| π Back to Exam Syllabus | πΊ RooCloud on YouTube | π RooCloud Practice Exams |
CISSP 14.1 - Comparing Access Control Models (Part 2 of 2)
This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series finishes the family of access control models within identity and access management in Domain 5. It contrasts each model so you can match the right authorization philosophy to the mission and keep access both strong and manageable.
What this episode covers
- Roles and tasks β privileges tie to the role so movement is trivial, and task-based control is a narrower cousin granting specific tasks.
- Why applications use roles β a ladder of roles, each inheriting everything below, slashes the labor of running an application.
- Rule-based control β one global set of rules judged against everyone, like a firewall ending in an implicit deny.
- Attribute-based control β an advanced rule-based form writing multi-attribute policies in near-plain language for real flexibility.
- Mandatory access control β labels on subjects and objects set centrally, with compartments enforcing need to know.
- The lattice model β classifications run hierarchical, compartmentalized, or hybrid, making it rigid but highly secure.
- Risk-based control β deciding access dynamically from environment, situation, and coded policy, sometimes with machine learning.
Watch the full episode above for the worked examples and detailed explanations of each concept.
Frequently Asked Questions
How do roles keep access clean as people move?
By tying privileges to the role, not the person, so movement is trivial. When someone leaves a group, every privilege that group carried vanishes from their account at once. Users can also sit in several roles, so a manager might hold manager, loan officer, and teller roles together. A close cousin is task-based access control, where each user gets a specific set of tasks rather than a broad role.
What defines a rule-based access control model?
A single set of rules applied globally to every subject, with no exceptions per person. The classic example is a firewall, which carries an ordered list of rules that permit certain traffic and judges every packet against the same list. At the very end sits an implicit deny rule, silently blocking anything the earlier rules did not explicitly allow. The rules do not care who you are, only what the traffic is.
How does attribute-based access control add flexibility?
It is an advanced form of rule-based control that writes policies from multiple attributes, like the userβs group, their department, the device they carry, and the network they sit on. That lets you write a policy in near-plain language, such as allowing managers to reach the wide area network from a tablet or smartphone. You get the structure of rules with the precision of real conditions, which is why software-defined networks lean on it.
How does mandatory access control decide who gets in?
Through labels attached to both subjects and objects, set centrally and never by the user. Give a document a Secret label, and only a subject who also carries a matching Secret clearance may open it. Labels form a hierarchy of sensitivity, and the model layers in compartments, like separate boxes inside a level, so you also need the specific compartment label to enter. That is the need to know principle baked directly into the design.
How does a risk-based model decide access on the fly?
By weighing the environment, the situation, and policies written directly into software code. A doctor in the emergency room during an active crisis is judged low risk and granted full access, while a pharmacist checking for drug interactions gets narrower access to the same records. The model reads signals like the login location, whether multi-factor authentication was used, and whether the device is compliant, and advanced versions use machine learning to compare current behavior against past patterns.
π Master the ISC2 CISSP Exam!
Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.
Reference: This article is based on concepts discussed in CISSP 14.1 - Comparing Access Control Models (Part 2 of 2).