In general terms, providing security means “freedom from risk and danger”. In the context of information security, it is securing information against:
Access to information by unauthorized persons
Modification to information by unauthorized persons
Destruction of information by unauthorized persons
In other words, every form of access to information needs to be controlled. Whether the access is physical, such as access to CPUs and hard disks, or logical, such as using a system directly at the console or remotely over a network, access must be restricted so that the information is protected.
Access control is one of the most important pillars of information security. It can be implemented in various ways depending on the environment: locking your computer room or your system, restricting access to the system with logins and passwords, protecting your data using file permissions or encryption, encrypting network communications, or checking a digital signature before trusting the data.
Access control has two components: authentication and authorization. Authentication verifies the identity of the user or host that is accessing a system or network resource. Increasingly, authentication also takes the context of the access into account: whether the request comes from a managed corporate computer or a public one (an internet café), and whether it arrives during normal working hours or after hours. Authorization permits or restricts access to information based on the type of user and their role: employee, contractor, administrator, or manager. Some everyday examples of access control:
Entering a server room or data center using a physical key, fingerprint authentication, or an access code
User prompted to provide username and password when accessing computing resources
Remote user prompted to provide user name and password when accessing network from outside of the organization
User denied access while accessing confidential documents related to the company or a client
User denied access while accessing personnel related details
Confidentiality and Data Integrity
Different information or data in the organization has different sensitivities as far as confidentiality is concerned. Some data may be accessed by everyone as there is no security risk, even if it is known to the entire world. Other information may be highly confidential and may have to be shared only with a few individuals or be restricted to only a few individuals. Various levels of data sensitivity can be ensured only by controlling appropriate access through proper authentication and authorization.
Similarly, the integrity of the information/data is another important property that is protected through access controls. The importance of data integrity can be illustrated by a simple example. Imagine that you have made an online purchase of $100. By accident or deliberate intervention, your data has been modified and you receive a bill for $1000: who will take the loss? In another example, your prescription drug dosage of 10 milligrams (mg) has been modified to 100 mg; imagine the consequences. Hence data integrity, ensuring that data can be modified only by authorized users and not by everyone, is one of the most important aspects of information security.
Unauthorized modification or destruction of information leads to loss of integrity. Integrity covers the origin (source) of information as well as its correctness and completeness. Data integrity is protected by preventive mechanisms (access controls that decide who can reach the system and the data, and lockout of an account after a pre-specified number of failed attempts) and by detective mechanisms (logging and alerting on who is trying to modify or destroy the data). This leads to an important element of the overall guidance for information access at any organization: an Access Control Policy.
Who Can Access the Data?
Data is accessed by different types of users within an organization: the data owner, database administrator, data architect, and vendors. Each of them has a different role and function to perform on the data. For the database and its administrators, “data integrity” means ensuring that the data entered in the database is accurate and consistent. The database designer/administrator designs appropriate table structures, relations, and views and sets constraints on them to ensure proper access to, and integrity of, data. For a data owner, “data integrity” means ensuring that the business rules defined on the data are intact and the data is accessed as per those rules. For a vendor, “data integrity” means accuracy and consistency of the stored data: between any two transactions and updates, data should not have been altered, and proper error checking and validation routines should be in place. There are certainly more definitions of “data integrity,” but they all come down to the same concerns: who accesses the information/data, how, and how that access can be protected and monitored.
There are different methods for protecting data integrity, such as checksums and cryptographic hashes, file integrity monitoring software, and cryptographic protection such as message authentication codes and digital signatures. A checksum or hash is a fixed-size value computed over the entire content of a file or message. The sender publishes the value and the receiver recomputes it after transmission; if the two values match, the data was not altered in transit. Most download sites today publish MD5 or SHA-1 values, although both algorithms are cryptographically broken with respect to collision resistance and SHA-256 should be preferred. Note also that an unkeyed checksum only detects accidental corruption: an attacker who can alter the data can usually recompute and replace the published checksum, so a keyed hash (HMAC) or a digital signature is required when deliberate tampering is in scope. File integrity software records by whom, how, and when files were accessed or changed, monitors individual documents/files, and can raise an alert when an unauthorized user tries to access or modify a file. Encryption protects confidentiality; on its own it does not guarantee integrity, because ciphertext can be altered without the key, so it must be combined with a MAC or an authenticated encryption mode to protect both.
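As an added example (not code from the original chapter), the following Python contrasts an unkeyed checksum with a keyed one for the integrity scenario above. The order records, the shared key, and the attacker steps are constructed for illustration only:

```python
import hashlib
import hmac

# Constructed sample records (not from the original text): an order line
# and a tampered copy in which the amount has been changed.
ORIGINAL = b"order=4711;amount=100.00;currency=USD"
TAMPERED = b"order=4711;amount=1000.00;currency=USD"

# Hypothetical integrity key known only to the two communicating parties.
KEY = b"shared-integrity-key-example"


def sha256_digest(data: bytes) -> str:
    """Unkeyed checksum: detects accidental corruption only."""
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, published_hex: str) -> bool:
    """Receiver recomputes the digest and compares in constant time."""
    return hmac.compare_digest(sha256_digest(data), published_hex)


def hmac_tag(key: bytes, data: bytes) -> str:
    """Keyed checksum (HMAC-SHA256): cannot be recomputed without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hmac(key: bytes, data: bytes, tag_hex: str) -> bool:
    return hmac.compare_digest(hmac_tag(key, data), tag_hex)


def tamper_and_recompute(data: bytes):
    """What an attacker who can rewrite both the file and its published
    checksum does: replace the checksum with one for the new content."""
    return data, sha256_digest(data)


def demo() -> dict:
    """Returns which verifications pass in each scenario."""
    published = sha256_digest(ORIGINAL)
    tag = hmac_tag(KEY, ORIGINAL)
    forged_data, forged_digest = tamper_and_recompute(TAMPERED)
    # The attacker has no KEY, so the best it can do is reuse the old tag
    # or compute one with a guessed key.
    forged_tag = hmac_tag(b"guessed-key", TAMPERED)
    return {
        "corrupted_in_transit_detected": not verify_digest(TAMPERED, published),
        "recomputed_digest_accepted": verify_digest(forged_data, forged_digest),
        "old_tag_on_tampered_data_accepted": verify_hmac(KEY, TAMPERED, tag),
        "forged_tag_accepted": verify_hmac(KEY, TAMPERED, forged_tag),
        "genuine_tag_accepted": verify_hmac(KEY, ORIGINAL, tag),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The second result is the one that matters: a recomputed SHA-256 over tampered data verifies perfectly, because nothing ties the digest to a party. The HMAC variants fail for the same tampered data because the tag depends on a key the attacker does not hold.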
What is an Access Control?
Network Access – Users on a network can potentially reach all the resources on that network. Hence, network access also needs to be restricted, protected, and monitored. For example, access to the HR and finance department LANs can be restricted to the staff of those departments.
System Access – Users accessing the systems on the network. It can be one of the servers, printers, or any other shared device on the network. The access to these devices should be restricted, protected, and monitored continuously.
Data Access – Users constantly accessing data on the network resource. Users accessing and modifying files, documents, and databases. Any data that is being accessed should be restricted, protected, and monitored.
The challenge of security programs is to ensure that data is not modified or deleted by unauthorized users. Although security programs cannot improve the quality of the data, they definitely can help in protecting data by applying access controls to ensure that any changes to data are intended and applied correctly. Access controls are a very critical requirement for both commercial and government organizations to prevent fraud and errors. It is imperative that no user can modify data in a way that renders the data corrupt or causes loss of financial integrity or make it unreliable for appropriate decision making. Examples of government systems include the Air Traffic Control system, Social Security, welfare system, IRS tax information, the birth and death registry, housing, and passport and military records. Examples of commercial systems include medical records, employee personal information, credit/financial reporting, the payroll system, income tax information, and customer details.
Data integrity can be protected by granting access to the resources on a need-to-know and need-to-do basis. Various types of users need different levels of access. For example, internal users may need full access whereas external users and contractors may need read-only access. Users should be granted access based on the roles, responsibilities, and job functions that they perform. Resources should also have different classification levels. For example, documents should be classified as confidential, private, public, or internal use only. A detailed log should be maintained so that in case of any fraud or data loss, logs can be reviewed to find out the root cause and the culprit. Access privileges should be judiciously granted on a need-to-know and need-to-do basis to ensure data is protected.
Authentication and Authorization
Authentication is the first step in granting a user access to resources. It is the process of identifying a user and verifying that he or she really is who they claim to be before they are allowed into the organizational network and its resources. This is very similar to a photo identification card check at the main entrance of a building. The user name and password are the most commonly used method to authenticate a user. User names and passwords provide relatively weak security, as they can be stolen or guessed. Because of increasing threats, other methods have been introduced to complement the user name and password. Depending on the nature of the business, one can implement the appropriate authentication and authorization technique. Authentication involves both:
Proving who you are (identity card, smartcard)
Verifying who you are (password, fingerprints, etc.)
Authentication and Access Control Layers
Administrative Access Controls (Layer)
These controls are administrative in nature and are required to prevent the risk of improper or inappropriate access control or detect such improper or inappropriate access controls. These are ensured through policies and processes; appropriate description of roles and responsibilities; and proper segregation of duties.
Access Control Policy
Each organization has to clearly specify its philosophy of access control which becomes the basis for all access control activities. The policy provides absolute clarity as to the access control models the organization believes in, such as “discretionary,” “mandatory,” “non-discretionary,” or “hybrid”. Some of the attributes of such a policy are the clarity as to whether authorization provided can be further delegated or not. The policy may specify the ground rules for classification of information which becomes the base for the access control. Even though the content and depth of the access control policy may differ from one organization to another, broadly speaking, all access control policies set the tone of the organization’s intent and approach to access controls.
Personnel related – jobs, responsibilities, and authorities
Ideally, each job in the organization requires access to information for different purposes. Certain information must only be “read” by people so that they are aware of it and can act on it. Others may need not only to “read” the information, but also to “update” or “modify” it. Some may need to create new information, that is, to “write” it to organizational repositories. Some may require all of these permissions. Again, “individual” or “group” access can be defined based on jobs and responsibilities. Authorities may rely on certain persons to further delegate their access, or may clearly specify the contours of such delegation. Data owners are the ones who ideally decide who may access the data, what they may do with it, and when, depending upon business requirements and the enabling jobs, responsibilities, and authorities.
Segregation of duties
One of the important organizational requirements is to avoid fraud, such as that with financial connotation or frauds due to the violation of the organizational policies. For example, purchase value of an item increased by $1,000 may be a fraud from the perspective of financial implication, whereas the recruitment of a person by changing his qualification and experience or by editing a background verification report may be a violation of organization policy. Hence, it is necessary for there to be appropriate segregation of the duties where the policies have to be enforced and financial integrity has to be ensured. These responsibilities should lie with different individuals. Segregation of duties is traditionally one of the controls deployed by organizations and is important to be considered even while access authorization is provided.
Supporting policies and procedure
The organization also needs to ensure complementary controls through other supporting policies like the following: a) Hiring Policies, b) Disciplinary Policies, c) Employee Termination Policy, and d) User registration for computer access. These policies provide clear direction to the organizational personnel. For example, organizational hiring policies may clearly specify whom not to recruit, like those with criminal backgrounds and so on. Hiring policies may also specify the need for background clearance, such as address, criminal records, education, and earlier employment verification. Disciplinary policies may clearly specify which behaviors or acts of employees are not acceptable in the organization and what are the possible consequences of such violations. Similarly, an employee termination policy may specify when and for what reasons an employee’s services may be terminated. The policy on user registration for computer access may clearly specify the reason for accessing the information, so that the access is provided only upon verification of that intent. Each such policy supports the organization to set the discipline required for providing access to and use of information.
Control Over Information Access to Trade Restricted Persons
If you consider U.S. export laws, a few of the employees or contractors of these organizations may be from trade restricted countries or working in trade restricted countries. Some of the high-end technology and related technical documentation/information may not be shared with such personnel unless a specific license to share such information is obtained from the competent authorities. Proper administrative controls need to be put in place to identify, determine, and control access to such persons to ensure compliance and confidentiality.
Technical (Logical) Controls
Technical controls are usually introduced through or on technological products, tools, or utilities. These again help the organization to either prevent or detect or contain inappropriate and improper access controls. Some of these are passwords, smart cards, encryption, network access controls, and system access controls.
Traditionally, passwords were the only form of access control. However, passwords are easily guessed or cracked, whether because of user carelessness or because of poor implementation in networks, operating systems, or applications. Strong passwords are an absolute requirement today, since weak passwords can be cracked in a matter of seconds with readily available tools. Passwords can be “static,” “dynamic,” or a combination of both. A static password is the same for each login. A dynamic (one-time) password is generated afresh each time a user has to authenticate, normally by a soft token, a hard token, or an SMS-based interface; of these, SMS delivery is the weakest, since messages can be intercepted or redirected. Some systems use a combination of both.
Smartcards normally complement password controls. These provide an additional layer of security by adding another layer to gain access. These may be implemented through various technologies like HID, RFID, or Chip-based smart cards.
Data encryption protects the confidentiality of information because a key is required to decipher it, and that key is available only to the intended recipient. Encryption by itself does not protect integrity: an attacker can modify ciphertext without knowing the key, and the change is only detected if a message authentication code or an authenticated encryption mode is used alongside the cipher. Encryption provides sufficient security for stored or transmitted information unless the algorithm is weak, the key is weak, or the key is not well protected. Well-implemented encryption therefore limits access to the authorized personnel who hold the key.
A network has many components like routers, switches, and cables. Network components are required to be hardened, and default passwords on them have to be changed. Strong authentication and handshake mechanisms have to be implemented in network equipment such as firewalls and intrusion detection/prevention systems, so that only authorized users are allowed to establish connections and attempts by unauthorized users to penetrate are detected or declined. Network components have to ensure that they establish connections only to the authentic, valid systems they intend to reach. Access to ports has to be provided for appropriately, and all unwanted/unused ports have to be closed.
There are various levels of access possible to operating systems as well as to applications. These need to be set up appropriately on a need-to-know and a need-to-do basis. Giving administrative privilege to all users for operating systems can lead to serious infections or violations. Similarly, giving unlimited access to applications should be avoided or it will lead to serious integrity issues.
Physical Access Controls
Physical access controls are again one of the important layers of either preventive or detective controls which supplement or complement other forms of control in mitigating the risk of inappropriate or improper access and modifications to the information.
For ease of understanding, let us assume that you are an IT service provider organization and you work for two competing banks. It is necessary that the information pertaining to one bank is not accidentally or intentionally accessed by the personnel who work for the other bank. Physical segregation of the two networks can help ensure high confidence to the customers.
Clearly identifying the organizational boundaries and ensuring that the perimeter is secured, restricts improper and inappropriate access to the organizational resources. Some of the important controls of use are electrical fences, microwave barriers, CCTV cameras, and sensor-based intrusion detection systems.
Security guards are the traditional source of preventive and detective physical controls. Even today, security guards provide assurance of physical access control by ensuring that entry and exit controls are in place and monitored. They check identification cards/badges, ensure that nobody tailgates employees, admit people without official badges only after duly verifying their identity, admit visitors only after due verification and, where required, only with an escort, and monitor the movement of employees and visitors in secure areas. They can also secure and protect unlocked and unattended information assets like laptops. Other areas where they are used are monitoring fire control panels and water leakages. However, for effective protection through security guards, proper background verification of the guards themselves needs to be ensured.
Badges/identification cards are the traditional mechanisms used to control access and are still the popular means of providing access. Special/secure areas may require special types of badges or other complementary authentication mechanisms like smart cards, passwords, or biometric controls.
Biometric Access Controls
Biometric access controls use physiological features of the human body to grant access. The features used differ from person to person, such as fingerprints, iris patterns, retina patterns, palm geometry, facial features, and voice. Some of these, like fingerprint and iris scans, are widely used.
Access Control Strategies
Access control models are based on requirements, technology, and implementations. Different types of access control models exist. The most popular are Discretionary Access Control (DAC), Mandatory Access Control (MAC), Role Based Access Control (RBAC), and Attribute Based Access Control (ABAC).
Discretionary Access Control (DAC)
In this model, access control is at the owner’s discretion. The owner of a resource decides to whom to grant permission and exactly what they are allowed to do with it. This is the model used for file permissions in both Microsoft Windows and UNIX. In UNIX, the owner uses the chmod command to set the read, write, and execute permissions on a file for its owner, its group, and everyone else. Because permission is granted to those who need access, DAC is classified as a “need-to-know” access model. Access Control Lists (ACLs) are one implementation of this type.
Mandatory Access Control (MAC)
Role-Based Access Control (RBAC)
Attribute Based Access Control
Access can be granted using attributes: subject attributes like identity and roles; object attributes like device name, file, record, table, application, program, and network; and environment conditions like location and time, as shown in Figure 4-4. When the role assigned to a subject is used as the single attribute to control access, it is known as Role Based Access Control (RBAC). Attribute Based Access Control (ABAC) grants access on the basis of multiple attributes. NIST Special Publication 800-162, “Guide to Attribute Based Access Control (ABAC) Definition and Considerations,” defines ABAC as “an access control method where subject requests to perform operations on objects are granted or denied based on assigned attributes of the subject, assigned attributes of the object, environmental conditions, and a set of policies that are specified in terms of those attributes and conditions.”
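As an added example (not code from the original chapter or from NIST), the following Python evaluates a small ABAC policy over subject, object, and environment attributes, and puts a pure RBAC lookup beside it to show what the single-attribute model cannot express. The hospital policy, the attribute names, and the deny-overrides combining rule are this example's own assumptions:

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

Attrs = Dict[str, object]
Condition = Callable[[Attrs, Attrs, Attrs], bool]


@dataclass
class Rule:
    effect: str             # "permit" or "deny"
    actions: Set[str]       # actions this rule applies to
    condition: Condition    # predicate over (subject, object, environment)


def evaluate(rules: List[Rule], subject: Attrs, obj: Attrs, env: Attrs, action: str) -> bool:
    """Deny-overrides combining with a default of deny: any matching deny
    rule wins over permits, and with no matching rule the request fails."""
    permitted = False
    for rule in rules:
        if action not in rule.actions or not rule.condition(subject, obj, env):
            continue
        if rule.effect == "deny":
            return False
        permitted = True
    return permitted


# Hypothetical hospital policy (constructed for this example).
POLICY = [
    # Doctors may read and update records of their own department, but only
    # from the internal network during working hours (08:00 to 18:00).
    Rule("permit", {"read", "update"}, lambda s, o, e:
         s["role"] == "doctor"
         and o["type"] == "medical_record"
         and s["department"] == o["department"]
         and e["network"] == "internal"
         and 8 <= e["hour"] < 18),
    # Patients may read their own record from anywhere.
    Rule("permit", {"read"}, lambda s, o, e:
         s["role"] == "patient" and o["patient_id"] == s["id"]),
    # Records flagged as restricted never leave the internal network.
    Rule("deny", {"read", "update"}, lambda s, o, e:
         bool(o.get("restricted")) and e["network"] != "internal"),
]


def rbac_allows(role: str, action: str, object_type: str) -> bool:
    """Pure RBAC for comparison: the role is the only attribute consulted,
    so conditions such as 'same department' or 'working hours' cannot be
    expressed; every doctor gets every medical record."""
    table = {
        "doctor": {("read", "medical_record"), ("update", "medical_record")},
        "patient": {("read", "medical_record")},
    }
    return (action, object_type) in table.get(role, set())


if __name__ == "__main__":
    record = {"type": "medical_record", "department": "cardiology",
              "patient_id": "p-17", "restricted": True}
    doctor = {"role": "doctor", "department": "oncology", "id": "d-9"}
    here = {"network": "internal", "hour": 10}
    print("RBAC:", rbac_allows(doctor["role"], "read", "medical_record"))
    print("ABAC:", evaluate(POLICY, doctor, record, here, "read"))
```

The order of rules does not matter under deny-overrides, which is the safer default for a policy that mixes permits and denies; a first-applicable strategy would make the outcome depend on rule order.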
Implementing Access Controls
In the following section we have described different mechanisms used for implementing access controls effectively.
Access Control Lists (ACLs)
Access Control Lists are the most basic mechanism for implementing access to network resources. They are implemented on the devices that provide access to a network: a network device or computer system is configured with the rights to be granted to each user (or address) for each item on the network. Each entry carries one of two basic actions: deny or allow. For example, an ACL may allow user1 to access a specific server while denying user2 access to the same server. This may seem a simplistic approach, but a real implementation may contain many complex rules. ACLs are implemented at two levels: file system ACLs and network ACLs.
File System ACLs
Files have three basic rights: read, write, and execute, respectively allowing a user to read the contents of a file, write to the file, and execute the file if it is a program or a script capable of running on the system. Further, file access can be given at the user level as well as the group level: if a user belongs to a particular group, he or she receives the access granted to that group. A file or a directory may also have multiple access rules attached to it. In UNIX (and many other operating systems), access permission for every file and directory is controlled by two identifiers: the User Identification number (UID) and the Group Identification number (GID). Every user has a unique user name and is a member of at least one group. This information is stored in the password and group files, and only the administrator can create or modify a user name and its permissions. The long listing of a file (ls -l) shows, from left to right:
Field 1: A set of permission flags
Field 2: Link count
Field 3: Owner of the file
Field 4: Associated group
Field 5: Size of a file in bytes
Field 6–8: Date and Time of the last modification
Field 9: Name of the file
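As an added example (not code from the original chapter), the following Python parses lines in that nine-field format and applies the classic UNIX permission check to them. The user table, group table, and listing lines are constructed for the example; only the traditional rwx bits are modelled, and root is treated the way the kernel treats it for regular files:

```python
# Constructed user table: name -> (uid, set of gids). Hypothetical values.
USERS = {
    "root":  (0, {0}),
    "alice": (1001, {1001, 2000}),
    "bob":   (1002, {1002, 2000}),
    "carol": (1003, {1003}),
}
# Constructed group table: name -> gid.
GROUPS = {"root": 0, "alice": 1001, "bob": 1002, "carol": 1003, "finance": 2000}

# Constructed ls -l output (not from the original text).
LISTING = [
    "-rw-r----- 1 alice finance 2048 Mar  3 10:15 payroll.csv",
    "-rwxr-x--- 1 alice finance 9120 Mar  3 10:20 run_payroll.sh",
    "----rw-r-- 1 alice finance  512 Mar  3 10:30 odd_modes.txt",
    "drwxr-x--- 2 alice finance 4096 Mar  3 10:00 reports",
]


def _bits(triplet: str) -> set:
    """Convert one rwx triplet to the set of rights it grants."""
    bits = set()
    if triplet[0] == "r":
        bits.add("r")
    if triplet[1] == "w":
        bits.add("w")
    if triplet[2] in "xst":      # s/t: setuid, setgid or sticky with x set
        bits.add("x")
    return bits


def parse_ls_line(line: str) -> dict:
    """Split an ls -l line into the nine fields listed above."""
    fields = line.split(None, 8)      # collapse runs of spaces, keep the name whole
    mode = fields[0]
    return {
        "type": mode[0],
        "owner_bits": _bits(mode[1:4]),
        "group_bits": _bits(mode[4:7]),
        "other_bits": _bits(mode[7:10]),
        "links": int(fields[1]),
        "owner": fields[2],
        "group": fields[3],
        "size": int(fields[4]),
        "mtime": " ".join(fields[5:8]),
        "name": fields[8],
    }


def permitted(entry: dict, user: str, want: str) -> bool:
    """Classic UNIX check: exactly one class applies, chosen in the order
    owner, then group, then other. The owner's bits are used even when the
    group bits would be more generous. Root bypasses read/write checks and
    may execute a regular file only if some x bit is set."""
    uid, gids = USERS[user]
    if uid == 0:
        if want in ("r", "w") or entry["type"] == "d":
            return True
        return "x" in (entry["owner_bits"] | entry["group_bits"] | entry["other_bits"])
    if uid == USERS[entry["owner"]][0]:
        applicable = entry["owner_bits"]
    elif GROUPS[entry["group"]] in gids:
        applicable = entry["group_bits"]
    else:
        applicable = entry["other_bits"]
    return want in applicable


if __name__ == "__main__":
    for line in LISTING:
        e = parse_ls_line(line)
        for who in USERS:
            rights = "".join(r for r in "rwx" if permitted(e, who, r)) or "-"
            print(f"{e['name']:16} {who:6} {rights}")
```

The odd_modes.txt line is the case worth remembering during an audit: its owner alice cannot read it even though her group could, because the owner class is selected first and evaluated alone.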
Network ACLs, shown in Figure 4-6, provide secured access to a network. An ACL acts as a packet filter that drops unwanted traffic. It is not as sophisticated as a stateful firewall or other network security devices, but it provides basic access control at the network boundary. ACL filtering lets you control traffic into and out of your network, down to permitting or denying individual hosts inside the organizational network. ACLs are normally configured on access devices such as routers or switches. When a packet arrives on an interface, the router compares it against the ACL entries in order; the first matching entry decides whether the packet is permitted or denied (dropped), and a packet that matches no entry is dropped by the implicit deny at the end of every list. Standard ACLs match on network-layer fields (the source address); extended ACLs also match on destination address, protocol, and transport-layer port numbers. Because matching is stateless and order dependent, the order of entries matters: an early, broad permit silently shadows later, more specific denies.
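As an added example (not code from the original chapter or from any router vendor), the following Python models an extended ACL with first-match semantics and the implicit deny, and adds a check for shadowed entries. The addresses, the entries, and the protocol/port fields are constructed for illustration:

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    proto: str                      # "tcp", "udp", "icmp"
    src: str
    dst: str
    dport: Optional[int] = None     # destination port, where the protocol has one


@dataclass
class AclEntry:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None     # None matches any port

    def matches(self, pkt: Packet) -> bool:
        return (
            self.proto in ("ip", pkt.proto)
            and ipaddress.ip_address(pkt.src) in self.src
            and ipaddress.ip_address(pkt.dst) in self.dst
            and (self.dport is None or self.dport == pkt.dport)
        )


def entry(action: str, proto: str, src: str, dst: str, dport: Optional[int] = None) -> AclEntry:
    return AclEntry(action, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), dport)


def evaluate_acl(acl: List[AclEntry], pkt: Packet) -> str:
    """Router semantics: the first matching entry decides; a packet that
    matches nothing hits the implicit deny at the end of the list."""
    for e in acl:
        if e.matches(pkt):
            return e.action
    return "deny"


# Constructed inbound ACL on the interface facing a hypothetical HR/finance VLAN.
ACL_IN = [
    entry("permit", "tcp", "10.10.0.0/16", "10.50.1.10/32", 443),   # HR web app from campus
    entry("permit", "tcp", "10.10.5.0/24", "10.50.1.20/32", 1433),  # finance DB from finance subnet only
    entry("deny",   "ip",  "0.0.0.0/0",    "10.50.0.0/16"),         # everything else to the VLAN
]


def find_shadowed(acl: List[AclEntry]) -> List[int]:
    """Indexes of entries that can never match because an earlier entry
    already covers every packet they would match."""
    shadowed = []
    for i, later in enumerate(acl):
        for earlier in acl[:i]:
            if (earlier.proto in ("ip", later.proto)
                    and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)
                    and (earlier.dport is None or earlier.dport == later.dport)):
                shadowed.append(i)
                break
    return shadowed


if __name__ == "__main__":
    careless = [entry("permit", "ip", "0.0.0.0/0", "0.0.0.0/0")] + ACL_IN
    print("shadowed entries in careless list:", find_shadowed(careless))
```

The shadow check is the review step that catches the most common ACL mistake in practice: a "permit ip any any" inserted for troubleshooting and never removed makes every entry below it dead.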
Authentication, Authorization, and Accounting (AAA), shown in Figure 4-7, is a security framework to support secured access to a network through three security services: authentication, authorization, and accounting.
Authentication refers to the process of identifying and verifying a particular user through credentials in his profile such as a user name and password, phone number, digital signature, or digital certificate. It is the way a user is identified and verified prior to being allowed access to particular resources inside an organizational network. After authentication, the user’s authorizations are checked to provide the secured access.
Authorization determines whether a particular user is authorized to perform certain activities on the resources. Typically, this function is inherited from authentication when a user logs on to an application or a network. When a user logs on to the network, he is checked for his authorization credentials such as time restrictions, resource access restrictions, multiple access or single access, and same user logging from multiple locations at the same time.
Accounting provides resource utilization information related to users for the purpose of billing and cost allocation. By enabling the accounting feature, you can collect user identities, number of bytes transmitted and received, commands executed on the servers, and start and end times, for the purpose of a security audit.
RADIUS and TACACS+
Remote Authentication Dial-in-User Service (RADIUS) is a protocol enabling centralized AAA for network access. RADIUS protocol supports authentication, authorization, and accounting for remote dial-in access, virtual private network (VPN) access, Digital Subscriber Line (DSL) access, and other network access. The RADIUS protocol is described in RFC 2865 and RFC 2866.
RADIUS is a client/server protocol. A central RADIUS server receives requests from RADIUS clients (network access servers such as VPN concentrators, wireless controllers, and dial-in servers) and authenticates the users trying to access the network through them. The RADIUS server maintains user profiles and access policy in a central database, thus providing better access control security. It also allows companies to set up and maintain policies that are applied to each user and to track resource usage for billing and for recording network statistics.
TACACS+ (Terminal Access Controller Access-Control System Plus) is an AAA protocol, developed by Cisco, that is commonly used to control administrative access to network devices; it descends from the older TACACS protocol documented in RFC 1492 but is not compatible with it. RADIUS uses UDP whereas TACACS+ uses TCP, so many system administrators prefer TACACS+ for its reliable transport. RADIUS combines authentication and authorization in a single exchange and user profile, whereas TACACS+ separates the two functions, which allows per-command authorization on network devices. RADIUS encrypts only the User-Password attribute of a request (using MD5 keyed with the shared secret), whereas TACACS+ encrypts the entire packet body. TACACS+ itself is described in RFC 8907; for the original TACACS, refer to RFC 1492.
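As an added example (not code from the original chapter or from any RADIUS implementation), the following Python performs the User-Password hiding that RFC 2865 section 5.2 specifies for an Access-Request, and the reverse operation performed by the server. The shared secret, password, and Request Authenticator values are constructed for illustration; note how little protection the scheme offers beyond the strength of the shared secret, which is why RADIUS traffic is normally carried over IPsec or RADIUS over TLS (RadSec, RFC 6614):

```python
import hashlib
import os


def hide_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16
    bytes, then XOR each 16-byte block with MD5(secret || previous block),
    where the first 'previous block' is the Request Authenticator."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block                      # chaining uses the hidden block
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse operation performed by the RADIUS server. The chain is built
    from the received (hidden) blocks, so every block can be undone."""
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")


def new_request_authenticator() -> bytes:
    """Each Access-Request carries a fresh, unpredictable 16-byte value;
    reuse would let an observer XOR two hidden passwords together."""
    return os.urandom(16)


if __name__ == "__main__":
    secret = b"example-shared-secret"           # hypothetical NAS/server secret
    ra = new_request_authenticator()
    hidden = hide_user_password(b"correct horse battery", secret, ra)
    print("hidden  :", hidden.hex())
    print("revealed:", reveal_user_password(hidden, secret, ra))
```

The padding is the detail to watch on the server side: the revealed value is stripped of trailing NULs, so the original length is recovered only if the password itself does not end in a NUL byte, which RFC 2865 assumes.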
LDAP and Active Directory
The Lightweight Directory Access Protocol (LDAP) is an application level protocol that defines the method by which information across an organization can be accessed. LDAP is often used by organizations to store user information for authentication and authorization purpose. It is also used for storing “roles” for information for application users.
LDAP is based on a client/server model. A client that wants to use the directory first binds (authenticates) to the LDAP server; applications commonly authenticate their users by binding with the user’s distinguished name and password, and then read the user’s group or role attributes to decide what the user is authorized to do. LDAPv3 is specified in RFC 4510 and RFC 4511, which obsolete RFC 2251; RFC 1777 describes the older LDAPv2.
The main benefit of LDAP is that rather than managing user lists for different applications and login IDs to access networks, LDAP can be used as a central directory where any user can be authenticated and authorized from anywhere on the network.
Active Directory is Microsoft’s LDAP-compatible directory service, and it provides authentication and authorization services for Windows domains. Active Directory stores information about each user, system, resource, or group as an object and manages these objects centrally. The objects are organized into organizational units (OUs), to which Group Policy (GP) settings are linked. Active Directory is a Microsoft trademark and has been an integral part of Windows Server since Windows 2000.
Identity and Access Management (IDAM), shown in Figure 4-8, refers to the processes, technologies and policies for managing digital identities and providing authentication and authorization controls to ensure data integrity. An IDAM solution enables a single identity across organizations as well as partner networks.
An IDAM solution helps organizations to protect resources from unauthorized access, and to comply with security regulations. The goal of IDAM is to provide the right information to the right user at right time.
IDAM comprises the people, processes, and policies that manage user identity and access in an enterprise network. IDAM can be classified into four major categories: authentication, authorization, user management, and data management, as shown in Figure 4-8.
Active Directory (AD), Single Sign-On (SSO), Password Manager, Security Token Services (STS), OAuth, and RBAC are technologies and are related to the implementation of IDAM solutions.
Single sign-on (SSO) is a user authentication process that permits a user to enter his credentials only once in order to access multiple applications. The SSO process authenticates the user for all the applications that he has the rights to and eliminates the process of entering the login id and password when they switch to a different application during a particular session.
We examined what authentication and authorization mean. We explored the importance of access controls and the need for an access control in the context of confidentiality and integrity requirements.
We described the different access control types like network access, system access, and data access. Furthermore, we specified the three layers of access controls: the administrative layer, the technical (logical) layer, and the physical layer. Each of these layers serves as an important mechanism to control access to valuable information. Then, important access control models like Discretionary Access Control (DAC), Mandatory Access Control (MAC), Role Based Access Control (RBAC), and Attribute Based Access Control (ABAC) were explored. Where required, the pros and cons of these are explained.
We discussed how effective access controls can be implemented technically. Access Control Lists, the AAA framework, RADIUS and TACACS+, LDAP and Active Directory, and the IDAM framework were explained in detail with supporting diagrams. Single Sign-On (SSO) as an important component of the IDAM framework was also explained.
NIST Special Publication 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations.