Authorization and accountability build and depend upon the cybersecurity objective of identity management. The reason for developing a strong identity management program is to support strong authorization and accountability management. Once a user's identity is authenticated by the identity management system, the user is then granted access in accordance with access control models and policies, by the authorization management system. Accountability management provides an ability to gain a complete picture of how network resources are being accessed and used.
The key function of authorization management is controlling access by subjects to objects on the network. A subject is an active entity, such as a user or process. An object is a passive entity, such as a file.
There are several access models and controls that need to be considered for authorization management. Here are a few examples:
Attribute-based access control
Attribute-based access control (ABAC) models use attributes that subjects and objects have to make access control decisions. For example, a file object may have an access control list that contains all the subject identities that can access the file. In this case, permissions are an attribute of the object. This type of access control model may be easy to set up, but it can be very difficult to maintain and manage in a dynamic environment where changes occur frequently and rapidly. There is a variation of the ABAC model where permissions are attached to the subject rather than the object. In this case, a subject has a list of all the objects it has access rights to. Permissions are an attribute of the subject. This variation can be extended where a group or role definition has a list of attributes that describe what objects may be accessed and membership of the group or exercising the role permits access to those objects.
Mandatory access control
Mandatory access control (MAC) is a rule-based model that users have no control over. The rule-based access decisions depend on attributes of both the subjects and objects. This model is called mandatory in that the rules must be followed, without exception. Mandatory access control is often used where protecting confidentiality is a key concern. An example is the type of classification scheme that the government uses. A user with a government clearance of SECRET cannot access a document classified as TOP SECRET. That access decision is mandatory even if the document custodian wishes to allow access. In this example, the clearance labels of SECRET and TOP SECRET are attributes of both the subject and object upon which access decisions are made.
Discretionary access control
Discretionary access control systems allow the owner of the object to decide which subjects can access the object. The owner of the object has discretion over which subjects can access it and is not dependent upon any particular attribute of either the object or subject.
Role-based and group-based access control
Role-based access control (RBAC) is a model where access is controlled by what role or job function a user has. Access attributes in a role-based model are attached to a role or job function rather than a user identity. Group-based access control (GBAC) is a model where access is controlled by membership in a particular group. Access attributes in a GBAC model are attached to the group and membership in a group is required to gain access rights.
Functionally, role-based and group-based access control models are similar, but an RBAC model generally permits only a single role to be exercised at a time and allows for roles that are mutually exclusive, enforcing separation of duties. GBAC models are different in that they generally allow access based on the sum of all the access rights of all the groups that a subject is a member of at any time.
Combining access control models
Access control models are often combined to obtain a greater degree of control. For example, a mandatory access control model may be combined with a role-based access control model. The MAC system decides that a user with a TOP SECRET clearance may access a document with a SECRET classification. The mandatory access control system grants access and then passes control to a role-based access control system. The RBAC system decides that the user, based upon her current role, has not been granted access rights to the document and access is denied, overriding the MAC system.
The other significant benefit that a strong identity management system allows in addition to authorization management is accountability management. Accountability management is knowing which subjects are accessing which objects, when and where those objects are being accessed and what is being done with them. Accountability management can provide a complete, accurate and verifiable audit trail for tracking access and the ability to monitor activities on systems and the network. Accountability management can help in complying with regulations, including the Sarbanes-Oxley Act and the Gramm-Leach-Bliley Act. Being able to know who is doing what on the network can greatly improve your security posture. Accountability management allows for the following:
- confidentiality: recognizing unauthorized attempts to access information;
- integrity: detecting changes to files and configurations; and
- availability: monitoring of networks, devices, hosts and applications for availability.
Authorization and accountability management is enabled by and dependent upon strong identification and authentication. Being able to tightly control access and understand how that access is being utilized is a tremendous benefit to the secure operation of network systems and is a core requirement of achieving cybersecurity readiness.
Discover how DNS reverse mapping can be used for IPv6 address scanning
Read more on the best ways to organize an enterprise cybersecurity team
Find out what monitoring outbound enterprise traffic can reveal