CS406 Study Guide

Unit 4: Access Control

4a. Discuss the need for access control in information systems

  • What are some challenges of access control?
  • What is the role of access control?
  • Describe the three main areas of access control: authentication, authorization, and audit.

Access control is used to protect the confidentiality of data. The challenge is that not all users require the same level of access or have the same clearance level to view data. An employee's role is always changing, and employees in an organization constantly change as well.

Access control governs what can be done on a computer and by whom. This means restricting access to data on a system. To gain access to a system, access control requires a user to authenticate and to be authorized to use the system.

Authentication means that the user proves who they are, usually by entering a password. When the system acknowledges the username and password combination as correct, the system authorizes the user's access to the system. Auditing is recording the user's activity on a server, or the fact that the user accessed the system.

To review, see Access Control.

 

4b. Describe access control terms such as privilege creep, need-to-know, least privilege, separation of duties, access control matrix, and access control list (ACL)

  • How are least privilege and need-to-know related?
  • How does separation of duties protect from fraud?
  • What is the relationship between an access control list (ACL) and an access control matrix (ACM)?

Least privilege means giving a user the least amount of access needed to perform their job. Need-to-know means giving a user access only to the systems and data needed to perform their job. Least privilege and need-to-know are related, as both are based on the level of access a user needs to perform their job.

Separation of duties is when more than one person is required to complete a task. This may mean that the person who builds a server does not also audit that server. Separation of duties prevents fraud by requiring the collusion of two or more people to commit fraud.

An access control list (ACL) is a list of subjects, the objects they are authorized to access, and the level of authorization. An access control matrix (ACM) is a table that links a subject's permissions to objects in a system. The ACL resides in the columns of the ACM.
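The relationship between the ACM and the ACL, together with a least-privilege review, as an added example that is not part of the original study guide. The subjects, objects, rights, and the need-to-know baseline are constructed sample data.

```python
# Constructed access control matrix: rows are subjects, columns are objects.
ACM = {
    "alice": {"payroll.db": {"read", "write"}, "build-server": {"read"}},
    "bob":   {"payroll.db": {"read"}, "build-server": {"read", "write", "admin"}},
    "carol": {"audit.log": {"read"}},
}

# Constructed need-to-know baseline: the rights each job actually requires.
REQUIRED = {
    "alice": {"payroll.db": {"read", "write"}},
    "bob":   {"build-server": {"read", "write"}},
    "carol": {"audit.log": {"read"}},
}


def acl_for(matrix, obj):
    """Return one column of the matrix: the ACL kept for a single object."""
    return {subj: set(row[obj]) for subj, row in matrix.items() if obj in row}


def is_allowed(matrix, subject, obj, right):
    """Default deny: anything absent from the matrix is refused."""
    return right in matrix.get(subject, {}).get(obj, set())


def excess_rights(matrix, required):
    """List grants that exceed the need-to-know baseline (least privilege review)."""
    findings = []
    for subj, row in matrix.items():
        for obj, rights in row.items():
            extra = rights - required.get(subj, {}).get(obj, set())
            if extra:
                findings.append((subj, obj, sorted(extra)))
    return sorted(findings)


if __name__ == "__main__":
    print("ACL for payroll.db:", acl_for(ACM, "payroll.db"))
    for finding in excess_rights(ACM, REQUIRED):
        print("exceeds need-to-know:", finding)
```
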


4c. Compare and contrast mandatory access control (MAC) and discretionary access control (DAC), and the advantages and drawbacks of each

  • What is the main difference between mandatory access control (MAC) and discretionary access control (DAC)?
  • What type of agency typically uses mandatory access control (MAC) and discretionary access control (DAC)?
  • What are the advantages of mandatory access control (MAC) and discretionary access control (DAC)?

Mandatory access control (MAC) is based on the security clearance level of the user. A user cannot access data that has a higher security level than that of the user. Discretionary access control (DAC) is identity-based access control. The owner of the data controls who is allowed access.

Mandatory access control (MAC) is typically used by the government and the military. In these organizations, the desire is to own, control, and protect the data. Discretionary access control (DAC) is typically used by most other agencies. In these agencies, users have control over the files they create.

Mandatory access control (MAC) is more secure than discretionary access control (DAC). However, MAC is not automatically scalable, and users must request access and cannot configure their own access. Discretionary access control (DAC) is easier to maintain and to implement than MAC, but DAC has a lower level of protection than MAC, and there is no central access management control.
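The difference between the two models, as an added example that is not part of the original study guide. The level names, users, and file name are constructed, and the MAC check models only the rule stated above (no reading data above the user's clearance).

```python
# Constructed ordering of security levels, lowest to highest.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}


class DacFile:
    """DAC: the owner of the data decides who is allowed access."""

    def __init__(self, owner):
        self.owner = owner
        self.readers = {owner}

    def grant_read(self, actor, user):
        # Only the owner may extend access; there is no central authority.
        if actor != self.owner:
            raise PermissionError("only the owner may change access")
        self.readers.add(user)

    def can_read(self, user):
        return user in self.readers


class MacPolicy:
    """MAC: a central policy compares the user's clearance to the data's label."""

    def __init__(self, clearances, labels):
        self.clearances = clearances  # user -> level name, set by administrators
        self.labels = labels          # object -> level name, set by administrators

    def can_read(self, user, obj):
        # Users without a recorded clearance are treated as the lowest level.
        clearance = LEVELS[self.clearances.get(user, "unclassified")]
        return clearance >= LEVELS[self.labels[obj]]


if __name__ == "__main__":
    report = DacFile(owner="dana")
    report.grant_read("dana", "eli")  # the owner shares at her own discretion
    print("DAC, eli can read:", report.can_read("eli"))

    mac = MacPolicy({"dana": "secret", "eli": "confidential"}, {"plan.txt": "secret"})
    # No user-level grant exists under MAC; only the labels decide.
    print("MAC, eli can read:", mac.can_read("eli", "plan.txt"))
```
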


4d. Differentiate between role-based access control (RBAC) and rule-based access control (RB-RBAC)

  • What is the set of rules used in an RBAC system?
  • When would role-based access control (RBAC) be used?
  • How does the rule-based access control (RB-RBAC) model differ from the role-based access control (RBAC) model?

Role-based access control (RBAC) is based on the role of a user in a system. The role can be defined by a particular user, a group, a default role, or specially defined roles. Rules are set by policies that define the access needed for roles.

Role-based access control (RBAC) is used to control access for users based on the role of a user. If an organization has a large turnover of employees, RBAC is desired for easier account deletion. When new employees are hired, it is also easier to add them and give them permissions based on their job description.

Rule-based access control (RB-RBAC) is based on rules or policies that are set for everyone. If a company wants to restrict the hours that employees can work, a policy can be written in an RB-RBAC model. Role-based access control (RBAC) sets policies for users based on their role in the organization.
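A role check and a rule that applies to everyone, side by side, as an added example that is not part of the original study guide. The role names, permission strings, users, and the 08:00 to 18:00 working-hours window are constructed for illustration.

```python
from datetime import time

# RBAC: permissions attach to roles, and users receive roles (constructed data).
ROLE_PERMISSIONS = {
    "hr-clerk": {"employee-records:read"},
    "hr-manager": {"employee-records:read", "employee-records:write"},
    "sysadmin": {"servers:admin"},
}
USER_ROLES = {"frank": {"hr-clerk"}, "grace": {"hr-manager", "sysadmin"}}

# Rule-based: one policy for every user, whatever their role (assumed window).
WORK_START, WORK_END = time(8, 0), time(18, 0)


def role_allows(user, permission):
    """True if any role assigned to the user carries the permission."""
    roles = USER_ROLES.get(user, set())
    return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in roles)


def within_working_hours(now):
    return WORK_START <= now < WORK_END


GLOBAL_RULES = [within_working_hours]


def decide(user, permission, now):
    """Rules are evaluated for everyone first, then the user's roles."""
    if not all(rule(now) for rule in GLOBAL_RULES):
        return "deny: rule"
    if not role_allows(user, permission):
        return "deny: role"
    return "allow"


def offboard(user):
    """Removing the role assignment revokes every permission in one step."""
    return USER_ROLES.pop(user, set())


if __name__ == "__main__":
    print(decide("frank", "employee-records:read", time(9, 30)))
    print(decide("grace", "servers:admin", time(22, 0)))
```
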

To review, see Role-Based Access Control (RBAC), Rule-Based Access Control (RB-RBAC), RB-RBAC versus the RBAC Model, and RBAC Access Control.

 

Unit 4 Vocabulary

This vocabulary list includes the terms you will need to know to successfully complete the final exam.

  • access control list
  • access control matrix
  • audit
  • authentication
  • authorization
  • confidentiality
  • discretionary access control
  • least privilege
  • mandatory access control
  • need-to-know
  • role
  • role-based access control
  • rule-based access control
  • separation of duties