xliv Access Control Models
ity, when Joe takes the data from that machine and copies it to his laptop to work on when traveling on the airplane, that data has most likely become compromised unless Joe's laptop, too, has been reviewed, inspected, and cleared for processing of that particular level of data sensitivity. If his machine has not been cleared, there is no assurance that the data has NOT been compromised. The policies in place at Joe's organization must be known to Joe in order to be effective, and they must be enforced in order to remain effective.
Access Control Criteria
When implementing security access controls, five common criteria are used to determine whether access is to be granted or denied: location, identity, time, transaction, and role (LITTR). Location refers to the physical or logical place from which the user attempts access. Identity refers to the process that is used to uniquely identify an individual or program in a system. Time parameters can be control factors that are used to control resource use (for example, contractors are not allowed access to system resources after 8:00 P.M. Monday through Friday, and not at all on weekends). Transaction criteria are program checks that can be performed to protect information from unauthorized use, such as validating whether or not a database query against Payroll records that is coming from a user identified as belonging to the HR department is valid. Finally, a role defines which computer-related functions can be performed by a properly identified user with an exclusive set of privileges specific to that role. All of these criteria are implemented in varying degrees across the depth and breadth of a security plan. The policies and procedures used by an organization to make the plan effective determine the interplay among these criteria.
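The following is an added illustration, not code from the book, of a policy decision point that checks all five LITTR criteria in turn and denies on the first failure. The 8:00 P.M. contractor cut-off and the HR-only Payroll query check come from the text; the user directory, the corporate address range, the role-to-operation table and the user names are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed identity directory: who a subject is (Identity), the
# department the Transaction check consults, and the Roles held.
USERS = {
    "alice": {"department": "HR", "roles": {"hr_analyst"}, "contractor": False},
    "bob":   {"department": "IT", "roles": {"helpdesk"},   "contractor": True},
}

# Location: requests are considered only from the corporate network
# (constructed address range).
CORPORATE_NET = ip_network("10.0.0.0/8")

# Role: which (resource, operation) pairs each role may perform (constructed).
ROLE_PERMISSIONS = {
    "hr_analyst": {("payroll_db", "query")},
    "helpdesk":   {("ticket_system", "update")},
}


@dataclass
class AccessRequest:
    user: str
    source_ip: str
    when: datetime
    resource: str
    operation: str


def payroll_query_check(user: dict, req: AccessRequest) -> bool:
    """Transaction criterion from the text: a query against Payroll records
    is valid only when it comes from a user who belongs to HR."""
    return user["department"] == "HR"


# Program checks keyed by the transaction they protect.
TRANSACTION_CHECKS = {("payroll_db", "query"): payroll_query_check}


def contractor_hours_ok(when: datetime) -> bool:
    """Time criterion from the text: contractors get no access after
    8:00 P.M. Monday through Friday and none at all on weekends."""
    if when.weekday() >= 5:  # Saturday is 5, Sunday is 6
        return False
    return when.hour < 20


def decide(req: AccessRequest) -> tuple:
    """Evaluate the five LITTR criteria; any failure denies (default deny).
    Returns (granted, reason) so the reason can be logged for review."""
    user = USERS.get(req.user)
    if user is None:                                              # Identity
        return False, "identity: unknown user"
    if ip_address(req.source_ip) not in CORPORATE_NET:            # Location
        return False, "location: outside corporate network"
    if user["contractor"] and not contractor_hours_ok(req.when):  # Time
        return False, "time: outside contractor hours"
    check = TRANSACTION_CHECKS.get((req.resource, req.operation))  # Transaction
    if check is not None and not check(user, req):
        return False, "transaction: program check failed"
    allowed = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user["roles"]))
    if (req.resource, req.operation) not in allowed:              # Role
        return False, "role: operation not permitted for the user's roles"
    return True, "granted"


def decide_at(user: str, source_ip: str, iso_when: str, resource: str, operation: str) -> tuple:
    """Convenience wrapper taking the time as an ISO 8601 string."""
    return decide(AccessRequest(user, source_ip, datetime.fromisoformat(iso_when), resource, operation))


if __name__ == "__main__":
    print(decide_at("alice", "10.1.2.3", "2024-01-09T10:00", "payroll_db", "query"))
    print(decide_at("bob", "10.1.2.3", "2024-01-09T21:00", "ticket_system", "update"))
```

The order of the checks is a design choice: the cheap, context-only criteria (identity, location, time) run before the transaction check, which may need to consult the request body, and the role lookup runs last; the returned reason names which criterion denied so that the decision can be audited.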
Access Control Models
When an organization begins to implement access control procedures, there are three basic models from which an administrator can choose to implement. These three models are (1) Mandatory, (2) Discretionary, and (3) Nondiscretionary. Each has its particular strengths and weaknesses, and the implementer must decide which model is most appropriate for his or her given environment or situation. It is important to point out that most operating, network, and application systems security software in use today provides administrators with the capability to perform data categorization, discretionary access control, identity-based access control, user-discretionary access control, and non-discretionary access control. This section will provide an overview of each type of access control model. Armed with this information, an implementer of access controls will be able to make better decisions about which model is most appropriate for his or her purposes.
Mandatory Access Control Model
Mandatory access control occurs when both the resource owner and the system grant access based on a resource security label. A security label is a designation assigned to a resource [24] (such as a file). According to The NIST Handbook:
    Security labels are used for various purposes, including controlling access, specifying protective measures, or indicating additional handling instructions. In many implementations, once this designator has been set, it cannot be changed (except perhaps under carefully controlled conditions that are subject to auditing).

    When used for access control, labels are also assigned to user sessions. Users are permitted to initiate sessions with specific labels only. For example, a file bearing the label “Organization Proprietary Information” would not be accessible (readable) except during user sessions with the corresponding label. Moreover, only a restricted set of users would be able to initiate such sessions. The labels of the session and those of the files accessed during the session are used, in turn, to label output from the session. This ensures that information is uniformly protected throughout its life on the system.
Security labels are a very strong form of access control. Because they are costly and difficult to administer, security labels are best suited for information systems that have very strict security requirements (such as those used by government, financial, and R&D organizations that handle classified information or information that, if lost, would severely or critically degrade the financial viability of the organization). Security labels are an excellent means for consistent enforcement of access restrictions; however, their administration and highly inflexible characteristics can be a significant deterrent to their use.
Generally, security labels cannot be changed because they are permanently linked to specific information. For this reason, user-accessible data cannot be disclosed as a result of a user copying information and changing the access rights on a file in an attempt to make that information more accessible than the document owner originally intended. This feature eliminates most types of human errors and malicious software problems that compromise data. The drawback to using security labels is that sometimes the very feature that protects user data also prevents legitimate use of some information. As an example, it is impossible to cut and paste information from documents that have different access levels assigned to their respective labels.
Data Categorization
One method used to ease the burden of administering security labeling is to categorize data by similar protection requirements (data categorization). As an example, a label could be developed specifically for “Company Proprietary Data.” This label would mark information that can be disclosed only to the organization's employees. Another label, “General Release Data,” could be used to mark information that is available to anyone.
When considering the implementation of Mandatory Access Controls with security labels, one must decide between using a rule-based approach where access is granted based on resource rules or using an administratively directed approach where access is granted by an administrator who oversees the resources. Using a rule-based approach is most often preferred because members of a group can be granted access simply by validating their membership in that group. Access levels are assigned at a group level so all members of the group share a minimum level of access. All files that are created or edited by any one of the members of that group are equally accessible to any other members, because the security labels that are instituted have all members of the group sharing equal access to the group resources. Trust is extended to the membership as a whole simply because membership in the group without having proper access would not be allowed.
The rule-based approach is also less administratively intensive than having an administrator manually oversee resources, granting or withdrawing access on an individual, case-by-case basis. There are some instances where the administratively directed approach is preferable, however. Consider a scenario where there are only a few members that need access to extremely sensitive information. The owner of this information may choose to manually oversee security label application simply to maintain a personal level of control over the access to highly sensitive materials.
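The behaviour described in the NIST Handbook passage and the data categorization discussion above, as an added example that is not code from the book: labels are immutable once assigned, a user may open a session only at a label his or her clearance dominates, a session may read only material its label dominates, output is labelled from the session and everything it read, and an attempt to copy data out under a lower label is refused. The two-level ordering (General Release below Company Proprietary), the “accounting” group compartment used for the rule-based group approach, and the users and files are constructed assumptions.

```python
from dataclasses import dataclass, FrozenInstanceError

# Assumed ordering for the two label names used in the text.
LEVELS = {"General Release": 0, "Company Proprietary": 1}


@dataclass(frozen=True)  # frozen: once set, a label cannot be changed
class Label:
    level: str
    groups: frozenset = frozenset()  # rule-based group compartments (assumed)

    def dominates(self, other: "Label") -> bool:
        """True if a session bearing self may read material labelled other."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.groups >= other.groups)

    def join(self, other: "Label") -> "Label":
        """Least upper bound: the label output must carry when derived from both."""
        top = max(self.level, other.level, key=LEVELS.__getitem__)
        return Label(top, self.groups | other.groups)


class Resource:
    """A labelled file. The label is fixed at creation; there is no setter."""

    def __init__(self, name: str, label: Label, data: str):
        self.name, self._label, self.data = name, label, data

    @property
    def label(self) -> Label:
        return self._label


class Session:
    def __init__(self, user: str, clearance: Label, requested: Label):
        # Users may initiate sessions only with labels their clearance dominates.
        if not clearance.dominates(requested):
            raise PermissionError(f"{user} is not cleared to open a {requested.level} session")
        self.user, self.label = user, requested
        self.output_label = requested  # raised by every labelled file read

    def read(self, res: Resource) -> str:
        if not self.label.dominates(res.label):
            raise PermissionError(f"{self.label.level} session may not read {res.name}")
        self.output_label = self.output_label.join(res.label)
        return res.data

    def write_output(self, name: str, data: str, as_label=None) -> Resource:
        """Output carries the join of the session label and the labels of the
        files read. A different label is accepted only if it still dominates
        that join, so copying data out under a lower label is refused."""
        label = as_label or self.output_label
        if not label.dominates(self.output_label):
            raise PermissionError(f"cannot write {self.output_label.level} data as {label.level}")
        return Resource(name, label, data)


def demo() -> dict:
    """Walk through the scenarios from the text and report each outcome."""
    acct = frozenset({"accounting"})
    handbook = Resource("handbook.txt", Label("General Release"), "public policy text")
    payroll = Resource("payroll.csv", Label("Company Proprietary", acct), "salary data")
    joe = Session("joe", Label("Company Proprietary", acct), Label("Company Proprietary", acct))
    joe.read(handbook)
    joe.read(payroll)
    results = {"output_label": joe.write_output("memo.txt", "summary").label}
    try:  # cut-and-paste into a General Release document is refused
        joe.write_output("leak.txt", "summary", as_label=Label("General Release"))
        results["write_down"] = "allowed"
    except PermissionError:
        results["write_down"] = "refused"
    guest = Session("guest", Label("General Release"), Label("General Release"))
    try:  # a low session cannot read proprietary material
        guest.read(payroll)
        results["guest_reads_payroll"] = "allowed"
    except PermissionError:
        results["guest_reads_payroll"] = "refused"
    try:  # only a restricted set of users may initiate high sessions
        Session("guest", Label("General Release"), Label("Company Proprietary"))
        results["guest_high_session"] = "allowed"
    except PermissionError:
        results["guest_high_session"] = "refused"
    try:  # labels are permanently linked to the information
        payroll.label.level = "General Release"
        results["relabel"] = "allowed"
    except (FrozenInstanceError, AttributeError):
        results["relabel"] = "refused"
    return results


if __name__ == "__main__":
    print(demo())
```

Because a session can only read material it dominates, the output label computed by join never exceeds the session label; its purpose is to make explicit that output is labelled from the session and the files it touched, which is what stops the relabel-and-copy path the text describes.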
Discretionary Access Control Model
According to a document [25] published in 1987 by the National Computer Security Center, discretionary access control is defined as:

    a means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject.
Discretionary access controls restrict a user's access to resources on the system. The user may also be restricted to a subset of the possible access types available for those protected resources. Access types are the operations a user is allowed to perform on a particular resource (e.g., read, write, execute). Typically, for each resource, a particular user or group of users has the authority to distribute and revoke access to that resource. Users may grant or rescind access to the resources they control based on “need to know,” job-essential, or some other criteria. Discretionary access control mechanisms grant or deny access based entirely on the identities of users and resources. This is known as identity-based discretionary access control.
Knowing the identity of the users is key to discretionary access control. This concept is relatively straightforward in that an access control matrix contains the names of users on the rows and the names of resources on the columns. An access control matrix is a two-dimensional matrix with users represented on the matrix rows and resources represented as matrix columns. Each entry in the matrix represents an access type held by that user to that resource. Determining access rights is a simple process of looking up a user in the matrix row and traversing the resource columns to find out what rights are allowed for a given resource.
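An access control matrix of the kind just described, written as an added example rather than code from the book. Users are rows, resources are columns, and each cell holds the access types the user has on that resource; a lookup is a row-then-column traversal. The “own” access type is an assumption used to model the text's rule that, for each resource, a particular user has the authority to distribute and revoke access, and the copy operation shows the “perhaps indirectly” clause of the NCSC definition: a reader who copies data into a file of his or her own can then grant it to anyone, and revoking the original right does not reach the copy. The users and file names are constructed.

```python
ACCESS_TYPES = {"read", "write", "execute", "own"}  # "own" is an assumed type


class AccessMatrix:
    """Rows are users, columns are resources, cells are sets of access types."""

    def __init__(self):
        self.users = set()
        self.resources = set()
        self._cells = {}  # (user, resource) -> set of access types

    def create(self, owner: str, resource: str) -> None:
        """Constructed rule: the creator owns the resource and holds every access type."""
        self.users.add(owner)
        self.resources.add(resource)
        self._cells[(owner, resource)] = set(ACCESS_TYPES)

    def rights(self, user: str, resource: str) -> set:
        """Row lookup for the user, then the column for the resource."""
        return set(self._cells.get((user, resource), set()))

    def check(self, user: str, resource: str, op: str) -> bool:
        return op in self._cells.get((user, resource), set())

    def grant(self, grantor: str, grantee: str, resource: str, op: str) -> bool:
        """Only the resource's owner may distribute access (constructed choice)."""
        if op not in ACCESS_TYPES or not self.check(grantor, resource, "own"):
            return False
        self.users.add(grantee)
        self._cells.setdefault((grantee, resource), set()).add(op)
        return True

    def revoke(self, revoker: str, user: str, resource: str, op: str) -> bool:
        """Only the owner may withdraw access; returns False otherwise."""
        if not self.check(revoker, resource, "own"):
            return False
        self._cells.get((user, resource), set()).discard(op)
        return True

    def copy(self, user: str, src: str, dst: str) -> bool:
        """A reader may copy data into a new resource he or she then owns; this
        is the indirect passing of permission the NCSC definition allows for."""
        if not self.check(user, src, "read"):
            return False
        self.create(user, dst)
        return True

    def review_user(self, user: str) -> dict:
        """The user's full row: every resource with the access types held."""
        return {r: self.rights(user, r) for r in sorted(self.resources) if self.rights(user, r)}

    def render(self) -> str:
        """The matrix as a text table (users x resources)."""
        cols = sorted(self.resources)
        lines = ["user".ljust(8) + "".join(c.ljust(14) for c in cols)]
        for u in sorted(self.users):
            cells = ["/".join(sorted(self.rights(u, c))) or "-" for c in cols]
            lines.append(u.ljust(8) + "".join(cell.ljust(14) for cell in cells))
        return "\n".join(lines)


if __name__ == "__main__":
    m = AccessMatrix()
    m.create("alice", "budget.xlsx")
    m.grant("alice", "bob", "budget.xlsx", "read")
    m.copy("bob", "budget.xlsx", "copy.xlsx")
    m.grant("bob", "carol", "copy.xlsx", "read")
    print(m.render())
```

The copy path is exactly what the security-label discussion above rules out: under mandatory labels the copy would inherit the original's label and could not be made more accessible, whereas here the owner of the copy decides.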
A variant of this is user-directed discretionary access control. Here, an end user can grant or deny access to particular resources based on restrictions he or she decides, irrespective of corporate policy, management guidance, etc. Once the human factor is injected into this equation, as you might surmise, the level of protection for an organization becomes dependent upon the specific actions of those individuals tasked to protect information. One drawback to the discretionary access control model is that it is both administratively intense and highly dependent on user behavior for success in protecting resources. This has led to the creation of hybrid access control implementations, which grant or deny access based on both an identity-based model and the use of user-directed controls.
Nondiscretionary Access Control Model
This access control model removes a user's discretionary ability and implements mechanisms whereby resource access is granted or denied based on policies and control objectives. There are three common variants of this approach:

1. Role-based, where access is based on users' responsibilities;
2. Task-based, where access is based on users' job duties; and
3. Lattice-based, where access is based on a framework of security labels consisting of a resource label that holds a security classification and a user label that contains security clearance information.
The most common of these approaches is role-based access control (RBAC). The basic concept of RBAC is that users are assigned to roles, permissions are assigned to roles, and users acquire permissions by being members of roles. David Ferraiolo of the National Institute of Standards drafted the Proposed NIST Standard for Role-Based Access Control [26], which states:
    Core RBAC includes requirements that user-role and permission-role assignment can be many-to-many. Thus the same user can be assigned to many roles and a single role can have many users. Similarly, for permissions, a single permission can be assigned to many roles and a single role can be assigned to many permissions. Core RBAC includes requirements for user-role review whereby the roles assigned to a specific user can be determined as well as users assigned to a specific role. A similar requirement for permission-role review is imposed as an advanced review function. Core RBAC also includes the concept of user sessions, which allows selective activation and deactivation of roles.
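The Core RBAC requirements just quoted, as an added example that is not the NIST reference implementation or code from the book: both assignment relations are many-to-many and kept with inverse indexes so that user-role review and permission-role review are direct lookups, and a session activates only a subset of the user's assigned roles. The roles, objects and operations (payroll_manager, accountant, payroll_records, and so on) are constructed to follow the Joe/ABC Company illustration.

```python
from collections import defaultdict


class RBAC:
    """Core RBAC: users, roles, permissions, the two many-to-many assignment
    relations, the review functions, and sessions that activate roles."""

    def __init__(self):
        self.user_roles = defaultdict(set)  # UA: user -> roles
        self.role_users = defaultdict(set)  # inverse of UA, for role review
        self.role_perms = defaultdict(set)  # PA: role -> {(object, operation)}
        self.perm_roles = defaultdict(set)  # inverse of PA, for permission-role review

    # administrative commands
    def assign_user(self, user: str, role: str) -> None:
        self.user_roles[user].add(role)
        self.role_users[role].add(user)

    def deassign_user(self, user: str, role: str) -> None:
        self.user_roles[user].discard(role)
        self.role_users[role].discard(user)

    def grant_permission(self, role: str, obj: str, op: str) -> None:
        self.role_perms[role].add((obj, op))
        self.perm_roles[(obj, op)].add(role)

    # review functions
    def assigned_roles(self, user: str) -> set:  # user-role review
        return set(self.user_roles[user])

    def assigned_users(self, role: str) -> set:  # user-role review
        return set(self.role_users[role])

    def role_permissions(self, role: str) -> set:  # permission-role review
        return set(self.role_perms[role])

    def permission_roles(self, obj: str, op: str) -> set:  # advanced review
        return set(self.perm_roles[(obj, op)])

    def user_permissions(self, user: str) -> set:
        """Everything the user could obtain by activating all assigned roles."""
        return set().union(*(self.role_perms[r] for r in self.user_roles[user]))

    def create_session(self, user: str, roles=None) -> "Session":
        return Session(self, user, roles or set())


class Session:
    """A user session holds an active subset of the user's assigned roles;
    only active roles contribute to access decisions."""

    def __init__(self, rbac: RBAC, user: str, roles: set):
        self.rbac, self.user, self.active_roles = rbac, user, set()
        for r in roles:
            self.add_active_role(r)

    def add_active_role(self, role: str) -> bool:
        if role not in self.rbac.user_roles[self.user]:
            return False  # a role the user is not assigned cannot be activated
        self.active_roles.add(role)
        return True

    def drop_active_role(self, role: str) -> None:
        self.active_roles.discard(role)

    def check_access(self, obj: str, op: str) -> bool:
        # A role deassigned after activation no longer counts.
        live = self.active_roles & self.rbac.user_roles[self.user]
        return any((obj, op) in self.rbac.role_perms[r] for r in live)


if __name__ == "__main__":
    r = RBAC()
    r.grant_permission("payroll_manager", "payroll_records", "read")
    r.grant_permission("accountant", "general_ledger", "read")
    r.assign_user("joe", "payroll_manager")
    r.assign_user("joe", "accountant")
    s = r.create_session("joe", {"accountant"})
    print(s.check_access("payroll_records", "read"))  # payroll role not active
    s.add_active_role("payroll_manager")
    print(s.check_access("payroll_records", "read"))
```

Keeping the inverse indexes is what makes the review functions cheap: asking which users hold a role, or which roles carry a permission, never requires scanning the whole assignment relation, which matters when these reviews are run routinely for least-privilege audits.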
As an example, Joe is an accountant and serves as the manager of payroll operations at ABC Company. His role in the company as manager of payroll would, in RBAC, allow Joe to see all materials necessary for successful conduct of payroll operations. He is also a member of the whole Accounting Group at ABC Company. In that role, as a member of Accounting, he is