
Page 255

Content- and Context-Dependent Access Controls

Content- and context-dependent access controls are not full-fledged access control methods in their own right, but can play a defense-in-depth supporting role. Historically they may be added as an additional control, typically to DAC systems, but now these approaches are commonly used as significant attributes within an ABAC ecosystem.

Content-dependent access control adds additional criteria beyond identification and authentication: the actual content the subject is attempting to access. All employees of an organization may have access to the HR database to view their accrued sick time and vacation time. Should an employee attempt to access the content of the CIO’s HR record, access is denied.

Context-dependent access control applies additional context before granting access. A commonly used context is time. After identification and authentication, a help desk worker who works Monday–Friday from 9 AM to 5 PM will be granted access at noon on a Tuesday. A context-dependent access control system could deny access on Sunday at 1:00 AM (wrong time, and therefore wrong context).
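The two checks described above, as an added illustration that is not code from the book: a content-dependent check that lets every authenticated employee read the HR database but only their own record, and a context-dependent check that admits a help desk worker only inside a weekday 9 AM to 5 PM shift. The record layout, the shift window, and the users are constructed for the example.

```python
"""Content- and context-dependent checks layered on top of a basic
identify/authenticate flow.  Added illustration; the HR record layout,
the help-desk shift window and every user below are constructed."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Subject:
    user_id: str
    role: str            # e.g. "employee" or "helpdesk"
    authenticated: bool  # identification and authentication already passed


@dataclass(frozen=True)
class HRRecord:
    owner_id: str        # the employee whose balances these are
    sick_hours: float
    vacation_hours: float


# Constructed sample HR database: every employee has a record, including the CIO.
RECORDS = {
    "alice": HRRecord("alice", 24.0, 80.0),
    "cio": HRRecord("cio", 40.0, 160.0),
}


def content_dependent_check(subject: Subject, record: HRRecord) -> bool:
    """Decision depends on the content being requested, not only on who asks:
    an employee may read the HR database, but only the record they own."""
    if not subject.authenticated:
        return False
    return record.owner_id == subject.user_id


def read_hr_balances(subject: Subject, record_owner: str):
    """Return (sick_hours, vacation_hours) or None when access is denied."""
    record = RECORDS.get(record_owner)
    if record is None or not content_dependent_check(subject, record):
        return None
    return (record.sick_hours, record.vacation_hours)


# Constructed help-desk shift: Monday (0) to Friday (4), 09:00 to 17:00 local time.
HELPDESK_DAYS = range(0, 5)
HELPDESK_START_HOUR = 9
HELPDESK_END_HOUR = 17


def context_dependent_check(subject: Subject, when: datetime) -> bool:
    """Time of the request is the context: a help-desk worker who is fully
    authenticated is still denied outside the shift (wrong time, wrong context)."""
    if not subject.authenticated or subject.role != "helpdesk":
        return False
    in_days = when.weekday() in HELPDESK_DAYS
    in_hours = HELPDESK_START_HOUR <= when.hour < HELPDESK_END_HOUR
    return in_days and in_hours


if __name__ == "__main__":
    alice = Subject("alice", "employee", True)
    print("alice reads own record:", read_hr_balances(alice, "alice"))
    print("alice reads CIO record:", read_hr_balances(alice, "cio"))
    bob = Subject("bob", "helpdesk", True)
    print("bob, Tuesday noon:", context_dependent_check(bob, datetime(2024, 1, 9, 12, 0)))
    print("bob, Sunday 1 AM:", context_dependent_check(bob, datetime(2024, 1, 7, 1, 0)))
```

Both checks run after identification and authentication have already succeeded, which is the point: a valid password does not by itself settle the decision. Note that the time check uses the evaluation clock passed in, so the policy can be tested against fixed timestamps rather than the machine's current time.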

Risk-Based Access Control

Though the nomenclature makes risk-based access control sound rather generic, the real-world implications are substantial. The classic access control paradigm involves determining whether a subject should be granted or denied access to an object. While this sounds rather straightforward, the current threat landscape involves adversaries targeting users and their associated systems to gain access to resources accessible to the compromised user or system. A significant access control question becomes whether the subject seeking access is actually an adversary that has gained some degree of control over the subject.

Risk-based access control aims to apply dynamic or adaptive access control measures when and where they are determined to be necessary. Two manifestations of risk-based access control are adaptive authentication and step-up authentication. Both approaches require, under certain circumstances, additional vetting of a subject before it is permitted access to an object.

Exam Warning
On the CISSP® exam, RBAC stands for Role-Based Access Control. Be careful not to confuse the RBAC abbreviation with either rule-based access control or risk-based access control. Both rule-based access control and risk-based access control will always be spelled out on the exam.

Step-Up Authentication

Step-up authentication requires users to pass additional validation before being allowed to proceed with access to data or functions previously defined to be more sensitive or critical. A common scenario involving step-up authentication would be requiring a user to revalidate their MFA before being allowed to carry out a critical transaction. Step-up authentication can be considered a type of risk-based access control in that it focuses on assets that, if compromised, would result in more substantial impact.
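The step-up scenario above, as an added example that is not code from the book: a session verified by password is sufficient for routine functions, but functions previously classified as critical require that MFA was revalidated recently, otherwise the decision is "step up" rather than allow or deny. The operation classification, the freshness window, and the session values are constructed for the example.

```python
"""Step-up authentication as a risk-based control.  Added illustration; the
operation classification, the MFA freshness window and the session values
are constructed, not from the book."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP_REQUIRED = "step_up_required"  # revalidate MFA, then retry the request
    DENY = "deny"


# Functions defined in advance as more sensitive or critical (constructed).
CRITICAL_OPERATIONS = {"wire_transfer", "change_payout_account", "export_all_records"}
ROUTINE_OPERATIONS = {"view_balance", "view_statement"}

# How recent an MFA validation must be for a critical function (constructed).
MFA_FRESHNESS = timedelta(minutes=5)


@dataclass
class Session:
    user_id: str
    password_verified: bool
    last_mfa_at: Optional[datetime]  # None if MFA has never been validated this session


def authorize(session: Session, operation: str, now: datetime) -> Decision:
    """Routine functions need only the password-verified session; critical
    functions additionally need an MFA validation inside MFA_FRESHNESS."""
    if not session.password_verified:
        return Decision.DENY
    if operation in ROUTINE_OPERATIONS:
        return Decision.ALLOW
    if operation in CRITICAL_OPERATIONS:
        fresh = (session.last_mfa_at is not None
                 and now - session.last_mfa_at <= MFA_FRESHNESS)
        return Decision.ALLOW if fresh else Decision.STEP_UP_REQUIRED
    return Decision.DENY  # unknown operation: fail closed


def record_mfa_success(session: Session, now: datetime) -> Session:
    """Called once the user passes the step-up challenge; the session then
    satisfies the freshness requirement until the window expires."""
    session.last_mfa_at = now
    return session


if __name__ == "__main__":
    t0 = datetime(2024, 1, 9, 12, 0)
    s = Session("alice", password_verified=True, last_mfa_at=None)
    print("view_balance:", authorize(s, "view_balance", t0))
    print("wire_transfer before step-up:", authorize(s, "wire_transfer", t0))
    record_mfa_success(s, t0)
    print("wire_transfer 2 min after MFA:", authorize(s, "wire_transfer", t0 + timedelta(minutes=2)))
    print("wire_transfer 10 min after MFA:", authorize(s, "wire_transfer", t0 + timedelta(minutes=10)))
```

The three-valued decision matters: returning STEP_UP_REQUIRED lets the application prompt for the additional factor and retry, whereas a plain deny would give a compromised session and a legitimate user the same experience. The freshness window is the knob that bounds how long a stolen but authenticated session stays useful for critical functions.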