In this chapter, you learned the basics of access control. The purpose of access control is to regulate interactions between a subject (such as a human user or a process acting on that user's behalf) and an object (such as data, a network, or a device). The key difference between the subject and the object is passivity: the subject is the active party, and it acts upon a passive object. There are three key components of access control: identification, authentication, and authorization. First, both the subject and the object must be identified. Second, the subject's claimed identity must be proven, that is, authenticated. Finally, the authenticated subject is authorized (or denied) to act upon the object. You can establish logical access controls for individual subjects, for groups of subjects, and for objects.
Authentication methodologies are based on three factors: something you know (such as a password or PIN), something you have (such as a smart card or hardware token), and something you are (a biometric such as a fingerprint). Once the subject is identified and authenticated using one or more of these factors, the authorization system grants or denies access to an object according to a defined rule base, such as an access control list, with any request that matches no rule being denied.
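The three steps described in this chapter, carried through in code as an added example that is not part of the original text. The subjects, groups, objects, passwords and rule base are constructed for illustration. Authentication uses the "something you know" factor (a salted PBKDF2 password hash compared in constant time), and authorization consults a rule base that holds entries for individual subjects and for groups, denying by default when no rule matches.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# --- Identification: subjects, groups and objects are named entities.
# All names, passwords and rules below are constructed for this example.
GROUPS = {
    "analysts": {"alice", "bob"},
    "admins": {"carol"},
}

# Rule base: object -> {subject or "@group": set of permitted actions}.
# Anything not listed is denied (default deny).
RULE_BASE = {
    "incident_report.txt": {"@analysts": {"read"}, "carol": {"read", "write"}},
    "prod_db": {"@admins": {"read", "write"}},
}


@dataclass
class Credential:
    """Stored verifier for the 'something you know' factor: a salted
    PBKDF2 digest, never the password itself."""
    salt: bytes
    digest: bytes


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def enroll(password: str) -> Credential:
    salt = os.urandom(16)
    return Credential(salt, _derive(password, salt))


# Credential store keyed by subject identity (constructed sample data).
CREDENTIALS = {
    "alice": enroll("correct horse battery staple"),
    "bob": enroll("bob-pass-1"),
    "carol": enroll("admin-pass-2"),
}


def identify(subject: str) -> bool:
    """Identification: is this a subject the system knows about?"""
    return subject in CREDENTIALS


def authenticate(subject: str, password: str) -> bool:
    """Authentication: prove the claimed identity with a password.
    A wrong password and an unknown subject both fail, and the unknown
    case still does a derivation so the two take similar time."""
    cred = CREDENTIALS.get(subject)
    if cred is None:
        _derive(password, b"\x00" * 16)
        return False
    return hmac.compare_digest(_derive(password, cred.salt), cred.digest)


def authorize(subject: str, action: str, obj: str) -> bool:
    """Authorization: look up rules for the subject itself and for each
    group it belongs to. No matching rule means access is denied."""
    rules = RULE_BASE.get(obj, {})
    if action in rules.get(subject, set()):
        return True
    for group, members in GROUPS.items():
        if subject in members and action in rules.get("@" + group, set()):
            return True
    return False


def access(subject: str, password: str, action: str, obj: str) -> str:
    """Run the three gates in order; each must pass before the next."""
    if not identify(subject):
        return "unidentified"
    if not authenticate(subject, password):
        return "authentication failed"
    if not authorize(subject, action, obj):
        return "authorization denied"
    return "granted"


if __name__ == "__main__":
    for req in [("alice", "correct horse battery staple", "read", "incident_report.txt"),
                ("alice", "correct horse battery staple", "write", "incident_report.txt"),
                ("bob", "bob-pass-1", "read", "prod_db"),
                ("mallory", "guess", "read", "incident_report.txt")]:
        print(req[0], req[2], req[3], "->", access(*req))
```

Note that `access()` reports a distinct "unidentified" result to show the identification step on its own; a production login form would normally return the same generic failure for an unknown subject and a wrong password so that it does not reveal which accounts exist.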