Access Control

We’re just going to take a look at the different types of access control systems now. And we’ll start with a lattice-based access control system. This is a very, very simple approach to access control, a very early model, and first formally defined by Denning in 1976. This gives you an idea of how far back they go. So latticed-based access control system lists the subjects on one side, the objects on the other, and you plot, using the lattice, a comparison. So in this type of system here, typically we’ll look for different types of label to be used to establish whether or not access should be authorized or not.

So very, very simple, this can be a paper based system or a digital system.

With access control models, we also have a TCSEC. So TCSEC was established in 1983 by the United States National Computer Security Centre (NCSC), under the National Security Agency (the NSA) And they created the Trusted Computer System Evaluation Criteria. This was known as the Orange Book. It was part of their Rainbow series of books, published by the US government to establish a broad range of standards for computer use within government. It was widely adopted though. Beyond government, it was widely adopted and used as a standard nationally and internationally. So this was replaced later by the Common Criteria in 2005. And Common Criteria is now standardized formally as an international standard as ISO 15408, for the certification of computer systems.

So TCSEC is important because it established the concepts of mandatory access control, discretionary access control, which acted as a precursor to role-based access control. So the reason we’re looking at this now is because it introduces us to the next series of access control models, to discretionary and mandatory access controls.

TCSEC had four objectives: to look at the policy, to enforce accountability, to provide assurance, and also to ensure the appropriate documentation of systems. So let’s take a look then at mandatory access control. Mandatory access control is the strictest of all of our models. Typically, for that reason, we see it used in government or in military environments. Mandatory access control is hierarchical in nature and tries to control access by providing access to resource objects by providing privileges through a central administrator. So all access to resource objects is strictly controlled by the operating system based on the settings that have been defined administratively. So here, users can’t change the access permissions, it has to go through that centralised body, the administration team.

This is a very, very stringent model. It is also very difficult to maintain in complex environments because that administrative function will need to make constant changes to permissions, constantly updating permissions, and so it can be administratively burdensome. Here, with mandatory access control, each user account, each subject, has a classification or a clearance, and each object has a classification. And what happens is when access is required the subject, its clearance level is compared with the object’s classification level. And if the privilege levels match or are exceeded, typically access is granted.

Mandatory access control, therefore, is very secure as an access control environment, but it requires lots of planning – we need to understand all the different types of clearances and classifications we have and how each individual subject and object to fit into that scheme. We also then have to maintain it. So it has a very, very high cost of management overhead because of this. We tend to see it restricted to, as we said, military and government environments for these reasons. When the system makes an access control decision, it tries to match that clearance with the classification. And we see a mandatory access control implemented in operating system environments in SELinux. SELinux is Security-Enhanced Linux, a very secure implementation of Linux.

Typically, we do not see this implemented day to day in ordinary operating systems. So the SELinux was created by National Security Agency, the US organisation, and it uses a set of software patches to update the actual kernel to provide that stronger mandatory access control architecture. Otherwise, we don’t tend to see mandatory access control out of those military and government environments. Discretionary access control is much more flexible, much more popular, but does not offer the same level of security. So again, when we’re choosing one of these access control models we need to have a good understanding of our requirements because this informs which system we would wish to adopt within our identity and access management system.

In discretionary access control, here, the object owner specifies which subjects can have access to it. So here the classification is set by the information asset owner, and also the ongoing access by subjects is controlled by the asset owner. So this is discretionary because the control of access is defined by the owner; it’s at the owner’s discretion. This allows for self-management. And we see this within NTFS-type permissions, where a file owner or an object owner can define who has access to that resource through the use of an access control list that defines the privileges. So it defines who has access and also what type of access is provided.

This is a less strong model, partly because the devolved nature of the management of security may fall to people who are not always well suited to managing it, who may not understand some of the complexities around the management. But it is much more flexible, allowing people to change permissions day to day. So most operating systems, Windows, Linux, Macintosh, and Unix, are based on this discretionary access model. So we see the operating system, when you create a file, assigning the creator of that file as the owner and being allowed to define the privileges to that file or folder or share or resource.

So this easily leads to a loss of the least privilege model because it is very difficult centrally to enforce least privilege. How do you manage that enforcement of least privilege unless you have that central administrative body? So this becomes much more user-led.