Introduction
The following is an evaluation of access control models for use in the company. The models under review are Discretionary Access Control (DAC), Mandatory Access Control (MAC), and Role-Based Access Control (RBAC). The report addresses the positive and negative aspects of each access control method and recommends an access control model to be adopted for the company.
Discretionary Access Control (DAC)
The discretionary access control method enforces the principle that the creator of an object is its owner. The owner has full control of the object and therefore has the discretion to grant permissions (rights) on it to other subjects. In this model, access is restricted based on the authorization granted to the subject and is mostly implemented through Access Control Lists (ACLs): DAC attaches an ACL to each object, and accesses are granted based on that ACL. Most operating systems, such as Linux, Windows, and Macintosh systems, implement the DAC model. A subject can be an individual or a group.
Advantages of the DAC model are that it is dynamic, since ACLs can be updated at any time, that it places less administrative burden on IT, and that it is flexible. Security policies have to be implemented explicitly by the owners. It is an identity-based access control model and depends on an authentication process to verify the identity of the user before access is granted.
Disadvantages of the DAC model are escalation of privilege and transfer of privilege. A user who is granted read-only access to a file is supposed to have only read-only access, and that is the access granted. However, the user can save a copy of the file using the "save as" function. Since the user created this copy, he has full control of it; this is escalation of privilege. The owner of the copy can now grant privileges to others, which is transfer of privilege. The technical controls of a DAC system fail to prevent these actions. In DAC, the user's access token is bound to each process launched by the user. Malware running in such a process can therefore use the user's access token and gain all the privileges that the user has.
The DAC system can be improved when the objects reside on a central network system (as in an enterprise), where administrators or custodians of the objects assume the owner's role and manage access to the objects. In such a case, permissions are applied consistently and follow the security policy.
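The following is an added example, not part of the report: a minimal DAC simulation with owner-managed ACLs that reproduces the "save as" escalation and transfer of privilege described above. The subjects and file names (alice, bob, carol, report.doc) are constructed for the demonstration.

```python
# Added example (not from the report): a minimal DAC simulation with owner-managed ACLs
# that reproduces the "save as" escalation and transfer of privilege described above.
# Names (alice, bob, carol, report.doc) are constructed for the demonstration.

class DacObject:
    def __init__(self, name, owner):
        self.name = name
        self.owner = owner
        # ACL maps subject -> rights; the creator becomes owner with full control,
        # including the "grant" right that lets them extend the ACL.
        self.acl = {owner: {"read", "write", "grant"}}

class DacSystem:
    def __init__(self):
        self.objects = {}

    def create(self, subject, name):
        obj = DacObject(name, subject)
        self.objects[name] = obj
        return obj

    def allowed(self, subject, name, right):
        return right in self.objects[name].acl.get(subject, set())

    def grant(self, granter, name, subject, rights):
        # Only a holder of "grant" on the object (its owner by default) may share it
        if not self.allowed(granter, name, "grant"):
            raise PermissionError(f"{granter} cannot grant on {name}")
        self.objects[name].acl.setdefault(subject, set()).update(rights)

    def save_as(self, subject, src, dst):
        # Any reader can make a copy, and DAC makes the copy's creator its owner
        if not self.allowed(subject, src, "read"):
            raise PermissionError(f"{subject} cannot read {src}")
        return self.create(subject, dst)

def demo_privilege_transfer():
    s = DacSystem()
    s.create("alice", "report.doc")
    s.grant("alice", "report.doc", "bob", {"read"})        # bob is read-only on the original
    assert not s.allowed("bob", "report.doc", "grant")     # bob cannot share the original
    s.save_as("bob", "report.doc", "report-copy.doc")      # escalation: bob owns the copy
    s.grant("bob", "report-copy.doc", "carol", {"read"})   # transfer: bob shares it onward
    return s.allowed("carol", "report-copy.doc", "read")   # True: ACLs alone cannot stop this
```

The custodian arrangement the report suggests amounts to keeping the "grant" right with administrators rather than with the creator of each copy.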
Mandatory Access Control
The mandatory access control model makes use of classification levels for granting access to objects. The levels assigned to objects are called classifications; objects receive these labels based on their sensitivity, and the labels cannot be overridden. Similarly, subjects are assigned classification levels called clearances, based on the level of trust that management has in the user and on the subject's need to know. Changing a clearance label is a tedious process by design. As an example, a MAC system could use levels of sensitivity such as 1) Top Secret, 2) Secret, 3) Confidential, 4) Restricted, and 5) Unclassified. A subject whose clearance matches the classification can access those objects. A second label, called a category, is applied to the object, while the subject is assigned a corresponding label based on "need to know". So a subject working on the project "Project1" can be assigned the need-to-know label "Project1" and the clearance "Top Secret"; this enables the subject to access any object with the same classification and category. SELinux, SCOMP, Black, AppArmor, and FreeBSD are some of the systems that implement such MAC controls. A MAC system can operate in four modes: 1) Dedicated Security mode, 2) System High-security mode, 3) Compartmented Security mode, and 4) Multilevel Security mode.
Advantages of the MAC model are that it is an implicit-deny model and that stricter controls can be established and enforced. The system automatically assigns labels and categories to objects based on their sensitivity, so enforcing security policies is easy.
Disadvantages of the model are that it is very costly to implement, and that changing the classification or category of an object is very difficult and involves an extended period of review.
MAC is usually used for high-value and highly sensitive objects, so disadvantages such as high cost and slow change are not considered impediments.
Role-based Access Control
RBAC is a centrally administered set of access controls that determines the accesses subjects have to objects. Roles are identified based on job functions, and subjects are assigned to roles based on their job functions. The role determines access to an object: objects maintain ACLs that specify, for each role, the accesses allowed on the object. The classic RBAC implementation tracks only roles, not individual identities; a modified RBAC that also tracks individual identities is normally used.
Advantages of RBAC are that it can be centrally administered, is easier to administer, and greatly reduces complexity. When there is frequent turnover of employees in an organization, RBAC simplifies access control, as a new user only has to be mapped to the appropriate role instead of going through the entire process of assigning individual access to each object.
Disadvantages of RBAC are access creep, whereby accesses to objects keep being added to a role and are never removed, and are inherited by every member of the group the role specifies; unnecessary accesses thus accumulate in the role, violating the least-privilege rule. Initial RBAC assignment is time consuming, since it involves converting job functions to roles and translating organizational policies to permissions.
The disadvantages of RBAC can be overcome by using the core RBAC method together with hierarchical groups. In this situation, a user can belong to multiple groups and inherit all of their accesses. Separation of duties can be enforced through RBAC as either static or dynamic separation of duties. In static separation of duties, a user cannot belong to both the cashier and the accounts receivable group; in dynamic separation of duties, the user can belong to both groups and perform both functions, one at a time, but cannot log on and perform both duties at the same time.
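The following is an added example, not part of the report: a core RBAC engine with a role hierarchy plus static and dynamic separation of duties, exercised with the cashier / accounts receivable case described above. The role and permission names are constructed for the demonstration.

```python
# Added example (not from the report): core RBAC with a role hierarchy plus static and
# dynamic separation of duties, using the report's cashier / accounts receivable case.

class Rbac:
    def __init__(self):
        self.role_perms = {}   # role -> permissions granted directly to the role
        self.inherits = {}     # role -> junior roles whose permissions it inherits
        self.user_roles = {}   # user -> roles assigned to the user
        self.sessions = {}     # user -> roles currently activated in the session
        self.ssd = set()       # static SoD: role pairs no user may be assigned together
        self.dsd = set()       # dynamic SoD: role pairs that may not be active together

    def add_role(self, role, perms=(), inherits=()):
        self.role_perms[role] = set(perms)
        self.inherits[role] = set(inherits)

    def separate(self, a, b, dynamic=False):
        (self.dsd if dynamic else self.ssd).add(frozenset({a, b}))

    def permissions(self, role):
        # Effective permissions: the role's own plus everything inherited from juniors
        perms = set(self.role_perms[role])
        for junior in self.inherits[role]:
            perms |= self.permissions(junior)
        return perms

    def assign(self, user, role):
        roles = self.user_roles.setdefault(user, set())
        for held in roles:
            if frozenset({held, role}) in self.ssd:
                raise ValueError(f"static SoD: {user} may not hold {held} and {role}")
        roles.add(role)

    def activate(self, user, role):
        if role not in self.user_roles.get(user, set()):
            raise ValueError(f"{user} is not assigned {role}")
        active = self.sessions.setdefault(user, set())
        for held in active:
            if frozenset({held, role}) in self.dsd:
                raise ValueError(f"dynamic SoD: {user} cannot activate {role} with {held}")
        active.add(role)

    def deactivate(self, user, role):
        self.sessions.get(user, set()).discard(role)

    def check(self, user, perm):
        # Access is decided by the roles active in the session, not by identity
        return any(perm in self.permissions(r) for r in self.sessions.get(user, set()))
```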
Access control model for the organization
Since the organization is a federal government contractor and deals with many sensitive documents, it is best to adopt MAC. To simplify matters, System High-security mode is the mode in which MAC will be employed, so all the data in the system will have the same classification, and the categories will differ based on department (or need to know). Hence, a user with Secret clearance can access all data of that classification if the category (based on need to know) to which the user belongs matches. This requires fewer controls and is therefore easier to set up. The issue that I can foresee arises when the system has to communicate with the government system, which has different classifications, categories, and levels of protection. When a system with lower protection communicates with a system of higher protection, security vulnerabilities are introduced. In such a case, guards (a NIC card or a software guard) are employed, which filter or block the data, sanitize it, or process the requests. This ensures that a less secure system only gets an acknowledgement back when sending information to the higher security system.
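The following is an added example, not part of the report: the label check behind the MAC model described in the Mandatory Access Control section, using the report's five sensitivity levels and need-to-know categories, together with the System High configuration recommended above (one classification for all data, departments as categories). It goes slightly beyond the text in one respect, which is an assumption: it uses the standard dominance rule (clearance at least as high as the classification, and all of the object's categories held), of which the report's "same classification and category" case is an instance. The department names are constructed.

```python
# Added example (not from the report): MAC label checks using the report's five sensitivity
# levels plus need-to-know categories, and the System High configuration it recommends.
LEVELS = {"Unclassified": 0, "Restricted": 1, "Confidential": 2, "Secret": 3, "Top Secret": 4}

class Label:
    def __init__(self, level, categories=()):
        self.level = LEVELS[level]                # clearance (subject) or classification (object)
        self.categories = frozenset(categories)   # need-to-know compartments, e.g. {"Project1"}

    def dominates(self, other):
        # Assumption: standard lattice dominance, which generalises the report's
        # "same classification and category" case. Level must be at least as high
        # AND every category the object carries must be held by the subject.
        return self.level >= other.level and other.categories <= self.categories

def can_access(subject, obj):
    # Implicit deny: access only when the clearance label dominates the classification label
    return subject.dominates(obj)

def system_high_labels(departments, level="Secret"):
    # System High mode: every object carries the same classification; departments
    # differ only in category. Returns the label each department's objects carry.
    return {d: Label(level, {d}) for d in departments}

def reachable(subject, labels):
    # Departments whose data a subject can read under the System High policy
    return sorted(d for d, lab in labels.items() if can_access(subject, lab))
```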