Access management concepts, methodologies, and techniques

The access management layer consists of access control mechanisms, such as authentication and authorization. It also includes accountability mechanisms, such as logging and monitoring of activities.

Basic concepts

One of the primary concepts in access control is that of subject and object.

A subject may be a person, process, or technology component that either seeks access or controls access. Physical entry to a data center and logging in to a system are both examples of access. Hence, an employee trying to access their business e-mail account is a subject; similarly, the system that verifies the credentials, such as the user name and password, is also termed a subject.

An object can be a file, data, physical equipment, or premises that needs controlled access. For example, the e-mails stored in a mailbox that a subject is trying to access are an object (in this case, data).

Controlling access to the object by a subject is the core requirement of an access control process and its associated mechanisms. In a nutshell, a subject either seeks or controls access to an object.

An access control mechanism can be classified broadly into the following two types:

  • If access to an object is controlled based on contextual parameters such as location, time, sequence of responses, access history, and so on, then it is known as context-dependent access control. In this type, the value of the asset being accessed is not a primary consideration. The following are examples of such an access control mechanism:
    • Providing username/password combination followed by a challenge/response mechanism such as CAPTCHA
    • Filtering access based on a MAC address in wireless connections
    • Firewall filtering the data based on packet analysis

Note

Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) is a challenge-response test used to ensure that the input to an access control system is supplied by humans and not machines. This mechanism is predominantly used by websites to prevent Web roBots (WebBots) from accessing the controlled section of the website by brute force methods.

  • Here is an example of CAPTCHA:
[Figure: a sample CAPTCHA challenge]
  • If access is provided based on the attributes or content of an object, then it is called content-dependent access control. In this type, the value and attributes of the content being accessed determine the control requirements. The following are a few examples of content-dependent access control mechanisms:
    • Hiding or showing menus in an application
    • Views in databases
    • Controlling access to confidential information

Access control models

Access control models define the methods by which a system controls access to an object by a subject. The following sections describe some of the models that are predominantly used in the access control domain.

Discretionary access control

Discretionary access control employs an access control scheme where the subject has some authority to specify the objects that are accessible to them. In simpler terms, access to an asset is based on the discretion of the owner of the asset.

An access control list (ACL) is an example of discretionary access control, wherein users and privileges are mapped. The following is a simple example of an access control list by which a router allows or denies connections from specific IP addresses:

10 permit 10.1.1.1 
20 permit 10.1.1.2 
30 permit 10.1.3.0, wildcard bits 0.0.0.255 

In the preceding example, the router allows connections from 10.1.1.1, 10.1.1.2, and all the IP addresses in the 10.1.3.0 to 10.1.3.255 range, and denies any other connections. ACLs implicitly deny anything not defined in the list.
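To make the ACL semantics concrete, here is an added Python example (not from the original text or any router vendor) that parses entries in the format shown above, applies the wildcard-mask rule (a 0 bit in the mask must match, a 1 bit is ignored), and enforces the implicit deny for traffic that matches no entry. The entry format and the sample lines are assumptions modelled on the ACL above.

```python
import ipaddress
import re

# Constructed sample ACL in the same format as the router ACL shown above:
# sequence number, action, address, optional wildcard mask.
SAMPLE_ACL = """
10 permit 10.1.1.1
20 permit 10.1.1.2
30 permit 10.1.3.0, wildcard bits 0.0.0.255
"""

ENTRY_RE = re.compile(
    r"^\s*(\d+)\s+(permit|deny)\s+(\d+\.\d+\.\d+\.\d+)"
    r"(?:,\s*wildcard bits\s+(\d+\.\d+\.\d+\.\d+))?\s*$"
)


def parse_acl(text):
    """Parse ACL lines into (seq, action, address, wildcard) tuples, ordered by sequence number."""
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ACL line: {line!r}")
        seq, action, addr, wild = m.groups()
        # A missing wildcard mask means an exact host match (0.0.0.0).
        entries.append((int(seq), action,
                        int(ipaddress.IPv4Address(addr)),
                        int(ipaddress.IPv4Address(wild or "0.0.0.0"))))
    return sorted(entries)


def acl_matches(ip_int, addr_int, wild_int):
    """Wildcard semantics: bits where the mask is 0 must match; bits where it is 1 are ignored."""
    return ((ip_int ^ addr_int) & ~wild_int & 0xFFFFFFFF) == 0


def evaluate(acl, ip):
    """Return (action, seq) of the first matching entry; unmatched traffic hits the implicit deny."""
    ip_int = int(ipaddress.IPv4Address(ip))
    for seq, action, addr_int, wild_int in acl:
        if acl_matches(ip_int, addr_int, wild_int):
            return action, seq
    return "deny", None  # implicit deny at the end of every ACL


if __name__ == "__main__":
    rules = parse_acl(SAMPLE_ACL)
    for probe in ("10.1.1.1", "10.1.3.200", "10.1.4.1"):
        print(probe, "->", evaluate(rules, probe))
```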

Identity-based access control is a form of discretionary access control in which the control is based on an individual's identity. Biometrics-based access control systems, for example, are of this type.

Non-discretionary access control

When access to an object is based on certain rules, it is called Rule-Based Access Control (RBAC). For example, the clearance level of the subject and the classification level of the object together determine the access level. A practical example is your college providing Internet access only during specific hours of the day (the rule here is based on time).

When access is controlled based on mandatory rules, it is known as Mandatory Access Control (MAC). This type of access control is based on security labels, which are applied to subjects as well as objects. A subject must have a security label equal to or higher than that of the object in order to access it. For example, most modern operating systems, such as Vista or certain Linux variants, restrict the permissions of applications to access certain processes based on integrity or sensitivity labels.

Note

The acronym MAC is also used in computer networking, and it denotes Media Access Control. This is an addressing scheme that provides a unique hardware number to the network interface card.

If a centralized authority controls access based on a specific policy, then this is referred to as non-discretionary access control.

Centralized access control is a facility in which all the core functions of access, such as Authentication, Authorization and Accountability (AAA), are performed from a centralized location.

Role-Based Access Control (RBAC) is a type of non-discretionary access control based on the subject's role or position in the organization. The majority of applications, such as Enterprise Resource Management (ERP) and Manufacturing Execution Systems (MES), use this control as a default or preferred option. For example, an Active Directory setup may contain server admins, domain admins, and so on. Hence, people are put into groups, and permissions are assigned to those groups based on the role.

Note

Rule-Based Access Control (RBAC) and Role-Based Access Control (RBAC) share the same acronym, RBAC.

Task-based access control is based on a subject's responsibilities in the organization. A role may contain multiple tasks. For example, a role may contain tasks such as creating a user record and then provisioning the user to a specific system. In task-based access control, access is allowed only for specific tasks within a role, not for all of them.

Lattice-based access control is one in which a pair of values determines the access rights. The pair of values corresponds to the least upper bound and the greatest lower bound in the lattice model. This is another type of non-discretionary access control. The model is usually represented as a grid in which subjects and objects are mapped.

In the following example, user levels and file levels are mapped in a lattice model to represent access levels:

[Figure: lattice mapping user levels to file levels]
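The MAC dominance rule described earlier and the lattice's least upper bound and greatest lower bound, as an added Python example (not from the original text): a label is a level plus a set of categories, a subject may access an object only if its label dominates the object's, and the subject/object grid from the figure is computed from the labels. The level names, category names, and user/file names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    """A security label: a hierarchical level plus a set of categories (compartments)."""
    level: int            # 0=Unclassified, 1=Confidential, 2=Secret, 3=Top Secret (assumed)
    categories: frozenset

    def dominates(self, other):
        """self is equal to or higher than other in the lattice:
        level is at least as high AND categories are a superset."""
        return self.level >= other.level and self.categories >= other.categories


LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


def label(level_name, *cats):
    """Build a Label from a level name and any number of category names."""
    return Label(LEVELS[level_name], frozenset(cats))


def lub(a, b):
    """Least upper bound: the lowest label that dominates both a and b."""
    return Label(max(a.level, b.level), a.categories | b.categories)


def glb(a, b):
    """Greatest lower bound: the highest label dominated by both a and b."""
    return Label(min(a.level, b.level), a.categories & b.categories)


def can_read(subject, obj):
    """MAC rule: the subject's label must be equal to or higher than the object's label."""
    return subject.dominates(obj)


def access_grid(subjects, objects):
    """Grid mapping each subject to the objects it may read, as in the lattice figure."""
    return {s_name: [o_name for o_name, o in objects.items() if can_read(s, o)]
            for s_name, s in subjects.items()}


if __name__ == "__main__":
    # Constructed sample: two users and two files with labels.
    users = {"alice": label("Top Secret", "NUC"), "bob": label("Secret", "NUC", "EUR")}
    files = {"plan.doc": label("Secret", "NUC"), "budget.xls": label("Confidential", "EUR")}
    print(access_grid(users, files))
```

Note that a higher level alone is not enough: alice holds Top Secret but cannot read budget.xls because she lacks the EUR category.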

Decentralized access control, or distributed access control, is one in which the core functions of access are distributed over a network. A distributed database is an example of such a system. In a distributed access control mechanism, authentication may be handled by a centralized server, such as Active Directory, while authorization is handled by a different source, such as a database.

Authentication and authorization

Identity and access management consists of two distinct activities. One is the identification of the subject by the system. The other is authentication and authorization, which is the system's ability to validate the credential supplied by the subject and determine access levels.

The authentication process may require more than one type of credential to validate the identity. This type of validation is called factoring. Access security is enhanced when more than one factor of authentication is used.

When an entity (subject) is validated against a single credential, it is called one-factor authentication. For example, providing a user name and password to the system is single-factor authentication. The user name/password combination authenticates the credentials on the principle of what you know (the user name and password).

When an entity (subject) is validated against two different credentials, it is called two-factor authentication. For example, providing a PIN along with an ATM or smart card to the system is two-factor authentication. In this scenario, the system authenticates the credentials on the principles of what you have (a smart card) and what you know (a PIN).

When an entity (subject) is validated against two or more different credentials, it is called multi-factor authentication. For example, providing a PIN along with an ATM or smart card and also swiping your finger on a fingerprint (biometric) reader is multi-factor authentication. In this scenario, the system authenticates the credentials using three factors: what you are (fingerprint), what you have, and what you know.

Note

Biometric authentication validates biological characteristics to authenticate the entity (user). This follows the principle "what you are". Some of the biometric authentication methods are: fingerprint scanning, retina scanning, hand geometry, and face geometry.

Hence, strong authentication involves more than one factor. The more factors of authentication, each using a different mechanism, the stronger the security.

Authorization

Authorization is the process of determining the levels of access a subject may have to an object. For example, when an employee accesses an intranet portal, the functions and sections accessible to them may vary based on the employee type, such as manager, administrator, or ordinary employee.

Authentication determines whether a user identification is valid and whether the user can have access to the resource, whereas authorization determines what the user can access or which resource the user can access.

From an information security perspective, attacking and compromising authorization mechanisms gives the attacker higher access privileges. Such attacks are called privilege escalation attacks.
