CISSP® Official Study Guide, Eighth Edition
Mike Chapple, James Michael Stewart, Darril Gibson. CISSP Official Study Guide. Sybex, 2018.

Separation of Duties and Responsibilities

The separation of duties and responsibilities principle ensures that sensitive functions are split into tasks performed by two or more employees. It helps to prevent fraud and errors by creating a system of checks and balances.
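One way this principle is enforced in software, added here as an illustration and not taken from the study guide, is to combine a static check (no single user holds a conflicting, or "toxic", pair of roles) with a dynamic two-person rule (the person who approves a payment must not be the person who created it). The role names, the conflict pairs, and the sample users and payments are constructed assumptions, not anything the book defines.

```python
"""Separation-of-duties enforcement (added example; role names and data are constructed)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Hypothetical role pairs that must never be held by one person: holding both
# sides lets a single employee complete a sensitive function end to end,
# which removes the checks and balances the principle is meant to create.
TOXIC_COMBINATIONS: Set[FrozenSet[str]] = {
    frozenset({"payment_creator", "payment_approver"}),
    frozenset({"vendor_admin", "payment_approver"}),
    frozenset({"developer", "production_deployer"}),
}


class SeparationOfDutiesError(Exception):
    """Raised when an action would violate the separation-of-duties policy."""


def find_toxic_combinations(
    assignments: Dict[str, Set[str]]
) -> List[Tuple[str, FrozenSet[str]]]:
    """Static check: return (user, conflicting_pair) for every user whose role
    set contains both roles of a toxic pair. Run this whenever roles change."""
    violations: List[Tuple[str, FrozenSet[str]]] = []
    for user, roles in sorted(assignments.items()):
        for pair in TOXIC_COMBINATIONS:
            if pair <= roles:  # the user holds every role in the pair
                violations.append((user, pair))
    return violations


@dataclass
class Payment:
    payment_id: str
    amount: int
    created_by: str
    approved_by: Optional[str] = None


def two_person_check(
    payment: Payment, approver: str, assignments: Dict[str, Set[str]]
) -> Tuple[bool, str]:
    """Dynamic check: an approval is allowed only if the approver holds the
    approver role AND is a different person from the payment's creator."""
    if "payment_approver" not in assignments.get(approver, set()):
        return False, f"{approver} lacks the payment_approver role"
    if approver == payment.created_by:
        return False, (
            f"{approver} created payment {payment.payment_id} "
            "and cannot also approve it"
        )
    return True, "ok"


def approve_payment(
    payment: Payment, approver: str, assignments: Dict[str, Set[str]]
) -> Payment:
    """Apply the two-person rule before recording the approval."""
    allowed, reason = two_person_check(payment, approver, assignments)
    if not allowed:
        raise SeparationOfDutiesError(reason)
    payment.approved_by = approver
    return payment


if __name__ == "__main__":
    # Constructed sample role assignments; "carol" deliberately holds a toxic pair.
    sample_assignments = {
        "alice": {"payment_creator"},
        "bob": {"payment_approver"},
        "carol": {"payment_creator", "payment_approver"},
    }
    for user, pair in find_toxic_combinations(sample_assignments):
        print(f"toxic combination: {user} holds {sorted(pair)}")

    invoice = Payment("P-1001", 5000, created_by="alice")
    print(approve_payment(invoice, "bob", sample_assignments))
    print(two_person_check(Payment("P-1002", 250, created_by="carol"), "carol",
                           sample_assignments))
```

The static check catches the provisioning mistake (one account accumulating both halves of a sensitive function), while the two-person check catches the runtime case where the roles are separate but the same individual tries to act on both sides of one transaction; either check alone leaves a gap.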
Defining Requirements with a Security Policy

A security policy is a document that defines the security requirements for an organization. It identifies assets that need protection and the extent to which security solutions should go to protect them. Some organizations create a security policy as a single document, and other organizations create multiple security policies, with each one focused on a separate area. Policies are an important element of access control because they help personnel within the organization understand what security requirements are important. Senior leadership approves the security policy and, in doing so, provides a broad overview of an organization’s security needs. However, a security policy usually does not go into details about how to fulfill the security needs or how to implement the policy. For example, it may state the need to implement and enforce separation of duties and least privilege principles but not state how to do so. Professionals within the organization use the security policies as a guide to implement security requirements.

Chapter 1, “Security Governance Through Principles and Policies,” covers security policies in more depth. It includes detailed information on standards, procedures, and guidelines.
Implementing Defense in Depth

Organizations implement access controls using a defense-in-depth strategy. This uses multiple layers or levels of access controls to provide layered security. As an example, consider Figure 14.1. It shows two servers and two disks to represent assets that an organization wants to protect. Intruders or attackers need to overcome multiple layers of defense to reach these protected assets.

Figure 14.1: Defense in depth with layered security (layers shown: Physical Access Controls, Administrative Access Controls, Logical/Technical Controls)
Chapter 14, “Controlling and Monitoring Access,” page 628
Organizations implement controls using multiple methods. You can’t depend on technology alone to provide security; you must also use physical access controls and administrative access controls. For example, if a server has strong authentication but is stored on an unguarded desk, a thief can easily steal it and take his time hacking into the system. Similarly, users may have strong passwords, but social engineers can trick uneducated users into giving up their password.

The concept of defense in depth highlights several important points:

- An organization’s security policy, which is one of the administrative access controls, provides a layer of defense for assets by defining security requirements.
- Personnel are a key component of defense. However, they need proper training and education to implement, comply with, and support security elements defined in an organization’s security policy.
- A combination of administrative, technical, and physical access controls provides a much stronger defense. Using only administrative, only technical, or only physical controls results in weaknesses that attackers can discover and exploit.
