Chapter 2: Access Control Systems
The information security professional should be aware of the access control requirements and their means of implementation to ensure a system’s availability, confidentiality, and integrity. In the world of networked computers, this professional should understand the use of access control in distributed as well as centralized architectures.
The professional should also understand the threats, vulnerabilities, and risks which are associated with the information system’s infrastructure, and the preventive and detective measures that are available to counter them.
Rationale
Controlling access to information systems and associated networks is necessary for the preservation of their confidentiality, integrity, and availability. Confidentiality assures that the information is not disclosed to unauthorized persons or processes. Integrity is addressed through the following three goals:
1. Prevention of the modification of information by unauthorized users.
2. Prevention of the unauthorized or unintentional modification of information by authorized users.
3. Preservation of internal and external consistency.
a. Internal consistency ensures that internal data is consistent. For example, assume that an internal database holds the number of units of a particular item in each department of an organization. The sum of the number of units in each department should equal the total number of units that the database has recorded internally for the whole organization.
b. External consistency ensures that the data stored in the database is consistent with the real world. Using the example previously discussed in (a), external consistency means that the number of items recorded in the database for each department is equal to the number of items that physically exist in that department.
Availability assures that a system’s authorized users have timely and uninterrupted access to the information in the system. The additional access control objectives are reliability and utility.
These and other related objectives flow from the organizational security policy. This policy is a high-level statement of management intent regarding the control of access to information and the personnel who are authorized to receive that information.
Three things that must be considered for the planning and implementation of access control mechanisms are the threats to the system, the system’s vulnerability to these threats, and the risk that the threat may materialize. These concepts are further defined as follows:
§Threat. An event or activity that has the potential to cause harm to the information systems or networks.
§Vulnerability. A weakness or lack of a safeguard, which may be exploited by a threat, causing harm to the information systems or networks.
§Risk. The potential for harm or loss to an information system or network; the probability that a threat will materialize.
Controls
Controls are implemented to mitigate risk and reduce the potential for loss. Controls can be preventive, detective, or corrective. Preventive controls are put in place to inhibit harmful occurrences; detective controls are established to discover harmful occurrences; corrective controls are used to restore systems that are victims of harmful attacks.
To implement these measures, controls can be administrative, logical or technical, and physical.
§Administrative controls include policies and procedures, security awareness training, background checks, work habit checks, a review of vacation history, and increased supervision.
§Logical or technical controls involve the restriction of access to systems and the protection of information. Examples of these types of controls are encryption, smart cards, access control lists, and transmission protocols.
§Physical controls incorporate guards and building security in general, such as the locking of doors, securing of server rooms or laptops, the protection of cables, the separation of duties, and the backing up of files.
Controls provide accountability for individuals who are accessing sensitive information. This accountability is accomplished through access control mechanisms that require identification and authentication and through the audit function. These controls must be in accordance with and accurately represent the organization’s security policy.
Assurance procedures ensure that the control mechanisms correctly implement the security policy for the entire life cycle of an information system.
Models for Controlling Access
Controlling access by a subject (an active entity such as an individual or process) to an object (a passive entity such as a file) involves setting up access rules. These rules can be classified into three categories or models:
Mandatory Access Control. The authorization of a subject’s access to an object is dependent upon labels, which indicate the subject’s clearance, and the classification or sensitivity of the object. For example, the military classifies documents as unclassified, confidential, secret, and top secret. Similarly, an individual can receive a clearance of confidential, secret, or top secret and can have access to documents classified at or below his/her specified clearance level. Thus, an individual with a clearance of secret can have access to secret and confidential documents, subject to one restriction: the individual must have a need to know relative to the classified documents involved. That is, the documents must be necessary for that individual to complete an assigned task. Even if the individual is cleared for a classification level of information, unless there is a need to know, the individual should not access the information. Rule-based access control is a type of mandatory access control because this access is determined by rules (such as the correspondence of clearance labels to classification labels) and not by the identity of the subjects and objects alone.
Discretionary Access Control. The subject has authority, within certain limitations, to specify what objects can be accessible. For example, access control lists can be used. This type of access control is used in local, dynamic situations where the subjects must have the discretion to specify what resources certain users are permitted to access. When a user, within certain limitations, has the right to alter the access control to certain objects, this is termed user-directed discretionary access control. An identity-based discretionary access control grants or denies access based on the individual’s identity. In some instances, a hybrid approach is used, which combines the features of user-based and identity-based discretionary access control.
Non-Discretionary Access Control. A central authority determines what subjects can have access to certain objects based on the organizational security policy. The access controls may be based on the individual’s role in the organization (role-based) or the subject’s responsibilities and duties (task-based). In an organization where there are frequent personnel changes, non-discretionary access control is useful because the access controls are based on the individual’s role or title within the organization. These access controls do not need to be changed whenever a new person takes over that role. Another type of non-discretionary access control is lattice-based access control. In this type of control, a lattice model is applied. In a lattice model, every pair of elements has a least upper bound and a greatest lower bound. Applied to access control, the elements are the security labels of subjects and objects: a subject’s access rights to an object are bounded below by the greatest lower bound and above by the least upper bound of the labels involved.
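The following is an added example, not code from the prep guide, showing how the mandatory and lattice-based models above can be expressed in working code. A label pairs a classification level with a set of need-to-know compartments; levels are totally ordered and compartment sets are ordered by inclusion, so every pair of labels has a least upper bound and a greatest lower bound. The level names follow the military scheme quoted above; the compartment names ("crypto", "nuclear") and the function names are assumptions made for the example.

```python
# Added example (not from the original text): a lattice of security labels and
# the mandatory access control decision described in the text.
#
# A subject may read an object only when the subject's label dominates the
# object's label: clearance >= classification AND the subject holds every
# compartment the object is marked with (the "need to know" restriction).
# lub/glb are the least upper bound and greatest lower bound of the lattice.
from dataclasses import dataclass

LEVELS = ("unclassified", "confidential", "secret", "top secret")


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def __post_init__(self) -> None:
        if self.level not in LEVELS:
            raise ValueError(f"unknown classification level: {self.level!r}")
        # normalise so Label("secret", {"crypto"}) equals the frozenset form
        object.__setattr__(self, "compartments", frozenset(self.compartments))

    @property
    def rank(self) -> int:
        return LEVELS.index(self.level)

    def dominates(self, other: "Label") -> bool:
        """True if self is at or above other in the lattice."""
        return self.rank >= other.rank and self.compartments >= other.compartments


def lub(a: Label, b: Label) -> Label:
    """Least upper bound: the lowest label that dominates both a and b.
    Used, for example, to label a document derived from two sources."""
    return Label(LEVELS[max(a.rank, b.rank)], a.compartments | b.compartments)


def glb(a: Label, b: Label) -> Label:
    """Greatest lower bound: the highest label that both a and b dominate,
    i.e. the most sensitive label two subjects could both read."""
    return Label(LEVELS[min(a.rank, b.rank)], a.compartments & b.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Mandatory access control decision: clearance must dominate
    classification, including the need-to-know compartments."""
    return subject.dominates(obj)


if __name__ == "__main__":
    # assumed subject: cleared to secret with a need to know for "crypto"
    analyst = Label("secret", {"crypto"})
    print(can_read(analyst, Label("confidential")))          # True: at or below clearance
    print(can_read(analyst, Label("secret", {"crypto"})))   # True
    print(can_read(analyst, Label("secret", {"nuclear"})))  # False: cleared, but no need to know
    print(can_read(analyst, Label("top secret")))           # False: no read up
    print(lub(Label("secret", {"crypto"}), Label("confidential", {"nuclear"})))
```

The `dominates` check is what makes this rule-based rather than identity-based: the decision looks only at the two labels, never at who the subject is. A document assembled from a secret/crypto source and a confidential/nuclear source receives `lub` of the two, secret with both compartments, so the analyst above can no longer read the combined document even though it was cleared for one of its inputs.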
Control Combinations
By combining the preventive and detective control types with the administrative, technical (logical), and physical means of implementation, the following pairings are obtained:
§ Preventive/administrative
§ Preventive/technical
§ Preventive/physical
§ Detective/administrative
§ Detective/technical
§ Detective/physical
These six pairings and the key elements that are associated with their control mechanisms are discussed next.
Preventive/Administrative
In this pairing, emphasis is placed on “soft” mechanisms that support the access control objectives. These mechanisms include organizational policies and procedures, pre-employment background checks, strict hiring practices, employment agreements, friendly and unfriendly employee termination procedures, vacation scheduling, labeling of sensitive materials, increased supervision, security awareness training, behavior awareness, and sign-up procedures to obtain access to information systems and networks.
Preventive/Technical
The preventive/technical pairing uses technology to enforce access control policies. These technical controls are also known as logical controls and can be built into the operating system, implemented as software applications, or provided as supplemental hardware/software units. Some typical preventive/technical controls are protocols, encryption, smart cards, biometrics (for authentication), local and remote access control software packages, callback systems, passwords, constrained user interfaces, menus, shells, database views, limited keypads, and virus scanning software. Protocols, encryption, and smart cards are technical mechanisms for protecting information and passwords from disclosure. Biometrics apply technologies such as fingerprint, retina, and iris scans to authenticate individuals requesting access to resources, and access control software packages manage access to resources holding information from subjects local to the information system or from those at remote locations. Callback systems provide access protection by calling back the number of a previously authorized location, but this control can be compromised by call forwarding. Constrained user interfaces limit the functions that can be selected by a user. For example, some functions may be “grayed-out” on the user menu and cannot be chosen. Shells limit the system-level commands that can be used by an individual or process. Database views are mechanisms that restrict the information that a user can access in a database. Limited keypads have a small number of keys that can be selected by the user. Thus, the functions that are intended not to be accessible by the user are not represented on any of the available keys.
Preventive/Physical
Many preventive/physical measures are intuitive. These measures are intended to restrict the physical access to areas with systems holding sensitive information. The area or zone to be protected is defined by a circular security perimeter that is under access control. Preventive/physical controls include fences, badges, multiple doors (a man-trap that consists of two doors physically separated so that an individual may be “trapped” in the space between the doors after entering one of the doors), magnetic card entry systems, biometrics (for identification), guards, dogs, environmental control systems (temperature, humidity, and so forth), and building and access area layout. Preventive/physical measures also apply to areas that are used for storage of the backup data files.
Detective/Administrative
Several detective/administrative controls overlap with preventive/administrative controls because they can be applied for prevention of future security policy violations or to detect existing violations. Examples of such controls are organizational policies and procedures, background checks, vacation scheduling, the labeling of sensitive materials, increased supervision, security awareness training, and behavior awareness. Additional detective/administrative controls are job rotation, the sharing of responsibilities, and reviews of audit records.
Detective/Technical
The detective/technical control measures are intended to reveal violations of security policy using technical means. These measures include intrusion detection systems and automatically generated violation reports from audit trail information. These reports can indicate variations from “normal” operation or detect known signatures of unauthorized access episodes. In order to limit the amount of audit information flagged and reported by automated violation analysis and reporting mechanisms, clipping levels can be set. Using clipping levels refers to setting allowable thresholds on a reported activity. For example, a clipping level of three can be set for reporting failed log-on attempts at a workstation. Thus, three or fewer failed log-on attempts by an individual at a workstation will not be reported as a violation, eliminating the need to review the audit entries produced by ordinary log-on typing errors.
Due to the importance of the audit information, audit records should be protected at the highest level of sensitivity in the system.
Detective/Physical
Detective/physical controls usually require a human to evaluate the input from sensors or cameras to determine if a real threat exists. Some of these control types are motion detectors, thermal detectors, and video cameras.