Handbook of Information Security Management: Access Control



Section 1-3
Access Control Administration

Chapter 1-3-1
Implementation of Access Controls

Stanley Kurzban

The decision of which access controls to implement is based on organizational policy and on two generally accepted standards of practice: separation of duties and least privilege. For controls to be accepted and, therefore, used effectively, they must not disrupt the usual work flow more than is necessary or place too many burdens on administrators, auditors, or authorized users.

To ensure that access controls adequately protect all of the organization’s resources, it may be necessary to first categorize the resources. This chapter addresses this process and the various models of access controls. Methods of providing controls over unattended sessions are also discussed, and administration and implementation of access controls are examined.

CATEGORIZING RESOURCES

Policies establish levels of sensitivity (e.g., top secret, secret, confidential, and unclassified) for data and other resources. These levels should be used for guidance on the proper procedures for handling data (for example, an instruction not to copy). They may be used as a basis for access control decisions as well; in that case, individuals are granted access only to those resources at or below a specific level of sensitivity. Labels attached to electronically stored documents indicate their sensitivity level.

In addition, the access control policy may be based on compartmentalization of resources. For example, access controls may all relate to a particular project or to a particular field of endeavor (e.g., technical R&D or military intelligence). Implementation of the access controls may involve either single compartments or combinations of them. These units of involvement are called categories, though the terms “compartment” and “category” are often used interchangeably. Neither term applies to restrictions on the handling of data. Individuals may need authorization to all of the categories associated with a resource to be entitled to access it (as is the case in the U.S. government’s classification scheme) or to any one of those categories (as is more representative of how other organizations work). Policy must fix which of the two rules applies before the controls are implemented, because the same set of authorizations yields different decisions under each rule.

The access control policy may distinguish among types of access as well. For example, only system maintenance personnel may be authorized to modify system libraries, but many if not all other users may be authorized to execute programs from those libraries. Billing personnel may be authorized to read credit files, but modification of such files may be restricted to those responsible for compiling credit data. Files with test data may be created only by testing personnel, but developers may be allowed to read and perhaps even modify such files.

One advantage of the use of sensitivity levels is that it allows security measures, which can be expensive, to be used selectively. For example, only for top-secret files might:

  The contents be zeroed after the file is deleted, so that the old data cannot be scavenged by whoever is later allocated the freed space for a new file.
  Successful as well as unsuccessful requests for access be logged for later scrutiny, if necessary.
  Unsuccessful requests for access be reported on paper or in real time to security personnel for action.

Although the use of sensitivity levels may be costly, it affords protection that is otherwise unavailable and may well be cost-justified in many organizations.

MANDATORY AND DISCRETIONARY ACCESS CONTROLS

Policy-based controls may be characterized as either mandatory or discretionary. With mandatory controls, only administrators and not owners of resources may make decisions that bear on or derive from policy. Only an administrator may change the category of a resource, and no one may grant a right of access that is explicitly forbidden in the access control policy.

Access controls that are not based on the policy are characterized as discretionary controls by the U.S. government and as need-to-know controls by other organizations. The latter term connotes least privilege — those who may read an item of data are precisely those whose tasks entail the need.

It is important to note that mandatory controls are prohibitive (i.e., all that is not expressly permitted is forbidden), not merely permissive. Discretionary controls operate only within the access that the mandatory policy already permits: they can withhold still more access under the same exclusionary principle, but they can never grant access that the policy forbids.

Discretionary access controls can extend beyond limiting which subjects can gain what type of access to which objects. Administrators can limit access to certain times of day or days of the week. Typically, the period during which access would be permitted is 9 a.m. to 5 p.m. Monday through Friday. Such a limitation is designed to ensure that access takes place only when supervisory personnel are present, to discourage unauthorized use of data. Further, subjects’ rights to access might be suspended when they are on vacation or leave of absence. When subjects leave an organization altogether, their rights must be terminated rather than merely suspended.
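The following is an added illustration, not code from Kurzban's chapter or from any product it describes: a small reference monitor in Python that layers the controls discussed above in the order the text prescribes. The mandatory check (level plus categories, under either the "all categories" or the "any one category" rule) comes first and is prohibitive; the discretionary access list, the time-of-day window and a subject's suspended or terminated status can only deny further. Top-secret resources also get the costlier audit treatment of logging successes as well as denials, and only an administrator may relabel a resource. The level names, category names, subjects, ACL entries and the 9 a.m. to 5 p.m. window are assumed sample data.

```python
"""Added illustration (not from the Handbook): a toy reference monitor layering the
controls of this chapter. Levels, categories, subjects and the work window are assumed."""
from dataclasses import dataclass, field
from datetime import datetime, time
from enum import IntEnum

class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

@dataclass(frozen=True)
class Label:
    """Sensitivity level plus the set of categories (compartments)."""
    level: Level
    categories: frozenset = frozenset()

def dominates(subject: Label, obj: Label, need_all: bool = True) -> bool:
    """Mandatory check derived from policy: level at or above the object's level, and
    need_all=True  -> the subject must hold every category on the object (U.S. government rule)
    need_all=False -> holding any one of the object's categories suffices (common elsewhere).
    An object with no categories is governed by the level test alone."""
    if subject.level < obj.level:
        return False
    if not obj.categories:
        return True
    if need_all:
        return obj.categories <= subject.categories
    return not obj.categories.isdisjoint(subject.categories)

@dataclass
class Subject:
    name: str
    clearance: Label
    status: str = "active"  # "active", "suspended" (vacation/leave) or "terminated" (has left)

@dataclass
class Resource:
    name: str
    label: Label
    acl: dict = field(default_factory=dict)  # discretionary: subject name -> set of access types

WORK_START, WORK_END = time(9, 0), time(17, 0)  # assumed window: 9 a.m. to 5 p.m., Monday-Friday
AUDIT_LOG: list = []

def within_work_hours(now: datetime) -> bool:
    return now.weekday() < 5 and WORK_START <= now.time() < WORK_END

def check_access(subject: Subject, resource: Resource, access: str,
                 now: datetime, need_all: bool = True) -> tuple:
    """Returns (permitted, reason). The mandatory check is prohibitive and comes first;
    the discretionary ACL and the time window can only deny further, never grant more."""
    if subject.status == "terminated":
        decision = (False, "rights terminated")
    elif subject.status == "suspended":
        decision = (False, "rights suspended")
    elif not dominates(subject.clearance, resource.label, need_all):
        decision = (False, "mandatory policy forbids access")
    elif access not in resource.acl.get(subject.name, set()):
        decision = (False, "no discretionary right of %s" % access)
    elif not within_work_hours(now):
        decision = (False, "outside permitted hours")
    else:
        decision = (True, "permitted")
    # Selective, costlier auditing: top-secret resources log successes too, others only denials.
    if resource.label.level == Level.TOP_SECRET or not decision[0]:
        AUDIT_LOG.append((now.isoformat(), subject.name, resource.name, access, decision[1]))
    return decision

def relabel(actor: Subject, resource: Resource, new_label: Label, administrators: set) -> bool:
    """Only an administrator, never the resource's owner, may change its level or categories."""
    if actor.name not in administrators:
        return False
    resource.label = new_label
    return True

def demo() -> dict:
    """Constructed sample subjects and one resource; returns every decision for inspection."""
    alice = Subject("alice", Label(Level.SECRET, frozenset({"rnd", "intel"})))
    bob = Subject("bob", Label(Level.TOP_SECRET, frozenset({"rnd"})))
    carol = Subject("carol", Label(Level.TOP_SECRET, frozenset({"rnd", "intel"})), status="suspended")
    plan = Resource("plan", Label(Level.SECRET, frozenset({"rnd", "intel"})),
                    acl={"alice": {"read"}, "bob": {"read", "write"}, "carol": {"read"}})
    monday_noon = datetime(2024, 1, 8, 12, 0)    # a Monday
    saturday_noon = datetime(2024, 1, 13, 12, 0)  # a Saturday
    return {
        "alice_read": check_access(alice, plan, "read", monday_noon),
        "alice_write": check_access(alice, plan, "write", monday_noon),     # ACL lacks write
        "bob_all_rule": check_access(bob, plan, "read", monday_noon),       # bob lacks "intel"
        "bob_any_rule": check_access(bob, plan, "read", monday_noon, need_all=False),
        "carol_suspended": check_access(carol, plan, "read", monday_noon),
        "alice_weekend": check_access(alice, plan, "read", saturday_noon),
        "owner_relabel": relabel(alice, plan, Label(Level.TOP_SECRET), administrators={"admin"}),
    }
```

Running `demo()` shows the layering: bob, though cleared to top secret, is refused the secret plan under the "all categories" rule because he lacks the intel category, yet is admitted under the "any one category" rule; alice, who dominates the label, is still denied write because her discretionary entry grants only read, and is denied even read on a Saturday; carol's suspension is checked before anything else, and alice, as a mere owner, cannot relabel the resource.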

