A core foundational component of information security is controlling how resources and assets are accessed so they can be properly protected. The methods that enforce access control can be technical, physical or administrative in nature and should be integrated throughout an organization's security program.
Access controls are put into place to regulate how users and systems interact with resources. These controls protect resources from unauthorized access and compromise, and can be components that participate in determining the level of authorization after an authentication procedure has successfully completed. In the realm of access control, the entity that is actively trying to access something is referred as the "subject." The item that the subject is attempting to access is called an "object." Access controls are the controls and rules that are put into place to ensure that subjects can only interact with objects using pre-approved and secure methods.
Access is one of the most exploited aspects of security because, when compromised, it can provide direct access to critical assets. Access controls need to be applied in a layered defense-in-depth method, and an understanding of how these controls are exploited is extremely important.
In this spotlight article for the Access Control domain of the Certified Information Systems Security Professional (CISSP) exam, I will discuss how access controls support the core security principles of availability, integrity and confidentiality by requiring subjects to not only properly identify themselves but also prove they possess appropriate credentials and the necessary rights and privileges to obtain access to the target object.
Access control principles
During user-based access control, before access is allowed the requesting entity must be properly identified, authenticated and authorized. Identification describes a method of ensuring that the entity requesting access to a resource is who it claims to be. Identification can be provided with the use of a username, user ID or account number.
To be properly authenticated, the requesting entity is usually required to provide a second piece to the credential set, such as a password, passphrase, cryptographic key or security token.
Once the entity provides its credentials and is properly identified and authenticated, authorization needs to take place. This is the process of verifying the permissions and access rights of the requesting subject. Accountability is enforced if the entity's access activities are properly captured and recorded, most commonly in a type of system log.
Although identification, authentication, authorization and accountability have similar and complementary definitions, each has its own distinct functions that fulfill a specific requirement in the process of access control.
There are three main methods that can be used for authentication:
- Something a person knows, which can be a password, PIN value or answers to authentication security questions.
- Something a person has; for example, a smart card, USB, key or access card.
- Something a person is, based upon a unique physical or behavioral attribute, which is commonly captured through biometric systems.
In the CISSP online training, credentials used in identification are discussed, (e.g., username, personal identification numbers or smart cards), as are authentication methods (tokens, biometrics and cryptographic material). Once identified and authenticated, access control matrices are typically used to determine if the subject is authorized (equipped with the appropriate rights or privileges) for access to the target object. By using all three of these security controls, accountability for the use of the resource can be traced and monitored.
Instead of user-based, access control can also be device-based. When a system or device needs to be authenticated before being authorized to gain access to a network, for example, the device might need to provide an IP address, MAC address, digital certificate or unique authentication code. In wireless environments, a wireless device (e.g., laptop or tablet) may be required to provide its MAC address and an SSID value before being allowed access to the wireless network. Once the device is authenticated, the user may need to also be authenticated before being allowed to access to the resources on a central server.
Device authentication is becoming increasingly important as more users are connecting their personal devices (e.g., smartphones and tablets) to corporate networks and as traditional networks are allowing for connectivity to take place in new ways. A verifiable unique device identity allows the establishment of the trustworthiness of devices and thus facilitates secure device provisioning within networked environments.
Access control models and technologies
In the CISSP domain, three types of access control models are discussed that dictate how subjects can access objects. The highly restrictive mandatory access control model (MAC) is compared to the discretionary access control model (DAC) which allows the creator/owner of an object to grant access as he or she sees fit. Then the benefits of the role-based access control model (RBAC) are presented, which provides access to resources based on profiles connected to a user's role in an organization.
These three access control models are high-level conceptual structures that provide direction for software architects when developing and integrating access control within software. While access control is a straightforward concept, it is not easily implemented throughout something as complex as an operating system; access control within an operating system is not just focused on users attempting to access files or network devices. To provide a secure and predictable working environment, access controls must be intertwined in various places to control process-to-process interaction, process-to-memory functionality, thread-to-CPU communication, and so on. An operating system is a complex organism that has hundreds of subject-to-object interactions taking place at any one time. If any of these interactions takes place in an unapproved or insecure manner, the whole system could be compromised.
Most operating systems and applications carry out access control based on the discretionary access control model, in which the entity that created or controls a specific resource decides what subjects can access it and what operations are allowed. The DAC model is commonly enforced through the use of access control lists (ACLs) and matrices. The matrices are generally referred to as "capability tables" where the rows within the tables contain the subjects, and the columns contain the objects. When a program (e.g., word processor) attempts to access a file on the behalf of a user, the security kernel within the operating system checks the preconfigured capability table to verify that this type of access is allowed. If the program (subject) is allowed to access the file (object), then the security kernel reviews the listed operations that can take place. In some instances, the program may only be able to read the file; thus, the security kernel will make sure that no unauthorized changes take place to it. If the program has "full control," then the user who is interacting with the word processor can make changes to the requested file.
A system that is built on the mandatory access control model is much more restrictive than a system built upon the DAC model. Most operating systems and applications that are built upon the MAC model are used in environments that process highly classified data. Where the DAC model enforces access rules through the use of ACLs and capability tables, the MAC model's access rules are enforced through the use of security labels. These security labels allow an MAC-based system to enforce classification and need-to-know rules when governing subject-to-object interactions. Each security label has two core pieces: the classification and the categories. The classification indicates the sensitivity level (e.g., confidential, top secret, etc.), and the category portion enforces need-to-know rules. As an example, a user may have the clearance level of top secret but not have a need-to-know approval for a particular object, and is therefore not allowed to access certain resources.
The role-based access control model is used when network and system administrators need to be able to assign access rights to organizational roles instead of individuals within an organization. For example, it is much more efficient to be able to give members of the accounting group access to the accounting files on a central server rather than having to configure and maintain access rules for each and every employee in the accounting department. RBAC allows for a more controllable and standardized approach to enforcing access control across enterprises.
Carrying out access control functions (identification, authentication, authorization and auditing) in a secure and standardized manner across enterprise environments and systems can be overwhelming and close to impossible without the use of identity management (IdM) systems. While there are many different technologies within the world of IdM, for the most part these technologies work together to provide user account management, access control, password management, single sign-on functionality, managing rights and permissions for user accounts, and auditing and monitoring all of these items.
IdM provides the management of uniquely identified entities, their attributes, credentials and entitlements. Identity management also allows companies to create and manage digital identities' lifecycles (their creation, maintenance and termination) in a timely and automated fashion rather than a time-consuming and error-prone manual approach.
IdM systems are also used to reduce administrative costs, increase security, meet regulatory compliance and business needs, and improve upon service levels throughout enterprises. The continual increase in complexity and diversity of heterogeneous networked environments only increases the complexity of keeping track of who can access what and when.
When attempting to define access control across an enterprise as a whole, companies should first answer the following questions:
- How do we control access for our employees, customers and partners?
- What should each user have access to?
- Who approves and allows access?
- Why do employees have eight passwords to remember?
- How do we ensure that users are not overly burdened when needing to access multiple systems within a heterogeneous environment?
- How do the access decisions map to policies?
- How do we keep up with our dynamic and ever-changing environment?
- Do former employees still have access?
- What is the process of revoking access?
- How is access controlled and monitored centrally?
How do we provide a centralized access control model in a decentralized environment? How do we make sure we are compliant with the necessary regulations? Most IdM systems available today are made up of the following components:
- Automated user management
- Single sign-on
Directories within identity management systems are considered "identity stores" and contain resource information, users' authorization profiles, entitlement attributes, roles and possibly even access control policies so that all systems throughout an enterprise have one centralized resource from which to gather this information.
Identity stores can be meta-directories, which physically contain all of these access components within one directory, or virtual directories. A virtual directory is often used in an environment where it would be impossible to gather and maintain all access data (user profiles, resource ACLs, authorization rules, access control policies, etc.) on one central system. Often, these items are stored on different systems throughout a network and need to be virtually linked to act as though they are one physical system. Using IdM directories, administrators only need to configure and maintain one set of access control rules and policies for an environment instead of having to configure and maintain multiple access control rules on multiple systems and applications.
The identity management services that oversee and maintain directories and identity stores facilitate the bidirectional flow of data due to synchronization of changes between the directory and other identity stores. They also process the unidirectional flow of data coming from authoritative sources and send data into the identity management system. Identity data must originate from one directory, which is called the "authoritative source." The data within an authoritative source is replicated to individual identity stores throughout the environment in a unidirectional manner. It is important to protect the original identity data from being overwritten, which is why data can only flow one way from the authoritative source. Identity stores that are not considered authoritative sources replicate identity data in a bidirectional manner to ensure that each directory contains the most up-to-date access control information.
IdM systems also provide an automated workflow component to allow for standardized user management and automated provisioning functions. "User provisioning" refers to the creation, maintenance and deactivation of user accounts and attributes as they exist in one or more systems, directories or applications.
Since most networks are made up of heterogeneous systems, it would be overwhelming for users to have to remember credential sets for each system and application they need to access to fulfill their daily tasks. Identity management systems commonly contain single sign-on functionality to streamline the authentication process for users.
A federated identity is the means of linking a person's electronic identity and attributes that are stored across multiple distinct identity management systems. This is an expansion of the traditional single sign-on concept. Federated identity management encompasses a common set of policies, practices and protocols to manage the identity of users and devices across different organizations.
Federation allows for cross-domain Web-based single sign-on, user account provisioning, entitlement management and user attribute exchange. Federated identity offers businesses and consumers a more convenient way of accessing distributed resources and is a key component of e-commerce.
Access control threats
There are many types of threats and attack types that put companies and their critical assets at risk. While different access controls can be put in place to protect assets from them, compromises still happen every hour of every day, so finding a way to identify these threats is critical. The two types of technologies commonly used for this are intrusion detection systems (IDS) and intrusion prevention systems (IPS).
The main categories of IDS technologies are signature-based and anomaly-based. Signature-based IDSes carry out pattern matching similar to how antivirus software uses virus signature databases. This category of IDS is commonly broken down into pattern-based and state-based. Anomaly-based IDS technologies do not carry out signature-matching techniques; instead they look at the behavior of a system or network. If the behavior is not considered normal, the IDS assumes an attack is underway. Anomaly-based IDS uses protocol, heuristic and traffic-anomaly detection techniques.
To wrap up, this domain covers:
- How identification, authentication, authorization and accountability are accomplished.
- The three main access control models (DAC, MAC, RBAC) and how each model aligns with specific security requirements and business needs.
- How access control has expanded and evolved to include enterprise technologies such as identity management.
- How to extend IdM technologies to cross organizational boundaries with federated identity management.
CISSP® is a registered certification mark of the International Information Systems Security Certification Consortium, Inc., also known as (ISC)2.
NEXT: Continue learning about the Access Control domain with an exclusive multimedia presentation on identity management by Shon Harris.
RETURN to the main page of SearchSecurity's CISSP Essentials Security School.