Interior Page Icon

Access Control

Constraining What the Adversary Can Do

The Big Idea

Use access control mechanisms to constrain actions adversaries can take and ensure that they are effectively limiting harm, while still allowing legitimate users to continue mission or business functions.

Cyber Resiliency Goals & Objectives

Access control supports the Anticipate and Withstand goals and the Constrain and Prevent objectives.

Design Principles

The design principles for access control improve the ability of component systems and services to constrain an adversary's actions, making it harder for the adversary to attack the organization’s crown jewels (e.g., critical applications and data stores).

What Can Be Done Now

To maximize the effectiveness of Access Control, apply the following resiliency techniques.

The Right People & Policies

Cyber Attack Lifecycle

Using the cyber resiliency techniques, analytic monitoring, coordinated defense, privilege restriction, and segmentation, as described above, defenders can detect the adversary, impede the adversary's attack on the enterprise and limit the damage the malware causes. The use of coordinated defense, privilege restriction, and segmentation impede the adversary's ability to initiate the exploit. The use of analytic monitoring enables the defenders to detect the adversary's efforts after this initial exploitation. When the adversary attempts to control the initial victims both privilege restriction and segmentation limit and impede these efforts. Coordinated defense in concert with privilege restriction and segmentation limitandimpedethe adversary's ability to execute the attack plan and maintain a presence in the enterprise.

Synergies & Barriers

Synergies among practices include Coordinated Defense and Segmentation. Barriers to adoption include:

Just Ahead

The growing convergence of enterprise systems (the “system of systems”) and the Internet of Things technologies will increase the potential adversary attack surface, and further erode the concept of a secure boundary. To address this problem requires increased layering of access control throughout the system. This can be achieved through various means such as virtualization or encryption to separate critical and non-critical resources (segmentation) and by requiring dynamically increased level of privileges to access more sensitive information (privilege restriction).

See Key Concepts and Terms for definitions

Previous Activity Back to Menu Next Activity