Access Control Systems : The last line of defence



Access is the ability of a user to perform a specific task, such as view, create or modify a file. A control is a countermeasure or safeguard designed to preserve Confidentiality, Integrity and Availability of information within an organization.

Access control is a security technique that limits who or what can view or use resources according to set rules, in order to minimize risk to the business.

There are three types of access controls: physical, logical and administrative. Physical access control limits access to buildings, server rooms and physical information assets. Logical access control limits access to computer networks, operating systems, files, and data. Administrative controls determine which users have access to what information in an organization.

You can use electronic access control systems, involving user credentials and card readers, to prevent or track unauthorized access to restricted locations such as data centers.

Logical access controls use identification, authentication and authorization techniques to allow or disallow user access to resources, which may involve checking passwords, biometric scans, security tokens or PINs. Multifactor Authentication (MFA) requires two or more authentication factors, which is a layered defense (defence in depth) mechanism.

A firewall is a logical control which prevents certain types of traffic from entering the internal network; it can also prevent internal information from going out, where it could be viewed by an unauthorized person. Access controls do not only restrict access to information; they also allow access to authorized persons and processes.

Access is based on three elements: subjects, objects and rules.

Subject:

A subject is any entity which requests access to an asset. The entity can be a user, a client, a process or a program that initiates a request for a service; hence, a subject is referred to as “active.” The subject must have a level of clearance to access the resource.

Object:

An object is an entity a subject is trying to access. It may be a device, process, person, user, program, data or a server. An object is passive, which means that it takes no action until requested by a subject. The object will respond only when a request is received; however, the response will depend on the access rights given to the subject regarding the object.

Rule:

Objects do not contain their own access control logic. An access rule allows or denies access to an object by a subject. An object has an owner who determines which subjects should be allowed access to the object. 

The rules of access are defined in an Access Control List (ACL). For instance, when a user attempts to access a file, a rule validates the level of access assigned to that user, if any, and the user is granted access to the file accordingly. A firewall denies access from any address to any address, on any port, by default. Additional rules have to be created to allow an address to access another address and port.

A rule contains an object with a set of attributes that defines the level of access granted to a subject. Access attributes in a rule can define:

  • Who is allowed to access (user, group).
  • How much access is allowed (read, write, execute).
  • How much time allocated (an hour, 24 hours, unlimited).

There are four different types of access controls.

Discretionary Access Control (DAC)

DAC allows the owner of the object to decide which subjects will have what levels of access to the object. DAC is very flexible. Google Docs is an example of DAC.

The subject who owns the object can: 

  • Share objects with other subjects. 
  • Grant object privileges to other subjects. 
  • Change security attributes on subjects and objects. 

Most systems in the world use DAC.
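As an added illustration (not code from the original post), here is a small DAC-style ACL in Python: the owner grants entries that record who may access (a user or a group), how much (read, write, execute) and for how long, and the check defaults to deny. The group table, the names and the fixed clock T0 are constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed example of a DAC access control list (not the post's code).
# Each entry records who may access (user or group), how much (read/write/
# execute) and for how long (an expiry, or None for unlimited).
GROUPS = {"finance": {"alice", "bob"}, "hr": {"carol"}}  # constructed groups
T0 = datetime(2024, 1, 1, 9, 0)  # fixed clock so the example is repeatable


@dataclass
class AclEntry:
    principal: str                # "user:alice" or "group:finance"
    permissions: frozenset        # subset of {"read", "write", "execute"}
    expires: Optional[datetime]   # None means unlimited


@dataclass
class Resource:
    name: str
    owner: str
    acl: list = field(default_factory=list)

    def grant(self, actor, principal, permissions, hours=None, now=T0):
        """Only the owner may change the ACL: the discretionary part of DAC."""
        if actor != self.owner:
            raise PermissionError(f"{actor} is not the owner of {self.name}")
        expires = now + timedelta(hours=hours) if hours is not None else None
        self.acl.append(AclEntry(principal, frozenset(permissions), expires))

    def allowed(self, user, action, now=T0):
        """Default deny: access is granted only if a live entry matches."""
        if user == self.owner:
            return True  # the owner always has full access to their object
        for entry in self.acl:
            if entry.expires is not None and now >= entry.expires:
                continue  # the time allocated to this entry has run out
            kind, _, name = entry.principal.partition(":")
            matches = (kind == "user" and name == user) or (
                kind == "group" and user in GROUPS.get(name, set()))
            if matches and action in entry.permissions:
                return True
        return False
```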

Mandatory Access Control (MAC)

MAC is the most secure type of access control. It allows access to owners and custodians only, and the access control settings are preset by an administrator. MAC policy is uniformly enforced across all subjects and objects. Administrators, who are trusted subjects, can modify any of the security rules established for subjects and objects.

MAC systems assign a classification label to each object, such as confidential, secret and top secret, and each subject is assigned a similar classification or clearance level. When a subject tries to access an object, the security system checks the subject's credentials to determine whether access can be granted, and then allows or disallows access. It is the strictest access control system and also mostly inflexible. MAC systems are used by government and military organisations that require high security.

The MAC system disallows:

  • Passing the information to unauthorized subjects
  • Granting own privileges to other subjects 
  • Changing security attributes on objects
  • Changing the rules of governing access control 
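As an added example (not the post's own code), the Python below implements the clearance-versus-label comparison described above using the Bell-LaPadula rules "no read up" and "no write down"; the second rule is what stops a cleared subject passing information down to unauthorized subjects, and only a trusted administrator may change a label. The level ordering, the names and the trusted flag are assumptions for this example.

```python
from dataclasses import dataclass

# Constructed MAC check (not the post's code). Labels follow the post; the
# ordering and the read/write rules are the Bell-LaPadula model.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str
    trusted: bool = False   # only administrators are trusted subjects


@dataclass
class Labelled:
    name: str
    label: str


def can_read(s, o):
    """Simple security property: no read up."""
    return LEVELS[s.clearance] >= LEVELS[o.label]


def can_write(s, o):
    """*-property: no write down, so a cleared subject cannot copy secret
    data into a lower-labelled object that less-cleared subjects can read."""
    return LEVELS[s.clearance] <= LEVELS[o.label]


def relabel(actor, o, new_label):
    """Labels are set by the administrator; ordinary subjects cannot change
    security attributes on objects."""
    if not actor.trusted:
        raise PermissionError(f"{actor.name} may not change security attributes")
    if new_label not in LEVELS:
        raise ValueError(f"unknown label {new_label!r}")
    o.label = new_label


def access(s, o, mode):
    """Uniform policy entry point: 'read' or 'write'; anything else is denied."""
    if mode == "read":
        return can_read(s, o)
    if mode == "write":
        return can_write(s, o)
    return False
```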

Role-Based Access Control (RBAC) 

RBAC assigns permissions to a specific job title, such as accountant, accounts clerk or marketing. Each role will have a different set of access permissions.

Human Resources staff have access to personnel files only, and Finance has access to bank accounts. Each manager can access only their own department's information. System administrators may have access to everything. New employees will be given the minimum access needed to do their jobs.

Monitoring of role-based access is important. If temporary access is granted to a junior staff member covering for a manager leaving the organisation, the access permissions should be reverted when a new manager is hired. Permissions that accumulate in this way and are never reverted are called privilege creep or permissions creep.

When employees have multiple roles for special needs, close monitoring is required. It is hard to do this manually, hence Identity and Access Management (IAM) systems are used.

Attribute Based Access Control (ABAC)

ABAC uses a policy based on user attributes, such as:

  • IP location
  • Position
  • Time of day
  • Security clearance

These attributes are attached to each user and resource.

Rule-Based Access Control sets access permissions based on a specific set of rules. If the business operates from 9am to 5pm, a rule-based access control can deny access to everyone outside these hours. However, another rule can be created to allow backups by the system administrator after 5pm.
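The following Python evaluator, added here and not part of the original post, combines the ABAC attributes listed above (IP location, position, time of day, clearance) with the 9am-5pm rule and the administrator backup exception: rules are checked in order, the first match decides, and anything unmatched is denied. The network range, labels, attribute names and sample requests are constructed.

```python
import ipaddress
from datetime import time

# Constructed ABAC / rule-based policy evaluator (not the post's code).
# A request is a dict of attributes: ip, position, time ("HH:MM"),
# clearance, resource_label and action. The values below are assumptions.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")     # constructed office range
LEVELS = {"public": 0, "confidential": 1, "secret": 2}
OPEN, CLOSE = time(9, 0), time(17, 0)             # business hours 9am-5pm


def hhmm(s):
    """Parse a 'HH:MM' time-of-day attribute."""
    h, m = s.split(":")
    return time(int(h), int(m))


def business_hours(req):
    return OPEN <= hhmm(req["time"]) < CLOSE


def from_office(req):
    return ipaddress.ip_address(req["ip"]) in INTERNAL


def cleared(req):
    return LEVELS[req["clearance"]] >= LEVELS[req["resource_label"]]


# (rule name, predicate, effect). Order matters: the first matching rule wins,
# so the backup exception must sit above the after-hours deny.
RULES = [
    ("admin-backup-after-hours",
     lambda r: r["position"] == "sysadmin" and r["action"] == "backup"
     and hhmm(r["time"]) >= CLOSE and from_office(r), "allow"),
    ("deny-outside-business-hours", lambda r: not business_hours(r), "deny"),
    ("deny-external-network", lambda r: not from_office(r), "deny"),
    ("allow-if-cleared", cleared, "allow"),
]


def decide(req):
    """Return (effect, rule name); no matching rule means deny by default."""
    for name, predicate, effect in RULES:
        if predicate(req):
            return effect, name
    return "deny", "default-deny"
```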

Niranjan Meegammana

