CISSP Cyber Training Podcast - CISSP Training Program

CCT 286: Access Controls - Role Based, Rule Based and Many More Controls (Domain 5.4)

Shon Gerber, vCISO, CISSP, Cybersecurity Consultant and Entrepreneur. Season 3, Episode 286


Check us out at:  https://www.cisspcybertraining.com/

Get access to 360 FREE CISSP Questions:  https://www.cisspcybertraining.com/offers/dzHKVcDB/checkout

Get access to my FREE CISSP Self-Study Essentials Videos:  https://www.cisspcybertraining.com/offers/KzBKKouv

A headline‑grabbing data leak is the wake‑up call; what you do next is the difference between panic and control. We start with concrete actions you can take today—check exposure with Have I Been Pwned, lock down your credit with freezes, turn on MFA, and keep meticulous records so you have proof when it counts. From there, we switch gears into the playbook every CISSP candidate and security leader needs: a clear path through the access control maze that actually maps to real work.

We break down Discretionary Access Control (DAC) and why it’s fast but fragile, then show how non‑discretionary models keep large environments consistent. Role‑Based Access Control (RBAC) gets the spotlight with practical guidance: define roles by job function, automate approvals, prevent role explosion, and audit entitlements so inheritance doesn’t hand out surprise privileges. We separate role‑based from rule‑based—one tied to people and jobs, the other to conditions like time, location, and transaction type—using examples you can adopt immediately.

For high‑assurance scenarios, we dig into Mandatory Access Control (MAC): labels, clearances, compartments, and the uncompromising policies that protect the most sensitive data. Finally, we look ahead with Attribute‑Based Access Control (ABAC), where context drives decisions in cloud and zero trust architectures. User attributes, device posture, data sensitivity, time, and geo all combine to answer the crucial question: should this subject access this object, right now?

You’ll walk away with exam‑ready cues, battle‑tested pros and cons, and a mental model to pick the right approach for your team. If this helped, subscribe, share it with a teammate who keeps mixing up role‑based and rule‑based, and leave a quick review so others can find us.

Gain exclusive access to 360 FREE CISSP Practice Questions at FreeCISSPQuestions.com and have them delivered directly to your inbox! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success.

Join now and start your journey toward CISSP mastery today!

SPEAKER_00:

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Shon Gerber, and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. Alright, let's get started.

SPEAKER_01:

Hey, I'm Shon Gerber with CISSP Cyber Training, and I hope you all are having a blessed day today. Today is an amazing day. It truly is. You know why? Because we get to talk about role-based, mandatory, discretionary, and attribute-based access controls. Giddy up, yeehaw! It's gonna be fun today. Hope you all don't fall asleep on your morning commute. Actually, if you have a Tesla, kick it into self-drive as we get going, because you're gonna enjoy this so much that you will be riveted to the point where you will not be able to brake. Yes, that is very true. Actually, it's probably because there'll be drool coming out of your mouth as you fall asleep. No, I'm just joking about all this stuff. It's designed to be super riveting and super enjoyable. So, hey, let's get started. But before we do, one real quick article. I don't know if you all saw this. If you're listening to this and you are in the United States, or you're listening to this podcast overseas, you may have been informed that your social security number has been leaked. Oh no, this is the end of the world as we know it, right? Cue song. No, I don't have that song. But anyway, the cool part about all this, well, not really cool, the interesting part, I should say, is the fact that there was a gob, like three billion personal records, stolen, basically because they were tied to social security numbers, addresses, you name it, all that stuff. Now, the interesting part on all this is that with three billion records, the positive part is they're gonna have to go through a lot of records to find your stuff.
The other thing is, if you've been listening to CISSP Cyber Training, you obviously are someone who's probably been around a little while with your security stuff, and therefore, one, you probably have protections in place, but two, you know as well as I do that your stuff has been compromised and pwned multiple times. So this is not a new development for you. But that being said, this was part of National Public Data. I had honestly never heard of it. But what they do is, it's a company that makes money by collecting and selling access to your personal data to credit companies, employers, and private investigators. So many people have access to your data. That's the part that is just unnerving, honestly. It's just craziness. But this group called USDOD snatched about three billion records, which included addresses, social security numbers, all that kind of stuff. They basically have your address history for the past three decades. If you're old like me, you'll have addresses going back three decades. If you're not, you're probably going, dude, I've got like a decade, if that. But it doesn't really matter. The fact is, they've got your stuff. That being said, don't go jump off a cliff and say, oh, this is the end of the world. It's not. You just obviously have to put some protections in place. And I'm telling you all this because you probably already know this, but I would recommend that you talk to people that you love, that are close to you, that may not know this. And so it's important that we talk through these things just so it is a refresher for you all. First thing you need to do is obviously go to Have I Been Pwned and see if your records were part of this breach. As of right now, my records were not. Who knows? But they've been part of a lot of other breaches. So go there, check it out, see what's going on.
Obviously, if you're listening to this, you probably already have a credit freeze enabled on your overall credit. Go in, do that. I would also recommend that you talk to your family members about how to do this themselves. I've got a couple of podcasts that have gone through enabling the overall credit freezes, and I would recommend that you do that. Whatever it takes, get people to go and freeze their credit, because that's the best way to protect them in this situation. Also, enabling the multi-factor that goes along with it is an important part. So monitor your credit, go out there, freeze it. The other thing to do is, if you think that any of your data has been compromised, like your social security number specifically, this is from Dark Reading. Actually, it's from ZDNet, and it's a really good step-by-step guide on what you should do to deal with a social security number that has been potentially compromised. I will tell you, though, if you do this, don't anticipate it being done within a couple of weeks. It might be a couple of months, and it could take even longer than that. But the bottom line on all this is, here's the thing I have learned in security and dealing with lawyers: if you know that your stuff has been compromised, just the date on which you submit it is perfect. That's what you need. You need to let them know that you know it, you found out about it, and you are submitting it. And then keep all that documentation, because if at any point in time your social security number or your benefits get stolen and they start doing stuff with your account, you have the track record that you actually submitted it, you knew it, and you dealt with it.
It's a whole lot easier to go from there, at least trying to claw back any potential money that may have been taken from your account, when you know that you've actually submitted it. So go check it out. I'd highly recommend you do that as soon as you possibly can. Obviously, don't do it now while you're driving. The reason I say that is many of the people that listen to this podcast are going to and from work, and they use this as their morning commute. But when you get a chance, go check out Have I Been Pwned and see if you're part of this overall breach. But at a minimum, go out and freeze your credit, and tell people that you love to freeze their credit as well. So again, it's a real good article on ZDNet on your social security numbers. You can go check that out. It's relatively new, so if you Google it, it'll pop up. So go check it out. Now, let's get started on our most riveting content ever. To this date, it's been the most important content you will ever listen to. Well, maybe not, but it's gonna be very helpful for your CISSP. So we're gonna get into rule-based, mandatory, discretionary, and attribute-based access controls. You'll be able to go to CISSP Cyber Training and actually see this content in video format. It will be on YouTube as well, but it's gonna be out there for you and available. Also, let you know that if you go to CISSP Cyber Training and purchase one of the products that we have available for you, we've got a bronze, silver, and gold. It's not commensurate with the Olympics that have just passed, but it's just to kind of put it in a tier system. If you purchase any of that, it all goes to charity. Yes, we are putting all of this into our nonprofit for parents who want to adopt children, and that's where it's all gonna go. I'm not gonna keep any of it, just gonna give it all away. So I highly recommend it. Go do it.
Again, the content's amazing, the content is awesome, and you'll get some great help when you're taking the CISSP, but also know that anything you purchase goes to a good cause. So, rule-based, mandatory, discretionary, and attribute-based access controls. What exactly are this? Are this? That's really good English. You wouldn't know, I'm from Kansas, and so we don't talk real well around here. Yeah, we don't really even talk like that at all. But, introduction to access control models. So, as we're talking about these, we're gonna get into some of the various aspects and why they're important. We're gonna get into a little bit about non-discretionary and discretionary access controls, and then we're gonna roll into rule-based, mandatory, discretionary, and attribute-based controls. Now, I will tell you the one thing that is a bit confusing when you go and you'll see it on the test: you have rule-based and role-based. They both potentially have the same acronym. And I've seen variations of that. They call it RO for role, they've got RU for rule. But just know that if you lump them under one acronym, you could be wrong. So make sure you understand it's RULE and ROLE. They're very different in what they do, even though the acronyms are extremely similar. So we're gonna go through all of those today and just kind of walk you through what you can anticipate for the CISSP and what you should be aware of. So, first we're gonna get into what we call discretionary control, and kind of differentiate between discretionary access controls and non-discretionary access controls. A discretionary access control is a type of control where the resource owner has the authority to determine who can access the resources and what actions they can perform. So, this is the person who is acting as God. They are the one that can determine what is going on.
These owner controls set the permissions, they set the access, and they allow for the flexibility and the autonomy to be able to go and do what you want to do. Now, one thing to think about with this is an access control list. If you've dealt with firewalls, you understand that they have access control lists, or ACLs. And these ACLs are what typically allow you to have access to various aspects on a firewall, right? They allow you to go to certain routing, different routing tables, allow you to go to routing locations. That's what an ACL typically does. Well, in the case of access controls, these ACLs will specify the users and groups who can access a resource and what actions they can perform: read, write, execute, and so forth. So those are the characteristics of a discretionary access control. Now we're gonna kind of get into the advantages, the disadvantages, and some potential use cases around it. The advantage of this is that the resource owners can easily adjust permissions to meet any changing needs that you may have within your organization. And they work really good like that, right? So you know Billy Bob Joe, so you got three first names, Billy Bob Joe. Billy Bob Joe has the ability to go and make these permissions. And then you can go talk to Billy Bob Joe, and he can make the changes for you, which is really cool. And especially when you have ADD like myself, it's nice to go, hey Bob, let's go. Okay. He goes by Bob instead of Billy Bob Joe. If you go to Bob and he says, yes, let's do it, you're good, right? Ease of implementation: DACs are relatively straightforward to implement and to manage. That makes them very good for small organizations and for very collaborative environments. Again, if you know Billy Bob Joe is the person in your organization, it's very easy to go to him and get that information you may need. The disadvantage, though, is it has inconsistent access control.
Because it's decentralized, right? Billy Bob is the only guy that knows how to do it, and that can lead to inconsistencies in providing access. And so you may have to go back to Billy Bob a few times to get this taken care of the right way. Whereas if it's centralized, you now click a button and it becomes very consistent across an organization. Again, in small organizations with very few resources, this can work pretty well. When you're dealing with a much larger organization, then the inconsistencies can get unruly, and it can actually cause you more challenges. There's a higher risk of unauthorized access. Again, without centralized oversight, there is a greater risk that somebody would have unauthorized access due to misconfigurations of the permissions. So again, there's pros and there's cons with doing the discretionary access controls. We talked about some of the use cases: small organizations that need the flexibility to go kick this on and kick it off. And then your collaborative environments, which is allowing resource owners to share resources and set permissions based on the needs for the collaboration. So you have a small group, maybe you have SharePoint sites, maybe you have a development team, and this development team is the one that's set up to go and do this; that would be who you set it up for, that small development team. But again, this does not scale very well. And so therefore, as a security professional, you've got to consider your use case and ask, is this going to need to scale? Is it not going to need to scale? Okay, so non-discretionary access controls. These refer to the access control models where access decisions are made by a centralized authority based on predefined policies rather than what individual resource owners may want or choose.
So if you're a person who likes to fly by the seat of your pants, non-discretionary is not what you want. If you want something that allows you to have some level of control, or a strong level of control, consistency, deployability, non-discretionary access controls are what you may be wanting to go after. So here's just a couple, which we'll talk about. Obviously, these are just a few of them, but the types of non-discretionary access controls would be your MAC, your mandatory access, role-based access, rule-based access controls. All of those will fall under the non-discretionary access controls. Now, just real quickly, mandatory access controls: they are granted on security labels and clearances set by the central authority. They're the ones that will set up the mandatory controls. Users cannot alter these permissions. Role-based: these are granted and assigned to users by the administrator. They are predefined and determined basically for each specific user. And then rule-based: they're determined based on preset, predefined rules such as time of day, location, and so forth. We'll get into more of that here shortly, but just know that the types of non-discretionary access controls are your RBAC, your rule-based, your mandatory access controls. Okay. So characteristics. Centralized control, which we talked about again: it allows for the authority to be consistent and adhere to organizational policies. So a good example around this is if you're in a large enterprise, and in this enterprise, I know that all users that join our organization are going to have this set of limitations, this set of things they can go do. They may not be able to do any sort of administrative adding of names, and they may not be able to do anything as far as their account goes other than just a normal user account.
Now, once you get into added levels of ability, then you can increase what that person might be. So a role-based could be a good example of this, where I'm a standard user, then I want to be an admin. Well, then I get the admin added to my user ability. If I want to be a domain admin, that's a whole separate addition that would need to be added to me. If I wanted to be able to access a certain server at a certain time of day, because it's basically in a walled garden per se, then you would have a rule-based access control. So again, it's very centralized, it's very policy driven. So we talk about policies. Policies aren't like, okay, you're having a policy for the government. This is what we talk about: policies are basically the security rules by which you're creating something. And access might be granted based on these predefined policies, which include classifications, roles, or rules. And so these policies are set up. I'll give you one example of a policy. I'm setting up policies for a data loss protection and insider risk program. These policies are set up so that a USB will only be able to be used at X, Y, and Z. Or if you are uploading to a certain file share, only a certain file share at a certain time of day. Those are policies that are set up specifically to control access. They control what you can and cannot do with the tool. So that's the policy-driven piece of this. Advantages of it: it's high security. Again, centralized control and strict policies provide a high level of security and prevent unauthorized access. They don't allow access to anything except for what you allow them to. So that can be really good. Consistency, we talked about that earlier as well. It allows you to have some level of consistency within your enterprise, and it just makes things flow much better. Disadvantages, though, obviously, is complexity of management.
The management of this can get very out of control at times, especially if you let somebody like me in who gets a little bit distracted. My wife tells me this all the time. I'm working on something, and all of a sudden, squirrel, something pulls me aside, and I go over and work on that, and I go, wait a minute, what was I doing a minute ago? And so, because of that, and you guys might even see that in CISSP Cyber Training, because I'll do a PowerPoint that looks really cool, and then I'll do it on a piece of paper. Because I forgot what I did. That's just kind of crazy at times. But that being said, I don't know where I was going with this. Other than the fact that it's consistency. You want to have some level of consistency to ensure the application access controls are meeting your organization's needs. Okay, no, it's complex management, right? Complex brain, complex management. Reduced flexibility. It does have a rigid structure, which can hinder collaboration and adaptability, especially in a dynamic environment. So when you're dealing with something, this is a great example of this. The organization I'm working with now, really good organization, lots of great people, but it is a monster company, a huge company, right? And it is very complex, and it is not very flexible. And it makes things very challenging when it is not as easy to make changes within the organization. That can happen with these different types of access controls. It can be frustrating, and it can take time. That being said, there are risks that are being put in place. These bureaucratic challenges can add a level of protection to keep many changes from occurring too quickly or too randomly. So it's important that you have some of that in there as well. It's just that trade-off you have to be able to go back and forth with. Use cases, again: military and government, they ensure that the classified information is only protected in a certain way.
We've talked about this in various podcasts. We get into the ability around the military and how it protects you. And then large organizations, obviously, very large enterprises, they have to have consistent access control policies across a very diverse and complex environment. So it's important that they have that as well. So you got to keep in mind that there are times and places in which you would want to use these. All right, role-based access controls. That's the one we're gonna get into right now. And this is typically called RBAC. Now, role-based access controls are a security approach which restricts system access to users based on the role in which they are within your organization. Now, these permissions are assigned to the role, okay, to the role itself. Like, Shon is Security Analyst A. It is assigned to Shon the security analyst, rather than the individual user, Shon Gerber, okay? Or as my friends call me, Enrique. Okay, the ultimate point is to simplify the management of the access rights. So all users that come in get this. All analysts that come in get Y. Now, these characteristics are set up for basically role assignment. These users are assigned the roles based on their job function, and then each role is set with permissions that define what actions the users in that role can perform. So again, what can they actually do? The authorization: this is where the user's active role must be authorized, ensuring that only users with the appropriate role can access certain resources. So you get the assignment, you have the authorization, and then you have the permission, right? That's when it's granted to you. That's when the permissions are given to you. So again: role, Shon the analyst, is assigned the role. The approval will go up to my boss, my boss will authorize it.
Then once my boss authorizes it, the permission is granted, and I now have access to what I need to do. Large organizations will have this very automated, and it doesn't have to actually go to Bob. Or, I should say, it will go to my boss. So this is Shon going to my boss, Billy Bob Joe, and Billy Bob Joe will see this, he'll mash a button and say, yep, approved, and then it'll kick through an automated process by which Shon will get all of the entitlements, all the credentials that he is supposed to have for the role. Again, those are the characteristics of a role-based access control. Now, again, we talked about roles, permissions, and users. So roles are defined in the job function or responsibility. Again: administrator, manager, analyst, employee, it depends. Permissions: these are the specific rights that are assigned to the role, such as read, write, execute, so on and so forth. Those are the permissions that allow Shon to do what he's going to do. And it could also be a set of other entitlements outside of read, write, execute. It could be administrator and so forth. But that would be, I should say, administrator would be a role that Shon would have, and it would just be tied to Shon's name. Users: individuals who are assigned to roles, and they inherit the permissions associated with those roles. Now, the part that can get really squirrelly is the inheritance issue of this. When you have a certain set of credentials, sometimes, depending upon where you're at within your organization, and depending upon the Active Directory structure within your organization, these individuals can inherit permissions based on where they're at within the overall Active Directory tree.
And so we're not going to get into that today, but the point of it is that when you set this up, you have to be very specific on how you set up the roles with individuals. And also know your environment, to know that if these individuals are put into other areas within the organization, they don't inherit types of permissions just because of where they were put. You need to understand that overall plan. One of the things I've learned as a red teamer, and also just being a CISO for a large company, is that that is not a well-known topic. People do not totally understand their infrastructure, to the point of going, yes, Shon gets put into this group. Well, Shon has access to all these things because Shon was put into this group. Well, Shon was also put into another group, which gives him a lot more access to a lot of other things that Shon really shouldn't have access to. And Shon didn't have control of that; I didn't request that access. Somebody just put me in there. Or you were in that group and you moved on to a new role, and guess what? You stayed in that group. They didn't pull you out. So there's a lot of challenges that go along with this, especially dealing with individual user entitlements and user roles. So, what are the advantages around this? Simplified management, obviously: assigning permissions to roles rather than users. RBAC reduces the complexity of managing access rights. Principle of least privilege: it ensures that you only have the access that's necessary to perform the job functions, again, reducing the risk of unauthorized access. So that's a big positive around this. Great for large organizations with many users, and it allows for efficient management. Those are the positives. Here come the downsides. Initial setup can be very complex, right? So just setting all this up can take very careful planning, and it can be complex, which can cause some challenges.
You need to think about it when you're planning this out. And the best thing I have learned is it's better to start small and work your way up than to start big, basically saying, give them access to all this stuff, and then we'll start whittling it down over time. No, you want to start them off small, and then as you build this out, you realize, oh, we really should be giving people access to this. But that needs to go through a committee, rather than you just saying, oh, okay, Bill needs access to this. Click. Now all of a sudden, instead of Bill getting access, all those roles got access. And that's when you can get yourself into a lot of challenges. Role explosion: again, in dynamic environments, the number of roles can proliferate, big $10 word, making the management challenging, right? We talked about that there. The roles grow, you got challenges. Rigidity: changes in job functions or responsibilities can cause frequent updates to roles and permissions. Use cases: large enterprises, again, we talked about them being the ones that have hundreds, if not thousands, of employees based on their roles and responsibilities. Regulated industries, they have to have this. So you'll see a company I'm working with now, and well, many companies, especially as the governments get involved, they do require specific roles, and that these roles have to be audited, and that these roles have to be managed. This again is strict access controls that are based on job function. And then IT systems: controlling access to applications, databases, network resources, and so forth, a lot of that is tied to roles. So again, those are the pros, the cons, and then some of the use cases around role-based access controls. Rule-based access controls. Now, the rule-based: these are accesses granted based on a set of predefined rules by the administrator or system administrator.
These rules dictate the conditions under which access can be allowed or potentially denied, right? So you have two different types of rule-based access. You have predefined and static, and you have condition-based decisions. So let's go into predefined. What is that? These are established in advance, right? So you have this already set up. So it's like an access control list, right? They're already set up, they don't change frequently. They're designed to cover the typical scenarios and the conditions. So if you know in your network that port 443 is allowed through, but port XYZ, 62,252, is not allowed. That would be static, right? You would know 443 is going to go through. Those would be the predefined or static types, and I'm talking ports on an access control list, but that's the kind of rule you would set. The user, that's a predefined static user account. That doesn't change frequently, because every user is going to get it. That's static. Condition-based decisions: these are access based on specific conditions, such as time of day, user location, type of transaction being performed. So you might say that I only want people to make changes if they are in the Dallas Fort Worth area. Okay, that's very close to geofencing in that localized area, but let's just say Dallas Fort Worth. Anybody outside of Dallas, no, that won't work. Now, the gotcha on this is if you have people that are remoting in from other locations, do you allow the virtual environment to be able to fall under that condition? And that might be the condition you set: that only people that have remote access into our environment are the ones that can do this. So again, that's the condition-based decisions. So there's various components to it: rules, subjects, and objects. Rules: these are the specific conditions that must be met for access to be granted.
For example, a rule might state that access to a financial system is only allowed during business hours and not after business hours. Subjects: these are users or entities requesting access to the resources. Myself, I would be a subject, and this would be evaluated against the rules to determine if I should be given access or not. So again, rules are the specific conditions. Subjects are the users and entities. Objects: these are the resources or the data that subjects are trying to access. So this is the stuff I'm trying to get to: files, databases, applications, whatever it is. All right. So you have rules, those are the conditions; subjects, that's the users or the entities; and then three is the objects. These are what we're trying to get to. Okay, so what are the advantages around rule-based access controls? It simplifies the management. By automating these access decisions on a predefined set of rules, administrators can reduce the complexity of managing access controls. Ensures consistency: it ensures that the rules are applied uniformly, right? It's a consistent approach to granting, denying, removing access; it's all very consistent. And I think it works very well, especially when you're dealing with large organizations. The disadvantage of this, though, is the lack of flexibility. So when you're dealing with static rules, they may not be sufficient to cover all scenarios. Also, where you're dealing with rules that maybe are not as static, maybe more dynamic, then keeping these rules up to date and relevant will be a very ongoing and arduous process. It takes a lot of attention to detail for administrators. So you need the right person that can do this. You wouldn't want to let me in there. That would be bad. We would have everybody having access all over the place. But the point of it is that those are some of the challenges that come along with rule-based access.
So some of the use cases around this: financial transactions, implementing time-based restrictions to ensure transactions can only be done during business hours would be a huge part of a financial piece. So if you know you have people that are employees that are remoting in from a certain time, it's only limited to a certain time in which there'll be updates to the system. Otherwise, it's queued. That way, at least then there aren't people trying to do this in the middle of the night, and then the next day you come back and all your money's gone. That's a challenge. Location-based access is another one. That's where you deal with like geofencing of some kind, granting access to sensitive data only when they're in a specific geographic location, such as the office premises. So if you had a certain set of IP addresses where they're allowed, that might be something you would do from a specific rule-based access control.

So now let's get into mandatory access controls. Mandatory access control, this is granted on policies set by a central authority dealing with what we talked about, security labels, right, to classify the resources and the users. This is what we talk about with mandatory access, that it's a non-discretionary access control. And so therefore, it's designed to have your different security levels, such as confidential, secret, and all these are granted by clearances that correspond to these specific levels. So, as an example, before, in the military, I had a classified security clearance, and I was able to reach certain levels of classification based on my security clearance, which I don't have anymore because after time it all goes away. And which is good, right? You want that to happen. But based on what my clearance was, I was allowed access to certain types of information, from secret, top secret, whatever that might be. That was all dependent upon my role. 
Now, these labels are, if you want to have access to certain data, for example, we talk about top secret. Secret, that needs to be, we used to call it a ticket. You have your ticket punched to be able to go and access top secret information or secret information. Or in the case of top secret, it might be even compartmentalized with caveats that only allow you into certain areas. So that you guys, everybody, knows, just because you have access to top secret information doesn't mean, oh, I now know where the aliens are. I can go find the aliens because I have top secret information. No, that's not true. Wherever the aliens are at, there is a special ticket that is probably written in invisible ink that you can't get access to, if they even exist. And so therefore, that's a special ticket to get punched on a certain ride at Disneyland. But no, you have to have a certain caveat to allow you access.

So then when you deal with the components, we talked about labels already, as far as what labels are, just top secret. Then the clearances, these are assigned to determine the level of access that is permitted. A user with a secret clearance has access to resources that are secret or lower. Top secret, top secret or lower. If you have access to just unclassified, that's all you get. You can't go any higher than that. Then you have to have the central authority that's responsible for defining and enforcing the access control policies. It ensures that the access decisions are consistent and aligned with the organizational security requirements. So advantages of this: high security, right? Really limit what people can do. That does not stop people from stealing classified information.

unknown:

I.

SPEAKER_01:

Edward Snowden, good example of that. But it continues to happen, but it is limited because of these high access controls. The thing is, where the Edward Snowdens of the world get the access out is when these security controls are not fully managed correctly. That's how Edward Snowden got access and had access to stuff that he should have not had access to, for one, and then two, when he did have access to it, had the ability to get data out of the organization. That was a big failure. And I know they've fixed that, but they shouldn't have ever gotten that far. So again, with these strict policies, MAC provides a high level of security and control over access to sensitive resources. It prevents unauthorized access. The use of security labels and clearances ensures that only authorized users can access classified information. Hopefully, right, in most cases. Disadvantages of this: it is a very complex beast, and you have to have a person that's specifically set aside in each organization just to deal with classified data. And then you have to have training on how to label it. Only certain people can label it, only certain people can remove the label. There's a lot of complex moving parts on dealing with mandatory access controls. Reduced flexibility, the rigid structure of MAC can hinder collaboration and adaptability, especially in dynamic environments. So again, it reduces the flexibility of your organization. The military is good with that. They like flexibility, but when it comes to classified stuff, they are not flexible. They are unbending, very much so. Talked about the military and the government dealing with classified information and also financial institutions. They are required to have sensitive labeling put on a lot of this. Healthcare industries as well. There's a lot of pieces and parts that need some level of labeling around access.

Okay, attribute-based access controls. 
Now, access is granted on attributes of the user, resource, and the environment, allowing for dynamic and context-aware access control decisions. Now, I will say this is something that you're gonna start seeing more of, this type of activity, I feel in my mind, as we get into AI and that becomes more involved. It's gonna be more context aware of what's actually going on and allow access in and out. So the characteristics: this is dynamic and context aware, which basically means decisions are made based on the combination of attributes, which can change over time and in different contexts. The attributes, such as user role, resource type, and environmental conditions, are evaluated to determine what the access might be. So based on the user's situation, it may allow the access depending upon the need. I have not dealt with this specifically. I've read of it, but I've never actually dealt with it completely. So these attributes would be characteristics of the user, role, department, and so forth. What are the resources that they need to have access to? Classification, type of data, and then the environment, which would be time and location. So you're bringing all these things together, and that would be the attribute of which it would be able to be context aware of what it's trying to allow. Now, these policies will define how attributes are evaluated to grant or deny access. And these policies can be very complex and they could consider multiple attributes. But this is where you're going to need something that has the logic to be able to look at all this. So Shon's allowed access from Hong Kong at a certain time of the day, and he has to use a certain specific IP address to be able to get access because maybe he's using a device from his work, or he's in a geo, I should say, an IP address coming from the office location. 
Those three things have to be in context and have to be working for Shon to have the access that he needs. Then there becomes a policy decision point, or they call it PDP. This is the component that is responsible for evaluating policies and making access decisions based on the attributes and the rules. So this is where the brains of this thing figures this out. Again, you're not going to be able to do it, it has to have a smart HAL. You know, it's got to have something, a brain, that will think through this to allow or deny the access. Hopefully it won't launch you into space. If you guys got the HAL indication, you would understand what I just said. So 2000, what was that? It was, see, I can't remember the name of the, it was like Odyssey 2000. I can't even think of the name of the movie, but it's got HAL, the big red eyeball. Okay, attribute-based access controls, the advantages of this. See, the ADD kicks in every once in a while. Squirrel. High flexibility. ABAC supports complex access control requirements and can adapt to changing conditions and context because it has the ability, the flexibility to do that. It is scalable, right? So its attribute-based approach allows for scalable access controls in large and diverse environments. This really happens a lot, especially, so like if you're dealing with a large company. I don't know if you've all dealt with this. I get lots of different people listening to this podcast: I got people from Spain, I got people from Brazil, I got people in the United States, all over the place, right? Listening to the podcast, which is awesome, right? And they all have come from different backgrounds and different lifestyles. The thing around this, though, that is interesting, is that if you've dealt with a large organization, I've done M&A, which is mergers and acquisitions. You bring in people from companies, your company goes and buys one, you merge it into your organization. So you have to deal with M&A. 
Well, when you're dealing with diverse companies, you have your way that you did your company, right? So this is the way your naming convention is, this is the way you do your IP structure, all of this stuff is based in a certain way. And you have a certain way you do roles. Now you bring in somebody else, right, from the outside. And they did a whole different way of doing business. So how do you merge the two together? And this is where attribute-based access controls could be very valuable. Again, I haven't ever seen it in place. I've just read about it. And I think if you could make it work, this would be really, really cool. The disadvantages, though, is defining and managing attributes and policies can be challenging and requires a very strong infrastructure and expertise. Again, got to find the one, the unicorn. And sometimes the unicorn is out there, but sometimes they're not. If you do find the unicorn, sometimes they want a lot of money, and therefore you don't want the unicorn. So you have to build and train your own little unicorn, which means you get a mule and you stick a cone on its head, and then you hope that someday it will grow into a beautiful unicorn. But right when it starts growing into a beautiful unicorn, it moves on to another role. Yes. So I just kind of, yeah, I went on a tangent there, but it's true, it's so true. Okay, so disadvantages. We talked about that. Managing can be challenging, requiring robust infrastructure. Infrastructure requirements. Implementing ABAC also requires a system for managing and evaluating attributes and policies. Again, you got to have something, and it's going to be expensive to do this. But it could be extremely valuable to you, especially if you're dealing with mergers and acquisitions, that you could put a case together for how this would reduce the risk to your organization, especially from an insider standpoint. 
One of the big issues you run into from an insider point of view is when you start merging companies together, watch out, watch your data leave your organization, because it goes out the door faster than you can even imagine because of the fact that nobody's watching it. Use cases: you have cloud environments. These provide dynamic access controls for user bases, and then organizations with dynamic needs. Again, they support environments where access control needs change frequently based on context and conditions. Again, so these are kind of the areas in which you would deal with attribute-based access controls.

Okay, that is all I have for you today. So I want you guys to head on over to CISSP Cyber Training. Go check it out. Go check out all the free stuff that's there. Go purchase the products. Again, the products go to a nonprofit. Not taking the money. It's all good. Again, we want to help kids; we want to help parents that want to adopt children. We want to try to help in the financial aspects of this through low interest loans, grants, and so forth. And so, therefore, that's the whole purpose of our nonprofit. Again, I'm doing this stuff, I'll be honest with y'all, I enjoy working with this, I enjoy talking to you all. And this is kind of a bit of a therapy for me, but I also want to let you know that I don't need to do this. I want to do this to, one, help you, but then also as we start going forward, going, how do I help families? And that's the overall purpose of CISSP Cyber Training, is to help that. Last thing is head on over to Reduce Cyber Risk as well. I'm a consultant, and so therefore, if you are looking for any sort of consulting needs, I can help you with those. Between myself and the team that I work with, we can pretty much help you in almost everything that comes down to security-related products. Again, reducecyberrisk.com, go check that out for any of your consulting needs. 
Okay, I sound like the guy that's trying to sell you the, what is that? I can't think of that. That Shamu guy. Whatever the guy is trying to sell you, a towel that if you take it and you fill up the water with it, it will work for you forever. Yeah, no, that's not what we're doing here. So, anyway, go to cisspcybertraining.com, check it out, head on over to Reduce Cyber Risk if you need consulting work. Have a wonderful, blessed day, and we will catch you on the flip side. See ya.