Administrating Access Control

After an appropriate access control system has been chosen, developed, and implemented comes the long-term workload of properly administrating access control. This involves many factors including account administration, determining rights and permissions, management of access control objects, monitoring, securing removable media, and management of any data caches. This section covers each of these and examines how each relates to the administration of access control. It also discusses some industry best practices for each part of access control administration. Always remember that without ongoing maintenance and administration, access control systems will be ineffective and unable to perform their function.

Account Administration

A major portion of access control administration is that of account administration. This encompasses the administration of all user, system, and service accounts used within the access control system. Account administration can be broken down into three parts: creation, maintenance, and destruction. These three parts account for the entire lifecycle of an access control account. This lifecycle is shown in Figure 2.11. A documented process for each part of account administration is a must for a well-designed access control system.

Figure 2.11: Access Control Account Lifecycle

The creation of accounts should be done only with proper approvals from the appropriate management entities. A major vulnerability of access control systems is a lack of good control over the account creation process. This can cause accounts to be created with more rights and permissions than they need. The key to remember at this time is that no account should be created without proper approvals and a specific list of rights and permissions that should be granted to the account.

Ongoing maintenance for access control accounts typically consists of assisting users with password changes and unlocking accounts that have been locked out due to bad passwords. Another important part of account maintenance is the development and implementation of security policies requiring regular password changes and specifying password requirements. Account destruction is the final part of the access control account lifecycle. This does not necessarily mean the deletion of accounts, as some access control systems require that accounts never be deleted. A more common practice is to disable and/or rename the access control account. Whether the access control system used recommends deletion or disabling of accounts, the destruction activity must be accomplished quickly. A large security vulnerability is created when accounts are left enabled after an employee is terminated. This has the possibility of allowing potentially vindictive ex-employees a method of accessing the system, which is never a good idea.

One of the best practices for account administration is to work hand-in-hand with the human resources or personnel office of the company. With this relationship in place, accounts can be authorized and created when employees are hired, and immediately destroyed when they are dismissed. This security practice goes a long way to decrease vulnerabilities within the company's access control system.

Determining Rights and Permissions

In most access control systems, the determination and configuration of appropriate rights and permissions for accounts is the most difficult part of the access control process. The owner of the data to which an account needs access should authorize any rights and permissions for that specific account. This ensures that the owner of the data is aware that the specific account will have access to the data, and allows the owner to designate what level of access the account should have. Following this process will ensure that the data that the access control system is meant to protect is properly secured.

One of the most important concepts to apply here is the principle of least privilege. The idea behind the principle of least privilege is to grant all the rights and permissions necessary to an account, but no more than what is needed. For example, if a user needs to gain access to specific log files in a specific directory on a remote server, the best practice is to give them read-only rights to the files in that directory. This way, the user has the level of access necessary to perform the job functions, but no more than that. This helps eliminate many security vulnerabilities that could be caused by accounts having more rights than they need.
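The account lifecycle and the owner-authorized, least-privilege grants described above, as an added example (not code from the study guide): creation is refused without a management approval and an explicit rights list authorized by each data owner, termination disables and renames rather than deletes, and `excess_rights` reports any right granted beyond what a job requires. All identifiers and approval references are constructed.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Grant:
    resource: str
    rights: frozenset
    owner_approval: str   # data owner's authorization reference (constructed id)

@dataclass
class Account:
    name: str
    manager_approval: str
    grants: list = field(default_factory=list)
    enabled: bool = True
    audit: list = field(default_factory=list)

class AccountRegistry:
    """Creation is gated on approvals; destruction disables and renames, never deletes."""
    def __init__(self):
        self.accounts = {}

    def create(self, name, manager_approval, grants):
        if not manager_approval:
            raise PermissionError("account creation requires management approval")
        if not grants or any(not g.owner_approval for g in grants):
            raise PermissionError("every grant needs the data owner's authorization")
        acct = Account(name, manager_approval, list(grants))
        acct.audit.append(("created", manager_approval))
        self.accounts[name] = acct
        return acct

    def terminate(self, name, hr_reference):
        # Driven by the HR dismissal event: disable and rename so the account
        # and its audit trail survive, but it can no longer be used to log in.
        acct = self.accounts.pop(name)
        acct.enabled = False
        acct.name = f"disabled_{name}"
        acct.audit.append(("disabled", hr_reference))
        self.accounts[acct.name] = acct
        return acct

def excess_rights(acct, required):
    """Least-privilege check: rights granted beyond what the job requires."""
    excess = {}
    for g in acct.grants:
        extra = g.rights - required.get(g.resource, set())
        if extra:
            excess[g.resource] = extra
    return excess
```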

Management of Access Control Objects

Working with access control involves management of not only the access control subjects or accounts, but also the access control objects. This includes several management processes such as ensuring secure storage, applying appropriate security controls, ensuring proper classification and declassification, and ensuring secure data destruction.

When access control objects are stored on any device, controls must be in place to ensure that the storage place is as secure as possible. This includes not only logical security, but also ensuring that the storage location is physically secure. Both of these security requirements fall under the heading of access control, but there is a third area that must be considered to make sure that the access control object storage location is secure. This is the application of appropriate security processes to eliminate vulnerabilities in the storage location and data transmission itself. This part of security encompasses all of the remaining concepts covered in this book and on the SSCP exam.

Access control objects that are classified using the methods described in the MAC section of this chapter have additional management that must be performed. Whenever an object is created using MAC, it must be classified as one of the levels of the MAC system. Ensuring that the data is classified correctly is the responsibility of the security administrator and is a critical part of access control using the MAC system. Another responsibility of the security administrator is the declassification of data in the MAC system as needed. Whenever the security requirements of an object change, its classification must change as well. In most environments implementing MAC, this process is well defined and documented as part of the overall access control policy or security policy.

The last part of access control object management is ensuring that when data is supposed to be destroyed, it is truly destroyed without possibility of retrieval. This is a requirement of high-security systems as well as a legal requirement for some standard security systems. In high-security environments, data destruction ensures that the data will be inaccessible in the event that an intruder compromises the system security of the environment. In a legal sense, destroying data beyond a certain timeframe is desirable due to the legal ramifications of retaining old data. The laws for each state differ, but most only require companies to retain data for a certain length of time. Any data older than this timeframe is eligible for destruction. However, if a company retains data for longer than this requirement, that data can then be used against the company if required by legal action. In other words, the company is best served by destroying any data from outside its required retention period so that the contents of the data cannot be held against them later.

Data destruction in this sense means securely deleting the data from any physical media or from system memory. Typical secure data destruction utilities overwrite the area of the media or memory with a sequence of 0s or 1s in order to obscure the previous contents of the media. The most secure data destruction utilities do this a number of times to ensure that there is no possibility of recovering the destroyed data.
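The multi-pass overwrite the paragraph describes, as an added example rather than a utility from the study guide: alternating all-zeros and all-ones passes are written over the file, each pass is forced to the device with `fsync`, the final pass is read back to confirm it landed, and only then is the file unlinked. The sample contents are constructed.

```python
import os
import tempfile

PATTERNS = (b"\x00", b"\xff")   # alternate all-zeros and all-ones passes

def secure_overwrite(path, passes=3, chunk_size=64 * 1024):
    """Overwrite a file in place `passes` times, verify the final pass, then unlink it.

    Returns True if the last pass was read back intact before the file was removed.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for i in range(passes):
            pattern = PATTERNS[i % len(PATTERNS)] * chunk_size
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(remaining, chunk_size)
                f.write(pattern[:n])
                remaining -= n
            f.flush()
            os.fsync(f.fileno())   # push each pass to the device, not just the page cache
    expected = PATTERNS[(passes - 1) % len(PATTERNS)] * size
    with open(path, "rb") as f:
        verified = f.read() == expected
    os.remove(path)
    return verified

def demo(contents=b"CONFIDENTIAL: constructed sample data\n" * 100):
    """Write constructed sensitive data to a temporary file and destroy it."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(contents)
    verified = secure_overwrite(path)
    return verified, os.path.exists(path)
```

In-place overwriting only reaches the original blocks on media and filesystems that rewrite in place; on flash storage with wear levelling or on journaling and copy-on-write filesystems, the old contents can survive elsewhere, which is why practitioners pair this with encryption (destroying the key) or physical destruction.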

Monitoring

Monitoring the access control system is another part of the overall administration of the system. This includes the constant monitoring of all security and audit logs within the system (covered in the "Access Control Objectives" section earlier in this chapter). The basic requirement is that all behavior regarding the use of privileges, changes to accounts, and the escalation of privileges should be logged. The monitoring of these logs is critical to ensuring that the access control system remains secure.
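Monitoring logic over the three event classes the paragraph names (privilege use, account changes, privilege escalation), as an added example that is not part of the study guide. It runs over a constructed key=value audit log and flags activity by a disabled account, an account change recorded without an approval reference, and an escalation by an account outside an assumed administrator set.

```python
import re

# Constructed sample audit log (key=value fields), not real data.
SAMPLE_LOG = """
2024-03-01T08:00:01Z event=account_created account=bob approval=CHG-1042 by=admin1
2024-03-01T08:05:12Z event=privilege_use account=bob privilege=read resource=/var/log/app
2024-03-01T09:10:00Z event=account_disabled account=carol approval=HR-77 by=admin1
2024-03-01T09:12:30Z event=privilege_use account=carol privilege=read resource=/var/log/app
2024-03-01T10:00:00Z event=privilege_escalation account=bob to=root
2024-03-01T10:30:00Z event=account_created account=dave by=admin2
""".strip().splitlines()

ADMINS = {"admin1", "admin2"}          # accounts permitted to escalate (assumed set)
KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Split a log line into its timestamp and key=value fields."""
    ts, rest = line.split(" ", 1)
    event = dict(KV.findall(rest))
    event["ts"] = ts
    return event

def analyze(lines):
    """Return (alert, account) tuples, in log order, for the conditions checked."""
    alerts = []
    disabled = set()
    for ev in map(parse, lines):
        kind, acct = ev["event"], ev.get("account")
        if acct in disabled:                      # any use of a destroyed account
            alerts.append(("activity_after_disable", acct))
        if kind == "account_disabled":
            disabled.add(acct)
        elif kind in ("account_created", "account_enabled") and "approval" not in ev:
            alerts.append(("change_without_approval", acct))
        elif kind == "privilege_escalation" and acct not in ADMINS:
            alerts.append(("escalation_by_non_admin", acct))
    return alerts
```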

Securing Removable Media

Any media that can be removed from the control of the access control system is in itself a vulnerability. All removable media should be restricted or controlled in some manner to provide for the best possible system security. Whenever data is taken out of the loop of access control, it means that the data is uncontrolled and accessible to anyone. Some methods of combating this are to encrypt the data stored on the removable media or to use security controls to ensure that removable media does not leave the work area.

Removable media is typically magnetic, optical, or integrated circuit based. Each requires a different method of physically ensuring that the removable media does not leave the premises.

Magnetic media is typically in the form of diskettes, hard disks, or magnetic tape. All of these are vulnerable to magnetic fields and can be erased when brought near these fields. Some data centers have large electromagnets around the doorway to prevent confidential data from leaving the building. If a piece of magnetic media such as a disk or a tape is brought through the electromagnet, it is rendered useless by the magnetic field.

Optical media is more difficult to secure as it is not vulnerable to magnetic fields. It is also very hard to determine whether individuals are carrying out a normal music CD or a CD-R containing sensitive corporate data. The only way to help negate this vulnerability is to have a security policy in place that restricts users from transporting optical media in and out of the building as well as restricting the availability of CD-R writers within the building. Some secure organizations do not allow the use of optical devices except in highly secure data centers.

The final type of removable media is integrated circuit-based. This includes everything from flash memory to smart cards. Again, any data stored on this media should be encrypted. Similar to optical media, integrated circuit-based media is not vulnerable to magnetic fields and the only real method to secure this type of media is via strict security policies. These policies are very difficult to enforce, but are typically the only way to try and protect a company from this vulnerability.

Management of Data Caches

To speed up access to commonly used data, most systems employ the use of data caches. These caches can exist either in the system memory or on physical hard disks. Part of access control management is ensuring that the data stored in these caches is not accessible to unauthorized personnel. For example, the access control system implemented in an environment may be very secure, but if an intruder were able to access a file containing a data cache, they may be able to obtain data that would normally have been secured by the access control system.

There are a few steps that should be taken to properly manage data caches. First, whenever a system holding a data cache is restarted, the cache should be deleted completely. This may involve the use of secure destruction procedures. Next, any system containing a data cache should ensure that the cache itself is as secure as possible from unauthorized access. Finally, whenever a data cache is no longer in use, it should be destroyed completely. This will ensure that the data in the cache is inaccessible in the future should the system containing the cache ever be compromised.



SSCP Systems Security Certified Practitioner Study Guide
SSCP Study Guide and DVD Training System
ISBN: 1931836809
Year: 2003
Pages: 135