CHAPTER 19


Access Control


An access control system prevents unauthorized individuals or processes (subjects) from performing actions on an object. To permit or deny access to an information asset correctly, an organization must manage identification, authentication, authorization, audit, and ultimately accountability (refer also to Chapter 2).

A few key concepts are essential for understanding access control. A subject is the party or system seeking access. Since a subject can be a user, a program, or simply a machine, the more generic word party is sometimes used. An object is the target to be accessed by the subject; it is one of the information assets discussed in Chapter 10. The subject executes actions on objects through a controlled access path.

As a principle, access to an information asset should be granted for a specific need, to fulfill a specific purpose, and revoked once the need no longer exists. With these expectations, access control is never trivial. This chapter discusses why access control matters and the techniques commonly used to implement it.

Access Control: The Benefits

In today’s global business, an authorized user should have access to required resources at any time and from anywhere (availability). Organizations may work around the clock (24/7) to provide customers with “anytime, anywhere, any device” access. For some organizations, provision of access is itself the core of their business; e-commerce organizations are a perfect example. Although access to resources is critical for running the business, a single breach can cost an organization its reputation or its tangible assets. Access breaches have grown from mere annoyances to causes of enormous financial losses (confidentiality).

Access control should protect vital resources not only from unauthorized external access but also from internal attacks. Since an internal attacker knows exactly what to look for and where to find it, internal access breaches are sometimes more damaging than external ones. Access control is the first line of defense against unauthorized modification (integrity). A further benefit of access control is that its records serve as an audit trail, which can be used to trace information security breaches, incidents, and events.

Access Control Types

There are two broad types of access control: physical and logical. Organizations usually manage physical access with human, technological, or mechanical controls; a physical control might be biometric identification used to restrict entry to a property, a building, or a room to authorized persons. Logical access controls manage access to information through processes such as identification, authentication, authorization, and accountability. Examples of logical access control mechanisms are passwords and other authentication credentials, access control lists, and encryption.

Access Control Models

An access control model defines how subjects access objects. This chapter covers three models: discretionary, mandatory, and nondiscretionary (also known as role based). An organization’s mission or business requirements drive the choice of model; an organization can adopt one of these models or a combination of them. Organizations should also consider their culture and the nature of their business when deciding which model to use.

Discretionary Access Control Model

In a discretionary access control (DAC) model, the owner of the object determines the access policy. The owner decides which subjects may access the object and what privileges each subject has. For example, the owner of a file on a network defines which subjects (who) can access the file and what privileges they have over it, such as reading, modification, or deletion. Windows, macOS, and most Linux distributions use DAC for their standard file permissions.

DAC Example

      • It is through the discretionary model that Sean can share his hard drive with Michelle so that Michelle can copy all of Sean’s presentations.

      • Sean can also block his manager’s access to his hard drive, since the manager may not approve of his sharing presentations with other divisions.

      • A further weakness of DAC systems is that if Sean runs malicious code, it executes with Sean’s privileges and can read, modify, or share everything Sean can.

      • Finally, if Sean does not know what every person is involved in, he may inadvertently give access to the wrong person for the wrong reason. This creates a strong need for information assurance awareness, training, and education (AT&E) programs in organizations using DAC.

Role-Based Access Control Model

A problem with the DAC model is that as the number of subjects and objects grows, subjects tend to accumulate unnecessary privileges, which weakens system information security. The role-based access control (RBAC) model uses a centrally managed set of rules that grants access to objects based on the roles of the subject.

Since subjects are not assigned permissions directly, as they are in other models, but acquire them through their role (or roles), managing access becomes considerably easier: adding a subject to a role, or removing it, changes all of that role’s permissions at once.

One of the biggest challenges of RBAC is establishing it. Ensuring that the design and implementation match the company’s business model is difficult, but once implemented, RBAC scales with growth and requires less maintenance.

Do not confuse RBAC with the access control lists (ACLs) used in discretionary access control systems. RBAC assigns permissions to roles derived from the organization chart or the system design, whereas ACLs attach permissions directly to low-level data objects.
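
The following Python snippet is an added example, not code from the chapter, that makes the role-centred model concrete: users hold roles, roles hold permissions, and a static separation-of-duty constraint keeps two conflicting roles from ever being combined in one user. The role names, permissions, and users are constructed for illustration.

```python
"""Minimal RBAC engine: permissions attach to roles, roles attach to users.

Users never hold permissions directly, so removing a role removes every
permission it carried, and a static separation-of-duty constraint can stop a
user from holding two roles that must never be combined.
"""


class Rbac:
    def __init__(self):
        self.role_perms = {}      # role -> set of (operation, object)
        self.user_roles = {}      # user -> set of roles
        self.exclusive = set()    # frozenset({role_a, role_b}) pairs that conflict

    def define_role(self, role, perms):
        self.role_perms[role] = set(perms)

    def separate_duties(self, role_a, role_b):
        """Static separation of duty: no user may hold both roles."""
        self.exclusive.add(frozenset((role_a, role_b)))

    def assign(self, user, role):
        if role not in self.role_perms:
            raise KeyError("undefined role: " + role)
        held = self.user_roles.setdefault(user, set())
        for other in held:
            if frozenset((other, role)) in self.exclusive:
                raise ValueError(f"{user} may not hold both {other} and {role}")
        held.add(role)

    def revoke(self, user, role):
        self.user_roles.get(user, set()).discard(role)

    def permissions(self, user):
        """Effective permissions: the union of every held role's permissions."""
        perms = set()
        for role in self.user_roles.get(user, ()):
            perms |= self.role_perms[role]
        return perms

    def is_allowed(self, user, operation, obj):
        return (operation, obj) in self.permissions(user)


def build_demo():
    """Constructed sample policy for a small finance team (not from the chapter)."""
    rbac = Rbac()
    rbac.define_role("clerk", {("read", "ledger"), ("append", "ledger")})
    rbac.define_role("auditor", {("read", "ledger"), ("read", "audit_log")})
    rbac.define_role("admin", {("read", "audit_log"), ("write", "audit_log")})
    rbac.separate_duties("clerk", "auditor")   # whoever posts entries must not audit them
    rbac.assign("alice", "clerk")
    rbac.assign("bob", "auditor")
    return rbac


if __name__ == "__main__":
    r = build_demo()
    print(sorted(r.permissions("alice")))
    r.assign("bob", "admin")
    print(r.is_allowed("bob", "write", "audit_log"))   # True while bob holds admin
    r.revoke("bob", "admin")
    print(r.is_allowed("bob", "write", "audit_log"))   # False: the permission left with the role
```

Note that nothing in the engine ever writes a permission against a user name; an audit of who can do what reduces to listing role memberships, which is the maintenance saving the text refers to.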

Mandatory Access Control Model

Mandatory access control (MAC) is a more sophisticated model commonly used to control access to sensitive or controlled data in systems with multiple levels of classification. In MAC systems, the owner does not establish the access policy; the system decides based on the information security classification labels and the policy rules.

Here subjects carry labels reflecting their clearance (e.g., confidential, secret, top secret), and objects carry labels reflecting their classification. When a subject requests access to an object, the system compares the subject’s label with the object’s label under the policy rules, which the information security officers define. In general, higher-level subjects dominate lower-level objects: a subject may read an object only if its clearance is equal to or higher than the object’s classification (the Bell-LaPadula simple security property, “no read up”), and the companion star property forbids writing to a lower level (“no write down”) so that sensitive information cannot leak downward. The Biba model is the integrity counterpart of Bell-LaPadula rather than a corollary of it: its labels denote trustworthiness instead of secrecy, and a subject may write only to objects at its integrity level or lower (“no write up”) and read only objects at its level or higher (“no read down”), so that untrusted data cannot contaminate trusted data. Refer to Chapter 10 for more information regarding categorization, classification, and labeling.

MAC Example

      • Gereon has a clearance for documents classified secret, but the document he has requested has the classification of top secret.

      • His access in this case will be denied because his clearance is not equal to, or higher than, the classification of the object.

      • Gereon may also have a secret document that he wants to post to the top-secret file system.

      • In this case, he will be denied because the label of the document he wants to post is not equal to, or higher than, the label of the file system he wants to use (the Biba “no write up” rule, treating the labels as integrity levels; under Bell-LaPadula’s star property, which only forbids writing down, the same write would be permitted).
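
As an added example, not from the chapter, here is a small Python implementation of the label checks described above, with the Gereon scenario evaluated under both Bell-LaPadula and Biba so the difference between the two rules is visible. The level names follow the chapter; the compartment sets are an assumption added to show the lattice form that real multilevel-security labels take.

```python
"""Label comparison for the two classic MAC models: Bell-LaPadula for
confidentiality and Biba for integrity. Labels combine a hierarchical level
with a set of compartments (need-to-know categories; an assumption added
here), so that a bare "secret" clearance does not dominate "secret, NUCLEAR".
"""
from dataclasses import dataclass

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """True when this label is at least as high as the other in the lattice."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


# Bell-LaPadula (confidentiality labels): no read up, no write down.
def blp_can_read(subject, obj):
    return subject.dominates(obj)          # simple security property


def blp_can_write(subject, obj):
    return obj.dominates(subject)          # *-property


# Biba (integrity labels): no read down, no write up.
def biba_can_read(subject, obj):
    return obj.dominates(subject)


def biba_can_write(subject, obj):
    return subject.dominates(obj)


def gereon_example():
    """The chapter's Gereon scenario, evaluated under both models."""
    gereon = Label("secret")
    ts_document = Label("top secret")
    secret_document = Label("secret")
    ts_filesystem = Label("top secret")
    return {
        # clearance secret, document top secret: denied by BLP's no-read-up rule
        "read_top_secret_document": blp_can_read(gereon, ts_document),
        # posting a secret document into a top-secret file system: denied by
        # Biba's no-write-up rule when the labels are read as integrity levels ...
        "post_secret_to_ts_fs_biba": biba_can_write(secret_document, ts_filesystem),
        # ... but permitted by BLP's *-property, which only forbids writing down
        "post_secret_to_ts_fs_blp": blp_can_write(secret_document, ts_filesystem),
    }


if __name__ == "__main__":
    for check, outcome in gereon_example().items():
        print(f"{check}: {'permit' if outcome else 'deny'}")
```

A real system would keep two separate labels per subject and object, one for confidentiality and one for integrity, and consult both; the functions above are written so that either label type can be passed in.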

SELinux is a security enhancement to Linux, originally developed by the NSA and now part of the mainline kernel, that lets administrators implement MAC alongside the kernel’s existing DAC checks. System policies determine how SELinux grants access, independently of the application or user, and a DAC “allow” can still be overridden by an SELinux “deny”. Android has shipped SELinux in enforcing mode since version 5.0. Trusted Solaris is another good example of an operating system using the MAC model.

Access Control Techniques

The access control model selected must be complemented by appropriate access control techniques. The following sections describe the techniques that can be used with each model.

Rule-Based Access Control

Rule-based access control uses simple rules to determine which privileges a subject may exercise over an object; the rules define what is and is not allowed, in the form “if A, then B”. These rules are general in nature and are not identity based, as is the case with DAC. Access properties are stored in ACLs associated with each resource object, just as they are with discretionary access control. Rule-based access control is often confused with role-based access control: rule-based access control uses sets of rules, such as access control lists, to decide access between subjects and objects, whereas role-based access control uses the subject’s role to decide access to an object.

The access lists configured on routers and firewalls are another good example of rule-based access control: the same rules apply to all traffic rather than to a particular individual, and they are evaluated in order with an implicit deny at the end. Likewise, when a particular account or group attempts to access a resource, the operating system checks the rules contained in the ACL for that object.

Access Control Matrix

An access control matrix (or access matrix) is a static, abstract, formal protection model for computer systems. It characterizes the relationship of every subject to every object in the system in tabular form: rows are subjects, columns are objects, and each cell (the intersection of a subject and an object) holds the rights that subject has over that object. Reading the matrix by column gives the ACL of an object; reading it by row gives the capability list of a subject.

Access Control Lists

An ACL is another technique for representing access rights. An ACL is a list, attached to an object, of the individuals or groups that may access it, together with the access level and the operations each is allowed to perform on the object. There are two common kinds. Network ACLs, implemented on routers, firewalls, and servers, filter traffic by network-layer (layer 3) and transport-layer attributes such as addresses, protocol, and port. File system ACLs control file access by recording which subjects may perform which operations on each file. Clearly, an ACL must be well protected from unauthorized modification, since whoever can edit it controls access to the object.

Capability Tables

A capability table is an authorization table bound to a subject that lists the access rights that subject holds. Each row of the table names an object and the operations the subject may perform on it. A capability table is thus bound to a subject, whereas an ACL is bound to an object. Capability tables are frequently used to implement the RBAC model.
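
To show that an access control matrix, an ACL, and a capability table are three views of the same data, here is an added Python example (not code from the chapter). It also applies the DAC rule from the Sean/Michelle scenario earlier in the chapter: only an owner can grant or revoke rights on an object, and anything running as Sean, malware included, can grant as Sean. The object and subject names are constructed.

```python
"""An access control matrix with DAC semantics. Rows are subjects, columns are
objects, cells hold rights. Read by column the matrix yields each object's ACL;
read by row it yields each subject's capability list. Only a holder of the
"own" right on an object may grant or revoke rights on it (the DAC rule).
"""


class AccessMatrix:
    def __init__(self):
        self._cells = {}   # (subject, object) -> set of rights

    def rights(self, subject, obj):
        return self._cells.get((subject, obj), set())

    def create(self, owner, obj):
        """Creating an object makes the creator its owner with full rights."""
        self._cells[(owner, obj)] = {"own", "read", "write"}

    def grant(self, grantor, subject, obj, rights):
        if "own" not in self.rights(grantor, obj):
            raise PermissionError(f"{grantor} does not own {obj}")
        self._cells.setdefault((subject, obj), set()).update(rights)

    def revoke(self, grantor, subject, obj, rights):
        if "own" not in self.rights(grantor, obj):
            raise PermissionError(f"{grantor} does not own {obj}")
        self.rights(subject, obj).difference_update(rights)

    def allowed(self, subject, obj, right):
        return right in self.rights(subject, obj)

    def acl(self, obj):
        """Column view: who may do what to this object."""
        return {s: set(r) for (s, o), r in self._cells.items() if o == obj and r}

    def capabilities(self, subject):
        """Row view: what this subject may do to each object."""
        return {o: set(r) for (s, o), r in self._cells.items() if s == subject and r}

    def table(self):
        """The whole matrix as (subject, {object: rights}) rows for display."""
        subjects = sorted({s for s, _ in self._cells})
        return [(s, self.capabilities(s)) for s in subjects]


def sean_example():
    """The chapter's Sean/Michelle scenario; the drive's object name is made up here."""
    m = AccessMatrix()
    m.create("sean", "sean_drive")
    m.grant("sean", "michelle", "sean_drive", {"read"})      # Michelle may copy presentations
    # Malicious code running as Sean acts with Sean's rights, including the right to share:
    m.grant("sean", "attacker", "sean_drive", {"read", "write"})
    try:
        m.grant("michelle", "manager", "sean_drive", {"read"})  # Michelle is not an owner
        manager_granted = True
    except PermissionError:
        manager_granted = False
    return m, manager_granted


if __name__ == "__main__":
    matrix, passed_on = sean_example()
    print("ACL of sean_drive:", matrix.acl("sean_drive"))
    print("Michelle's capabilities:", matrix.capabilities("michelle"))
    print("Michelle could pass access to the manager:", passed_on)
```

The manager simply has no cell for the drive, so every check against him fails closed; the attacker row, on the other hand, is indistinguishable from a legitimate grant, which is exactly the DAC weakness the bullet list above describes.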

Constrained User Interfaces

A constrained user interface limits subjects’ access to a resource or information by presenting them only with the information, functions, or resources for which they have privileges.

For example, the operating system of an ATM can execute all kinds of commands, but the user is presented only with the constrained options needed for personal banking. Similarly, a standard (non-administrator) user in Windows is not presented with certain administrative options. Another example is an online academic results system that restricts the display to viewing results only, even though the underlying system can do much more. Note that a constrained interface is only a presentation-layer control: the server must still enforce authorization on every request, because a user can send requests that the interface never offered.

Content-Dependent Access Control

This technique is used mainly in databases. As the name suggests, access to objects depends on the content of the objects themselves; for example, a row is visible to a subject only if a field in that row satisfies a condition tied to that subject. The technique controls the availability of information by means of views, which expose only the rows and columns that match the condition.

Example of a Content-Dependent Access Control

      • Jack and Jill are two customer service employees of a bank.

      • When Jack logs on to the client complaints system, he can see only the details of the pending complaints he handles; he cannot see the pending complaints handled by Jill.
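
The Jack and Jill scenario, as an added example that is not part of the chapter: a view whose WHERE clause compares the handler column of each row with the identity of the current session, so the same view returns different rows to different users. It assumes an in-memory SQLite database, an application-defined current_user() function standing in for the session principal that a server RDBMS provides natively, and a handful of constructed complaint rows.

```python
"""Content-dependent access control in a database: the application queries a
view whose WHERE clause compares a column of each row with the identity of the
current session, so the same view returns different rows to different users.
"""
import sqlite3

SESSION = {"user": None}   # stands in for the authenticated session principal


def open_db():
    conn = sqlite3.connect(":memory:")
    # current_user() is an application-defined SQL function (an assumption of this
    # example); a server RDBMS offers an equivalent such as CURRENT_USER.
    conn.create_function("current_user", 0, lambda: SESSION["user"])
    conn.executescript("""
        CREATE TABLE complaints (
            id INTEGER PRIMARY KEY, customer TEXT, handler TEXT, status TEXT);
        -- constructed sample rows, not real customer data
        INSERT INTO complaints VALUES
            (1, 'A. Adams', 'jack', 'pending'),
            (2, 'B. Brown', 'jill', 'pending'),
            (3, 'C. Clark', 'jack', 'closed'),
            (4, 'D. Davis', 'jill', 'pending');
        -- The view is the only object the application is meant to query.
        CREATE VIEW my_pending_complaints AS
            SELECT id, customer, status
            FROM complaints
            WHERE handler = current_user() AND status = 'pending';
    """)
    return conn


def pending_for(conn, user):
    """Complaint ids visible to `user` through the content-dependent view.
    With no session user, handler = NULL matches nothing, so the view fails closed."""
    SESSION["user"] = user
    return [row[0] for row in conn.execute(
        "SELECT id FROM my_pending_complaints ORDER BY id")]


def pending_unrestricted(conn):
    """What a query against the base table returns: everyone's complaints.
    Granting the application the table instead of the view defeats the control."""
    return [row[0] for row in conn.execute(
        "SELECT id FROM complaints WHERE status = 'pending' ORDER BY id")]


if __name__ == "__main__":
    db = open_db()
    print("jack sees:", pending_for(db, "jack"))
    print("jill sees:", pending_for(db, "jill"))
    print("base table exposes:", pending_unrestricted(db))
```

In a server database the same design is completed by granting the application account SELECT on the view and revoking its access to the base table; without that second step the filter is merely a convenience the client can bypass.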

Context-Dependent Access Control

Context-dependent access control grants or denies a subject’s access to objects based on the context or situation of the request, such as the time of day, the location, or the state of a communication, rather than on the content of the objects.

A stateful firewall is a good example of context-dependent access control because it understands the sequence of steps that a specific protocol requires. For example, in a TCP connection, the sender sends a SYN segment, the receiver answers with a SYN/ACK, and the sender acknowledges it with an ACK. The firewall tracks this exchange and rejects anything that is out of order, such as an ACK for a connection it never saw opened. Note that not all firewalls track TCP connections; a stateless packet filter judges each packet on its own.
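
The following Python example is added here and is not code from the chapter. It serves both the rule-based section above (an ordered access list, first match wins, implicit deny) and the stateful firewall just described, and it shows the failure mode the two differ on: a stateless “established” rule that permits any segment with ACK set lets an unsolicited inbound ACK through, while a tracker that has followed the handshake denies it. Addresses, ports, and the rule set are constructed for illustration.

```python
"""Rule-based filtering (ordered ACL, first match wins, implicit deny) next to
context-dependent filtering (a tracker that follows the TCP three-way handshake).
Only the SYN and ACK flags matter for the handshake, so only those are modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset          # subset of {"SYN", "ACK"}


@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    src: str = "0.0.0.0/0"    # CIDR; 0.0.0.0/0 means any
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None   # None means any port
    established: bool = False     # stateless shortcut: match any packet with ACK set

    def matches(self, p):
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport)
                and (not self.established or "ACK" in p.flags))


def evaluate_acl(rules, p):
    """Rule-based control: the same "if A then B" list for every packet."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"                 # implicit deny at the end of every ACL


class StatefulFirewall:
    """Context-dependent control: inbound segments are permitted only when they
    continue a handshake that an inside host started and the ACL allowed."""

    def __init__(self, rules, inside_net):
        self.rules = rules
        self.inside = ipaddress.ip_network(inside_net)
        self.conns = {}           # (inside ip, inside port, outside ip, outside port) -> state

    def process(self, p):
        outbound = ipaddress.ip_address(p.src) in self.inside
        key = (p.src, p.sport, p.dst, p.dport) if outbound else (p.dst, p.dport, p.src, p.sport)
        state = self.conns.get(key)
        if outbound:
            if p.flags == {"SYN"}:                                  # handshake step 1
                if evaluate_acl(self.rules, p) != "permit":
                    return "deny"
                self.conns[key] = "SYN_SENT"
                return "permit"
            if state == "SYN_RECEIVED" and p.flags == {"ACK"}:     # handshake step 3
                self.conns[key] = "ESTABLISHED"
                return "permit"
            return "permit" if state == "ESTABLISHED" else "deny"
        if state == "SYN_SENT" and p.flags == {"SYN", "ACK"}:       # handshake step 2
            self.conns[key] = "SYN_RECEIVED"
            return "permit"
        return "permit" if state == "ESTABLISHED" else "deny"      # no handshake seen: deny


def demo():
    """Constructed traffic: one legitimate HTTPS handshake, then two unsolicited probes."""
    rules = [Rule("permit", src="10.0.0.0/8", dport=443),   # inside hosts may start HTTPS
             Rule("permit", established=True),               # stateless "established" rule
             Rule("deny")]
    fw = StatefulFirewall(rules, "10.0.0.0/8")
    handshake = [
        Packet("10.0.0.5", "203.0.113.7", 40000, 443, frozenset({"SYN"})),
        Packet("203.0.113.7", "10.0.0.5", 443, 40000, frozenset({"SYN", "ACK"})),
        Packet("10.0.0.5", "203.0.113.7", 40000, 443, frozenset({"ACK"})),
    ]
    ack_probe = Packet("198.51.100.9", "10.0.0.5", 443, 40000, frozenset({"ACK"}))
    syn_probe = Packet("198.51.100.9", "10.0.0.5", 5555, 22, frozenset({"SYN"}))
    return {
        "handshake": [fw.process(p) for p in handshake],
        "ack_probe_stateless": evaluate_acl(rules, ack_probe),   # flag alone satisfies rule 2
        "ack_probe_stateful": fw.process(ack_probe),             # no tracked connection
        "syn_probe_stateless": evaluate_acl(rules, syn_probe),
        "syn_probe_stateful": fw.process(syn_probe),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The stateless ACL and the tracker agree on the inbound SYN; they disagree only on the ACK-only probe, which is the packet an attacker sends to map hosts behind a filter that trusts the ACK flag as proof of an existing connection.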

Access Control Administration


The administration of access controls is critical to implementing them. Access control administration can be centralized or decentralized; the following sections discuss the two modes.

Centralized Access Control Administration

Central administration may reside in a department, a unit, or an information security administrator. This approach ensures uniformity across the organization. Centralized access control simplifies management and is therefore cost effective; however, it can be slow because a single entity processes all changes. Examples of centralized access control protocols are Remote Authentication Dial-In User Service (RADIUS), Terminal Access Controller Access Control System (TACACS, and its successor TACACS+), and Diameter.

Decentralized Access Control Administration

Decentralized management gives control to the people who are closest to the objects. This mode is usually faster, since changes are made within a function rather than across the whole organization, and it avoids the bottleneck of a single entity making all changes. However, decentralized access control does not ensure uniformity and tends to be more relaxed than centralized control. Matters become more complicated when an employee belongs to more than one function and accumulates more privileges than they should.

Further Reading

      • Hu, Vincent, D.F. Ferraiolo, and D.R. Kuhn. Interagency Report 7316, “Assessment of Access Control Systems.” NIST, September 2006. http://csrc.nist.gov/publications/nistir/7316/NISTIR-7316.pdf.

      • Hu, Vincent, and K. Scarfone. Interagency Report 7874, “Guidelines for Access Control System Evaluation Metrics.” U.S. National Institute of Standards and Technology, September 2012. http://csrc.nist.gov/publications/nistir/ir7874/nistir7874.pdf.

      • Information Security Media Group. “NIST Issues Access-Control Guidance.” Bank Info Security, Sept. 23, 2012. www.bankinfosecurity.com/nist-issues-access-control-guidance-a-5134.

      • International Organization for Standardization and International Electrotechnical Commission. Information Technology – Security Techniques – Code of Practice for Information Security Management (ISO/IEC 17799:2005). ISO/IEC, 2005.

      • NASA IT Security Handbook: Access Control. U.S. National Aeronautics and Space Administration, Dec. 21, 2011. www.nasa.gov/pdf/613762main_ITS-HBK-2810.15-01_%5BAC%5D.pdf.

      • Nichols, R., D. Ryan, and J. Ryan. Defending Your Digital Assets Against Hackers, Crackers, Spies, and Thieves. McGraw-Hill Education, 2000.

      • Schou, Corey D., and D.P. Shoemaker. Information Assurance for the Enterprise: A Roadmap to Information Security. McGraw-Hill Education, 2007.

      • Tipton, Harold F., and S. Hernandez, eds. Official (ISC)2 Guide to the CISSP CBK, 3rd edition. (ISC)2 Press, 2012.

Critical Thinking Exercises

        1. An organization has recently acquired a contract that involves processing and storing sensitive information for a government client. The organization uses a decentralized approach to information technology, often letting employees purchase whatever systems they like and connect them to the organization’s network. Given the new contract, what access control changes, if any, should the organization consider?

        2. Given the cost and resources involved in mandatory access control, why would an organization consider implementing it instead of other, less expensive options?
