When discussing access control, or configuring a service or system to apply it, it is important to remember that access controls can only be deployed as a tool in the security process after we have authenticated the user. So in all instances, for access control to be valid, it must be assured that the user or system accessing the service has already been authenticated.
When configuring any type of access control scheme, we always apply the principle of least privilege.
Mandatory Access Control (MAC) is used by government and quasi-government organizations such as colleges. It is strictly hierarchical and the data owner cannot override this type of control. MAC can and should apply to much of the sensitive data stored by corporations as well.
All data objects are classified with security labels and users are assigned security clearances. Non-governmental organizations should not use the classification of "Top Secret", which is a US government classification.
With Discretionary Access Control (DAC), data owners make the decisions on who can access data. It is commonly found on PCs and LANs. The owner of a file can often decide who has rights to a file, and what those rights are.
An ACL is set by the data owner and is enforced by the OS or the network. An Access Control List (ACL) on a file on a person's desktop machine is an example of a DAC.
Share-level access control is a particularly weak form of access control because the assumption of authentication for controlled access has not been met.
An ACL on a service, router or firewall is an example of a rule-based access control. Firewall rule-based access controls are a favorite of mine, in keeping with the best practice that a service should only be offered to the minimum number of machines that actually need it. So, if only 5 people need a service, you should place an ACL against that service that only allows their MAC (hardware) addresses to connect. This can solve a lot of problems right from the start, by not allowing intruding machines to even attempt a connection to a service. An ACL is considered a form of MAC (Mandatory Access Control) when placed on a router or firewall, since it can only be overridden by a system administrator, and every machine that attempts to connect must meet the rule or be denied outright, before any authentication to the service has been attempted.
The typical Unix or Win2000 permission-based access scheme, when applied to individual accounts, is considered a rule-based system. It is important that you do not deploy a rule-based system in this manner on your general file server, with the single exception of users' own home directories. The reason is that auditing 'who can see and do what?' becomes geometrically complex if users are not placed in groups and the groups then given the various access rights. On your file server you should be able to answer the question 'who can see or modify this object?' in seconds for everything on the system.
Role-based access control is a set of controls that typically apply to groups. Different groups have different access depending on their group affiliation. The groups that users belong to are based on the roles they play in the organization. Note that people's roles change as their careers progress, and their access can change accordingly, simply by placing them in the new role-based group.
LAN operating systems have and will depend heavily upon role-based access controls.
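The audit question posed for file servers ('who can see or modify this object?') and the role-based group model can be tied together in a short sketch. This is an added example, not part of the original page: the group names, paths and function names are hypothetical, the data is constructed, and grants are assumed to match exact paths with no inheritance.

```python
# Constructed sample data: role-based groups and the grants on a file server.
GROUPS = {
    "accounting": {"alice", "bob"},
    "hr": {"carol"},
}

# (object path, principal, rights); a principal is "g:<group>" or "u:<user>".
GRANTS = [
    ("/srv/finance/ledger.xls", "g:accounting", "rw"),
    ("/srv/finance/ledger.xls", "u:dave", "r"),   # per-user grant on shared data
    ("/srv/hr/reviews", "g:hr", "rw"),
    ("/home/alice", "u:alice", "rw"),             # the one allowed exception
    ("/home/bob", "u:alice", "r"),                # per-user grant on someone else's home
]

def who_can(path, right, grants=GRANTS, groups=GROUPS):
    """Return the set of users holding `right` ('r' or 'w') on `path`."""
    users = set()
    for obj, principal, rights in grants:
        if obj != path or right not in rights:
            continue
        kind, name = principal.split(":", 1)
        users |= groups.get(name, set()) if kind == "g" else {name}
    return users

def per_user_violations(grants=GRANTS, home_root="/home/"):
    """List per-user grants that are not on the named user's own home directory."""
    bad = []
    for obj, principal, rights in grants:
        kind, name = principal.split(":", 1)
        home = home_root + name
        if kind == "u" and not (obj == home or obj.startswith(home + "/")):
            bad.append((obj, name, rights))
    return bad

def move_user(user, old_group, new_group, groups):
    """Role change: access follows from group membership alone."""
    groups[old_group].discard(user)
    groups.setdefault(new_group, set()).add(user)

if __name__ == "__main__":
    print(sorted(who_can("/srv/finance/ledger.xls", "r")))
    for violation in per_user_violations():
        print("per-user grant to review:", violation)
```

With only group grants in place, a role change is a single membership edit and the answer from `who_can` changes with it; each entry returned by `per_user_violations` is a grant that has to be tracked by hand.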
Role-based access controls can be divided into one of the following categories: