Access Control Systems : The last line of defence
Image :Threatblock
Access is the ability of a user to perform a specific task, such as view, create or modify a file. A control is a countermeasure or safeguard designed to preserve Confidentiality, Integrity and Availability of information within an organization.
Access control is a security technique that limits who or what can view or use resources according to to set rules to minimize the risk to the business.
There are three types of access controls: physical, logical and administrative. Physical access control limits access to buildings, server rooms and physical information assets. Logical access control limits access to computer networks, operating systems, files, and data. Administrative controls determine which users have access to what information in an organization.
You can use electronic access control systems involving user credentials, card readers to prevent or track unauthorized access to restricted locations such as data centers.
Logical access controls use identification authentication and authorization techniques to allow or disallow user access to resources, which may involve checking passwords, biometric scans, security tokens or pins. Multifactor Authentication (MFA) requires two or more authentication factors, which is a layered defense or defence in depth mechanism.
Firewall is a logical control, which prevents certain type of traffic entering internal network, as well as it can prevent internal information going out, which can be viewed by an unauthorized person. Access controls are not only restrict access to information, they also allow access to authorized persons and processes.
Access is based on three elements: subjects, objects and rules.
Subject:
A subject is any entity which requests access to an asset. The entity can be a user, a client, a process or a program, that initiates a request for a service; hence, a subject is referred to as “active.” The subject must have a level of clearance to access the resource.
Object:
An object is an entity a subject trying to access. it may be a device, process, person, user, program, data or a server. An object is passive, which means that it takes no action until requested by a subject. The object will respond only when a request is received. However, the response will depend on access rights given to the subject regarding the object.
Rule:
Objects do not contain their own access control logic. An access rule allows or denies access to an object by a subject. An object has an owner who determines which subjects should be allowed access to the object.
The rules of access are defined in Access Control List (ACL). For instance, when a user attempts to access a file, a rule validates the level of access assigned to that user, if any, the user will be granted access to the file. A firewall deny access from any address to any address, on any port by default. It require creating additional rules to allow an address to access another address and a port.
A rule contains an object with set of attributes that defines the level of access granted to a subject. Access attributes in a rule can define:
- Who is allowed to access (user, group).
- How much access is allowed (read, write, execute).
- How much time allocated (an hour, 24 hours, unlimited).
- There are four different types of access controls.
- Discretionary Access Control (DAC)
DAC allows owner of the object to decide which subjects will have what levels of access to the object. DAC is very flexible. Google docs is an example for DAC.
The subject who owns the object can:
- Share objects with other subjects.
- Grant object privileges to other subjects.
- Change security attributes on subjects and objects.
- Most systems in the world are using DAC
Mandatory Access Control (MAC)
MAC is the most secure type of access control. It only allows access to owners and custodians only, where access control settings are preset by an administrator. MAC policy is uniformly enforced across all subjects and objects. The administrators who are trusted subjects can modify any of the security rules established for subjects and objects.
MAC systems assign a classification label to each object such as confidential, secret and top secret, and each subject is assigned a similar classification and clearance level. When a subject tries to access an object, the security system will check the subject's credentials to determine whether access could be granted, then allow or disallow access. It is the most strict access control system as well as mostly inflexible. MAC systems are used by the government and military and require high security.
The MAC system disallows:
- Passing the information to unauthorized subjects
- Granting own privileges to other subjects
- Changing security attributes on objects
- Changing the rules of governing access control
Role-Based Access Control (RBAC)
RABC assigns permissions to a specific job title such as accountant, accounts cleark or marketing. Each role will have different access permissions set.
Human Resources staff have access to personnel files only and Finance has access to bank accounts. Each manager only access his own department information. System administrators may have access to everything. The new employees will be given very minimum access to do their jobs.
Monitoring of role-based access is important. If a temperary access granted to a junior staff member covering for a manager leaving the organisation, the access permissions should be reverted when a new manager is hired. This is called privilege creep or permissions creep.
When employees have multiple roles for special needs, close monitoring is required. Its hard to do this manually, hence Identity and Access Management (IAM) systems are used.
Attribute Based Access Control (ABAC)
ABAC uses a policy based on user attributes, such as:
- IP location
- Position
- Time of day
- Security clearance
These attributes are c to each user and resource.
Rule-Based Access Control sets can access permissions based on a specific set of rules. In case business operates during 9am -5 pm, rule-based access control deny access to everyone outside these hours.However, another can be created to allow backup by system administrator after 5pm.
Niranjan Meegammana
Comments
Post a Comment