Access Control Methods
Page content

Using Access Control Methods

In order to protect assets in a company or corporation, security analysts and programmers can set access control to individual components on a computer. These components can be the operating system, programs or even hardware settings. It is a necessary function that many end users often see as a burden.

Access control can be used with the following items when implementing security:

  • Objects - Files or hardware settings (restriction of network settings, usb ports or individual files and folders)
  • Subject - a process function (such as opening a file or folder or program) a subject can be an end user
  • Operation - is the process of an end user trying to modify or delete an object

Access Control Models

There are four major access control models that should be embedded within applications for access control to prevent malicious users from accessing key functions within an application. These access control models are:

  • Manadatory Access Control known as (MAC)
  • Discretionary Access Control (DAC)
  • Role Based Access Control (RBAC)
  • Rule Based Access Control (RBAC)

Because individuals are assigned roles in a relationship with access control objects and / or resources, these users are defined as Owners, custodians, and end users.

The owners are ultimately assigned the responsibility for a file (data integrity) and may delegate how other users use a file. The custodian reports to the owner and can review the security of the individual object. The end user uses and opens the file(s) or objects and ‘uses’ it.

Mandatory Access Control

The process is when the owner (above) defines a policy or policies that can strictly define the end user and their use of programs or files. Because MAC is typically used in the defense industry, this ensures that documents or files are secured.

Note: CompTIA along with other vendors teach these levels of access controls methods. Certifications offered by these vendors are 8570.1 compliant to meet DoD (Department of Defense requirements).

Discretionary Access Control

This access control is the least restrictive and allows total control of objects. This allows users to change permissions and have control over objects as defined above. This can pose security risks and threats if used improperly. This control allows the end user to set the proper protection and settings. Programs such as Microsoft’s Windows Vista and other operating systems now prompt users before actions are taken on programs. Most individuals overlook the fact that the UAC (user account control) is color coded and can give prompts with a color indicating the risk level involved.

Role Based Access Control

Role Based Access Control is an approach that is more realistic and aligned with most business models. Analyst and administrators look at the actual role that the end user will be taking. This approach to security ’looks’ at the end user and defines what they can or cannot do.

Rule Based Access Control

Rule Based Access Control allows for the dynamic assignment of an end user’s processes. If an end user tries to access a program or object, the system checks the individual’s role and the rules assigned for that individual and object.

So what does all of this mean?

Administrators, programmers and analysts must look at a set of best practices in security for their organization. These ’leaders’ in information technology must look at the separation of individual job duties, a minimum set of privileges and make sure that end users are trained and educated in security. With assets going online with e-commerce, small businesses as well as enterprise level businesses must implement extreme means of security to ensure their information and data are protected.