Access Controls

Access control types include preventive, detective, corrective, deterrent, recovery, directive, and compensation access controls. They are implemented as administrative controls, logical/technical controls, and/or physical controls

 

Access controls are features that control how users interact and communicate with computers, networks and data. Access control and its component controls what type of access a user has based on their authorization level. There are three main types of access control systems:

  • Discretionary Access Control (DAC),
  • Role Based Access Control (RBAC)
  • Mandatory Access Control (MAC)

Discretionary Access Control: DAC enable the owner of a resource to specify which user can access specific resources. It’s based on the discretion of the owner. The DAC structure is used by many systems from Windows, Linux, to OS X. The most common implementation of DAC is through access control lists (ACLs).

 

In SQL Databases there are additional methods one can use to authenticate users, from login permission, setting up security roles to using windows authentication. You can even create views as to what users can see; but with triggers you can get even more creative.

 

Triggers let you control input down to the column/row level, and even down to a cell within the database table. It can be coded to even roll-back changes that don’t match your database scheme, or give feedback to a user who is entering the wrong data type.

Mandatory Access Control: MAC user cannot install software change file permission, add new users or change their security level. Users are limited to a specific purpose or given what is known as least privileges, just enough access to do their jobs. This type of system is used mostly by governments for top-secret information.

 

The MAC system is based on a security label system and users are given (top secret, secret, or confidential) access only. MAC stores data with security labels that are bound to specific subjects and objects. When a user inputs data to the requested object, it is based on clearance level, classification of the object and security policy on the system. The standard setup of a MAC system utilizes a multilevel security policy where data is classified and labeled based on clarence level; meaning every file, directory, and device has a security label.

Role Based Access Control: RBAC is a centrally administrated control methodology which subjects and object are determined by an admin. The access control levels are based around the role the user holds within the organization in which the user is given the least amount of privileges the user needs to fulfil their responsibilities.

 

A role can be assigned explicitly or implicitly. If the user is explicitly access is assigned directly to a specific individual. If assigned implicitly, they are assigned the role based on the group and the user inherits those attributes. RBAC is used by organizations with high turnover. Because assigning permissions to a role is easier to manage. You can just delete the user from the role, and you don't have to change the ACLs or objects assigned. You just delete the user from the group they had been assigned too. Many users can belong to many groups with various privileges based on roles, permissions, operations, and sessions defined by the security policy.

 

Role-based access control can be managed in a number of ways

  • Non-RBAC - Users are mapped directly to applications and no roles are used.
  • Limited RBAC - Users are mapped to multiple roles and mapped directly to other types of applications that do not have role-based access functionality
  • Hybrid RBAC - Users are mapped to multiapplication roles with only selected rights assigned to those roles.
  • Full RBAC - Users are mapped to enterprise roles.

The physical world and Access controls:

Cameras, guards, smartcards, location, doors, biometrics, Scanners…etc. But training your staff on cyber security should be the number one thing you do.

 

Cameras can see who is coming and going, but they can also have blind spots or can be placed in the wrong locations. The optimal places to install security cameras; the front door, back door and first-floor windows are the most common entryways. Not to forget the computer room itself, and around your building like the alley. One should also think of the type of lens the camera is using, its focal length and field of view. Camera's are a great asset if correctly placed and monitored by trained staff.

 

Security Guards are a nice option for a big operation, but special training may need to be given when it comes to data center operations.

 

Smartcards can add an extra layer of authentication – the three Ss.

  1. Something you know.
  2. Something you have.
  3. Something a user is.

 

Type 1 A Type 1 authentication factor is something you know. Examples include a

Token password, personal identification number (PIN), or passphrase.

 

Type 2 A Type 2 authentication factor is something you have. Physical devices that a

user possesses can help them provide authentication. Examples include a smartcard,

hardware token, smartcard, memory card, or USB drive.

 

Type 3 A Type 3 authentication factor is something you are or something you do. It is

a physical characteristic of a person identified with different types of biometrics.

Examples in the something-you-are category include fingerprints, voice prints, retina

patterns, iris patterns, face shapes, palm topology, and hand geometry. Examples in the

something-you-do category include signature and keystroke dynamics, also known as

behavioral biometrics.

 

Smartcards are not easy to hack, but it can be done if the prize is big enough for the taking and the thief is skilled enough with the right equipment. So, any number of techniques can be employed if the hacker is determined to get in.

 

Password Management is one the most used methods for access control. Using password synchronization systems can reduce the user having to remember many different passwords. Also using self-service password reset systems, can help reduce IT support calls.

Furthermore, going to biometrics, or a token system can also help improve security authentications, but Biometrics like any system can be hacked. Example: Finger Prints can be lifted from a glass, and a mold can be made of a face to fool face recognition systems.

Retina Scans: Retina scans focus on the pattern of blood vessels at the back of the eye. They are the most accurate form of biometric authentication and are able to differentiate between identical twins. However, they are the least acceptable biometric scanning method because retina scans can reveal medical conditions, such as high blood pressure and pregnancy. Older retinal scans blew a puff of air into the user’s eye, but newer ones typically use an infrared light instead

 

The first thing is to analyze your needs and a cost matrix for Access Controls.

  • What Technology and methods do you need?
  • What types of monitoring and accountability do you want?
  • What types of intrusion detection do you need to deploy?
  • What types of threats do you face?
  • How is your information stored?
  • What backup options do you have if you have a ransom-ware attack
  • Have you put together a Business Impact Analysis?
  • Played War games to figure out types of attacks and how to react?
  • How are you going to train your staff for social engineering attacks?
  • Methods of responding to attacks and recovery?
  • Chain of command and IT structure during an attack – Who Will Do What?

Confidentiality is one of the cornerstones of information security. It gives one the assurance that information was or is not disclosed to unauthorized people.  Control mechanisms should be in place to monitor, report and analysis what has been accessed and by whom.

 

In IT there are many different types of technologies one can use to authenticate users and help you manage access controls and each have their strength and weaknesses.

  • Signal Sign-on
  • Account management
  • Password Management
  • Web Access Management
  • Directories
  • Profile Controls
  • Security Level Controls

Overall following a standard either created internal, and an international standard will help you put down a base to build on. But the goal is to have a standard that can be measured in some way and tracked - meaning reporting tools and protocols that are outlined and easy to follow. 

 

Threats on Access Controls can come in many forms:

  • Password brute force attacks.
  • Dictionary attacks.
  • Rainbow table type attacks
  • Social Engineered Attacks, which in the past have been very effective.

                                  ----------------------------------------------------------

  • ISO/IEC 14443-1 Physical characteristics
  • ISO/IEC 14443-3 Initialization and anti-collision
  • ISO/TEC 14443-4 Transmission Protocol

          

There are five basic things one can do to protect your privacy and security

  • Use a Virtual Private Network (VPN)
  • Configure your Firewall Protection
  • Use the latest Antivirus and Anti Spyware
  • Add File Encryption Tools for key data assess
  • Regular OS/Application Updates
  • Put in place a Change Management process.

I could go on and list all the different Tools to track, protect and log your system, but things are changing fast with some of the newer behavioral-based or Heuristic-based methods along with the great advances in AI systems. Not to forget Quantum computers. As I like the to say - the future is Qubits, and it will hurt if you’re not prepared…...!

 

Lance West

 

DigiBrains@msn.com

 

 

  • Cyber-Security

 

  • Information Assurance training

 

  • IT Risk Analysis

 

  • BIA/BCP Development

 

  • Software Security

 

  • Databases
Print | Sitemap
© DigiBrains LLC