CISSP Domain 5

Access Control

Access control is the process of managing how subjects (users, processes and hosts) gain access to systems and resources. It ensures that only authorized users and systems get the access they need to do their work, and that unauthorized users and systems are kept away from an organization's property, premises, systems and data.

Subjects and Objects

A subject is an active entity (a user, process or host) that requests access to a system or resource.
An object is the passive resource or system the subject wants to use. An object could be a file, a directory, a database, an open TCP/UDP port, or a host (computer).

AAA

AAA (pronounced "triple A") stands for Authentication, Authorization and Accounting.

Identification is the act of claiming an identity: inserting a debit card into an ATM, or typing a username at an SSH prompt. In most cases that claim carries no proof. Authentication is the process of proving the identity a subject claims. To prove you are the owner of the card, you enter your secret PIN. Likewise, anybody can open an SSH connection and type the administrator's username (the username is echoed to the screen, so it can easily be read over the admin's shoulder), so the server demands a password, SSH key or other credential before it trusts the claim. Biometric methods (a fingerprint or retina scan) are a special case: when the system matches the sample against every enrolled template, the same measurement serves as both identification and authentication.

Authorization
Authorization determines what an authenticated subject is allowed to do with an object; it only takes place after successful authentication. The policy is usually expressed as an access control matrix: one row per subject, one column per object, and each cell listing the operations that subject may perform on that object.

Accounting
Accounting, also called auditing or accountability, means every subject can be held responsible for its actions. It is achieved by collecting logs and audit trails that tie each action back to an authenticated identity.

Authorization

Authentication establishes who the subject is, and that is what makes authorization possible: an authorization policy dictates what the verified identity is allowed to do. The models below are the main ways of expressing such a policy.

Role-Based Access Control (RBAC)

Role-Based Access Control, also classed as a nondiscretionary access control method, is one of the most common models. Permissions are attached to roles rather than to individual users; network and system administrators then assign each user to the roles matching the job that person holds within the organisation. The separation of work roles is what drives this model: because rights follow the job rather than the person, joiners, movers and leavers are handled by changing role membership instead of editing individual permissions. This is why RBAC is considered a good industry-standard practice.

Rule-Based Access Control

Rule-based access control grants or denies access according to predefined rules that the system evaluates on every request, regardless of who the individual user is. A typical rule is "users may print only to printers at their own site". Rules are a good way of automating access management and making it dynamic: when someone transfers to another site, access to the old site's printers disappears without anyone having to edit a permission.

Mandatory Access Control (MAC)

Mandatory Access Control (MAC) is system-enforced access control based on the subject's clearance and the object's label. Subjects carry clearances and objects carry labels drawn from the same scheme, such as confidential, secret and top secret, and the system, not the object's owner, makes the decision: a subject may access an object only if its clearance dominates the object's label. MAC is a confidentiality model. It is less dynamic than DAC, but it offers higher assurance precisely because individual users cannot change access on their own.
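The clearance-dominates-label rule above, written out as an added example (this is not code from the original page). It follows the usual Bell-LaPadula reading of a confidentiality MAC model: a subject may read an object only if its clearance dominates the object's label ("no read up"), and may write to an object only if the object's label dominates the subject's clearance ("no write down"). The levels are the military scheme described later on this page; the compartment names and the analyst's clearance are constructed for illustration.

```python
"""Label-based (MAC) access decision in the Bell-LaPadula style.

Added example, not code from the original page. Levels follow the
military/government scheme; compartments and clearances are constructed.
"""
from dataclasses import dataclass

# Sensitivity levels, least to most sensitive.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    """A clearance (for a subject) or a classification label (for an object)."""
    level: str
    compartments: frozenset = frozenset()   # code-word compartments, e.g. {"CRYPTO"}

    def dominates(self, other: "Label") -> bool:
        """True if this label is at least as high as `other` AND covers all of its compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: no read up."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property: no write down. Writing to a higher label is allowed (but cannot be read back)."""
    return obj.dominates(subject)


def mac_decision(subject: Label, obj: Label, op: str) -> bool:
    """System-enforced decision; neither the user nor the object's owner can override it."""
    if op == "read":
        return can_read(subject, obj)
    if op == "write":
        return can_write(subject, obj)
    raise ValueError(f"unknown operation {op!r}")


if __name__ == "__main__":
    analyst = Label("secret", frozenset({"CRYPTO"}))        # constructed clearance
    cases = {
        "secret, CRYPTO":        Label("secret", frozenset({"CRYPTO"})),      # read yes, write yes
        "top secret, CRYPTO":    Label("top secret", frozenset({"CRYPTO"})),  # read no,  write yes
        "secret, no compartment": Label("secret"),                            # read yes, write NO:
        # writing would leak CRYPTO material into a document anyone cleared SECRET could read
        "confidential, NUCLEAR": Label("confidential", frozenset({"NUCLEAR"})),  # read no, write no
    }
    for name, label in cases.items():
        print(f"{name:24} read={can_read(analyst, label)!s:5} write={can_write(analyst, label)}")
```

The compartment check is the part people forget: a Top Secret clearance without the CRYPTO code word still cannot read a Secret/CRYPTO document, which is exactly the compartmentalisation described under the military classification scheme below.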

Discretionary Access Control (DAC)

In a Discretionary Access Control model, every object is owned by a subject and the owner has full control over who may access it. For example, when a user creates a file, the user owns the file and can modify its permissions. Common operating systems such as Windows and Linux use DAC for their file systems by default (Linux can add MAC on top through SELinux or AppArmor). DAC is useful when you need granular control over the rights on an object, such as a file share, and rights can be configured to be inherited by child objects. DAC is decentralized, flexible and easy to administer, which is why it is in such widespread use. The price is that users can change rights on the fly, so it is difficult to track every change and to determine the overall permission level any given subject ends up with.
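The Unix permission bits are the DAC model most practitioners meet first. The following is an added example (not the page's code, and not the kernel's): it models a file with an owner uid, a group gid and a 9-bit mode, and shows the two halves of DAC, the mode bits deciding access and the owner alone being able to change them. The uids, gids and modes are constructed for illustration.

```python
"""Discretionary access control the way Unix file permissions implement it.

Added example, not code from the page. uids, gids and modes are constructed.
"""
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    uid: int
    gids: frozenset          # primary plus supplementary groups


@dataclass
class File:
    owner: int
    group: int
    mode: int                # permission bits, e.g. 0o640


# (owner bit, group bit, other bit) for each operation.
PERM_BITS = {
    "read":  (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
    "write": (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH),
    "exec":  (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH),
}


def can_access(subj: Subject, f: File, perm: str) -> bool:
    """Classic Unix check: the FIRST matching class (owner, then group, then other) decides.

    An owner whose user bits are empty is denied even if the group bits would
    allow it; there is no fall-through to a more permissive class.
    """
    user_bit, group_bit, other_bit = PERM_BITS[perm]
    if subj.uid == 0:
        # root bypasses read/write checks; Linux still requires at least one x bit for exec
        return perm != "exec" or bool(f.mode & 0o111)
    if subj.uid == f.owner:
        return bool(f.mode & user_bit)
    if f.group in subj.gids:
        return bool(f.mode & group_bit)
    return bool(f.mode & other_bit)


def chmod(subj: Subject, f: File, new_mode: int) -> bool:
    """Only the owner (or root) may change the mode: that is what makes the model discretionary."""
    if subj.uid not in (0, f.owner):
        return False
    f.mode = new_mode & 0o777
    return True


if __name__ == "__main__":
    alice = Subject(1000, frozenset({100}))
    bob = Subject(1001, frozenset({100}))      # same group as alice
    eve = Subject(1002, frozenset({200}))      # unrelated
    report = File(owner=1000, group=100, mode=0o640)
    print("bob read:   ", can_access(bob, report, "read"))    # True  (group bits)
    print("eve read:   ", can_access(eve, report, "read"))    # False (other bits)
    print("bob chmod:  ", chmod(bob, report, 0o666))          # False (not the owner)
    print("alice chmod:", chmod(alice, report, 0o644))        # True: owner opens it to everyone
    print("eve read:   ", can_access(eve, report, "read"))    # True now, and nobody else approved it
```

The last line is the tracking problem mentioned above: one `chmod` by the owner silently widened access, and the only record of it is whatever audit trail the accounting layer keeps.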

Attribute-Based Access Control (ABAC)

The Attribute-Based Access Control (ABAC) model is often described as a more granular form of Role-Based Access Control, since it bases each decision on attributes of the subject, the object and the request rather than on the user's role alone. Attributes can cover department, location, time of day, device type, the classification of the object, and more.
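RBAC, rule-based access control and ABAC are easiest to tell apart when they sit side by side in one authorization check. The block below is an added example (not code from the page) that layers the three: a role grants the capability, a site rule constrains where it can be used, and an attribute check refines it further, and a request must pass all three. It also plays out the site-transfer case from the rule-based section: the user's site attribute changes and the old printer access disappears without any permission being edited. The roles, rules, attributes and users are invented for illustration.

```python
"""One authorization check layered three ways: RBAC, rule-based and ABAC.

Added example, not code from the page. Roles, rules and attributes are invented.
"""
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class User:
    name: str
    roles: frozenset
    attrs: dict = field(default_factory=dict)      # e.g. department, site


@dataclass
class Resource:
    name: str
    attrs: dict = field(default_factory=dict)      # e.g. type, site, owner_dept


# RBAC: permissions are attached to roles, never directly to users.
ROLE_PERMISSIONS = {
    "accountant": {("ledger", "read"), ("ledger", "write")},
    "auditor":    {("ledger", "read")},
    "employee":   {("printer", "print")},
}


def rbac_allows(user: User, resource: Resource, action: str) -> bool:
    needed = (resource.attrs.get("type"), action)
    return any(needed in ROLE_PERMISSIONS.get(role, set()) for role in user.roles)


# Rule-based: fixed rules the system evaluates on every request, whoever the user is.
Rule = Callable[[User, Resource, str], bool]
RULES: list[Rule] = [
    # print only on printers at the user's own site
    lambda u, r, a: r.attrs.get("type") != "printer" or u.attrs.get("site") == r.attrs.get("site"),
]


def rules_allow(user: User, resource: Resource, action: str) -> bool:
    return all(rule(user, resource, action) for rule in RULES)


# ABAC: compare subject and object attributes; here only the owning department may write.
def abac_allows(user: User, resource: Resource, action: str) -> bool:
    if action == "write" and "owner_dept" in resource.attrs:
        return user.attrs.get("department") == resource.attrs["owner_dept"]
    return True


def authorize(user: User, resource: Resource, action: str) -> str:
    """Returns 'allow', or 'deny:<layer>' naming the first layer that refused the request."""
    for layer, check in (("rbac", rbac_allows), ("rule", rules_allow), ("abac", abac_allows)):
        if not check(user, resource, action):
            return f"deny:{layer}"
    return "allow"


if __name__ == "__main__":
    alice = User("alice", frozenset({"accountant", "employee"}), {"department": "finance", "site": "london"})
    london_printer = Resource("prn-lon-1", {"type": "printer", "site": "london"})
    paris_printer = Resource("prn-par-1", {"type": "printer", "site": "paris"})
    ledger = Resource("ledger", {"type": "ledger", "owner_dept": "finance"})
    print(authorize(alice, london_printer, "print"))   # allow
    print(authorize(alice, paris_printer, "print"))    # deny:rule
    alice.attrs["site"] = "paris"                      # alice transfers; nobody edits a permission
    print(authorize(alice, london_printer, "print"))   # deny:rule  (old site access gone automatically)
    print(authorize(alice, paris_printer, "print"))    # allow
    print(authorize(alice, ledger, "write"))           # allow
    carol = User("carol", frozenset({"accountant"}), {"department": "hr", "site": "paris"})
    print(authorize(carol, ledger, "write"))           # deny:abac  (role fits, department does not)
```

Returning the denying layer rather than a bare `False` is deliberate: it is the detail an access review or an incident responder needs when asking why a request was refused.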

Risk-Based Access Control

Risk-based authentication estimates, at each login, the probability that the account has been compromised. If the request looks unusual or suspect, the user must do something extra before access is granted; an additional factor (such as a biometric or a one-time code) confirms that the request really comes from the legitimate user. Rather than applying a fixed rule, risk-based authentication uses real-time intelligence to build a holistic view of the context behind each login.

When a user attempts to sign in, a risk-based authentication solution analyzes factors such as:

  • Device. Is the user on a known computer? Or on a mobile device that has never logged in before?
  • Location. Is the user in the same building that houses the server? Or in another country or time zone?
  • Network. Is the login coming from a familiar IP address or network? Or from one never seen before?
  • Sensitivity. Is the requested resource crucial for the company? Or a relatively unimportant piece of information?
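The four questions above, turned into a scoring decision, as an added example (not code from the page or from any particular product). Each anomalous signal adds a weight; the total decides between allowing the login, demanding a step-up factor, or denying it, and the list of reasons is returned so the accounting layer can log why. The weights, thresholds, user profile and login attempts are all constructed for illustration.

```python
"""Risk-based authentication: score the context of a login and decide
allow / step_up / deny.

Added example, not from the page. Weights, thresholds and sample data are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    """What is already known about the user's normal behaviour."""
    known_devices: frozenset
    usual_countries: frozenset
    known_networks: tuple          # CIDR strings, e.g. ("203.0.113.0/24",)


@dataclass(frozen=True)
class Attempt:
    device_id: str
    country: str
    ip: str
    sensitivity: str               # "low" or "high"


def on_known_network(ip: str, networks) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def risk_score(attempt: Attempt, profile: Profile) -> tuple[int, list]:
    """Adds a weight per anomalous signal; returns the total and the reasons for the audit log."""
    score, reasons = 0, []
    if attempt.device_id not in profile.known_devices:
        score += 30
        reasons.append("unknown device")
    if attempt.country not in profile.usual_countries:
        score += 25
        reasons.append(f"unusual country {attempt.country}")
    if not on_known_network(attempt.ip, profile.known_networks):
        score += 20
        reasons.append(f"unfamiliar network {attempt.ip}")
    if attempt.sensitivity == "high":
        score += 15
        reasons.append("sensitive resource")
    return score, reasons


def decide(score: int) -> str:
    if score < 30:
        return "allow"
    if score < 70:
        return "step_up"           # demand an additional factor: OTP, push approval, biometric
    return "deny"


def evaluate(attempt: Attempt, profile: Profile) -> tuple[str, int, list]:
    score, reasons = risk_score(attempt, profile)
    return decide(score), score, reasons


if __name__ == "__main__":
    # Constructed profile: one laptop, always from GB, from the office range (TEST-NET-3).
    profile = Profile(frozenset({"laptop-7"}), frozenset({"GB"}), ("203.0.113.0/24",))
    for attempt in (
        Attempt("laptop-7", "GB", "203.0.113.10", "low"),     # allow    (score 0)
        Attempt("laptop-7", "GB", "198.51.100.5", "low"),     # allow    (score 20: new network only)
        Attempt("phone-new", "GB", "203.0.113.10", "high"),   # step_up  (score 45)
        Attempt("phone-new", "BR", "198.51.100.5", "high"),   # deny     (score 90)
    ):
        print(evaluate(attempt, profile))
```

Note that a single weak signal (an unfamiliar network from a known device) is tolerated, while the same network combined with a new device and a new country is refused outright; that graded response is what distinguishes risk-based authentication from a static allow-list.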

Data Classification

Military or Government

Classified by the damage that unauthorized disclosure of the data would cause.

  • Top Secret is the highest level of classified information. Such material would cause "exceptionally grave damage" to national security if made publicly available. Top Secret information is often further compartmented: a code word appended to the marking restricts access to those specifically read into that compartment, even if they already hold a Top Secret clearance.
  • Secret material would cause “serious damage” to national security if it were publicly available.
  • Confidential material would cause damage or be prejudicial to national security if publicly available.
  • Unclassified is technically not a classification level, but it appears in some schemes for government documents that do not merit a particular classification or that have been declassified. Such information is low-impact and therefore needs no special protection, such as vetting of personnel.

Private Sector

Corporate or organizational classification system. Similarly structured to military or government classification.

  • Confidential is the highest level in this scheme, reserved for extremely sensitive internal data such as proprietary information. Disclosure could cause considerable damage to the organization, so this data demands the utmost care and is intended only for a limited group, such as a department or workgroup, with a legitimate need to know.
  • Private is data for internal use only whose disclosure could have a significant negative impact on the organization. Data processed inside the organization is handled by employees only and must not reach outsiders.
  • Sensitive is data that is classified and not public. If it were disclosed, the company could suffer a negative impact.
  • Public is data already published outside the company, or data with no value. Its disclosure would have no impact on the company.

Managing Identity and Access

User Access Review – Periodic access reviews are an important, but often neglected, way of checking rights and permissions. Does each user have the access needed to do the job, and no more? If access is insufficient, what is the process for increasing it; if it is excessive, what is the process for removing it?

System Account Access Review – System accounts, sometimes called service accounts, are accounts that are not tied to a person. They run automated processes, tasks and jobs; personal user accounts should not be used for this purpose. Because some service accounts require administrative privileges, they need regular review as well. Keep detailed records of what each account is, what it is used for, who requested it, who owns it, and so on.

Provisioning and Deprovisioning Users – Provisioning and deprovisioning are the creation and removal of user accounts. Both matter: prompt deprovisioning ensures that no dormant accounts remain available to bad actors. It is best to automate these tasks, not only to save time but also to eliminate the human error that repetitive manual work invites. They are, of course, carried out according to organizational guidelines and other requirements.
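The three review tasks above lend themselves to a script run against an export of the directory and the authentication logs. The block below is an added example (not code from the page) that flags dormant accounts (including ones that never logged in), service accounts with no owner on record, and human accounts holding admin rights that none of their roles justify. The account records and the set of admin-bearing roles are constructed for illustration.

```python
"""Access review helpers: dormant accounts, unowned service accounts,
and users with privileges their role does not justify.

Added example, not from the page. Account records are constructed; in practice
they would come from the directory and the authentication logs.
"""
from datetime import date, timedelta

# Constructed sample export. kind is "user" (a person) or "service" (automation).
ACCOUNTS = [
    {"name": "alice", "kind": "user", "created": date(2022, 3, 1),
     "last_login": date(2024, 5, 30), "owner": None, "roles": {"sre"}, "admin": True},
    {"name": "bob", "kind": "user", "created": date(2023, 1, 9),
     "last_login": date(2024, 1, 15), "owner": None, "roles": {"sales"}, "admin": False},
    {"name": "carol", "kind": "user", "created": date(2023, 6, 2),
     "last_login": date(2024, 5, 29), "owner": None, "roles": {"helpdesk"}, "admin": True},
    {"name": "dan", "kind": "user", "created": date(2024, 1, 1),
     "last_login": None, "owner": None, "roles": {"sales"}, "admin": False},
    {"name": "svc-backup", "kind": "service", "created": date(2021, 7, 7),
     "last_login": date(2024, 5, 31), "owner": None, "roles": set(), "admin": True},
    {"name": "svc-ci", "kind": "service", "created": date(2023, 2, 2),
     "last_login": date(2024, 5, 31), "owner": "platform-team", "roles": set(), "admin": False},
]

# Roles that legitimately carry administrative privilege (assumption for this example).
ADMIN_ROLES = {"sre", "it-admin"}


def find_dormant(accounts, today, max_idle_days=90):
    """Accounts idle longer than the threshold. An account that never logged in
    is measured from its creation date, so a forgotten new hire's account is caught too."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(a["name"] for a in accounts if (a["last_login"] or a["created"]) < cutoff)


def find_unowned_service_accounts(accounts):
    """Service accounts with nobody on record to answer for them."""
    return sorted(a["name"] for a in accounts if a["kind"] == "service" and not a["owner"])


def find_excess_privilege(accounts, admin_roles=ADMIN_ROLES):
    """Human accounts with admin rights but no role that justifies them."""
    return sorted(a["name"] for a in accounts
                  if a["kind"] == "user" and a["admin"] and not (a["roles"] & admin_roles))


def review(accounts, today):
    """One report with the three finding categories an access review is looking for."""
    return {
        "dormant": find_dormant(accounts, today),
        "unowned_service": find_unowned_service_accounts(accounts),
        "excess_privilege": find_excess_privilege(accounts),
    }


if __name__ == "__main__":
    for category, names in review(ACCOUNTS, date(2024, 6, 1)).items():
        print(f"{category:17} {names}")
    # dormant           ['bob', 'dan']
    # unowned_service   ['svc-backup']
    # excess_privilege  ['carol']
```

Each finding maps to an action from the text: dormant accounts go to deprovisioning, an unowned service account needs an owner recorded before anything else, and excess privilege goes back to the access-increase process in reverse.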
