a classified security clearance and I was able to reach certain levels of classification based on my security clearance, which I don't have anymore because after time it all goes away, and which is good. Right, you want that to happen. But, based on what my clearance was, I was allowed access to certain types of information, from secret, top secret, whatever that might be. That was all dependent upon my role. Now these labels are, if you want to have access to certain data, for example, we talk about top secret, that needs to be.

Speaker 2:  

We used to call it a ticket. You have your ticket punched to be able to go and access top secret information or secret information. Or, in the case of top secret, it might be even compartmentalized with caveats that only allow you into certain areas, so that you guys, everybody knows: just because you have access to top secret information doesn't mean, oh, I now know where the aliens are, I can go find the aliens because I have top secret information. No, that's not true. Wherever the aliens are at, there is a special ticket that is probably written in invisible ink that you can't get access to. If they even exist.

Speaker 2:  

And so, therefore, that's a special ticket to get punched on a certain ride at Disneyland. But no, you have to have a certain caveat to allow you access. So then, when you deal with the components, so we talked about labels already, as far as what labels are, top secret. Then the clearances. These are assigned to determine the level of access that is permitted. A user with a secret clearance has access to resources that are secret or lower. Top secret, top secret or lower. If your access is just unclassified, that's all you get. You can't go any higher than that. Then you have to have the central authority that's responsible for defining and enforcing the access control policies. It ensures that the access decisions are consistent and aligned with the organizational security requirements.

Speaker 2:  

So advantages of this: high security, right. Really limit what people can do. That does not stop people from stealing classified information. Edward Snowden is a good example of that. But it continues to happen, but it is limited because of these high access controls. The thing is, where the Edward Snowdens of the world get the access out is when these security controls are not fully managed correctly. That's how Edward Snowden got access, and had access to stuff that he should have not had access to for one, and then two, when he did have access to it, had the ability to get data out of the organization. That was a big failure and I know they fixed that, but they shouldn't have ever gotten that far. So again, these strict policies.

Speaker 2:  

MAC provides a high level of security and control over access to sensitive resources. It prevents unauthorized access. The use of security labels and clearances ensures that only authorized users can access classified information. Hopefully, right? In most cases. A very complex beast, and you have to have a person that's specifically set aside in each organization just to deal with classified data, and then you have to have training on how to label it. Only certain people can label it, only certain people can remove the label. There's a lot of complex moving parts on dealing with mandatory access controls.

Speaker 2:  

Reduced flexibility. The rigid structure of MAC can hinder collaboration and adaptability, especially in dynamic environments. So again, it reduces the flexibility of your organization. The military is good with that. They like flexibility, but when it comes to classified stuff they are not flexible. They are unbending, very much so. I talked about the military and the government dealing with classified information, and also financial institutions. They are required to have sensitive labeling put on a lot of this. Healthcare industries as well. There's a lot of pieces and parts that need some level of labeling around access.

Speaker 2:  

Okay, attribute-based access controls. Now, access is granted on attributes of the user, resource and the environment, allowing for dynamic and context-aware access control decisions. Now I will say this is something you're going to start seeing more of, this type of activity, I feel in my mind, as we get into AI and that becomes more involved, it's going to be more context-aware of what's actually going on and allow access in and out. So the characteristics: this is dynamic and context-aware, which basically means decisions are made based on the combination of attributes, which can change over time and in different contexts. The attributes, such as user role, resource type and environmental conditions, are evaluated to determine what the access might be. So, based on the user's situation, it may allow the access depending upon the need.

Speaker 2:  

I have not dealt with this specifically. I've read of it, but I've never actually dealt with it completely. So, such as the attributes would be characteristics of the user: role, department and so forth. What are the resources that they need to have access to: classification, type of data. And then the environment, which would be time and location. So you're bringing all these things together, and that would be the attribute of which it would be able to be context aware of what it's trying to allow.

Speaker 2:  

Now these policies will define how attributes are evaluated to grant or deny access, and these policies can be very complex and they could consider multiple attributes.

Speaker 2:  

But this is where you're going to need something that has the logic to be able to look at all this.

Speaker 2:  

So Sean's allowed access from Hong Kong at a certain time of the day, and he has to use a certain specific IP address to be able to get access, because maybe he's using a device from his work or, I should say, an IP address coming from the office location. Those three things have to be in context and have to be working for Sean to have the access that he needs. Then there becomes a policy decision point, or they call it PDP. This is the component that is responsible for evaluating policies and making access decisions based on the attributes and the rules. So this is where the brains of this thing figures this out. Again, you're not going to be able to do it. It has to have something, a brain that will think through this, to allow or deny the access. Hopefully it won't launch you into space. If you guys got the HAL indication, you would understand what I just said, so that 2000, what was that?

Speaker 2:  

It was, ah, see, I can't remember the name of it. It was like Odyssey 2000. I can't even think of the name of the movie, but it's like out of hell, the big red eyeball. Okay, attribute-based access controls. The advantages of this. See, the ADD kicks in every once in a while, squirrel. High flexibility. ABAC supports complex access control requirements and can adapt to changing conditions and context, because it has the ability, the flexibility, to do that. It is scalable, right, so its attribute-based approach allows for scalable access controls in large and diverse environments.

Speaker 2:  

This really happens a lot, especially if, so, like if you're dealing with a large company. I don't know if you all have dealt with it. I get lots of different people that listen to this podcast. I got people from Spain, I got people from Brazil, I got people in the United States, all over the place, right, listening to the podcast, which is awesome, right, and they all come from different backgrounds and different lifestyles. The thing around this, though, that is interesting is that if you've dealt with a large organization, I've done M&A, which is mergers and acquisitions, you bring in people from companies. Your company goes and buys one, you merge it into your organization, so you have to deal with M&A.

Speaker 2:  

Well, when you're dealing with diverse companies, you have your way that you did your company, right. So this is the way your naming convention is. This is the way you use your IP structure. All this stuff is based in a certain way. Well, now, and you have a certain way you do roles, now you bring in somebody else right from the outside and they did a whole different way of doing business. So how do you merge the two together? And this is where attribute-based access controls could be very valuable. Again, I haven't ever seen it in place, I've just read about it, and I think if you could make it work, this would be really, really cool.

Speaker 2:  

The disadvantages, though, is defining and managing attributes and policies can be challenging and requires a very strong infrastructure and expertise. Again, got to find the one, the unicorn, and sometimes the unicorn is out there, but sometimes they're not. If you do find the unicorn, sometimes they want a lot of money and therefore you don't want the unicorn. So you have to build, you train your own little unicorn, which means you get a mule and you stick a cone on its head and then you hope that someday it will grow into a beautiful unicorn. But right when it starts growing into a beautiful unicorn, it moves on to another role. Yes, so just kind of. Yeah, I went on a tangent there, but it's true, it's so true, okay. So disadvantages, we talked about that: managing these can be challenging, requiring robust infrastructure. Infrastructure requirements: implementing ABAC also requires a system for managing and evaluating attributes and policies. Again, you got to have something and it's going to be expensive to do this, but it could be extremely valuable to you, especially if you're dealing with mergers and acquisitions, that you could put a case together for how this would reduce the risk to your organization, especially from an insider standpoint. One of the big issues you run into from an insider point of view is when you start merging companies together. Watch your data leave your organization, because it goes out the door faster than you can even imagine because of the fact that nobody's watching it. Use cases: you have cloud environments. These provide dynamic access controls for user bases, and then organizations with dynamic needs. Again, they support environments where access control needs change frequently based on context and conditions. So these are kind of the areas in which you would deal with attribute-based access controls. 
Okay, that is all I have for you today. So I want you guys to head on over to CISSP Cyber Training. Go check it out. Go check out all the free stuff that's there. Go purchase the products. Again, the products go to a non-profit, not taking the money. It's all good. Again, we want to help kids that we want, parents that want to adopt children. We want to try to help in the financial aspects of this through low interest loans, grants and so forth, and so therefore, that's the overall purpose of our nonprofit. Again, I'm doing this stuff. I'll be honest with y'all. I enjoy working with this, I enjoy talking to you all, and this is kind of a bit of a therapy for me, but I also want to let you know that I don't need to do this. I want to do this, one, to help you, but then also, as we start going forward, going, how do I help families? And that's the overall purpose of CISSP Cyber Training, is to help that. Last thing is, head on over to Reduce Cyber Risk as well.

Speaker 2:  

I'm a consultant, and so therefore, if you are looking for any sort of consulting needs, I can help you with those. Between myself and the team that I work with, we can pretty much help you in almost everything that comes down to security-related products. Again, reducecyberrisk.com. Go check that out for any of your consulting needs. Okay, I sound like the guy that's trying to sell you the, what is that? I can't think of it. That Shamu guy or whatever. Whatever the guy is trying to sell you, this is a towel that if you take it and you fill up the water with it, it will work for you forever. Yeah, no, that's not what we're doing here. So, anyway, go to cisspcybertraining.com, check it out, head on over to Reduce Cyber Risk if you need consulting work. Have a wonderful blessed day and we will catch you on the flip side, see ya.
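The three models walked through in the episode (rule-based conditions on time and location, MAC clearance dominance with compartment caveats, and an ABAC policy decision point combining user, resource and environment attributes) as one worked example. This is added illustration code, not from the podcast or from CISSP Cyber Training; the business-hours window, the 203.0.113.0/24 office range, the level names and the "Sean from Hong Kong" policy are constructed assumptions.

```python
"""Toy policy engine for the three models covered in the episode: rule-based,
mandatory (MAC) and attribute-based (ABAC). Constructed example for
illustration; the hours, networks, levels and sample requests are assumptions."""
from ipaddress import ip_address, ip_network

# ---- Rule-based: static, predefined conditions on time, location, source ----
BUSINESS_HOURS = range(8, 18)                    # assumed 08:00-17:59 window
OFFICE_NETWORK = ip_network("203.0.113.0/24")    # constructed office range (TEST-NET-3)
ALLOWED_REGION = "DFW"                           # assumed geofence: Dallas-Fort Worth


def rule_based_allows(resource: str, hour: int, src_ip: str, region: str) -> bool:
    """Financial system: business hours only, office network only, DFW only.
    Anything the rule set does not mention is denied (default deny)."""
    if resource != "financial_system":
        return False
    if hour not in BUSINESS_HOURS:                   # time-based restriction
        return False
    if ip_address(src_ip) not in OFFICE_NETWORK:     # location by source address
        return False
    return region == ALLOWED_REGION                  # geofence condition


# ---- MAC: ordered sensitivity levels plus compartments ("tickets") ----
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


def mac_allows(clearance_level: str, clearance_compartments,
               label_level: str, label_compartments) -> bool:
    """Read is permitted when the clearance level is at or above the object's
    level AND the subject holds every compartment the object is caveated with.
    A top secret clearance with no compartments still cannot read a
    compartmented top secret object (the 'where the aliens are' ticket)."""
    if LEVELS[clearance_level] < LEVELS[label_level]:
        return False
    return set(label_compartments) <= set(clearance_compartments)


# ---- ABAC: a policy decision point combining user/resource/environment ----
def office_hours_remote_policy(user, resource, env) -> bool:
    """The 'Sean from Hong Kong' case: named user, expected location, daytime
    window and an office source address must all hold at the same time."""
    return (user["name"] == "Sean"
            and env["location"] == "Hong Kong"
            and 9 <= env["hour"] < 17
            and ip_address(env["src_ip"]) in OFFICE_NETWORK
            and resource["classification"] in ("public", "internal"))


def same_department_policy(user, resource, env) -> bool:
    """Department attribute on the user must match the resource's owner;
    restricted data is never granted by this policy."""
    return (user["department"] == resource["owner_department"]
            and resource["classification"] != "restricted")


POLICIES = [office_hours_remote_policy, same_department_policy]   # assumed policy set


def pdp_decide(user: dict, resource: dict, env: dict) -> bool:
    """Policy decision point: permit if any policy grants, otherwise deny."""
    return any(policy(user, resource, env) for policy in POLICIES)


if __name__ == "__main__":
    sean = {"name": "Sean", "department": "security"}
    report = {"classification": "internal", "owner_department": "finance"}
    daytime = {"location": "Hong Kong", "hour": 10, "src_ip": "203.0.113.5"}
    night = {"location": "Hong Kong", "hour": 23, "src_ip": "203.0.113.5"}
    print("rule-based, 10:00 from office, DFW:",
          rule_based_allows("financial_system", 10, "203.0.113.10", "DFW"))
    print("MAC, secret clearance reading top secret:",
          mac_allows("secret", [], "top secret", []))
    print("ABAC, Sean daytime:", pdp_decide(sean, report, daytime))
    print("ABAC, Sean at night:", pdp_decide(sean, report, night))
```

Two points worth noticing when running it. Every path is default deny: a request the rules or policies do not explicitly cover fails closed, which is the property that makes the static rule set predictable. And the remote-access gotcha from the episode shows up directly in the source-address condition: a user coming in from outside 203.0.113.0/24 is refused by both the rule-based check and the ABAC policy unless the rule set is deliberately extended to include the remote-access range.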
