9. Access Control Convergence
9.3. Authorization
9.3.1. Access Control Models
Successfully managing access to resources relies on pairing certain elements of information about the resource (discussed in Section 9.1) with information about the user (discussed in Section 9.2) within the appropriate context to make an access decision. An agency can employ various access control models to determine how user and resource attributes should be handled within access control transactions. Access control models are conceptual ways to express how an access control system implements specific policies using its underlying infrastructure components and security mechanisms. This section discusses common access control models, their benefits and limitations, and examines when a particular model could be employed based upon the needs of the agency. Many of the definitions and characteristics of the access control models in this section are drawn from NISTIR 7657 [41].
Many systems today rely on Access Control Lists (ACLs), a basic method for performing access control that grants access based on a list of the authorized entities and the actions each is allowed to perform. ACLs offer a simple approach to managing access and require minimal infrastructure; as such, they have been implemented widely across numerous applications. Maintaining ACLs for individual resources or an enterprise can be time-consuming and prone to errors. Additionally, approval processes for adding a user to an ACL often involve personal knowledge of the individual, such as a supervisor approving the request. Over time, as a user's role or access needs change, it can be difficult to identify and remove access that is no longer needed.
Terminology
Situational Access Control – An approach for adapting access control decisions for a resource to support the current operational environment. In this approach, the attributes about a user or resource typically do not change; however, their relevance to the situation impacts the access control decision. For example, an individual may be granted access to a location that he/she does not routinely have access to during an emergency situation based on his/her designation as an Emergency Response Official.
Situational Access Control is not a separate access control model but may be supported by several of the more robust access control models available (e.g., Role-Based Access Control (RBAC), Policy-Based Access Control (PBAC), Attribute-Based Access Control (ABAC), and Risk-Adaptable Access Control (RAdAC)) [42].
As agencies move toward enterprise approaches to access control in the ICAM target state, many ICAM implementers are looking for more flexible, granular approaches for managing access. Several additional access control models are available that automate access based upon user attributes and contextual resource information, including Attribute-Based Access Control (ABAC), Role-Based Access Control (RBAC), Policy-Based Access Control (PBAC), and Risk-Adaptable Access Control (RAdAC). Figure 18 describes each of these access control models and discusses the benefits and limitations inherent to each model.
Access Control List (ACL)
How access determinations are made: Access to resources is granted on a resource-by-resource basis, based upon an individual's inclusion and corresponding privileges, as noted on the resource's ACL.
Benefits:
- Simple framework which does not require pre-existing infrastructure.
- Supported by common operating systems.
- Widely used and accepted throughout the Federal Government.
- Controlled locally at the resource level.
Limitations:
- Ability to evaluate individual access privileges becomes extremely complex as the list grows larger over time.
- Criteria for access and individual role/job duties are fluid over time, thereby placing a significant administrative burden on resource owners.
- Nearly impossible to manage at an enterprise level due to the sheer volume of resources and ACLs.
- Requires manual changes to the ACL, a time-consuming and error-prone process.
- Revocation of access privileges may be delayed due to non-automated communication methods (e.g., word of mouth, e-mail, paper form distribution).

Role-Based Access Control (RBAC)
How access determinations are made: Individuals are assigned to various roles within an organization, down to the resource level, based upon certain identity and entitlement attributes. Access is determined by having a particular role assignment that corresponds to one or more resources.
Benefits:
- Supports groupings of individuals with particular roles based upon well-defined and trusted attributes.
- Can accommodate centralized management.
- Can be implemented at various levels within an organization, as long as a valid role is defined.
- Supported by common operating systems and capable of group support as well.
Limitations:
- Can be difficult to manage, as each protected resource generally has unique role requirements, thereby resulting in large numbers of potential role assignments within an organization.
- Difficult to manage granular access of individuals due to the rigid nature of role assignments.
- Difficult to implement in a highly distributed agency (not centrally managed).
- Requires a significant level of effort to determine the appropriate alignment of privileges for users not tied to the agency's organizational structure.

Attribute-Based Access Control (ABAC)
How access determinations are made: Focuses on characteristics that describe people, resources and environments. The requester provides attributes which are compared to those documented as requirements for granting or denying access, at which point a decision is made.
Benefits:
- Requires no advance knowledge of requesters.
- An individual's attributes can be correlated from multiple sources to create a unified identity.
- Highly adaptable to changing needs; efficient for agencies where individuals come and go frequently.
Limitations:
- Lengthy implementation time due to the need to correlate information and attributes from multiple sources for all potential users.
- Reliant on authoritative identity/entitlement data; attribute conflicts between source systems are difficult to manage.
- Not natively supported by common operating systems.
- Not appropriate for all environments (i.e., those with significant changes in risk level).

Policy-Based Access Control (PBAC) [43]
How access determinations are made: Determines access using rule sets, which consider the circumstances of the transaction and the policy.
Benefits:
- Promotes compliance with standardized access controls.
- Flexible in not being tied to only one type of access control.
- Adapts quickly to new policy rules.
Limitations:
- Requires the design, deployment, and seamless integration of enterprise-level systems (databases, directory services, etc.).
- Policies must be absolutely unambiguous to avoid unintentional, unauthorized access.
- The entire enterprise must use the same attributes for access, and those attributes must be authoritative.
- Not natively supported by common operating systems.

Risk-Adaptable Access Control (RAdAC)
How access determinations are made: The amount of information required of requesters to verify their identity depends on the current threat level; the information includes personal trustworthiness and environmental factors.
Benefits:
- Has the ability to make real-time access control available.
- Can control multiple diverse systems, including digital policies, as some systems may require different authentication levels for the same user based on the transaction.
- Supports flexible situations.
Limitations:
- Cannot always be automatic; user judgments are needed.
- Integrated systems must use standardized data exchange formats.
- Policies must be unambiguous to avoid unintentional, unauthorized access.
- Extensive policy and legal considerations; great care is required to ensure compliance.
- Not natively supported by common operating systems.

Figure 18: Common Access Control Models
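The decision logic behind the first three rows of Figure 18, and the situational access control case from the Terminology box, as an added example (not code from the FICAM Roadmap or from NISTIR 7657). It is a toy policy decision point in Python: the same constructed subjects, resources and requests are evaluated under an ACL, under RBAC and under an ABAC/PBAC rule set, and the revocation helpers make the administrative difference between the models concrete. Every subject, resource, attribute and rule name is invented for illustration.

```python
"""Added example, not code from the FICAM Roadmap: a toy policy decision point
implementing the ACL, RBAC and ABAC/PBAC models from Figure 18 over one constructed
set of subjects, resources and requests. All names, attributes and rules are invented."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Request:
    subject: str
    resource: str
    action: str
    subject_attrs: dict = field(default_factory=dict)  # from identity/entitlement stores
    env: dict = field(default_factory=dict)            # situational context

# ACL: each resource carries its own subject -> allowed-actions list.
ACL = {
    "facility/bldg-7": {"alice": {"enter"}, "bob": {"enter"}},
    "hr/payroll-db":   {"alice": {"read"}, "carol": {"read", "write"}},
}

def acl_decide(req):
    return req.action in ACL.get(req.resource, {}).get(req.subject, set())

def acl_revoke(subject):
    """Removing a departed user means visiting every resource's list; returns how
    many lists had to change (the maintenance burden Figure 18 describes)."""
    return sum(1 for entries in ACL.values() if entries.pop(subject, None) is not None)

# RBAC: subject -> roles and role -> permissions; resources never name users.
ROLE_ASSIGNMENTS = {
    "alice": {"facility-staff", "payroll-auditor"},
    "bob":   {"facility-staff"},
    "carol": {"payroll-clerk"},
}
ROLE_PERMISSIONS = {
    "facility-staff":  {("facility/bldg-7", "enter")},
    "payroll-auditor": {("hr/payroll-db", "read")},
    "payroll-clerk":   {("hr/payroll-db", "read"), ("hr/payroll-db", "write")},
}

def rbac_decide(req):
    roles = ROLE_ASSIGNMENTS.get(req.subject, set())
    return any((req.resource, req.action) in ROLE_PERMISSIONS.get(r, set()) for r in roles)

def rbac_revoke(subject):
    """One change at the role store removes every permission those roles carried."""
    return len(ROLE_ASSIGNMENTS.pop(subject, set()))

# ABAC/PBAC: rules evaluated over subject, resource and environment attributes.
RESOURCE_ATTRS = {
    "facility/bldg-7": {"type": "facility", "site": "HQ"},
    "hr/payroll-db":   {"type": "data", "owner": "HR"},
}

def routine_facility(req, res):
    """Staff assigned to a site may enter that site's facilities."""
    return (req.action == "enter" and res.get("type") == "facility"
            and req.subject_attrs.get("site") == res.get("site"))

def emergency_ero(req, res):
    """Situational access control: the ERO designation is always on the subject,
    but it is only relevant while an emergency is declared in the environment."""
    return (req.action == "enter" and res.get("type") == "facility"
            and req.env.get("emergency") is True
            and req.subject_attrs.get("designation") == "ERO")

def owner_org_read(req, res):
    """Members of the owning organization may read its data."""
    return req.action == "read" and req.subject_attrs.get("org") == res.get("owner")

RULES = [("routine_facility", routine_facility),
         ("emergency_ero", emergency_ero),
         ("owner_org_read", owner_org_read)]

def abac_decide(req):
    """Permit-overrides: the first matching rule grants; no match is an explicit deny."""
    res = RESOURCE_ATTRS.get(req.resource, {})
    for name, rule in RULES:
        if rule(req, res):
            return True, name
    return False, "no-matching-rule"

def merge_attributes(sources):
    """Correlate one subject's attributes from several source systems. A value the
    sources disagree on is reported as a conflict and blanked rather than silently
    taking whichever source came first, so it cannot satisfy any rule until resolved."""
    merged, conflicts = {}, {}
    for attrs in sources.values():
        for key, value in attrs.items():
            if key in merged and merged[key] != value:
                conflicts.setdefault(key, set()).update({merged[key], value})
            merged.setdefault(key, value)
    for key in conflicts:
        merged[key] = None
    return {"attrs": merged, "conflicts": {k: sorted(v) for k, v in conflicts.items()}}
```

Two points to take from running it. First, a subject with the ERO designation who is not on building 7's ACL and holds no facility role is denied by both ACL and RBAC, but is permitted by the attribute rule set only while the environment says an emergency is declared; that is the situational case handled without changing any user or resource data. Second, the ABAC limitation about attribute conflicts is not hypothetical: when two source systems disagree on a subject's organization, merge_attributes blanks the attribute and reports the conflict, so the request fails closed instead of being decided on whichever source happened to be read first.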
The elements described above are intended to help agencies better understand access control models and the value that they can provide. However, implementers should recognize that no single model is perfect in all situations. There are several important considerations that ICAM implementers should weigh when evaluating access control models for a particular agency, including [44]:
Complexity vs. Simplicity. Agencies should seek to achieve a balance between complexity and simplicity of the access control system's underlying architecture. Simpler architectures are easier to manage and maintain; however, they may offer comparatively fewer enhanced capabilities. Implementers should consider the agency's unique situation in terms of its user base, resources, infrastructure, and attribute stores in order to determine which model balances complexity with simplicity. Additionally, an agency may begin with a simple architecture that is designed for extension to a more complex model over time, which can be an effective way to support achievement of short- and long-term objectives.
Performance. Agencies should consider their mission needs and operating requirements and evaluate them against the access control system's ability to process user requests within a time that is consistent with the needs of the enterprise. This can be accomplished by examining the complexity of the decision-making algorithm, as well as through process modeling and prototyping.
Policy Support. Access control models should support the organization's overall access control policies, such as mandatory access control, discretionary access control, separation of duties, workflows, etc. Certain models may also be capable of combining various policies to achieve enhanced capabilities, should they be desired.
Ease of Administration. Agencies should consider the level of administrative and technical support necessary to manage the access control system. For example, the need to support special policy languages and capabilities represents a significantly higher administrative burden than use of a simple graphical user interface (GUI) to compose and administer access control policy.
FAQ
Isn’t there one access control model that is the best?
Each of the access control models is a conceptual approach for how to use resource, user, and environmental data to drive the appropriate types of access control policies. In practice, agencies should review their access requirements and choose the model, or a combination of the capabilities of several models, that best suits their needs. More robust access control models, such as role-based access control or policy-based access control, can help an agency achieve the automation and efficiency goals and enhanced security capabilities associated with the target state ICAM segment architecture.
Each access control model has been presented individually in order to allow for a comparison of the benefits and limitations. In implementation, however, it is likely that many agencies will utilize some type of hybrid approach that combines various aspects of multiple access control models depending on the requirements of the resource. For example, RBAC often provides a sufficient level of granularity to define access policies for many agency resources; however, an application that has an extensive remote user population may require additional access mechanisms capable of handling RAdAC contextual information. In this case, when a user from an unknown location attempts to gain access, they may be prompted for additional information for verification. Several of the access control models in this section provide efficiencies or more granular security that is not possible in the current environment. The following section discusses how these models may be applied to define and manage access control policies within an agency.
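The hybrid described in the paragraph above, as an added example that is not part of the FICAM Roadmap: a Python policy decision point in which a role check supplies the baseline entitlement and a RAdAC-style risk layer decides whether the session's existing authentication is enough, whether the user must be prompted for stronger verification, or whether the transaction should be referred to a human (the "cannot always be automatic" limitation in Figure 18). The roles, the agency network range, the threat levels, the assurance levels and every threshold are invented for illustration and would be set by agency policy.

```python
"""Added example, not code from the FICAM Roadmap: a hybrid policy decision point
that layers risk-adaptable (RAdAC-style) checks on top of a role check, as the
paragraph above describes. Roles, networks, assurance levels and thresholds are
invented for illustration."""
import ipaddress
from dataclasses import dataclass

# RBAC layer: the role carries the baseline entitlement.
ROLE_ASSIGNMENTS = {"alice": {"case-worker"}, "bob": {"contractor"}}
ROLE_PERMISSIONS = {
    "case-worker": {("case-mgmt", "read"), ("case-mgmt", "write")},
    "contractor":  {("case-mgmt", "read")},
}
# Environmental inputs to the risk layer (constructed values).
AGENCY_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
THREAT_WEIGHT = {"normal": 0, "elevated": 1, "severe": 3}

@dataclass(frozen=True)
class Context:
    source_ip: str
    managed_device: bool
    threat_level: str   # current enterprise threat level: normal | elevated | severe
    session_aal: int    # authentication assurance already proven by the session (1..3)

def rbac_permits(subject, resource, action):
    roles = ROLE_ASSIGNMENTS.get(subject, set())
    return any((resource, action) in ROLE_PERMISSIONS.get(r, set()) for r in roles)

def risk_score(ctx):
    """Sum of environmental and trustworthiness factors; higher means riskier."""
    ip = ipaddress.ip_address(ctx.source_ip)
    score = 0 if any(ip in net for net in AGENCY_NETWORKS) else 2   # unknown location
    score += 0 if ctx.managed_device else 1                         # untrusted device
    score += THREAT_WEIGHT[ctx.threat_level]
    return score

def required_aal(score, action):
    """Assurance level the transaction needs; writes start one level higher."""
    base = 2 if action == "write" else 1
    if score >= 3:
        return 3
    return max(base, 2) if score >= 1 else base

def decide(subject, resource, action, ctx):
    """Returns (decision, required_aal). Risk can raise the bar set by the role check
    but never lowers it, and the riskiest writes are referred to a human rather than
    decided automatically."""
    if not rbac_permits(subject, resource, action):
        return "DENY", None
    score = risk_score(ctx)
    if action == "write" and score >= 5:
        return "REFER", 3
    need = required_aal(score, action)
    if ctx.session_aal >= need:
        return "PERMIT", need
    return "STEP_UP", need   # caller prompts the user for stronger verification
```

The ordering matters: the role check runs first and a failed role check is a plain deny, so a low-risk context can never grant something the role does not. The risk layer only ever raises the assurance level required, and a session that has already authenticated at that level passes without being prompted again, which is what keeps the step-up from becoming a nuisance for on-network users on managed devices.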