Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
SPEAKER_00 (00:00):
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber, and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.
(00:21):
Alright, let's get started.
SPEAKER_01 (00:25):
Hey, I'm Sean Gerber with CISSP Cyber Training, and I hope you all are having a blessed day today. Today is an amazing day. It truly is. Yeah, you know why? Because we get to talk about role-based, mandatory, discretionary, and attribute-based access controls. Giddy up, yeehaw! It's gonna be fun today.
(00:47):
Yeah, I hope you all don't fall asleep on your morning commute. Yeah, no, we'll talk about that. Actually, if you have a Tesla, kick it in self-drive as we get going, because you're gonna enjoy this so much that you will be riveted to the point where you will not be able to brake. Yes, that is very true. Actually, it's probably because there'll be drool coming out of your mouth as you fall asleep. No, you know I'm just joking about all this stuff.
(01:07):
It's designed to be super riveting and super enjoyable. So, hey, let's get started. But before we do, right, before we do, one real quick article. I don't know if you all saw this. If you're listening to this and you are in the United States, or you're an expat and you're listening to it overseas, you may have been informed that your social security number has been leaked.
(01:28):
Oh no, this is the end of the world as we know it, right? Cue song. Yeah, no, I don't have that song. But anyway, the cool part about all this is, well, so not really cool, but the interesting part, I should say, is the fact that there was like a gob, like three billion personal records were stolen, basically because they were tied to social security numbers, addresses, you name it,
(01:50):
all that stuff.
Now, the interesting part on all this is that with three billion records, the positive part is they're gonna have to go through a lot of records to find your stuff. The other thing is, if you've been listening to CISSP Cyber Training, you obviously are someone who's probably been around a little while with your security stuff, and therefore, one, you probably have protections in place, but two,
(02:11):
you know as well as I do that your stuff has been compromised and pwned multiple times. So this is not a new development for you. But that being said, this was part of the National Public Data. I had never heard of it, honestly. But what they do is a company that makes money by collecting and selling access to your personal data to credit
(02:32):
companies, employers, and private investigators. These guys, there's so many people who have access to your data. That's the part that is just unnerving, honestly. It's just craziness. But this group called USDoD snatched about three billion records, which included addresses, social security numbers, all that kind of stuff. They basically have your history, address history for the
(02:55):
past three decades' worth. If you're old like me, you'll have addresses for three decades. If you're not, you're probably going, dude, I've got like a decade, if that. Yeah. But it doesn't really matter. The fact is, they've got your stuff. That being said, don't be out there and go, don't go jump off a cliff and say, oh, this is the end of the world. It's not. You just obviously have to put some protections in place.
(03:18):
And I'm telling you all this because you probably already know this, but I would recommend that you talk to people that you love, that are close to you, that may not know this. And so it's important that we talk through these things just so it is a refresher for you all. First thing you need to do is obviously go to Have I Been Pwned and see if your records were part of this breach. As of right now, my records were not, as of right now.
(03:40):
Yeah, who knows? But they've been part of a lot of other breaches that have been in place. So go there, check it out, see what's going on. Obviously, if you're listening to this, you probably already have a credit freeze enabled with your overall credit. Go in, do that. I would also recommend that you talk to your family members about how to do this themselves.
(04:01):
I've got a couple podcasts that have gone through enabling your credit, or not enabling your credit, but enabling the overall freezes. And I would recommend that you do that. Just whatever it takes, get people to go and freeze their credit, because that's the best way to protect them in this situation. Also, enabling the multi-factor that goes along with it is an important part. So monitor your credit, go out there, freeze it.
(04:23):
The other thing to do is, if you thought that you've been caught with any sort of your data being compromised, like your social security number specifically, this is from Dark Reading. Actually, it's from ZDNet, and it's actually a really good step-by-step guide on what you should do to deal with a social security number that has been potentially compromised. And I will tell you, though, if you do this, don't anticipate
(04:48):
it to be done within a couple weeks. Yeah, it might be a couple months, and it could take even longer than that. But the bottom line on all this is, here's the thing I have learned in security and dealing with lawyers. If you know that your stuff has been compromised, just the date on which you submit it is perfect. That's what you need. You need to let them know that you know it and you found out
(05:09):
about it and you are submitting it. And then keep all that documentation, because if at any point in time your social security number or your benefits get stolen and they start doing stuff with your account, you have the track record that you actually submitted it, you knew it, and you dealt with it. It's a whole lot easier to go from there, at least trying to claw back any potential money that may have been taken
(05:32):
from your account when you know that you've actually submitted it. So go check it out. I'd highly recommend you go do that as soon as you possibly can. Obviously, don't do it now while you're driving. The reason I say that is many of the people that listen to this podcast are going to and from work, and they use this as their morning commute. But when you get a chance, go check out Have I Been Pwned and see if you're part of this overall breach.
(05:53):
But at a minimum, go out and freeze your credit and tell people that you love to freeze their credit as well. So again, it's a real good article on ZDNet on your social security numbers. You can go check that out. It's relatively new, so if you Google it, it'll pop up. So go check it out. Now, let's get started in our most riveting content ever. To this date, it's been the most important content you will ever
(06:14):
listen to. Yeah, well, maybe not, but it's gonna be very helpful for your CISSP. So we're gonna get into rule-based, mandatory, discretionary, and attribute-based access controls. You'll be able to go to CISSP Cyber Training. You can actually see this content in the video format. It will be on YouTube as well, but it's gonna be out there for you and available. Also, let you know if you go to CISSP Cyber Training and
(06:35):
purchase one of the products that we have available for you. We've got a bronze, silver, and gold. It's not in commensurate with the Olympics that have just passed, but it's just to kind of put it in a tier system. If you purchase any of that, it all goes to charity. Yes, we are putting all of this in our charity, our nonprofit for parents who want to adopt children, and that's where it's all gonna go.
(06:56):
I'm not gonna keep any of it, just gonna give it all away. So I highly recommend it. Go do it. Again, the content's amazing, the content is awesome, and you'll get some great help when you're taking the CISSP, but also know that anything you purchase goes to a good cause. So, rule-based, mandatory, discretionary, and attribute-based access controls.
(07:17):
What exactly are this? Are this? That's really good English. You wouldn't know I'm from Kansas, and so we don't talk real well around here. Yeah, we don't really even talk like that at all. But introduction to access control models. So, as we're talking about these, we're gonna get into some of the various aspects and why they're important. We're gonna get into a little bit about non-discretionary and
(07:38):
discretionary access controls, and then we're gonna roll into rule-based, mandatory, discretionary, and attribute-based controls. And you're gonna see those. Now, I will tell you the one thing that is a bit confusing when you go and you'll see on the test: you have rule-based and role-based. They both potentially have the same acronym. And I've seen variations of that. They call it RO for role, they've got RU for rule.
(08:02):
But just know that if you lump one under the acronym, you could be wrong. So make sure you understand it's RULE and ROLE. They're very different in what they do, even though the acronyms are extremely similar. So we're gonna go through all of those today and just kind of walk you through what you can anticipate for the CISSP and what you should be aware of.
(08:23):
So, first we're gonna get into what we call discretionary control, and kind of differentiate between discretionary access controls and non-discretionary access controls. A discretionary access control is a type of control where the resource owner has the authority to determine who can access the resources and what actions they can perform. So, this is the person who is acting as God.
(08:45):
They are the one that can determine what is going on. These owner controls set the permissions, they set the access, and they allow for the flexibility and the autonomy to be able to go and do what you want to do. Now, one thing to think about with this is an access control list. Now, if you've dealt with firewalls, you understand that they have access control lists, or ACLs.
(09:08):
And these ACLs are what typically allow you to have access to various aspects on a firewall, right? So they'll allow you to go to certain routing, different routing tables, allow you to go to routing locations. These are what an ACL typically does. Well, in the case of access controls, these ACLs will specify users and groups who can access a resource and what
(09:30):
actions they can perform. Read, write, execute, and so forth. So those are the characteristics of a discretionary access control. Now we're gonna kind of get into the advantages, the disadvantages, and some potential use cases around it. The advantage of this is that the resource owners can easily adjust permissions to meet any changing needs that you may have within your organization.
(09:51):
And they work really good like that, right? So you know Billy Bob Joe, so you got three first names, Billy Bob Joe. Billy Bob Joe has the ability to go and make these permissions. And then you can go talk to Billy Bob Joe and they can make the changes for you, which is really cool. And especially when you have ADD like myself, it's nice to go, hey Bob, let's go.
(10:12):
Okay. He goes by Bob instead of Billy Bob Joe. If you go to Bob and he says, yes, let's do it, you're good, right? Ease of implementation: DACs are relatively straightforward to implement and to manage. That makes them very good for small organizations and for very collaborative environments. Again, if you know Billy Bob Joe is the person in your organization, it's very easy to go to him and get that
(10:35):
information you may need. The disadvantage, though, is it has inconsistent access control. Because it's decentralized, right? Billy Bob is the only guy that knows how to do it, and it can lead to inconsistencies in providing access. And so you may have to go back to Billy Bob a few times to get this information taken care of the right way. Whereas if it's centralized, you now click a button and it
(10:58):
becomes very consistent across an organization. Again, for small organizations with very few resources, this can work pretty well. When you're dealing with a much larger organization, then the inconsistencies can get unruly and it can actually cause you more challenges. There's a higher risk of unauthorized access. Again, without centralized oversight, there is a greater risk that somebody would have unauthorized access due to
(11:21):
misconfigurations of the permissions. So again, there's pros and there's cons with doing the discretionary access controls. Again, we talked about some of the use cases: it would be small organizations that need flexible abilities to go kick this on and kick it off. And then your collaborative environments, which are allowing resource owners to share resources and set permissions based on the needs for the collaboration.
(11:43):
So you have a small group, maybe you have SharePoint sites, maybe you have a development team, and this development team is the one that is set up to go and do this; then that would be someone you reach out to. Or not reach out to, you would set it up for that small development team, though. But again, this does not scale very well. And so therefore, it's important that you consider your use case as a security professional, going, is this
(12:06):
going to need to scale? Is it not going to need to scale? Okay, so non-discretionary access controls. These refer to the access control models where access decisions are made by a centralized authority based on predefined policies rather than what individual resource owners may want or choose. So if you're a person who likes to fly by the seat of
(12:28):
your pants, non-discretionary is not what you want. If you want something that is allowing you to have some level of control or a strong level of control, consistency, deployability, non-discretionary access controls are what you may be wanting to go after. So here's just a couple, which we'll talk about. Obviously, these are just a few of them, but the types of
(12:48):
non-discretionary access controls would be your MAC, your mandatory access, role-based access, rule-based access controls. All of those will fall under the non-discretionary access controls. Now, just real quickly, mandatory access controls, they are granted on security labels and clearances set by the central authority. So they're the ones that will set up the mandatory
(13:09):
controls. Okay, users cannot alter these permissions. Role-based is where they're granted, assigned to users by the administrator. Okay, these are predefined and determined basically for each specific user. And then rule-based, they're determined based on preset, defined rules such as time of day, location, and so forth. So we'll get into more of that here shortly, but
(13:31):
just know that the types of non-discretionary access controls are your RBAC, your rule-based, your mandatory access controls. Okay. So, characteristics: centralized, we talked about that again; centralized control allows for the authority to be consistent and in adherence to organizational policies. So a good example around this is if you're in a large enterprise, and in this enterprise, I know that all users that join our
(13:54):
organization are going to have these set of limitations, these set of things they can go do. They may not be able to do any sort of administrative adding of names, and they may not be able to do anything as far as their account goes other than just a normal user account. Now, once you get into added levels of ability, then
(14:15):
you can increase what that person might be. So a role-based could be a good example of this, where I'm a standard user, then I want to be an admin. Well, then I get the admin added to my user ability. If I want to be a domain admin, that's a whole separate additional add that would need to be added to me. If I wanted to be able to access a certain server at a certain time of day, because it's basically in a walled
(14:39):
garden per se, then you would have a rule-based access control. So again, it's very centralized, it's very policy driven. So we talk about policies. Policies aren't like, okay, you're having a policy for the government. This is what we talk about. Policies are basically the security rules by which you're creating something. And this access might be granted based on these
(15:00):
predefined policies, which include classifications, roles, or rules. And so these policies are set up. So I'll give you one example of a policy. I'm setting up policies for a data loss protection and insider risk program. These policies are set up so that a USB will only be able to be used at X, Y, and Z. Or if you are uploading to a certain file share, only a
(15:22):
certain file share at a certain time of day. Those are policies that are set up specifically to control access. They control what you can and cannot do with the tool. So yeah, that's the policy-driven piece of this. Advantages of it: it's high security. Again, centralized control, strict policies provide a high level of security and prevent unauthorized access.
(15:43):
They don't allow access to anything except for what you allow them to. So that can be really good. Consistency, we talked about that earlier as well. It allows you to have some level of consistency within your enterprise, and it just makes things flow much better. The disadvantage, though, obviously, is complexity of management. The management of this can get very out of control at times,
(16:04):
especially if you let somebody like me in who gets a little bit distracted. My wife tells me this all the time. I'm working on something, and all of a sudden, squirrel, something pulls me aside, and I go over and work on that, and I go, wait a minute, what was I doing a minute ago? And so, because of that, and you guys might even see that in CISSP Cyber Training, because I'll do a PowerPoint that looks really cool, and then I'll do it on a piece of paper.
(16:24):
Yeah, because I forgot what I did. Yeah, that's just kind of crazy at times. But that being said, I don't know where I was going with this. Other than the fact that it's consistency. You want to have some level of consistency to ensure the application of access controls is meeting your organization's needs. Okay, no, it's complex management, right? Complex brain, complex management. Reduced flexibility.
(16:45):
It does have a rigid structure, which can hinder collaboration and adaptability, especially in a dynamic environment. So when you're dealing with something, this is a great example of this. The organization I'm working with now, really good organization, lots of great people, but it is a monster company, huge company, right? And it is very complex and it is not very flexible.
(17:07):
And it makes things very challenging when it is not as easy to make changes within the organization. That can happen with these different types of access controls. It can be frustrating and it can take time. That being said, there are risks that are in place. These bureaucratic challenges can add a level of protection to keep from many changes occurring too quickly or
(17:29):
too randomly. So it's important that you have some of that in there as well. That's the trade-off you have to be able to go back and forth with. Use cases, again, military and government; they ensure that the classified information is only protected in a certain way. We've talked about this in various podcasts. We get into the ability around the military and how it protects you. And then large organizations, obviously, very large
(17:52):
enterprises, they have to have consistent access control policies across a very diverse and complex environment. So it's important that they have that as well. So you've got to keep that in mind that there's times and places in which you would want to use these. All right, role-based access controls. So that's the one we're gonna get into right now. And this is typically called RBAC. Now, role-based access controls are a security approach which
(18:14):
restricts system access to users based on the role in which they are within your organization. Now, these permissions are assigned to the role, okay, to the role itself. Like Sean is security analyst A. It is assigned to Sean, the security analyst, rather than the individual user, Sean Gerber, okay? Or as my friends call me, Enrique.
(18:35):
Okay, the ultimate point is to simplify the management of the access rights. So all users that come in get this. All analysts that come in get Y. Now, these characteristics are set up basically for role assignment. These users are assigned the roles based on their job function, and then each role is set on permissions that define what actions the users in that role can perform.
(18:56):
So again, what can they actually do? The authorization, this is where the user's active role must be authorized, ensuring that only users with the appropriate role can access certain resources. So you get the assignment, you have the authorization, and then you have the permission, right? That's when it's granted to you. That's when the permissions are given to you. So again, the role, Sean the analyst, is assigned the role.
(19:19):
The approval will go up to my boss, my boss will authorize it. Then once my boss authorizes it, then the permission is granted, and I now have access to what I need to do. Large organizations will have this very automated, and it doesn't have to actually go to Bob. Or I should say it will go to my boss. So this is Sean going to my boss, Billy Bob Joe, and Billy
(19:42):
Bob Joe will see this, he'll click, he'll mash a button and say, yep, approved, and then it'll kick through an automated process by which Sean will get all of the entitlements, all the credentials that he is supposed to have for the role. Again, those are the characteristics of a role-based access control. Now, again, we talked about roles, permissions, and users. So roles are defined by the job function or responsibility.
(20:04):
Again, administrator, manager, analyst, employee, it depends. Permissions, these are the specific rights that are assigned to the role, such as read, write, execute, so on and so forth. Okay, those are the permissions that allow Sean to do what he's going to do. And then also it could be a set of other entitlements outside of read, write, execute.
(20:24):
It could be administrator and so forth. But that would be, I should say, administrator would be a role that Sean would have, and it would just be tied to Sean's name. Users, individuals who are assigned to roles, and then they inherit permissions associated with those roles. Now, the part that can get really squirrely is the inheritance issue of this. When you have a certain set of credentials,
(20:46):
sometimes, depending upon where you're at within your organization, and depending upon the Active Directory structure within your organization, sometimes these individuals can inherit permissions based on where they're at within the overall Active Directory tree. And so we're not going to get into that today, but the point of it is that it's important that when you have these, you
(21:07):
set this up, you have to be very specific on how you set up the roles with individuals. And then also know your environment, to know that if these individuals are put into other areas within the organization, they don't inherit types of permissions just because of where they were put. You need to understand that overall plan. One of the things I've learned as a red teamer, and then also
(21:28):
just being a CISO for a large company, is that this is not a well-known topic. People do not totally understand their infrastructure to the point of going, yes, Sean gets put into this group. Well, Sean has access to all these things because Sean was put into this group. Well, Sean was also put into another group, which gives him a lot more access to a lot of other things that Sean really
(21:49):
shouldn't have access to. And Sean didn't have control of that; I didn't request that access. Somebody just put me in there. Or you were in that group and you moved on to a new role, and guess what? They stayed in that group. They didn't pull you out. So there's a lot of challenges that go along with this, especially dealing with individual user entitlements and user roles.
(22:09):
So, what are the advantages around this? Simplified management, obviously: assigning permissions to roles rather than users. Okay, RBAC reduces the complexity of managing access rights. Principle of least privilege ensures that you only have the access that's necessary to perform the job functions, again reducing the risk of unauthorized access. So that's a big positive around this.
(22:30):
Great for large organizations with many users, and it allows for efficient management. Those are the positives. Here come the downsides. Initial setup can be very complex, right? So just setting all this up can take very careful planning, and it can be complex, which can cause some challenges. You need to think about it when you're planning this out. And the best thing I have learned is it's better to start
(22:50):
small and work your way up than to start big, like basically saying, give them access to all this stuff, and then we'll start whittling it down over time. No, you want to start them off small, and then as you build this out, you realize, oh, we really should be giving people access to this. But that needs to go through a committee rather than you just saying, oh, okay, Bill needs access to this.
(23:12):
Click. Now all of a sudden, instead of Bill getting access, all those roles got access. And now that's when you can get yourself into a lot of challenges. Role explosion: again, in dynamic environments, the number of roles can proliferate, big $10 word, making the management challenging, right? We talked about that there. The roles grow, you've got challenges.
(23:33):
Rigidity: changes in job functions or responsibilities can cause frequent updates to roles and permissions. Use cases: large enterprises, again, we talked about them being the ones that have hundreds, if not thousands, of employees based on their roles and responsibilities. Regulated industries, they have to have this. So you'll see a company I'm working with now, and well, many
(23:54):
companies, especially as the governments get involved, they do require specific roles, and that these roles have to be audited, and that these roles have to be managed. This again is strict access controls that are based on job function. And then IT systems: controlling access to applications, databases, network resources, and so forth, a lot of that is tied to roles. So again, those are the pros, the cons, and then some of
(24:16):
the use cases around role-based access controls. Rule-based access controls. Now, the rule-based, these are accesses granted based on a set of predefined rules by the administrator or system administrator. These rules dictate the conditions under which access can be allowed or potentially denied, right? So you have two different types of rule-based access.
(24:37):
You have predefined and static, and you have condition-based decisions. So let's go into predefined. What is that? These are established in advance, right? So you have this already set up. So it's like an access control list, right? They're already set up, they don't change frequently. They're designed to cover the typical scenarios and the conditions. So if you know in your network that port 443
(24:59):
is allowed through, but port XYZ, 62252, is not allowed. That would be static, right? You would know 443 is going to go through. Those would be the predefined or static types, and I'm talking ports on an access control list, but that's what kind of rule you would say. The user, that's a predefined static user account. That doesn't change frequently, because every user is going to
(25:21):
get it. That's static. Condition-based decisions, these are access based on specific conditions, such as time of day, user location, type of transaction being performed. So if you say that I only want people to make changes if they are in the Dallas-Fort Worth area.
(25:41):
Okay, that's very close to geofencing in that localized area, but let's just say Dallas-Fort Worth. Anybody outside of Dallas, no, that won't work. Now, the gotcha on this is if you have people that are remoting in from other locations, do you allow the virtual environment to be able to fall under that condition? And that might be the condition you set, is that
(26:03):
the only people that can have remote access into our environment are the ones that can do this. So again, those are the condition-based decisions. So there's various components to it: rules, subjects, and objects. Rules, these are the specific conditions that must be met for access to be granted. For example, a rule might state that access to a financial system is only allowed during business hours and not after
(26:25):
business hours. Subjects, these are users or entities requesting access to the resources, such as myself; I would be a subject, and this would be evaluated against the rules to determine if I should be given access or not. So again, rules are specific conditions. Subjects are the users and entities. Objects, these are the resources or the data that subjects are
(26:47):
trying to access. So this is the stuff I'm trying to get to. So if you do files, databases, applications, whatever it is. All right. So you have rules, those are the conditions; subjects, that's the users or the entities; and then three is the objects. These are what we're trying to get. Okay. Okay, so what are the advantages around rule-based access
(27:07):
controls?
It simplifies the management.
Okay, so it does by automatingthese access decisions on a
predefined set of rules,administrators can reduce the
complexity of managing accesscontrols.
Ensures consistency, they are itensures that the rules are
applied uniformly, right?
Their consistent approach togranting, denying, removing
(27:28):
access, it's all very consistent. And I think it works very well, especially when you're dealing with large organizations. The disadvantage of this, though, is the lack of flexibility. So when you're dealing with static rules, they may not be sufficient to cover all scenarios. It also could be where you're dealing with rules that maybe are not as static, maybe more dynamic, then you have
(27:50):
keeping these rules up to date and relevant will be a very ongoing and arduous process. It takes a lot of attention to detail for administrators. So you need the right person that can do this. You wouldn't want to let me in there. That would be bad. We would have everybody having access all over the place. But the point of it is that those are some of the challenges that come along with rule-based access.
(28:10):
So some of the use cases around this: financial transactions, implementing time-based restrictions to ensure transactions can only be done during business hours would be a huge part of a financial piece. So if you know you have people that are employees that are remoting in at a certain time, that it's only limited to a certain time in which there'll be updates to the system.
(28:30):
Otherwise, it's queued. That way, at least then there aren't people trying to do this in the middle of the night, and then the next day you come back and all your money's gone. That's a challenge. Location-based access is another one, that's where you deal with geofencing of some kind, granting access to sensitive data only when they're in a specific geographic location, such as the office premises.
(28:51):
So if you had a certain set ofIP addresses where they're
allowed, that might be somethingyou would do from a specific
rule-based access control.
So now let's get into mandatory access controls.
Mandatory access control, this is granted on policies set by a central authority dealing with what we talked about, security labels, right, to classify the resources and the users.
(29:12):
This is, as we talk about the fact of this, the mandatory access of this, it's a non-discretionary access control.
And so therefore, it's designed to have your different security levels, such as confidential, secret, and all these are granted by clearances that correspond to these specific levels.
So, as an example, before, military, I had classified, uh,
(29:34):
security clearance, and I was able to reach certain levels of classification based on my security clearance, which I don't have anymore because after time it all goes away.
And which is good, right?
You want that to happen.
But based on what my clearance was, I was allowed access to certain types of information from secret, top secret, whatever that might be.
That was all dependent upon my role.
(29:54):
Now, these labels are, if you want to have access to certain data, for example, we talk about top secret.
Secret, that needs to be, we used to call it a ticket.
You have your ticket punched to be able to go and access top secret information or secret information.
Or in the case of top secret, it might be even compartmentalized and caveats that only allow you into certain areas.
(30:16):
So that you guys, everybody, knows is that just because you have access to top secret information doesn't mean, oh, I now know where the aliens are.
I can go find the aliens because I have top secret information.
No, that's not true.
Wherever the aliens are at, there is a special ticket that is probably written in invisible ink that you can't get access to, if they even exist.
(30:36):
And so therefore, that's a special ticket to get punched on a certain ride at Disneyland.
But no, you have to have a certain caveat to allow you access.
So then when you deal with the components, so we talked about labels already, as far as what labels are, just top secret, then the clearances, these are assigned to determine the level of access that is permitted.
A user with a secret clearance has access to resources that are
(30:59):
secret or lower.
Top secret, top secret or lower.
If you have access to just unclassified, that's all you get.
You can't go any higher than that.
Then you have to have the central authority that's responsible for defining and enforcing the access control policies.
It ensures that the access decisions are consistent and aligned with the organizational security requirements.
(31:20):
So advantages of this, high security, right?
Really limit what people can do.
That does not stop people from stealing classified information.
unknown (31:27):
I.
SPEAKER_01 (31:28):
Edward Snowden, good example of that.
But it continues to happen, but it is limited because of these high access controls.
The thing is, where the Edward Snowdens of the world get the access out is when these security controls are not fully managed correctly.
That's how Edward Snowden got access and had access to stuff
(31:50):
that he should have not had access to, for one, and then two, when he did have access to it, had the ability to get data out of the organization.
That was a big failure.
And I know they've fixed that, but they shouldn't have ever gotten that far.
So again, these strict policies, MAC provides a high level of security and control over access to sensitive resources.
It prevents unauthorized access.
(32:11):
The use of security labels and clearances ensures that only authorized users can access classified information.
Hopefully, right, in most cases.
Disadvantages of this, it is a very complex beast, and you have to have a person that's specifically set aside in each organization just to deal with classified data.
And then you have to have training on how to label it.
(32:32):
Only certain people can label it, only certain people can remove the label.
There's a lot of complex moving parts on dealing with mandatory access controls.
Reduced flexibility, the rigid structure of MAC can hinder collaboration and adaptability, especially in dynamic environments.
So again, it reduces the flexibility of your organization.
The military is good with that.
(32:53):
They don't like, they like flexibility, but when it comes to classified stuff, they are not flexible.
They are unbending, very much so.
Talked about the military and the government dealing with classified information and also financial institutions.
They are required to have sensitive labeling put on a lot of this.
Healthcare industries as well.
There's a lot of pieces and parts that need some level of
(33:13):
labeling around access.
Okay, attribute-based access controls.
Now, access is granted on attributes of the user, resource, and the environment, allowing for dynamic and context-aware access control decisions.
Now, I will say this is something that's gonna, you're gonna start seeing more of this type of activity, I feel in my mind, as we get into AI and that becomes more involved.
(33:36):
It's gonna be more context aware of what's actually going on and allow access in and out.
So the characteristics, this is dynamic and context aware, basically means decisions are made based on the combination of attributes, which can change over time and in different contexts.
The attributes, such as user role, resource type, and environmental conditions, are evaluated to determine what the
(33:56):
access might be.
So based on this, the user's situation, it may allow the access depending upon the need.
Um, I have not dealt with this specifically.
I've read of it, but I've never actually dealt with it completely.
So such of these attributes would be characteristic of the root of the user, role, department, and so forth.
What are the resources that they need to have access to?
(34:17):
Classification, type of data, and then the environment, which would be time and location.
So you're bringing all these things together, and that would be the attribute of which it would be able to be context aware of what it's trying to allow.
Now, these policies will define how attributes are evaluated to grant or deny access.
And these policies can be very complex, and they could consider
(34:38):
multiple attributes.
But this is where you're going to need something that has the logic to be able to look at all this.
So Sean's allowed access from Hong Kong at a certain time of the day, and he has to use a certain specific IP address to be able to get access because maybe he's using a device from his work, and/or he's in a geo, I should say, an IP
(35:00):
address coming from the office location.
Those three things have to be in context and have to be working for Sean to have the access that he needs.
Then there becomes a policy decision point, or they call it PDP.
This is the component that is responsible for evaluating policies and making access decisions based on the attributes and the rules.
So this is where the brains of this thing figures this out.
(35:22):
Again, you're not going to be able to do it, it has to have a smart HAL.
You know, it's got to have something, a brain that will think through this to allow or deny the access.
Hopefully it won't launch you into space.
If you guys got the HAL indication, you would understand what I just said.
So 2000, what was that?
It was, uh, see, I can't remember the name of the, it was like
(35:43):
Odyssey 2000.
I can't even think of the name of the movie, but it's got HAL, the big red eyeball.
Okay, attribute-based access controls, the advantages of this.
See, the ADD kicks in every once in a while.
Squirrel.
High event, high flexibility.
ABAC supports complex access control requirements and can adapt to changing conditions and context because it has the ability, the flexibility, to do that.
(36:04):
It is scalable, right?
So its attribute-based approach allows for scalable access controls in large and diverse environments.
This really happens a lot, especially if, so, like if you're dealing with a large company, I don't know if you've all dealt, I get lots of different people listening to this podcast, I got people from Spain, I got people from Brazil, I got people in the United States, all over the place, right?
Listening to the podcast, which is awesome, right?
(36:26):
And they all have come from different backgrounds and different lifestyles.
The thing around this, though, is interesting, is that if you've dealt with a large organization, I've done M&A, which is mergers and acquisitions.
You bring in people from companies, your company goes and buys one, you merge it into your organization.
So you have to deal with M&A.
Well, when you're dealing with diverse companies, you have your
(36:48):
way that you did your company, right?
So this is the way your naming convention is, this is the way you do your IP structure, all of this stuff is based in a certain way.
Well, now, and you have a certain way you do roles.
Now you bring in somebody else, right, from the outside.
And they did a whole different way of doing business.
So how do you merge the two together?
And this is where attribute-based access controls could be very valuable.
(37:09):
Again, I haven't ever seen it in place.
I've just read about it.
And I think if you could make it work, this would be really, really cool.
The disadvantages, though, is defining and managing attributes and policies can be challenging and requires a very strong infrastructure and expertise.
Again, got to find the one, the unicorn.
And sometimes the unicorn is out there, but sometimes they're
(37:29):
not.
If you do find the unicorn, sometimes they want a lot of money, and therefore you don't want the unicorn.
So you have to build and train your own little unicorn, which means you get a mule and you stick a cone on its head, and then you hope that someday it will grow into a beautiful unicorn.
Uh, but right when it starts growing into a beautiful unicorn, it moves on to another role.
Yes.
So I just kind of, yeah, I went on a tangent there, but it's
(37:52):
true, it's so true.
Okay, so disadvantages.
We talked about that.
Managing can be challenging, requiring robust infrastructure.
Infrastructure requirements.
Implementing ABAC also requires a system for managing and evaluating attributes and policies.
Again, you got to have something, and it's going to be expensive to do this.
But it could be extremely valuable to you, especially if you're dealing with mergers and acquisitions, that you could
(38:12):
put a case together for how this would reduce the risk to your organization, especially from an insider standpoint.
One of the big issues you run into from an insider point of view is when you start merging companies together, watch out, watch your data leave your organization, because it goes out the door faster than you can even imagine because of the fact that nobody's watching it.
Use cases, you have cloud environments.
These provide dynamic access controls for user bases, and
(38:35):
then organizations with dynamic needs.
Again, they support environments where access control needs change frequently based on context and conditions.
Again, so these are kind of the areas in which you would deal with attribute-based access controls.
Okay, that is all I have for you today.
So I want you guys to head on over to CISSP Cyber Training.
Go check it out.
Go check out all the free stuff that's there.
(38:57):
Go purchase the products.
Again, the products go to a nonprofit.
Not taking the money.
It's all good.
Again, we want to help kids that, uh, we want parents that want to adopt children.
We want to try to help in the financial aspects of this through low interest loans, grants, and so forth.
And so, therefore, that's the whole purpose of our nonprofit.
Again, I'm doing this stuff.
(39:18):
I'll be honest with y'all.
I enjoy working with this, I enjoy talking to you all.
And this is kind of a bit of a therapy for me, but I also want to let you know that I don't do, I don't, I don't need to do this.
I want to do this to, one, help you, but then also as we start going forward, going, how do I help families?
And that's the overall purpose of CISSP Cyber Training, is to help that.
Last thing is head on over to Reduce Cyber Risk as well.
I'm a consultant, and so therefore, if you are looking
(39:39):
for any sort of consulting needs, uh, I can help you with those.
Between myself and the team that I work with, we can pretty much help you in almost everything that comes down to security-related products.
Again, reducecyberrisk.com, go check that out for any of your consulting needs.
Okay, I sound like the guy that's on, that's trying to sell you the, uh, what is that?
I can't think of that.
(40:00):
That Shamu guy.
Whatever, the guy is trying to sell you a, uh, this is a towel that if you take it and you fill up the water with it, it will work for you forever.
Yeah, no, that's not what we're doing here.
So, anyway, go to cspcybertraining.com, check it out, head on over to Reduce Cyber Risk if you need consulting work.
Have a wonderful, blessed day, and we will catch you on the flip side.
See ya.