Access Control Methodologies - PowerPoint PPT Presentation

Slides: 28
Provided by: fadibo1
Transcript and Presenter's Notes

1
Access Control Methodologies

2
Access Control Methodologies
  • Access control categories
  • Access control techniques
  • Access control administration
  • Access control models
  • Authentication methods
  • Data ownership
  • Vulnerabilities

3
Access Control Categories
  • Definition of access control
    • It is a collection of methods and components that supports
      • confidentiality
      • integrity
    • Goal: allow only authorized subjects to access permitted objects
  • Subject
    • The entity that requests access to a resource
  • Object
    • The resource a subject attempts to access

4
Access Control Categories
  • Least privilege philosophy
    • A subject is granted permissions needed to accomplish required tasks and nothing more
  • Information leak
    • Lack of controls lets people without a need access data
    • E.g., a physician needs data about the patient's health and not about the insurance
  • Controls
    • Mechanisms put into place to allow or disallow object access

5
Controls
  • Controls organized into different categories
  • Common categories
    • Administrative
      • enforce security rules through policies
    • Logical
      • implement object access restrictions
    • Physical
      • limit physical access to hardware

6
Access Control Techniques
  • Techniques that fit the organization's needs
  • Considerations include
    • Level of security required
    • User and environmental impact of security measures
  • Techniques differ in
    • The way objects and subjects are identified
    • How decisions are made to approve or deny access
    • Policies governing access

7
Access Control Designs
  • Access control designs define rules for users accessing files or devices
  • Three common access control designs
    • Mandatory access control
    • Discretionary access control
    • Role-based access control

8
Mandatory Access Control
  • Assigns a security label to each subject and
    object
  • Matches label of subject to label of object to
    determine when access should be granted
  • A common implementation is rule-based access
    control
  • Subject demonstrates need to know in addition to
    proper security clearance
  • Need to know indicates that a subject requires
    access to object to complete a particular task

9
Mandatory Access Control
  • Common military data classifications
    • Unclassified
    • Confidential
    • Secret
    • Top Secret
  • Common commercial data classifications
    • Public
    • Private
    • Sensitive
    • Confidential
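
The label matching and need-to-know check from the two Mandatory Access Control slides, as an added example that is not part of the original presentation. It covers read access only; the category names, the sample subject and the sample objects are constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Military classifications from the slide, lowest to highest."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    level: Level
    # Need-to-know categories; the names used below are constructed samples.
    categories: frozenset = frozenset()


def can_read(subject: Label, obj: Label):
    """Return (granted, reason). Both checks must pass; anything else is denied."""
    if subject.level < obj.level:
        return False, "clearance below classification"
    missing = obj.categories - subject.categories
    if missing:
        return False, "no need to know: " + ", ".join(sorted(missing))
    return True, "granted"


# Constructed sample data, not from the presentation.
ANALYST = Label(Level.SECRET, frozenset({"logistics"}))
OBJECTS = {
    "press-release": Label(Level.UNCLASSIFIED),
    "supply-report": Label(Level.CONFIDENTIAL, frozenset({"logistics"})),
    "ops-plan": Label(Level.SECRET, frozenset({"operations"})),
    "source-list": Label(Level.TOP_SECRET, frozenset({"logistics"})),
}


def evaluate(subject: Label, objects: dict) -> dict:
    """Apply the label check to every object and collect the decisions."""
    return {name: can_read(subject, label) for name, label in objects.items()}


if __name__ == "__main__":
    for name, (ok, reason) in evaluate(ANALYST, OBJECTS).items():
        print(f"{name:14} {'ALLOW' if ok else 'DENY'} ({reason})")
```

A subject with Top Secret clearance but no categories is still denied the Confidential supply report, which is the point of requiring need to know in addition to clearance.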

10
Discretionary Access Control
  • Uses identity of subject to decide when to grant
    an access request
  • All access to an object is defined by the object
    owner
  • Most common design in commercial operating
    systems
  • Generally less secure than mandatory control
  • Generally easier to implement and more flexible
  • Includes
    • Identity-based access control
    • Access control lists (ACLs)

11
Discretionary Access Control
  • Policies governing ACL development
  • Procedures to implement ACL
  • Scope of technical solutions in policy

12
Role-based Access Control
  • Uses a subject's role or task to grant or deny object access
  • Works well in environments with high turnover of subjects
  • Role-based access list may contain just one member, if necessary
  • Lattice-based control is a variation of non-discretionary control
    • Relationship between subject and object has a set of access boundaries that define rules and conditions for access

13
Access Control Administration
  • Can be implemented as centralized, decentralized, or hybrid
  • Centralized access control administration
    • All requests go through a central authority
    • Administration is relatively simple
    • Single point of failure, sometimes performance bottlenecks
    • Common packages include
      • Remote Authentication Dial-In User Service (RADIUS)
      • Challenge Handshake Authentication Protocol (CHAP)
      • Terminal Access Controller Access Control System (TACACS)

14
Access Control Administration
  • Decentralized access control administration
    • Object access is controlled locally rather than centrally
    • More difficult administration
      • Objects may need to be secured at multiple locations
    • More stable
      • Not a single point of failure
    • Usually implemented using security domains

15
Accountability
  • System auditing used by administrators to monitor
    • Who is using the system
    • What users are doing
  • Logs can trace events back to originating users
  • Process of auditing can have a negative effect on system performance
    • Must limit data collected in logs
    • Clipping levels set thresholds for when to start collecting data
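
A clipping level applied to failed logins, as an added example that is not part of the original presentation: failures are counted per user in a sliding window, and an audit record is kept only once the count exceeds the threshold. The threshold, window length, event format and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

CLIPPING_LEVEL = 3     # failures tolerated per user in the window (assumed value)
WINDOW_SECONDS = 300   # sliding window length in seconds (assumed value)


class ClippedAudit:
    """Keep audit records for failed logins only above the clipping level."""

    def __init__(self, level=CLIPPING_LEVEL, window=WINDOW_SECONDS):
        self.level = level
        self.window = window
        self.recent = defaultdict(deque)  # user -> timestamps of recent failures
        self.records = []                 # audit records actually stored

    def observe(self, ts, user, source, ok):
        """Process one login event; return True if it was written to the log."""
        if ok:
            return False
        failures = self.recent[user]
        failures.append(ts)
        # Forget failures that have aged out of the window.
        while ts - failures[0] > self.window:
            failures.popleft()
        if len(failures) > self.level:
            self.records.append((ts, user, source, len(failures)))
            return True
        return False


# Constructed events: (timestamp, user, source address, success).
EVENTS = [
    (0, "alice", "192.0.2.5", False), (0, "carol", "192.0.2.7", False),
    (5, "alice", "192.0.2.5", True),
    (10, "bob", "198.51.100.9", False), (20, "bob", "198.51.100.9", False),
    (30, "bob", "198.51.100.9", False), (40, "bob", "198.51.100.9", False),
    (50, "bob", "198.51.100.9", False),
    (200, "carol", "192.0.2.7", False), (400, "carol", "192.0.2.7", False),
    (600, "carol", "192.0.2.7", False),
]


def run(events):
    """Feed events through the audit filter and return the stored records."""
    audit = ClippedAudit()
    for event in events:
        audit.observe(*event)
    return audit.records


if __name__ == "__main__":
    for record in run(EVENTS):
        print(record)
```

Eleven events produce two stored records: the occasional mistyped password and slow, spread-out failures stay below the clipping level, while the rapid burst against one account is logged with its source address.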

16
Access Control Models
  • Provide conceptual view of security policies
  • Map goals and directives to specific system
    events
  • Provide a formal definition and specification of
    required security controls
  • Many different models and combinations of models
    are used

17
State Machine Model
  • Bell-LaPadula model
    • Works well in organizations that focus on confidentiality
  • Biba model
    • Focuses on integrity controls
  • Clark-Wilson Model
    • Restricts access to a small number of tightly controlled access programs
  • Non-interference Model
    • Often an addition to other models
    • Ensures that changes at one security level do not bleed over into other levels

18
Authentication Methods
  • Two-factor authentication uses two phases
    • Identification
    • Authentication
  • Security practices often require input from multiple categories of authentication techniques
  • Most complex authentication mechanism is biometrics (detection and classification of a subject's physical attributes)

19
Authentication Methods

20
Single Sign-On
  • Users' choice in multi-application environments
  • Avoids multiple logins
  • Transfer of identity from one system to another in a trusted group
  • Requires additional work for administrators
  • Kerberos is an example of a good SSO system in use
    • Kerberos developed at MIT

21
Kerberos
  • Uses symmetric key cryptography
  • Provides end-to-end security
    • Intermediate machines cannot read message content
  • Used in distributed environments
  • Implemented with a central server
    • Includes a data repository and an authentication process
  • Weaknesses
    • Single point of failure
    • Short life for session key

22
Data Ownership
  • Different layers of responsibility for ensuring security of the organization's information
  • Data owner
    • Bears ultimate responsibility, sets classification levels
  • Data custodian
    • Enforces security policies, often a member of IT department
  • Data user
    • Accesses data on a day-to-day basis
    • Responsible for following the organization's security policies

23
Vulnerabilities
  • Brute force attack
    • Try all possible combinations of characters to satisfy Type 1 authentication (password guessing)
  • Dictionary attack
    • Subset of brute force
    • Instead of all possible combinations, uses a list of common passwords
  • Spoofing attack
    • Create fake login program, prompt for User ID, password
    • Return login failure message, store captured information

24
Policies for Vulnerability Handling
  • Log all data: login, transaction
  • Analyze data in real time
  • Set security alerts based on data analysis
  • Develop scenarios for system shut off
  • Disseminate policies related to vulnerability
    handling
