Access Control Models-1

Access control for the beginner

Access Control Models

• Mandatory access control (MAC): MAC is the strictest of these models. It was designed for,
and is still used primarily by, government and military systems. Under MAC the access rules
are defined by the system (or security) administrator and enforced on every controlled
resource; a resource's owner cannot override them. MAC assigns a security label to each
resource, consisting of a classification (such as top secret, secret, or confidential) and a set
of categories (such as a department number or project name). Each user account carries a
clearance with the same two properties. When a user attempts to access a resource, the
system compares the user's clearance with the resource's label. Access is allowed only if the
clearance dominates the label: the user's classification must be at least as high as the
resource's classification, and the user's categories must include every category on the
resource. For example, a user with a secret clearance cannot access a resource labeled top
secret, and a user cleared only for project A cannot read a secret document labeled for
project B. MAC carries high system management overhead, because labels and clearances
must be updated as new data and new users arrive and as the categorization and
classification scheme changes.
• Discretionary access control (DAC): DAC lets each user control access to the data they
own. Instead of a security label as in MAC, each resource in a DAC-based system has an
access control list (ACL) associated with it. An ACL lists the users and groups to which the
owner has granted access, together with the level of access for each user or group. DAC
provides a much more flexible environment than MAC, but it also increases the risk that data
will be made accessible to unauthorized users, because any owner can grant access at their
own discretion. File system permissions are the classic example of DAC: each file and folder
has an owner, and the owner uses the ACL to decide which users or groups may access the
file or folder and how.
• Non-discretionary access control: Most often implemented as role-based access control
(RBAC), in which access is based on a user's job function within the organization and is
allowed or denied by a set of rules defined by a system administrator rather than by resource
owners. In many organizations in industry and civilian government, end users do not "own"
the information they are allowed to access. For these organizations the corporation or
agency is the actual owner of system objects, and discretionary access control may not be
appropriate. RBAC allows and promotes central administration of an organization-specific
security policy. An example of RBAC is allowing an analyst to read the firewall logs but not to
change any of the firewall configuration.
Three primary rules are defined for RBAC:
o Role assignment: A subject can perform an action (called a transaction) only if the
subject has been assigned, and has activated, a role.
o Role authorization: A subject's active role must be one the subject is authorized to
hold. Together with rule 1, this ensures that users can take on only roles for which
they are authorized.
o Transaction authorization: A transaction here is a binding of a transformation
procedure to the data it is allowed to access. A subject can execute a transaction
only if the transaction is authorized for the subject's active role. Together with rules
1 and 2, this ensures that users can execute only transactions for which they are
authorized.
• Context-Based Access Control (CBAC): A stateful inspection feature of firewall software
(originally the Cisco IOS Firewall) that filters TCP and UDP packets based on application-layer
protocol session information. CBAC can be used for intranets, extranets, and the Internet
because of this ability to inspect packets in the context of their application session. Unlike
static access control lists (ACLs), which are limited to examining packets at the network and
transport layers, CBAC also examines application-layer protocol information (for example, the
commands exchanged on an FTP control connection) to learn the state of a TCP or UDP
session. This extended inspection allows support for protocols that open additional channels
as a result of negotiations on a control channel: the firewall sees the negotiated address and
port and temporarily opens only that return path. Most multimedia protocols, and some other
protocols including FTP, Remote Procedure Call (RPC), and SQL*Net, involve multiple
channels. CBAC can also block Java applets by filtering HTTP traffic.
• Attribute-based access control (ABAC): ABAC is a newer authorization model that provides
dynamic, context-aware, and risk-intelligent access control. In ABAC, access rights are
granted by policies that combine attributes: attributes of the subject (user), of the resource
(object), of the action, and of the environment (time, location, device state, and so on).
Policies are expressed with Boolean logic as "IF ... THEN" rules about who is making the
request, which resource is requested, and which action is requested. For example: if the
requestor's role attribute is manager, then allow read and write access to data classified as
sensitive. ABAC is sometimes referred to as policy-based access control (PBAC) or, in
Microsoft-specific terminology, claims-based access control (also abbreviated CBAC, not to be
confused with the context-based access control above). Key standards that implement ABAC
are the eXtensible Access Control Markup Language (XACML) and ALFA, a compact language
for writing XACML policies.
• Rule-based access control (RuBAC): A model in which the system administrator defines the
rules that govern access to resource objects. The rules are typically parameters such as
allowing access only from certain IP addresses, denying access from certain IP addresses, or
something more specific, such as allowing an IP address unless it arrives on a certain port
(such as the port used for FTP). Because the rules apply regardless of who the user is, RuBAC
can limit what an intruder can reach after finding a way into the network. Rule-based access
control can also be implemented at the file or system level, for example restricting data
access to business hours only, which is called time-based access control.
• Time-based access control (TBAC): On network devices, access control lists (ACLs) perform
packet filtering to control the movement of packets through a network. Packet filtering
provides security by limiting the traffic allowed into a network, restricting user and device
access to a network, and preventing traffic from leaving a network. An access list is an
ordered list consisting of at least one permit statement and possibly one or more deny
statements, evaluated top to bottom until a statement matches. In the case of IP access lists,
these statements can match on IP addresses, upper-layer IP protocols, or other fields in IP
packets. Access lists are identified and referenced by a name or a number. Time-based
access lists add a time period to this matching, which is useful when you want to restrict
outbound or inbound traffic based on the time of day or the day of the week. For example,
you may configure an access list that denies HTTP traffic during work hours, Monday to
Friday from 9:00 to 17:00, and permits it at other times. TBAC is easy to implement and gives
the administrator finer control over traffic, because traffic can be denied or permitted based
on time as well as on address and port. It does depend on the filtering device having an
accurate clock, so the device's time should be synchronized (for example with NTP).
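The MAC bullet above describes the dominance check in words. The following is an added example, not code from the original document: a minimal label comparison in which access is granted only when the subject's clearance dominates the object's label. It goes one step beyond the text by also showing the corresponding "no write down" rule (the Bell-LaPadula *-property), which is why a secret user may write to a top-secret file but not to a confidential one. The level names, category names and sample users are constructed for this illustration.

```python
"""Added example (not from the original document): a minimal MAC check.

Clearances and labels are (classification, categories) pairs. Access is
granted only when the subject's clearance dominates the object's label:
the classification level is at least as high and the category set is a
superset. Level names and sample data are constructed for this illustration.
"""
from dataclasses import dataclass, field

# Linear ordering of classifications, lowest to highest (constructed).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    classification: str
    categories: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        """True if this label is at least as high as `other` and covers all its categories."""
        return (LEVELS[self.classification] >= LEVELS[other.classification]
                and self.categories >= other.categories)


def mac_read_allowed(clearance: Label, resource: Label) -> bool:
    """Simple security (no read up): the subject's clearance must dominate the label."""
    return clearance.dominates(resource)


def mac_write_allowed(clearance: Label, resource: Label) -> bool:
    """*-property (no write down): the resource label must dominate the clearance,
    so a secret user cannot copy secret data into a confidential file."""
    return resource.dominates(clearance)


def demo():
    analyst = Label("secret", frozenset({"dept-42", "project-x"}))
    doc_secret_x = Label("secret", frozenset({"project-x"}))
    doc_topsecret = Label("top secret", frozenset({"dept-42", "project-x"}))
    doc_secret_y = Label("secret", frozenset({"project-y"}))
    doc_conf = Label("confidential", frozenset())
    return {
        "read secret/project-x": mac_read_allowed(analyst, doc_secret_x),   # allow
        "read top secret": mac_read_allowed(analyst, doc_topsecret),         # deny: level too low
        "read secret/project-y": mac_read_allowed(analyst, doc_secret_y),    # deny: missing category
        "write confidential": mac_write_allowed(analyst, doc_conf),          # deny: write down
        "write top secret": mac_write_allowed(analyst, doc_topsecret),       # allow: write up
    }


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check}: {'allow' if allowed else 'deny'}")
```

Note that the category check is a superset test, not an equality test: a user cleared for two projects can read a document labeled with either one, but not a document labeled with a third.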
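The three RBAC rules listed above (role assignment, role authorization, transaction authorization) are easiest to see as checks in a small reference monitor. The following is an added example, not code from the original document; the users, roles and transaction names (including the firewall-log analyst from the text) are constructed for this illustration.

```python
"""Added example (not from the original document): the three RBAC rules
enforced by a small in-memory reference monitor. Users, roles and
transactions are constructed for this illustration."""
from dataclasses import dataclass, field


@dataclass
class RBAC:
    # role -> set of transactions (a procedure bound to the data it may touch)
    role_transactions: dict = field(default_factory=dict)
    # user -> set of roles the user is authorized to hold
    authorized_roles: dict = field(default_factory=dict)
    # user -> currently active role (absent if no role has been activated)
    active_role: dict = field(default_factory=dict)

    def grant_role(self, user: str, role: str) -> None:
        """Administrator authorizes a user to hold a role (does not activate it)."""
        self.authorized_roles.setdefault(user, set()).add(role)

    def activate_role(self, user: str, role: str) -> bool:
        """Rule 2 (role authorization): only an authorized role can become active."""
        if role not in self.authorized_roles.get(user, set()):
            return False
        self.active_role[user] = role
        return True

    def can_execute(self, user: str, transaction: str) -> bool:
        """Rule 1 (role assignment) and rule 3 (transaction authorization)."""
        role = self.active_role.get(user)
        if role is None:            # rule 1: no active role, no transactions at all
            return False
        return transaction in self.role_transactions.get(role, set())


def build_demo() -> RBAC:
    rbac = RBAC()
    rbac.role_transactions["log-analyst"] = {"read:firewall-logs"}
    rbac.role_transactions["firewall-admin"] = {"read:firewall-logs", "write:firewall-config"}
    rbac.grant_role("alice", "log-analyst")
    rbac.grant_role("bob", "firewall-admin")
    return rbac


def demo() -> dict:
    rbac = build_demo()
    results = {}
    results["alice before activation"] = rbac.can_execute("alice", "read:firewall-logs")  # False (rule 1)
    results["alice activates admin"] = rbac.activate_role("alice", "firewall-admin")      # False (rule 2)
    rbac.activate_role("alice", "log-analyst")
    results["alice reads logs"] = rbac.can_execute("alice", "read:firewall-logs")         # True
    results["alice edits config"] = rbac.can_execute("alice", "write:firewall-config")    # False (rule 3)
    rbac.activate_role("bob", "firewall-admin")
    results["bob edits config"] = rbac.can_execute("bob", "write:firewall-config")        # True
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The point of keeping authorization and activation separate is that a user who is authorized for several roles runs with only one of them at a time, which is what lets an administrator audit and limit what each session can do.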
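The CBAC bullet above says that inspecting the control channel is what lets a firewall admit the extra channels of protocols such as FTP. The following added example is not code from the original document and is not Cisco's implementation: it is a toy stateful inspector that permits outbound sessions, admits inbound packets only for known sessions, and parses the FTP PORT command on an outbound control connection to open a one-shot pinhole for the server's active-mode data connection. A static filter, shown alongside it, would drop that inbound SYN. The addresses, ports and payloads are constructed.

```python
"""Added example (not from the original document, not Cisco's CBAC code): a toy
stateful inspector showing why application-layer state matters for
multi-channel protocols such as active-mode FTP. Addresses, ports and
packet payloads are constructed for this illustration."""
import re
from dataclasses import dataclass

# Active-mode FTP client announces its data endpoint as PORT h1,h2,h3,h4,p1,p2
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?$", re.MULTILINE)


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str          # "out" = inside -> outside, "in" = outside -> inside
    syn: bool = False
    payload: bytes = b""


class StatefulInspector:
    """Permits all outbound sessions, and inbound packets only when they belong
    to a known session or to a pinhole learned from the FTP control channel."""

    def __init__(self) -> None:
        self.sessions = set()   # (inside_ip, inside_port, outside_ip, outside_port)
        self.pinholes = set()   # (outside_ip, outside_port, inside_ip, inside_port)

    def inspect_ftp(self, pkt: Packet) -> None:
        """Learn the data channel an inside client announced with a PORT command."""
        m = PORT_RE.search(pkt.payload)
        if not m:
            return
        h = [int(x) for x in m.groups()]
        client_ip = ".".join(map(str, h[:4]))
        client_port = h[4] * 256 + h[5]
        # Only honour an address equal to the client's own; otherwise a PORT command
        # could open a pinhole to a third party (the classic FTP bounce).
        if client_ip == pkt.src:
            # Active FTP: the server connects from port 20 to the announced endpoint.
            self.pinholes.add((pkt.dst, 20, client_ip, client_port))

    def allow(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            if pkt.dport == 21:
                self.inspect_ftp(pkt)
            return True
        # Inbound reply to a session the inside host opened?
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return True
        # Inbound data-channel SYN matching a pinhole opened via the control channel?
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.syn and key in self.pinholes:
            self.pinholes.discard(key)          # one-shot, like a dynamic ACL entry
            self.sessions.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return True
        return False


def static_filter_allows(pkt: Packet) -> bool:
    """The stateless ACL the text contrasts with: every inbound SYN is dropped."""
    return pkt.direction == "out" or not pkt.syn


def demo() -> dict:
    fw = StatefulInspector()
    client, server = "10.0.0.5", "203.0.113.7"
    ctrl_syn = Packet(client, 40001, server, 21, "out", syn=True)
    ctrl_port = Packet(client, 40001, server, 21, "out", payload=b"PORT 10,0,0,5,156,66\r\n")
    data_syn = Packet(server, 20, client, 156 * 256 + 66, "in", syn=True)
    stray_syn = Packet(server, 20, client, 40555, "in", syn=True)
    return {
        "control syn (stateful)": fw.allow(ctrl_syn),                # True
        "PORT command (stateful)": fw.allow(ctrl_port),              # True
        "data syn (stateful)": fw.allow(data_syn),                   # True: learned from PORT
        "stray syn (stateful)": fw.allow(stray_syn),                 # False: no pinhole
        "data syn (static ACL)": static_filter_allows(data_syn),     # False: static ACL blocks it
    }


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check}: {'allow' if allowed else 'deny'}")
```

The address check in `inspect_ftp` is the caveat worth remembering: an inspector that trusts whatever endpoint the PORT command names can be made to open pinholes to hosts that never asked for them.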
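The ABAC bullet above describes policies as IF/THEN rules over subject, resource, action and environment attributes. The following added example (not from the original document, and an illustration of the model rather than an XACML engine) evaluates such rules with a deny-overrides combining algorithm, the same three-valued outcome (permit, deny, not applicable) that XACML uses. The attribute names, rules and requests, including the manager rule from the text, are constructed.

```python
"""Added example (not from the original document; not an XACML engine): ABAC as
IF/THEN rules evaluated over subject, resource, action and environment
attributes. Attribute names, rules and requests are constructed."""
from dataclasses import dataclass
from typing import Callable

# A request is {"subject": {...}, "resource": {...}, "action": str, "environment": {...}}
Request = dict


@dataclass
class AbacRule:
    name: str
    condition: Callable[[Request], bool]   # the IF part
    effect: str                            # the THEN part: "permit" or "deny"


def evaluate(rules, req: Request) -> str:
    """Deny-overrides combining: a matching deny wins, else a matching permit,
    else 'not_applicable' (which an enforcement point should treat as deny)."""
    decisions = {r.effect for r in rules if r.condition(req)}
    if "deny" in decisions:
        return "deny"
    if "permit" in decisions:
        return "permit"
    return "not_applicable"


# Constructed policy: the manager rule from the text plus an environment rule.
POLICY = [
    AbacRule("managers read/write sensitive data",
             lambda r: r["subject"].get("role") == "manager"
                       and r["resource"].get("classification") == "sensitive"
                       and r["action"] in ("read", "write"),
             "permit"),
    AbacRule("anyone reads public data",
             lambda r: r["resource"].get("classification") == "public" and r["action"] == "read",
             "permit"),
    AbacRule("no access from unmanaged devices outside office hours",
             lambda r: not r["environment"].get("managed_device", False)
                       and not 9 <= r["environment"].get("hour", 0) < 17,
             "deny"),
]


def make_request(role: str, classification: str, action: str, hour: int, managed_device: bool) -> Request:
    return {"subject": {"role": role},
            "resource": {"classification": classification},
            "action": action,
            "environment": {"hour": hour, "managed_device": managed_device}}


def demo() -> dict:
    return {
        "manager writes sensitive, office hours":
            evaluate(POLICY, make_request("manager", "sensitive", "write", 10, True)),   # permit
        "analyst writes sensitive":
            evaluate(POLICY, make_request("analyst", "sensitive", "write", 10, True)),   # not_applicable
        "manager at night on unmanaged laptop":
            evaluate(POLICY, make_request("manager", "sensitive", "read", 22, False)),   # deny
        "analyst reads public":
            evaluate(POLICY, make_request("analyst", "public", "read", 10, True)),       # permit
    }


if __name__ == "__main__":
    for check, decision in demo().items():
        print(f"{check}: {decision}")
```

The third request shows the "context-aware" part of the bullet: the same manager who is permitted during office hours is denied when the environment attributes (time, device state) change, without any change to the manager's role.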
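The RuBAC and TBAC bullets above both describe administrator-defined rules matched against packet fields, with TBAC adding a time period to the match. The following added example serves both: it is not code from the original document and is not Cisco IOS syntax, but a rule-based packet filter whose entries can carry a time range, evaluated first-match-wins with an implicit deny, including the text's "deny HTTP Monday to Friday 9:00-17:00" rule. Networks, ports, rules and sample packets are constructed.

```python
"""Added example (not from the original document; not Cisco IOS syntax): a
rule-based packet filter whose entries may carry a time range. Networks,
ports, rules and sample packets are constructed for this illustration."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class TimeRange:
    weekdays: frozenset       # 0 = Monday ... 6 = Sunday
    start_hour: int           # inclusive
    end_hour: int             # exclusive

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.weekdays and self.start_hour <= when.hour < self.end_hour


@dataclass(frozen=True)
class AclEntry:
    action: str                                # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None                # None matches any protocol
    dport: Optional[int] = None                # None matches any port
    time_range: Optional[TimeRange] = None     # None: entry is always in effect

    def matches(self, pkt: dict, when: datetime) -> bool:
        if self.time_range is not None and not self.time_range.active(when):
            return False    # an inactive timed entry is skipped, not turned into a deny
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == pkt["proto"])
                and (self.dport is None or self.dport == pkt.get("dport")))


def filter_packet(acl, pkt: dict, when: datetime) -> str:
    """First matching entry wins; a packet matching no entry hits the implicit deny."""
    for entry in acl:
        if entry.matches(pkt, when):
            return entry.action
    return "deny"


WORKHOURS = TimeRange(frozenset(range(0, 5)), 9, 17)   # Mon-Fri 09:00-17:00

# Constructed ACL: RuBAC address/port rules plus the text's time-based HTTP block.
ACL = [
    AclEntry("deny", src="192.0.2.0/24", proto="tcp", dport=21),       # known-bad subnet, no FTP
    AclEntry("deny", proto="tcp", dport=80, time_range=WORKHOURS),     # no web during office hours
    AclEntry("permit", src="10.0.0.0/8"),                              # internal hosts otherwise allowed
    # everything else: implicit deny
]


def demo() -> dict:
    web = {"src": "10.1.2.3", "dst": "198.51.100.10", "proto": "tcp", "dport": 80}
    ftp_bad = {"src": "192.0.2.9", "dst": "10.0.0.1", "proto": "tcp", "dport": 21}
    outsider = {"src": "203.0.113.4", "dst": "10.0.0.1", "proto": "tcp", "dport": 22}
    tuesday_noon = datetime(2024, 1, 9, 12, 0)      # a Tuesday
    tuesday_night = datetime(2024, 1, 9, 21, 0)
    saturday_noon = datetime(2024, 1, 13, 12, 0)    # a Saturday
    return {
        "web, Tue 12:00": filter_packet(ACL, web, tuesday_noon),           # deny (time range active)
        "web, Tue 21:00": filter_packet(ACL, web, tuesday_night),          # permit
        "web, Sat 12:00": filter_packet(ACL, web, saturday_noon),          # permit
        "ftp from bad subnet": filter_packet(ACL, ftp_bad, tuesday_noon),  # deny
        "ssh from outsider": filter_packet(ACL, outsider, tuesday_noon),   # deny (implicit)
    }


if __name__ == "__main__":
    for check, action in demo().items():
        print(f"{check}: {action}")
```

Two behaviours are worth checking on any real device against this model: an entry whose time range is inactive must fall through to later entries rather than deny, and the clock the comparison uses must be the device's own, correctly synchronized time.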
In addition to the access models above, other basic access control principles include the following:

• The principle of least privilege specifies a limited, as-needed approach to granting users
and processes access rights to specific information and tools. Where possible, access rights
should also be time-bound, so that a resource is accessible only for as long as is needed to
complete the task. Granting access beyond this scope increases the potential for malicious
manipulation of sensitive data or processes by unauthorized actors. Limiting access rights in
this way also limits the damage a user can do to the system, whether intentionally or by
mistake. All users must be authenticated and authorized, and should be authorized only at the
lowest privilege level required to perform their functions.
• Separation of duties is the concept of requiring more than one person to complete a
sensitive task, so that no single individual can both perform an action and approve it.
Separation of duties is an internal control to prevent fraud and error.
