Network Security
CHAPTER 11

Authentication and Access Control

Updated: May 15, 2026
25 min read

1. Introduction

Firewalls and encryption ensure that hackers cannot easily break into a network from the outside or read data in transit. However, what if the hacker simply logs in through the front door using stolen credentials? The perimeter is only as strong as the identities allowed to cross it. In this chapter, we will explore the mechanisms of proving identity (Authentication), the enforcement of permissions (Access Control), and the absolute necessity of the Principle of Least Privilege.

2. Learning Objectives

By the end of this chapter, you will be able to:
  • Define the difference between Identification, Authentication, and Authorization.
  • Understand the three factors of Multi-Factor Authentication (MFA).
  • Differentiate between DAC, MAC, and RBAC access control models.
  • Apply the Principle of Least Privilege (PoLP) to network design.
  • Understand the function of Identity and Access Management (IAM) systems.

3. Beginner-Friendly Explanation

Imagine a secure government facility.
  • Identification: You walk up to the guard and say, "I am Alice." (Typing your username).
  • Authentication: The guard says, "Prove it." You hand the guard your driver's license. (Typing your password).
  • Multi-Factor Authentication (MFA): The guard checks your ID, then asks you to scan your fingerprint on a biometric reader. (Providing a second form of proof).
  • Authorization / Access Control: The guard verifies you are Alice. They look at a clipboard. The clipboard says Alice is allowed into the Lobby, but Alice is NOT allowed into the Server Room. The guard unlocks the Lobby door but leaves the Server Room locked.

4. The Three Factors of Authentication

Relying solely on passwords (Something you *know*) is fundamentally broken. Passwords are guessed, leaked in data breaches, or stolen via phishing. Robust security requires Multi-Factor Authentication (MFA), combining at least two of the following:
  1. Something you know: A password or PIN.
  2. Something you have: A smartphone (authenticator app), a hardware token (YubiKey), or a smart card.
  3. Something you are: Biometrics (fingerprint, iris scan, facial recognition).

5. Access Control Models

Once authenticated, how does the network decide what you can do?
  • Discretionary Access Control (DAC): The creator of a file decides who can read it. (Common in home Windows PCs).
  • Mandatory Access Control (MAC): The strictest model. The operating system strictly enforces rules based on clearance levels (e.g., Top Secret vs. Unclassified). Even the creator of a file cannot share it with someone lacking the clearance. (Used in military networks).
  • Role-Based Access Control (RBAC): The enterprise standard. Permissions are tied to *Roles*, not individuals.
*Example:* Alice and Bob are assigned the role HR_Manager. The network grants the HR_Manager role access to the payroll database. If Alice leaves the company and Charlie is hired, you simply assign Charlie the role; you don't have to manually recreate 50 individual permissions.
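A minimal Python model of the RBAC pattern just described, added here as an illustration (it is not the chapter's own code; the roles, users and permission names are constructed). Users are bound only to roles, never to individual permissions, so Alice leaving and Charlie joining is one removal and one assignment, a department transfer is a role swap, and anything not granted through a role is denied by default.

```python
from dataclasses import dataclass, field

# Role -> set of permissions. Constructed sample data for this example.
ROLE_PERMISSIONS = {
    "HR_Manager": {"payroll_db:read", "payroll_db:write"},
    "Marketing":  {"cms:read", "cms:write"},
    "Finance":    {"accounting:read", "accounting:write"},
}

@dataclass
class Directory:
    """Minimal RBAC directory: user -> set of role names."""
    user_roles: dict = field(default_factory=dict)

    def assign_role(self, user, role):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke_role(self, user, role):
        self.user_roles.get(user, set()).discard(role)

    def remove_user(self, user):
        # Deprovisioning: dropping the user drops every permission at once.
        self.user_roles.pop(user, None)

    def permissions(self, user):
        # Effective permissions are the union of the user's roles.
        return set().union(*(ROLE_PERMISSIONS[r] for r in self.user_roles.get(user, set())))

    def is_allowed(self, user, permission):
        # Default deny: unknown users and ungranted permissions both fail.
        return permission in self.permissions(user)

def demo():
    d = Directory()
    d.assign_role("alice", "HR_Manager")
    d.assign_role("bob", "HR_Manager")
    d.remove_user("alice")                   # Alice leaves the company
    d.assign_role("charlie", "HR_Manager")   # Charlie is hired: a single assignment
    d.assign_role("dave", "Finance")
    d.revoke_role("dave", "Finance")         # Dave transfers Finance -> Marketing:
    d.assign_role("dave", "Marketing")       # accounting access goes away with the role
    return d
```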

6. The Principle of Least Privilege (PoLP)

This is the most important concept in Access Control. PoLP states: A user, program, or process should be granted the bare minimum privileges necessary to perform its legitimate function, and absolutely nothing more.
  • A Marketing intern should not have administrative rights to install software on their corporate laptop.
  • A Web Server should not have permission to execute commands on the Database Server; it should only have permission to read and write specific data rows.

7. Mini Project: Create a Secure User Access Policy

Drafting policy is a core responsibility of security management.

An Access Control Policy Checklist:

  1. Enforce MFA Everywhere: VPNs, email portals, and internal databases must require MFA. No exceptions for executives.
  2. Implement RBAC: Audit all existing user accounts. Ensure permissions are tied to Job Titles (Roles), not directly assigned to names.
  3. Automate Deprovisioning: Create a strict workflow with HR. When an employee is terminated, their Active Directory account and VPN access must be disabled within 15 minutes to prevent insider threats.
  4. Regular Access Reviews: Every 90 days, managers must review the permissions of their staff and revoke access to systems they no longer need (e.g., an employee who transferred from Finance to Marketing should lose access to the accounting software).

8. Real-World Scenarios

A system administrator is tired of typing their complex password every time they need to fix a minor issue on a server. They create a secondary account called Admin-Backup with the password Welcome123 and grant it full Domain Admin privileges. A week later, a low-level malware infection on a receptionist's computer scans the network, discovers the Admin-Backup account, brute-forces the weak password, and instantly gains full control over the entire corporate network. A violation of the Principle of Least Privilege turned a minor infection into a total catastrophic breach.
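From the defender's side, the scenario above leaves a telltale pattern in authentication logs: a burst of failed logons for one account from one source, followed by a success. The Python detection below is added here (it is not from the chapter) and runs over a constructed sample log: the Admin-Backup account name is the chapter's, while the host names, IP addresses and the key=value log format are made up. It raises the alert severity when the account is on a privileged list.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simple syslog-like key=value format.
SAMPLE_LOG = """\
2026-05-15T09:00:01 host=dc01 event=logon_failed user=Admin-Backup src=10.0.5.23
2026-05-15T09:00:02 host=dc01 event=logon_failed user=Admin-Backup src=10.0.5.23
2026-05-15T09:00:03 host=dc01 event=logon_failed user=Admin-Backup src=10.0.5.23
2026-05-15T09:00:04 host=dc01 event=logon_failed user=Admin-Backup src=10.0.5.23
2026-05-15T09:00:05 host=dc01 event=logon_failed user=Admin-Backup src=10.0.5.23
2026-05-15T09:00:06 host=dc01 event=logon_success user=Admin-Backup src=10.0.5.23
2026-05-15T09:05:00 host=dc01 event=logon_failed user=alice src=10.0.7.11
2026-05-15T09:05:20 host=dc01 event=logon_success user=alice src=10.0.7.11
"""

LINE_RE = re.compile(r"^(\S+) host=(\S+) event=(\S+) user=(\S+) src=(\S+)$")

def parse(log_text):
    """Turn log lines into (timestamp, host, event, user, src) tuples; skip unparseable lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, event, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), host, event, user, src))
    return events

def detect_brute_force_success(events, threshold=5, window=timedelta(minutes=10), privileged=()):
    """Alert on a successful logon preceded by >= threshold failures for the same
    (user, src) pair inside `window`. Privileged accounts are rated critical."""
    recent_failures = defaultdict(list)
    alerts = []
    for ts, host, event, user, src in sorted(events):
        key = (user, src)
        if event == "logon_failed":
            recent_failures[key].append(ts)
        elif event == "logon_success":
            failures = [t for t in recent_failures[key] if ts - t <= window]
            if len(failures) >= threshold:
                alerts.append({"user": user, "src": src, "host": host, "at": ts.isoformat(),
                               "failures": len(failures),
                               "severity": "critical" if user in privileged else "high"})
            recent_failures[key].clear()   # a success resets the counter for that pair
    return alerts
```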

9. Best Practices

  • Separation of Duties: No single individual should have the authority to execute a high-risk transaction entirely on their own. For example, a developer who writes code should not have the access rights to deploy that code directly to the live production server. A separate operations team must review and deploy it. This prevents unilateral malicious actions.
Access logs containing usernames, login times, and IP addresses are often considered Personally Identifiable Information (PII) under privacy frameworks like GDPR. Security teams must ensure that authentication logs are stored securely and accessed only for legitimate incident response or auditing purposes.

11. Exercises

  1. Define the Principle of Least Privilege (PoLP). Give a practical example of how PoLP applies to an entry-level employee's workstation.
  2. Explain why SMS text messages are increasingly considered a weak form of "Something you have" in Multi-Factor Authentication.

12. FAQs

Q: What is Single Sign-On (SSO) and is it secure?

A: SSO (like Okta or Microsoft Entra ID) allows a user to log in once and gain access to dozens of corporate applications without re-typing their password. It is highly secure because it centralizes authentication, allowing the security team to enforce strict MFA policies in one place, rather than relying on 50 different applications to manage security correctly.

13. Interview Questions

  • Q: Differentiate between Discretionary Access Control (DAC) and Role-Based Access Control (RBAC). Why is RBAC preferred in large enterprise environments?
  • Q: Describe a scenario where implementing the Principle of Least Privilege on a service account (not a human user) prevents a lateral movement attack during a breach.

14. Summary

In Chapter 11, we reinforced the network perimeter by securing the identities allowed to cross it. We distinguished between Identification, Authentication, and Authorization. We established that passwords alone are insufficient, making Multi-Factor Authentication (MFA) mandatory. We explored Access Control models, standardizing on Role-Based Access Control (RBAC) for operational efficiency. Finally, we elevated the Principle of Least Privilege (PoLP) as the cornerstone philosophy for mitigating both external breaches and insider threats.

15. Next Chapter Recommendation

Even with perfect access control, the software running on the network might have flaws. How do we find and fix those flaws before the hackers do? Proceed to Chapter 12: Network Vulnerability Management.