IntroductionAccess controls are security features that control the communication and interaction of users and systems with the other users and systems. Access control is more than simply requiring usernames and passwords when users want to access resources. There is much more to it. There are multiple methods, techniques, technologies and models that can be implemented; there are different ways to administer controls and there are a variety of attacks that are launched against many of these access control mechanisms.DefinitionsHere are some basic definitions of terms that are most frequently used in access control:
|
Access Control Properties
There are three important features of access control:
- Identification
- Authentication
- Authorization
Identification describes a method of ensuring that a subject (user, program or process) is the entity it claims to be. Some examples of identification mechanisms are username, account number and memory card.
Authentication is the second part of a credential set to verify the identity of the subject. These mechanisms could be passphrases, passwords, cryptographic keys, PIN numbers or tokens.
Authorization is the process of determining what this identified subject can actually access and what operations it can carry out. Authorization is based on some type of predefined criteria, which is enforced through access control lists, security labels, capabilities tables or user profiles.
Identification and Authentication
In IT Security Management, Identification is usually providing a public piece of information (username and account number) and authentication is providing a private piece of information (PIN number, passphrase and digital signature). Three important characteristics of the mechanisms that can be used for authentication are as follows:
- Subject must prove something s/he knows, for example password
- Subject must prove something s/he has, for example smart card
- Subject must prove something s/he is, for example fingerprint
If one mechanism providing one of these characteristics is used, it is referred to as one-factor, if two mechanisms are being used, it is known as two-factor and, yes you guessed it, an authentication process that requires all three is referred to as three-factor. For the authentication process to be considered as strong it must be at least two-factor.
Authorization
Authorization is a process of assigning authenticated subjects access and the right to carry out specific operations, depending upon their preconfigured access rights and permissions outlined in access criteria. An access criterion is developed by the administrator or security officer, to support and carry out the organization’s security policy. Criteria can be based on one or both of the following aspects:
Clearance
The security level the subject holds, which directly dictates the objects that are accessible to it.
Need-to-Know
The formal access level approved that correlates to what information should and should not be available to a subject.
In a mandatory access control (MAC) model, users do not have the discretion of determining who can access objects as in a DAC model. An operating system that is based upon a MAC model greatly reduces the amount of rights, permissions and functionality a user has for security purposes. MAC environments use clearances, classifications and need-to-know to determine if a subject can access an object and what are the operations that can be carried out. Discretionary Access Control (DAC) environments use access control lists (ACLs), which are developed strictly based on the subject’s need-to-know.
It is important to only give the subject access to the objects (resources, devices and information) that are required for it to complete its tasks. This concept is referred to as least privilege. This reduces the possibility of fraud and damaging accidents by limiting access to objects based purely on business needs.
It is best for mechanisms that are making access decisions to default to “no access”. This means that if a subject is not explicitly allowed, it is implicitly denied.