
Access Control Methodologies

- Access control categories
- Access control techniques
- Access control administration
- Access control models
- Authentication methods
- Data ownership
- Vulnerabilities

Access Control Categories

- Definition of access control: a collection of methods and components that supports
  - confidentiality
  - integrity
- Goal: allow only authorized subjects to access permitted objects
- Subject: the entity that requests access to a resource
- Object: the resource a subject attempts to access

Access Control Categories

- Least privilege philosophy
  - A subject is granted the permissions needed to accomplish required tasks and nothing more
- Information leak
  - Lack of controls lets people without a need to know access data
  - E.g., a physician needs data about the patient's health, not about the insurance
- Controls
  - Mechanisms put into place to allow or disallow object access

Controls

- Controls are organized into different categories
- Common categories
  - Administrative: enforce security rules through policies
  - Logical: implement object access restrictions
  - Physical: limit physical access to hardware

Access Control Techniques

- Choose techniques that fit the organization's needs
- Considerations include
  - Level of security required
  - User and environmental impact of security measures
- Techniques differ in
  - The way objects and subjects are identified
  - How decisions are made to approve or deny access
  - Policies governing access

Access Control Designs

- Access control designs define rules for users accessing files or devices
- Three common access control designs
  - Mandatory access control
  - Discretionary access control
  - Non-discretionary access control

Mandatory Access Control

- Assigns a security label to each subject and object
- Matches the label of the subject to the label of the object to determine when access should be granted
- A common implementation is rule-based access control
- The subject demonstrates need to know in addition to proper security clearance
  - Need to know indicates that a subject requires access to an object to complete a particular task

Mandatory Access Control

- Common military data classifications:
  - Unclassified
  - Confidential
  - Secret
  - Top Secret
- Common commercial data classifications:
  - Public
  - Private
  - Sensitive
  - Confidential

Discretionary Access Control

- Uses the identity of the subject to decide when to grant an access request
- All access to an object is defined by the object owner
- Most common design in commercial operating systems
- Generally less secure than mandatory control
- Generally easier to implement and more flexible
- Includes
  - Identity-based access control
  - Access control lists (ACLs)

Discretionary Access Control

- Policies governing ACL development
- Procedures to implement ACLs
- Scope of technical solutions in policy
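The two DAC points above, identity-based decisions and an owner-controlled ACL, in working form. This is an added example, not code from the slides; the resource, subject and permission names are constructed for illustration.

```python
"""Discretionary access control with an owner-managed ACL.

Added example, not code from the slides. Resource, subject and permission
names are constructed for illustration.
"""
from dataclasses import dataclass, field

PERMISSIONS = {"read", "write", "execute"}


class AccessDenied(Exception):
    """Raised when a subject tries to change an ACL it does not own."""


@dataclass
class Resource:
    name: str
    owner: str
    # Identity-based ACL: subject identity -> set of permitted operations.
    acl: dict = field(default_factory=dict)

    def grant(self, actor: str, subject: str, perms: set) -> None:
        """Only the owner decides who may access the object (the 'discretion')."""
        if actor != self.owner:
            raise AccessDenied(f"{actor} does not own {self.name}")
        unknown = set(perms) - PERMISSIONS
        if unknown:
            raise ValueError(f"unknown permissions: {sorted(unknown)}")
        self.acl.setdefault(subject, set()).update(perms)

    def revoke(self, actor: str, subject: str) -> None:
        if actor != self.owner:
            raise AccessDenied(f"{actor} does not own {self.name}")
        self.acl.pop(subject, None)

    def check(self, subject: str, operation: str) -> bool:
        """The decision depends only on who the subject is and what the ACL says."""
        if subject == self.owner:
            return True  # the owner keeps full access in this toy model
        return operation in self.acl.get(subject, set())


def demo() -> dict:
    doc = Resource("budget.xlsx", owner="alice")
    doc.grant("alice", "bob", {"read"})
    results = {
        "bob_read": doc.check("bob", "read"),
        "bob_write": doc.check("bob", "write"),
        "carol_read": doc.check("carol", "read"),
    }
    # Bob may use the file but may not extend access to others: it is not his object.
    try:
        doc.grant("bob", "carol", {"read"})
        results["bob_can_grant"] = True
    except AccessDenied:
        results["bob_can_grant"] = False
    doc.revoke("alice", "bob")
    results["bob_read_after_revoke"] = doc.check("bob", "read")
    return results
```

The weakness the slide calls out ("generally less secure than mandatory control") is visible here: nothing in `grant` consults a classification, so an owner can hand out access to anyone, and once Bob can read the data nothing stops him from copying it into an object he owns.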

Non-Discretionary Access Control

- Uses a subject's role or task to grant or deny object access
- Works well in environments with high turnover of subjects
- A role-based access list may contain just one member, if necessary
- Lattice-based control is a variation of non-discretionary control
  - The relationship between subject and object has a set of access boundaries that define rules and conditions for access
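Role-based control as described above, written out so the "high turnover" and "one-member role" points can be seen in code. This is an added example, not code from the slides; the roles, users and object names are constructed for illustration.

```python
"""Role-based (non-discretionary) access control.

Added example, not code from the slides. Roles, users and object names are
constructed for illustration.
"""
from collections import defaultdict


class RBAC:
    def __init__(self) -> None:
        self.role_perms = defaultdict(set)   # role -> {(object, operation)}
        self.user_roles = defaultdict(set)   # user -> {role}

    def add_permission(self, role: str, obj: str, operation: str) -> None:
        """Permissions attach to roles, never directly to people."""
        self.role_perms[role].add((obj, operation))

    def assign(self, user: str, role: str) -> None:
        self.user_roles[user].add(role)

    def unassign(self, user: str, role: str) -> None:
        self.user_roles[user].discard(role)

    def check(self, user: str, obj: str, operation: str) -> bool:
        """Access is granted if any of the user's roles carries the permission."""
        return any((obj, operation) in self.role_perms[r] for r in self.user_roles[user])

    def members(self, role: str) -> list:
        return sorted(u for u, roles in self.user_roles.items() if role in roles)


def demo() -> dict:
    rbac = RBAC()
    rbac.add_permission("nurse", "patient_chart", "read")
    rbac.add_permission("physician", "patient_chart", "read")
    rbac.add_permission("physician", "patient_chart", "write")
    rbac.add_permission("billing", "insurance_record", "read")
    rbac.add_permission("ciso", "audit_log", "read")   # a role with a single member is fine

    for user, role in [("dana", "nurse"), ("evan", "physician"), ("fay", "billing"), ("gus", "ciso")]:
        rbac.assign(user, role)

    results = {
        "physician_writes_chart": rbac.check("evan", "patient_chart", "write"),
        "nurse_writes_chart": rbac.check("dana", "patient_chart", "write"),
        # Least privilege: the physician has no need for insurance data.
        "physician_reads_insurance": rbac.check("evan", "insurance_record", "read"),
        "ciso_members": rbac.members("ciso"),
    }
    # High turnover: when Dana leaves and Hal joins, only role membership changes;
    # no per-object permission has to be touched.
    rbac.unassign("dana", "nurse")
    rbac.assign("hal", "nurse")
    results["dana_after_leaving"] = rbac.check("dana", "patient_chart", "read")
    results["hal_after_joining"] = rbac.check("hal", "patient_chart", "read")
    return results
```

Compare this with an ACL-based design: there, Dana's departure would require editing every object she had been granted on, which is exactly the administrative load that role-based control removes.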

Access Control Administration

- Can be implemented as centralized, decentralized, or hybrid
- Centralized access control administration
  - All requests go through a central authority
  - Administration is relatively simple
  - Single point of failure, sometimes performance bottlenecks
  - Common packages include:
    - Remote Authentication Dial-In User Service (RADIUS)
    - Challenge Handshake Authentication Protocol (CHAP)
    - Terminal Access Controller Access Control System (TACACS)

Access Control Administration

- Decentralized access control administration
  - Object access is controlled locally rather than centrally
  - More difficult administration
    - Objects may need to be secured at multiple locations
  - More stable
    - Not a single point of failure
  - Usually implemented using security domains

Accountability

- System auditing is used by administrators to monitor
  - Who is using the system
  - What users are doing
- Logs can trace events back to originating users
- The process of auditing can have a negative effect on system performance
  - Must limit the data collected in logs
  - Clipping levels set thresholds for when to start collecting data

Access Control Models

- Provide a conceptual view of security policies
- Map goals and directives to specific system events
- Provide a formal definition and specification of required security controls
- Many different models and combinations of models are used

State Machine Model

- Bell-LaPadula model
  - Works well in organizations that focus on confidentiality
- Biba model
  - Focuses on integrity controls
- Clark-Wilson model
  - Restricts access to a small number of tightly controlled access programs
- Non-interference model
  - Often an addition to other models
  - Ensures that changes at one security level do not bleed over into other levels
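The label matching of the Mandatory Access Control slides (clearance plus need to know) and the Bell-LaPadula and Biba rules above all reduce to one lattice comparison, so one example serves both passages. This is an added example, not code from the slides; the level names are the military classifications the deck lists, while the compartment names and the subject and object labels are constructed for illustration.

```python
"""Security labels as a lattice, with Bell-LaPadula and Biba access rules.

Added example, not code from the slides. The level names are the military
classifications listed in the deck; compartment names and the subject/object
labels are constructed for illustration.
"""
from dataclasses import dataclass

LEVEL_RANK = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()   # need-to-know categories

    def dominates(self, other: "Label") -> bool:
        """Lattice order: level at least as high AND every compartment of `other`."""
        return (LEVEL_RANK[self.level] >= LEVEL_RANK[other.level]
                and self.compartments >= other.compartments)


def mac_decision(subject: Label, obj: Label) -> bool:
    """Plain MAC rule from the slides: clearance plus need to know must cover the object."""
    return subject.dominates(obj)


# Bell-LaPadula (confidentiality): no read up, no write down.
def blp_can_read(subject: Label, obj: Label) -> bool:
    return subject.dominates(obj)          # simple security property


def blp_can_write(subject: Label, obj: Label) -> bool:
    return obj.dominates(subject)          # *-property


# Biba (integrity): the mirror image, no read down, no write up.
# The same lattice code is reused; in a real system the levels would be
# integrity levels rather than confidentiality clearances.
def biba_can_read(subject: Label, obj: Label) -> bool:
    return obj.dominates(subject)


def biba_can_write(subject: Label, obj: Label) -> bool:
    return subject.dominates(obj)


def demo() -> dict:
    analyst = Label("Secret", frozenset({"crypto"}))
    report = Label("Confidential", frozenset({"crypto"}))    # lower level, same compartment
    plan = Label("Top Secret", frozenset({"crypto"}))        # higher level
    other = Label("Secret", frozenset({"nuclear"}))          # same level, no need to know
    return {
        "mac_report": mac_decision(analyst, report),
        "mac_plan": mac_decision(analyst, plan),
        "mac_other": mac_decision(analyst, other),
        "blp_read_report": blp_can_read(analyst, report),
        "blp_write_report": blp_can_write(analyst, report),  # write down is refused
        "blp_write_plan": blp_can_write(analyst, plan),      # write up is allowed
        "biba_read_report": biba_can_read(analyst, report),  # reading lower integrity refused
        "biba_write_report": biba_can_write(analyst, report),
        # Two labels at the same level with different compartments are incomparable:
        # neither dominates the other, so neither direction of access is granted.
        "incomparable": (not analyst.dominates(other)) and (not other.dominates(analyst)),
    }
```

The `other` label is the lattice-based point from the non-discretionary slide: the access boundary is not a single ordering but a partial order, and the model refuses access in both directions between labels it cannot compare.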

Authentication Methods

- Two-factor authentication uses two phases
  - Identification
  - Authentication
- Security practices often require input from multiple categories of authentication techniques
- The most complex authentication mechanism is biometrics (detection and classification of a subject's physical attributes)

Authentication Methods

Type       Category         Examples
1-factor   What you know    Password, PIN, challenge question
2-factor   What you have    Smart card, token
3-factor   What you are     Biometrics
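A login that combines the first two rows of the table, a password (what you know) and a counter-based hardware token (what you have), as an added example that is not code from the slides. The one-time code follows RFC 4226 HOTP (HMAC-SHA-1, six digits); the account name, password and token secret are constructed for the demo.

```python
"""Two-factor login: something you know (password) plus something you have (HOTP token).

Added example, not code from the slides. HOTP follows RFC 4226 (HMAC-SHA-1,
6 digits); the account, password and token secret are constructed for the demo.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, deliberately slow hash so a stolen verifier is costly to guess against."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Account:
    def __init__(self, name: str, password: str, token_secret: bytes, look_ahead: int = 3):
        self.name = name                                  # identification phase uses this
        self.salt, self.digest = hash_password(password)  # knowledge-factor verifier
        self.token_secret = token_secret                  # shared with the hardware token
        self.counter = 0                                  # next HOTP counter we expect
        self.look_ahead = look_ahead                      # tolerate a few unused token presses

    def authenticate(self, password: str, code: str) -> bool:
        """Both factors are always evaluated, so the response does not say which one failed."""
        know_ok = verify_password(password, self.salt, self.digest)
        have_ok, matched = False, None
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.token_secret, c), code):
                have_ok, matched = True, c
                break
        if know_ok and have_ok:
            self.counter = matched + 1   # a code that has been used can never be replayed
            return True
        return False
```

The counter only advances on a fully successful login, so a correct token code presented with a wrong password is not consumed, and a code that has already been accepted is refused on the next attempt.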

Single Sign-On

- The user's choice in multi-application environments
- Avoids multiple logins
- Transfer of identity from one system to another in a trusted group
- Requires additional work for administrators
- Kerberos is an example of a good SSO system in use
  - Kerberos was developed at MIT

Kerberos

- Uses symmetric key cryptography
- Provides end-to-end security
  - Intermediate machines cannot read message content
- Used in distributed environments
- Implemented with a central server
  - Includes a data repository and an authentication process
- Weaknesses:
  - Single point of failure
  - Short life for session key
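A simplified model of the exchange the slide describes: a central server holding the long-term keys, a session key handed to the client and the service under their own symmetric keys, and a ticket lifetime the service enforces. This is an added example, not code from the slides and not the real Kerberos protocol (which uses standard ciphers, several message types and a separate ticket-granting step); the keystream cipher is a stand-in for a real cipher, and the principal names, keys and lifetimes are constructed for the demo.

```python
"""Toy Kerberos-style ticket exchange: symmetric keys, a central server, a short-lived session key.

Added example, not code from the slides and not the real Kerberos protocol.
The keystream cipher below is a stand-in for a real cipher; principal names,
keys and lifetimes are constructed for the demo.
"""
import hashlib
import hmac
import json
import os
from typing import Optional

NONCE_LEN, TAG_LEN = 12, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def encrypt(key: bytes, message: dict) -> bytes:
    """nonce || ciphertext || HMAC tag, so a wrong key or tampering is detected."""
    plain = json.dumps(message).encode()
    nonce = os.urandom(NONCE_LEN)
    cipher = bytes(p ^ k for p, k in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + cipher, hashlib.sha256).digest()
    return nonce + cipher + tag


def decrypt(key: bytes, blob: bytes) -> Optional[dict]:
    """Returns None when the key is wrong or the blob was modified."""
    nonce, cipher, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + cipher, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    plain = bytes(c ^ k for c, k in zip(cipher, _keystream(key, nonce, len(cipher))))
    return json.loads(plain)


class KDC:
    """The central server: holds every principal's long-term key (the data repository)."""

    def __init__(self, keys: dict, lifetime: int = 300):
        self.keys, self.lifetime = keys, lifetime

    def issue(self, client: str, service: str, now: int):
        session_key = os.urandom(32).hex()
        expiry = now + self.lifetime   # a short life limits what a leaked session key is worth
        for_client = encrypt(self.keys[client], {"sk": session_key, "exp": expiry, "svc": service})
        ticket = encrypt(self.keys[service], {"sk": session_key, "exp": expiry, "client": client})
        return for_client, ticket


class Service:
    def __init__(self, key: bytes, clock_skew: int = 60):
        self.key, self.clock_skew = key, clock_skew

    def accept(self, ticket: bytes, authenticator: bytes, now: int) -> bool:
        t = decrypt(self.key, ticket)   # only the service (and the KDC) can open the ticket
        if t is None or now >= t["exp"]:
            return False
        a = decrypt(bytes.fromhex(t["sk"]), authenticator)
        return a is not None and a["client"] == t["client"] and abs(now - a["ts"]) <= self.clock_skew


def run_exchange(now: int, delay: int = 0) -> dict:
    keys = {"alice": os.urandom(32), "fileserver": os.urandom(32)}   # constructed long-term keys
    kdc, fileserver = KDC(keys, lifetime=300), Service(keys["fileserver"])
    for_client, ticket = kdc.issue("alice", "fileserver", now)
    creds = decrypt(keys["alice"], for_client)          # the client can read its half
    intermediate = decrypt(os.urandom(32), for_client)  # a relay without the key reads nothing
    later = now + delay
    authenticator = encrypt(bytes.fromhex(creds["sk"]), {"client": "alice", "ts": later})
    return {
        "intermediate_reads": intermediate,
        "accepted": fileserver.accept(ticket, authenticator, later),
        "tampered_ticket": fileserver.accept(ticket[:-1] + bytes([ticket[-1] ^ 1]), authenticator, later),
    }
```

Both weaknesses from the slide show up directly: every principal's key lives in `KDC.keys`, so that one object is the single point of failure, and a client that waits longer than `lifetime` before presenting its ticket is refused and has to go back to the server.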

Data Ownership

- Different layers of responsibility for ensuring the security of the organization's information
- Data owner
  - Bears ultimate responsibility, sets classification levels
- Data custodian
  - Enforces security policies, often a member of the IT department
- Data user
  - Accesses data on a day-to-day basis
  - Responsible for following the organization's security policies

Vulnerabilities

- Brute force attack
  - Try all possible combinations of characters to satisfy Type 1 authentication (password guessing)
- Dictionary attack
  - Subset of brute force
  - Instead of all possible combinations, uses a list of common passwords
- Spoofing attack
  - Create a fake login program, prompt for user ID and password
  - Return a login failure message, store the captured information

Policies for Vulnerability Handling

- Log all data: login, transaction
- Analyze data in real time
- Set security alerts based on data analysis
- Develop scenarios for system shut-off
- Disseminate policies related to vulnerability handling
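The first four policy points above, together with the clipping level from the Accountability slide, as one monitor that reads login records in real time: failures are counted, detailed records are kept only once the clipping level is passed, an alert fires at a higher threshold, a lockout (the shut-off scenario) at a higher one still, and one source failing against several distinct users is flagged as the dictionary-style pattern from the Vulnerabilities slide. This is an added example, not code from the slides; the log lines and their format are constructed, and the thresholds are illustrative.

```python
"""Real-time review of login records with a clipping level and escalating responses.

Added example, not code from the slides. The log lines below are constructed,
the line format is an assumption, and the thresholds are illustrative.
"""
import re
from collections import defaultdict, deque

LINE = re.compile(r"^(?P<ts>\d+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")


class LoginMonitor:
    def __init__(self, clipping_level=3, alert_level=5, lockout_level=10, spray_level=3, window=60):
        self.clipping_level = clipping_level  # failures per user before detailed records are kept
        self.alert_level = alert_level        # failures per user that raise an alert
        self.lockout_level = lockout_level    # failures per user that trigger the shut-off scenario
        self.spray_level = spray_level        # distinct users one source may fail against
        self.window = window                  # seconds
        self.user_failures = defaultdict(deque)  # user -> timestamps of recent failures
        self.src_users = defaultdict(set)        # src -> users it has failed against
        self.detail_log, self.alerts, self.locked = [], [], set()

    def _recent(self, user, ts):
        """Drop failures older than the window so the count is per window, not per lifetime."""
        q = self.user_failures[user]
        while q and ts - q[0] > self.window:
            q.popleft()
        return q

    def feed(self, line: str) -> str:
        m = LINE.match(line)
        if not m:
            raise ValueError(f"unparsable log line: {line!r}")
        ts, user, src = int(m["ts"]), m["user"], m["src"]
        if user in self.locked:
            self.detail_log.append(f"{ts} REFUSED user={user} src={src} (account locked)")
            return "locked"
        if m["result"] == "OK":
            return "ok"
        q = self._recent(user, ts)
        q.append(ts)
        n = len(q)
        if n >= self.clipping_level:     # below the clipping level only the counter is kept
            self.detail_log.append(f"{ts} FAIL user={user} src={src} (failures in window: {n})")
        if n == self.alert_level:
            self.alerts.append(f"alert: {n} failed logins for user={user} within {self.window}s")
        if n >= self.lockout_level:
            self.locked.add(user)
            self.alerts.append(f"lockout: user={user} locked after {n} failures")
            return "lock"
        self.src_users[src].add(user)
        if len(self.src_users[src]) == self.spray_level:
            self.alerts.append(f"alert: src={src} failed against {self.spray_level} distinct users")
        return "fail"


# Constructed sample: one normal login, ten failures against bob, then the same
# source trying two more accounts.
SAMPLE_LOG = (
    ["100 OK user=alice src=10.0.0.7"]
    + [f"{101 + i} FAIL user=bob src=10.0.0.5" for i in range(10)]
    + ["120 OK user=bob src=10.0.0.5",
       "130 FAIL user=carol src=10.0.0.5",
       "131 FAIL user=dave src=10.0.0.5"]
)


def run(lines=SAMPLE_LOG) -> dict:
    mon = LoginMonitor()
    outcomes = [mon.feed(line) for line in lines]
    return {
        "outcomes": outcomes,
        "detail_records": len(mon.detail_log),
        "alerts": mon.alerts,
        "locked": sorted(mon.locked),
    }
```

On the sample, only 9 detailed records are written for 12 failed logins, which is the performance trade-off the clipping level exists for: the first two failures per user cost a counter increment and nothing else. A correct password for a locked account is still refused, so the lockout is a real shut-off and not just an alert.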
