Access Control Techniques

Now that we've examined the methods of secure authentication and authorization, deeper discussion is required to explain the many system-wide policies (or access control techniques) that dictate the way these parts pull together as a team. Planning an effective security solution involves the selection of a security policy. The security policy you choose will characterize the behavior of your information security system regarding control over access and the distribution of resources. There are different access control techniques that achieve this goal in varying ways. Some restrict access based on users' identities while others focus on what role the user plays in an organization. In this section, we'll discuss the intricacies of these different techniques and clarify their objectives.

Discretionary Access Control (DAC)

Discretionary Access Control restricts access to resources based on the identity of users and/or groups of which they are members. This technique is referred to as discretionary because it also allows users to pass on access permissions to other users within the organization. For instance, a set of users could have permission to grant or deny access to a file they own, such as a text document. They can select the users that need access to it based on their own opinion of who should have such access; based on their own discretion, in other words. Furthermore, they can decide who should have only read access and who should be able to read and write to the file in question. One drawback of DAC is that its effectiveness is limited by the ability of users to make concrete security decisions. It's very possible that an inexperienced or careless user could inadvertently grant full access to files or objects to an entire organization's users. Although also employed by other operating systems, to gain a better understanding of how this works, we'll examine Microsoft's implementation of DAC and the parts that provide its functionality.

Microsoft Windows NT/2000 DAC

At the heart of Windows NT/2000 DAC is the Access Control List (ACL). ACLs come in two types: discretionary and system. Simply stated, an ACL is a list of who may access an object and what rights to that object they possess. The Discretionary Access Control List (DACL) is maintained by the owner of an object and determines the specific users or groups who can access the object. An ACL is kept current by the addition of Access Control Entries (ACEs). An ACE contains a Security Identifier (SID) and the set of access rights that identifies the trusted user for whom the rights are denied, allowed, or monitored. The System Access Control List (SACL) creates the audit messages when protected objects receive access requests. The network administrator typically controls management of the SACL. The Windows NT/2000 DACL also includes a group of Discretionary Access Control Entries (DACEs), which consist of, among other data, an object's access mask. The access mask indicates the kind of access requested, such as Read, Write, or Execute.

ACLs are usually large, complex databases that are subject to the use and abuse of a wide range of users. There is also high overhead involved in maintaining and updating a DAC-based security policy. For these reasons, it can be argued that DAC is more difficult to implement and less secure than other techniques of controlling access. With the exception of added user-controlled access granting capabilities, Mandatory Access Control (MAC) achieves the same or higher level of security while being less difficult to implement and administer.

Mandatory Access Control (MAC)

Mandatory Access Control, also called nondiscretionary, uses a centralized approach to restrict access to data based on the sensitivity of the data in question. There have been several variations of this access control technique published since its inception, but it was Bell and LaPadula, as explained earlier in this chapter, who in the 1970s originated the concept of MAC. This technique assigns hierarchical, multilevel sensitivity labels to users and data (as in the military-unclassified, confidential, secret, and top secret). In this labeling system, user labels are referred to as security clearances while object labels are referred to as security classifications. The idea is that if you've been labeled with top-secret clearance, for instance, you'll be able to view documents classified as top secret.

Opposed to DAC, MAC puts into the hands of system administrators the decisions regarding who sees what. This technique is often used in situations that require exceptionally high security standards, such as governmental agencies. MAC is also highly compatible with an organizational setting because its policies mimic those of the preelectronic methods of document security. As with other security techniques, MAC can be based on a wide variety of traits and responsibilities that the users under its enforcement possess. Next, we will discuss a few important specialized implementations of MAC-inspired access control techniques.

Role-Based Access Control (RBAC)

RBAC is essentially a type of MAC, but rather than sensitivity traits, its access control evaluations are based on the role users play within an organization. RBAC has recently been enjoying growing attention as an alternative to DAC-based systems because of its reduced administration and lower level of complexity. Applications employing RBAC provide a mechanism of formulating the system's structure to compliment the existing structure of an organization. RBAC enables organizational planners to put an access control policy into place that the system must abide by, rather than a policy that changes with the whim of a user or administrator. In other words, within an RBAC system, the organization owns the resources that are protected. This introduces a higher level of security not possible with other techniques. In the simplest of terms, RBAC can be used to enforce easily the minimum amount of privileges a user needs.

Don't confuse role-based access control with rule-based. As in DAC, rule-based access, which also uses ACLs, simply weighs user rights against object-specific security rules to grant a user access.

Lattice-Based Access Control (LBAC)

LBAC uses a mathematical formula, or lattice, to determine whether or not access to a resource should be granted. LBAC was developed to manage the flow of information from one security label to the next (or one object to the next). The idea of LBAC is essentially to combine discretionary and mandatory access control system fundamentals in a way that compels this flow of information. The formula, which is only summarized here, works as follows.

When a secured object receives an access request in a LBAC system, the first step is to check what's called the discretionary access matrix, which can be altered by users. Then, the system-controlled MAC guidelines are referenced. The lattice is then referenced and its formula is applied to the clearances and classifications of the respective users and objects. Its result is what's used to grant or deny access. This two-step process provides the benefit of high-level security while enabling a degree of user discretion with regard to access inheritance.

Task-Based Access Control (TBAC)

TBAC is more than just a bathing suit. It's actually an exciting, relatively new technique for implementing what's known as active security. TBAC bases its access decisions on the current state of works in progress. Suitable for distributed computing environments and working at the application level, the TBAC technique applies a continually updated access control mechanism to work flows or tasks as they near completion. In other words, a TBAC system could be configured to disallow access to documents within a specific area of a project's resources at such a time when it's determined that the specified area has reached a state of conclusion.

As previously stated, MAC-based techniques of authentication use a centralized approach to access control. That is, the user names, access rights, and permissions are all stored on one central server. This is in contrast to the Windows NT decentralized method, which uses a system of trusts and domains. In such a system, access information is stored on the many computers that comprise the network and each system plays a part in determining who has access to what.

There are two more notable implementations of centralized access control that warrant our discussion: RADIUS and TACACS.

Remote Authentication Dial-In User Service (RADIUS)

RADIUS is a scalable, client/server-based UDP protocol used to transfer authentication and authorization data between a dial-in client and a server. RADIUS enlists the use of two servers: one for authentication (RADIUS authentication server), and one that acts as a centralized database for user profiles (RADIUS accounting server). The RADIUS authentication server, which can be a firewall, router, or dial-in server, requests accounting information from the RADIUS accounting server when a user attempts to log on. The accounting server then answers with an encrypted response telling the requesting server what access to provide. The RADIUS protocol supports PAP, CHAP, PPP, and UNIX login authentication methods.

Terminal Access Controller Access Control System (TACACS)

TACACS is a dated, remote authentication protocol typically implemented on UNIX servers. It permits a remote access server to query an authentication server to establish users' access privileges. TACACS works in a similar manner to RADIUS in that it contacts an authentication server over the network and requests verification information from a centralized user database. Unfortunately, TACACS does not encrypt its messages to and from the server. Cisco© has developed a newer, extended version of TACACS called TACACS+. This extended version adds new features, such as encryption and extended logging functionality.

Information Security Control Types

In conclusion, let's talk about some of the categories of security control from an administrative point of view. There are essentially three categories of information security controls:

• Physical

• Logical

• Administrative

Physical controls entail the use of instruments such as locks, fences, motion detectors, battery backups, and burglar/fire alarms. They are the material systems and devices that protect assets from theft, fire, or other means of destruction.

Logical controls refer to the systems such as access control software, antivirus software, communications hardware (routers), passwords, and smart cards. They represent the systems in place that prevent unauthorized access to digital information.

Finally, administrative controls are the personnel-related mechanisms for managing people's behavior. These include security training, background investigations, mandatory vacations, and performance assessments. These categories are also broken down into the five following subcategories that more specifically define their intent:

• Preventative: Avoid violations before they occur.

• Deterrent: Discourage violations from occurring.

• Detective: Investigate violations that have occurred.

• Corrective: Remedy violations that have occurred.

• Recovery: Restore lost resources from a violation that has occurred.