Читать книгу The Official (ISC)2 SSCP CBK Reference - Mike Wills - Страница 121

Access control is all about subjects and objects (see Figure 2.1). Simply put, subjects try to perform an action upon an object; that action can be reading it, changing it, executing it (if the object is a software program), or doing anything to the object. Subjects can be anything that is requesting access to or attempting to access anything in a system, whether data, metadata, or another process, for whatever purpose. Subjects can be people, software processes, devices, or services being provided by other web-based systems. Subjects are trying to do something to or with the object of their desire. Objects can be collections of information, or the processes, devices, or people who have that information and act as gatekeepers to it. This subject-object relationship is fundamental to your understanding of access control. It is a one-way relationship: objects do not “do anything” to a subject. Don't be fooled into thinking that two subjects, interacting with each other, is a special case of a bidirectional access control relationship. It is simpler, more accurate, and much more useful to see this as two one-way subject-object relationships. It's also critical to see that every task is a chain of these two-way access control relationships. It's clearer to see this as two one-way trust relationships as well.

FIGURE 2.1 Subjects and objects

As an example, consider the access control system itself as an object. It is a lucrative target for attackers who want to get past its protections and into the soft underbellies of the information assets, networks, and people behind its protective moat. In that light, hearing these functions referred to as data center gatekeepers makes a lot of sense. Yet the access control system is a subject that makes use of its own access control tables and of the information provided to it by requesting subjects. (You, at sign-on, are a subject providing a bundle of credential information as an object to that access control process.)