Unit 4: Access Control
The main goal of information security is to protect data from unauthorized disclosure. Access control models are used in an organization to provide the appropriate access to users based on individual or group privileges.
Privileges can be granted based on clearance levels, discretion, roles, or rules. The types of access control models used to restrict access that will be reviewed in this unit are mandatory access control (MAC), discretionary access control (DAC), role-based access control (RBAC), and rule-based access control (RB-RBAC).
Completing this unit should take you approximately 2 hours.
Upon successful completion of this unit, you will be able to:
- discuss the need for access control in information systems;
- describe access control terms such as permissions, rights, privileges, access control matrix, access control list (ACL), privilege creep, need-to-know, least privilege, and separation of duties;
- compare and contrast mandatory access control (MAC) and discretionary access control (DAC), and the advantages and drawbacks of each; and
- differentiate between role-based access control (RBAC) and rule-based access control (RB-RBAC).
4.1: Access Control
Access control is the mechanism to prevent unauthorized disclosure and access to data and systems. This unit provides information on how access control protects the tenets of the CIA triad, and the role of access control in a system.
In information security, access control is imperative to ensure confidentiality, integrity, and availability. Controlling who has access to a system and the breadth of access a user has is vital to ensure the security of systems and data on the systems. Read this article to understand the terms access control, access, subject, and resource. Note the challenges, the principles, the criteria, and the practices used in access control.
- Watch this video on access control. What is the role of access control? How would you describe authentication, authorization, and audit?
4.2: Access Control Terminology
Access control is required in information security to assure confidentiality, integrity, and availability of systems and to protect the data on systems. Access control is enforced by limiting the permissions and privileges granted to those authorized to access the systems. Authorized personnel, or subjects, are given specific rights and privileges to perform actions at an appropriate level according to the requirements of their position. Permissions are the rights given to a user or subject, such as the right to read, write, or execute a file. Privileges are given to a role, such as a systems administrator or SA. For instance, a subject or person given the role of SA has root access on a system and has elevated privileges.
To maintain access control, administrative methods for personnel access such as least privilege, separation of duties, need-to-know, and privilege creep should be in place. In addition, systems use access control matrices and access control lists (ACL) to maintain access control. These terms and processes are discussed in more detail in subsequent sections in this unit.
- Read this section on access control principles. How would you describe the principle of least privilege, separation of duties, and need-to-know?
This article discusses how the principles of least privilege and need-to-know are related. You should be able to explain how least privilege and need-to-know can be controlled with correct data labeling and by assigning user roles. Pay attention to how too much security can sometimes be a bad thing.
When considering the principles of least privilege and privilege creep, start with no privilege granted to a user, then grant access as needed. This video explains this concept in more detail.
Watch this video to see how using the principle of least privilege can reduce the impact of an attack on a system.
Separation of duties is used to restrict work and system access to a narrower focus. This principle is more difficult to provide in a smaller organization than in a larger organization, but it is an important concept to understand and to address. Read the section on separation of duties to understand how this concept prevents individuals from attacking systems on their own and requires collusion with other individuals to commit fraud. How does separation of duties protect against fraud? What are some mechanisms that can be used to enforce separation of duties?
The section in this article on access control matrix describes the matrix and discusses how it is related to the access control list (ACL). This section will introduce you to the access control matrix and the ACL. Pay attention to the term Kerberos, which was used in the previous unit.
The access control matrix describes the security state and can be represented in table or matrix form. Every subject and object is listed, along with the permissions allowed for each subject. The access given to a subject follows the organization's security policy, which is written to protect the confidentiality, integrity, and availability of the system. The access control list (ACL) stores the permissions of each object or file. After watching this video, you should be able to explain the concept of access control matrices and the ACL. Where do the rules come from for access control?
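The relationship between the matrix, the per-object ACL, and privilege creep can be shown in a few lines of Python. This is an added example, not part of the course materials; the subjects, objects, rights, and the policy baseline are all constructed for illustration.

```python
from collections import defaultdict

# Constructed access control matrix: one row per subject, one column per object.
# A missing cell means no access (default deny).
MATRIX = {
    "alice": {"payroll.db": {"read", "write"}, "audit.log": {"read"}},
    "bob": {"payroll.db": {"read"}},
    "backup_svc": {"payroll.db": {"read"}, "audit.log": {"read"}},
}

# Constructed baseline: what the written security policy says each subject needs.
POLICY = {
    "alice": {"payroll.db": {"read", "write"}},
    "bob": {"payroll.db": {"read"}},
    "backup_svc": {"payroll.db": {"read"}, "audit.log": {"read"}},
}

def is_allowed(matrix, subject, obj, right):
    """Allow only if the subject's cell for this object contains the right."""
    return right in matrix.get(subject, {}).get(obj, set())

def acls_from_matrix(matrix):
    """Slice the matrix by column: each object's ACL maps subjects to rights."""
    acls = defaultdict(dict)
    for subject, row in matrix.items():
        for obj, rights in row.items():
            if rights:
                acls[obj][subject] = set(rights)
    return dict(acls)

def excess_rights(matrix, policy):
    """Privilege-creep check: rights present in the matrix but not in policy."""
    findings = []
    for subject, row in matrix.items():
        for obj, rights in row.items():
            extra = rights - policy.get(subject, {}).get(obj, set())
            if extra:
                findings.append((subject, obj, sorted(extra)))
    return sorted(findings)

if __name__ == "__main__":
    print(acls_from_matrix(MATRIX)["audit.log"])
    print(excess_rights(MATRIX, POLICY))
```

Storing the columns gives ACLs attached to each object; comparing the live matrix to the policy baseline is one way to spot rights that have accumulated beyond least privilege.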
4.3: Access Control Models
Now that you understand access control and some access control principles, we move on to some access control models. The model chosen is determined by the type of protection needed in a particular system and may depend on the type of agency where the security professional works. Therefore, it is important to understand that there are different access control models and to have a basic understanding of each model. For example, mandatory access control (MAC) is used by the military and is a more formal type of access approval based on least privilege. Role-based access control (RBAC) is used in the private sector and is based on need to know. This section will introduce access control models to include mandatory access control (MAC), discretionary access control (DAC), role-based access control (RBAC), and rule-based access control (RB-RBAC).
In the previous section, you learned some common ways that access should be limited such as by need-to-know, least privilege, and separation of duties. In this section, you will learn about four access control models: mandatory access control (MAC), discretionary access control (DAC), role-based access control (RBAC), and rule-based access control (RB-RBAC). Read the section in this article on access control models. Pay attention to the basis of each control model and the type of agency that would use each model. This article does not cover RBAC, but it will be discussed in a subsequent section.
4.3.1: Mandatory Access Control (MAC) and Discretionary Access Control (DAC)
Read section 3 on Discretionary Access Control (DAC) and section 4 on Mandatory Access Control (MAC). Why is DAC called discretionary and MAC non-discretionary? What is the main drawback or vulnerability presented when using DAC, and why is MAC not vulnerable as well? What do no read-up and no write-down mean?
Watch this video. Who writes the rules and who owns the files in MAC and DAC? Which type of access control is typically used by military or government agencies, and which type is used in consumer operating systems? What type of security labels are attached to files, and what type of label is attached to a subject?
Watch this video on the Bell-LaPadula model, which supports both mandatory and discretionary access control. What agency developed the Bell-LaPadula model? What does this model protect, and what tenet of the CIA triad was it designed to protect? Does this mean the model is no read up or no read down? What concept is the Bell-LaPadula model built on?
The Biba model was developed after the Bell-LaPadula model, and it also supports both mandatory and discretionary access control. Which tenet of the CIA triad does the Biba Model address? Was the model no read up or no read down? Why are the Biba and the Bell-LaPadula models used together? On what concept is the model built?
You have encountered the terms read up and read down, but what do these terms mean? To clarify, watch this video, and you will learn some new terms as well. While watching, be sure to take notes and be able to explain the simple security property, the star security property, and the discretionary security property.
You have already learned a lot about the Bell-LaPadula and Biba models, but this article will provide some information that has not yet been addressed. View the sections on the Bell-LaPadula and Biba models and compare the two models while you read. What are the rules of each model? When was each model developed? Do the models have other similarities?
4.3.2: Role-Based Access Control (RBAC)
Role-based access control (RBAC) is a method that allows and restricts access to subjects or users based on the role of the user. When reading, pay attention to the description of an RBAC system and be able to describe the system, as well as to name the user that only RBAC can restrict. How does this one restriction increase the difficulty for an attacker to compromise the system? What is the set of rules called that manages the RBAC system? Although you will not be asked to create an RBAC policy, read through the rest of the document and try to follow the examples of how an RBAC policy is coded on a system.
Role-based access control (RBAC) is based on roles. Access rights are assigned to roles and users are assigned to roles. After watching, you will be able to describe how this model is implemented using two matrices. Is this access control model similar to discretionary or mandatory access control? When would this access control model be used? What are some constraints of this model?
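The two assignments described above (users to roles, roles to access rights) and one common RBAC constraint, static separation of duties, look like this in Python. This is an added example, not taken from the course readings; the users, roles, permissions, and the mutually exclusive role pair are constructed.

```python
# Constructed user-role assignment (first matrix).
USER_ROLES = {
    "alice": {"accounts_payable"},
    "bob": {"payment_approver"},
    "carol": {"auditor"},
}

# Constructed role-permission assignment (second matrix): (object, action) pairs.
ROLE_PERMS = {
    "accounts_payable": {("invoice", "create"), ("invoice", "read")},
    "payment_approver": {("invoice", "read"), ("payment", "approve")},
    "auditor": {("invoice", "read"), ("payment", "read")},
}

# Static separation of duties: role sets no single user may hold together.
MUTUALLY_EXCLUSIVE = [{"accounts_payable", "payment_approver"}]

class SoDViolation(Exception):
    """Raised when a role assignment would break separation of duties."""

def effective_permissions(user, user_roles, role_perms):
    """Union of the permissions of every role the user holds."""
    perms = set()
    for role in user_roles.get(user, set()):
        perms |= role_perms.get(role, set())
    return perms

def check_access(user, obj, action, user_roles, role_perms):
    """Users never hold rights directly; access comes only through roles."""
    return (obj, action) in effective_permissions(user, user_roles, role_perms)

def assign_role(user, role, user_roles, role_perms, exclusive):
    """Add a role to a user unless it is unknown or violates a constraint."""
    if role not in role_perms:
        raise KeyError(f"unknown role: {role}")
    proposed = user_roles.get(user, set()) | {role}
    for conflict in exclusive:
        if conflict <= proposed:
            raise SoDViolation(f"{user} may not hold all of {sorted(conflict)}")
    user_roles[user] = proposed

if __name__ == "__main__":
    print(check_access("bob", "payment", "approve", USER_ROLES, ROLE_PERMS))
    print(check_access("alice", "payment", "approve", USER_ROLES, ROLE_PERMS))
```

With the constraint in place, creating an invoice and approving its payment require two different people, which is the collusion requirement that separation of duties is meant to impose.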
4.3.3: Rule-Based Access Control (RB-RBAC)
This section explains the basics of the rule-based access control (RB-RBAC) model. As you read, you will understand why this model is called rule-based: access depends on meeting a set of rules rather than on identity, as in the other models discussed. What is an example of a rule-based access control on a system?
Section 4.2 in this article describes the rule-based RBAC (RB-RBAC) model. This model is an extension of the RBAC model, but is not identical to it. How does it differ from the RBAC model?
Unit 4 Assessment
Take this assessment to see how well you understood this unit.
- This assessment does not count towards your grade. It is just for practice!
- You will see the correct answers when you submit your answers. Use this to help you study for the final exam!
- You can take this assessment as many times as you want, whenever you want.