Important Access Control Concepts

Access control follows the identification and authentication process, and once users are authenticated, security and network administrators use access controls to ensure that only authenticated users get access to the resources they are authorized to access. There are several models of access control, but before we can discuss these different models, it’s wise to mention a few of the principles of access control.

The Principle of Least Privileges

There’s a very popular principle you’ll often hear in cybersecurity over and over again, which is the Principle of Least Privileges. This principle specifies that users should only be granted only the rights and permissions needed to perform their job, and no more. Rights refers to actions. An administrator, for example, has the right to install certain applications, join a computer to a VLAN, or enforce a security policy on a domain. A permission, on the other hand, refers to the type of access for a file. Users in your organization might have either read, write, or modify permissions on a file depending on their job or assignment. The chief purpose of this principle, and for the most of the principles I’m going to discuss, are to reduce risk. To see an example of how this works, let’s look at a hospital scenario. Only healthcare practitioners (e.g., doctors, nurses, technicians, etc.) and patients should have access to the server holding their personal healthcare information. However, should the environmental services staff (e.g., plumbers, electricians, HVAC experts, etc.) and janitorial staff have access to this server? Absolutely not! They may be employees at the hospital, but there is no requirement for these employees to see patient healthcare information in order to do their jobs. Unfortunately, some organizations have very relaxed security controls. You might walk into an organization that grants everybody administrative access simply because it’s easier to manage. But, this implementation severely jeopardizes the confidentiality of data and opens up the opportunity for malicious insiders to steal or leak confidential information.

The Need to Know Principle

The Need to Know Principle is fairly similar to the Principle of Lease Privileges; however, it means users are granted access only to the data and information that they need to know in order to do their job. This is more focused on data and information rather than rights and permissions. The U.S. government uses the Need to Know Principle in their access control models. For example, a U.S. government agent may be granted Top Secret access in one area of intelligence, but it doesn’t mean they are granted access to all other compartments of Top Secret data. If the agent does not need to know the information in order to do their job, then there is no reason to grant them access to that information (even if the agent does have a Top Secret clearance).

The Separation of Duties

The Separation of Duties Principle is when more than one person is required to complete a particular operation. This distributes control over a system, infrastructure, or particular task. It’s a “checks and balances” system for security. This access control limits the power of one user to control processes. The more people involved, the less the company relies on one user for all the job tasks and the less chance the job can be compromised.

Mandatory Vacations

Mandatory Vacations are more of a policy implementation rather than a principle. With mandatory vacations, the organization forces an employee to take several days of vacation. During the vacation time, another employee takes over their role, which helps the organization discover any long-term malicious activity that might have been occurring. A network administrator, for example, might discover that his colleague was unfairly restricting Internet access for users.

Job Rotation Policies

Job Rotation is a type of access control that cycles through users to rotate their job assignments. It’s one of the most expensive options for access control because an organization needs multiple people to perform the same task. However, job rotation  increases user insight into overall operations, reduces employee boredom, and enhances employee skill level. Another great thing about job rotation is that it removes a single point of failure from critical job roles. For example, if your organization only has one person who can configure the network firewalls, and that person leaves the company, it puts the company at significant risk not only from outside attacks, but also from the employee if they are disgruntled.

Implicit Deny

One final concept I’d like to discuss is an Implicit Deny, which is a network security best practice. An implicit deny (deny all) rule can be set for any service or system. In other words, security access must be explicitly granted, otherwise it is denied by default. Implicit deny should always be set. If users do not fit an explicit allow, all these specific users will be implicitly denied. An implicit deny rule can be found at the end of a firewall policy, that is, if none of the firewall rules apply to the particular traffic, it will be denied as a security precaution.

Access Control Models

Now, that we’ve discussed several of the important concepts of access control, we can analyze and compare some of the main access control models.

Role-Based Access Control (Role-BAC)

The first access control model is Role-Based Access Control, or Role-BAC, for short. In this model, users in an organization are assigned to a role, such as Administrators, Sales, Accounting, Audit, Finance, Student, Human Resources, Management, Help Desk, IT Specialist, and so forth. These roles are essentially just groups that mimic the employees’ job title, which makes this access control model fit really well with Group Policy in Active Directory. This makes Role-BAC a favorite amongst security administrators because there’s very little management overhead. All an administrator needs to do is put a new employee in their correct role group and all security policies and access controls apply for that specific group. This eliminates the need to manage each employee individually.

Rule-Based Access Control (Rule-BAC)

In this model, access is determined by “rules” in an Access Control List (ACL). As we’ll see below, the Discretionary Access Control (DAC) model also uses rules to allow and restrict access. Normally, we see Rule-BAC being used in network infrastructure devices, like firewalls and routers. Firewalls contain ACLs that either allow or deny traffic.

Discretionary Access Control (DAC)

The Discretionary Access Control (DAC) model uses rules inside of an ACL, except the ACL in a DAC model is referred to as a Discretionary Access Control List (DACL). A DACL is pronounced “DACK-ul.” In the DAC model, there are objects and owners. Objects are things such as files or folders while owners are the users who own the files and folders. Owners have the ability to assign permissions for the objects they own. For instance, if Bob owns a file called “thecybersecurityman.txt,” he can grant other users read, write, or modify permissions for that file. The Microsoft Windows New Technology File System (NTFS) uses DAC.

Mandatory Access Control (MAC)

The final access control model I’ll discuss is the Mandatory Access Control (MAC) model. MAC uses data labels and subjects. The U.S. government uses the following data labels to classify objects: Top Secret, Secret, Confidential, and for Official Use. A subject is a user. Data labels are assigned to each subject and object. Therefore, if Bob wanted to view a Top Secret document, he would have to have a Top Secret clearance. There is an exception to this rule, however. Higher level labels will include lower level labels, but lower level labels will not include higher level labels. If Bob has a Top Secret clearance, he may view Confidential documents. Also, just because Bob is granted Top Secret access to one compartment, that does not mean he is granted access to another, different top secret compartment. This concept is based on the “Need to Know Principle.”

 

References

Gibson, D. (2017). CompTIA SECURITY+ Get Certified Get Ahead SY0401 Study Guide.   Virginia Beach, VA: YCDA, LLC