Logical controls, also called technical controls, are used to provide access to your organization’s data in a manner that conforms to management policies. This includes the enforcement of the principles of least privilege and separation of duties. In this article, I examine preventive controls. In Part 2, we look at wireless access controls; remote access security is the topic of Part 3.
Logical Preventive Controls
Preventive logical controls include the following:
- Access control software
- Malware solutions
- Security tokens
Access control software
Access control software, including operating systems (OS), controls the sharing of data and programs through the enforcement of one of three access control methods: discretionary access control (DAC), non-discretionary or role-based access control (RBAC), and mandatory access control (MAC).
DAC relies on the owner or creator of the data to apply security. An example of DAC is the use of folder and file permissions in Microsoft Windows. The owner/creator of a Windows folder or file can grant write, read, and execute permissions to the appropriate users. This might provide a quick and easy means of managing security, but this decentralized approach has disadvantages.
The major disadvantage is the lack of consistency in how access is granted to various classifications of information. Your organization must rely on each user’s voluntary compliance with security policies to ensure assignment of the right levels of access.
Access control based on role definitions is a much better approach when managing user accounts for a company with more than a handful of users. Roles, or jobs, within your organization are defined. Data owners then determine what access each of the roles should have based on data classification and security policies. There are two approaches to implementing roles.
The high-end (read: expensive and resource-intensive) solution involves the purchase and implementation of an identity management or account provisioning system. Such systems allow you to centrally manage user accounts and roles, including job transfers, hiring, password resets, and termination. Once the system is set up, simply add a user account to a role, and all necessary permissions are granted automatically. When a user transfers to another job within your organization, the system automatically removes permissions associated with the old position and adds those required for the new position. Finally, stale accounts are prevented because all rights are removed automatically when an employee is terminated. Although the TCO for an account provisioning system is high, organizations that have to manage a large number of accounts might quickly see a return on security investment (ROSI).
Another approach is the use of groups within your application or OS. In Windows, for example, the accepted practice for managing permissions with an RBAC approach is to create a group for each defined role. The group is then assigned permissions to network resources. When a user is manually added to the group by your system administrator, he is automatically assigned all permissions assigned to the group. This function comes with operating systems and with many applications. However, all hiring, transfer, and termination related activities must be managed manually.
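Because the group-based approach leaves transfers and terminations to manual work, a periodic reconciliation of group membership against the HR roster catches what was missed. The following is an added example, not part of the original article; the role names, group names, and users are constructed for illustration.

```python
# Constructed sample data (assumptions, not from the article).
# Each defined role maps to the group(s) that carry its permissions.
ROLE_GROUPS = {
    "accounts-payable": {"grp-ap"},
    "payroll": {"grp-payroll"},
    "helpdesk": {"grp-helpdesk"},
}
# HR roster: active employees and their current role.
HR_ROSTER = {"alice": "payroll", "bob": "helpdesk"}
# Actual group membership as exported from the OS or directory.
GROUP_MEMBERS = {
    "grp-ap": {"alice", "carol"},   # alice transferred; carol was terminated
    "grp-payroll": {"alice"},
    "grp-helpdesk": set(),          # bob was hired but never added
}

def reconcile(hr_roster, role_groups, group_members):
    """Return (user, group, action) findings where membership and role disagree."""
    actual = {}
    for group, members in group_members.items():
        for user in members:
            actual.setdefault(user, set()).add(group)

    findings = []
    for user in sorted(set(actual) | set(hr_roster)):
        have = actual.get(user, set())
        if user not in hr_roster:
            # No active employee behind the account: every right is stale.
            findings += [(user, g, "remove: stale account") for g in sorted(have)]
            continue
        want = role_groups[hr_roster[user]]
        # Rights left over from a previous role violate least privilege.
        findings += [(user, g, "remove: not in current role") for g in sorted(have - want)]
        findings += [(user, g, "add: required by current role") for g in sorted(want - have)]
    return findings

if __name__ == "__main__":
    for user, group, action in reconcile(HR_ROSTER, ROLE_GROUPS, GROUP_MEMBERS):
        print(f"{user:6} {group:13} {action}")
```

An account provisioning system performs the same comparison continuously; with plain groups, the report has to be run and acted on by hand.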
MAC is the use of labels to determine the level of access required to use a resource and the potential permission level granted to each user. This is an access control approach that requires significant effort to implement and manage. The United States Government often uses MAC to secure highly sensitive information.
In Figure 1, the data both users want to access are labeled Top Secret. Based on organizational policies, User A has a classification of Secret and User B has a classification of Top Secret. The MAC software compares the user classification, or label, to the data’s label. If the user’s classification is the same or higher than that of the data, and the user meets other requirements related to access, then the user is granted permission to use the data. In our example, User B is granted access because her classification is the same as the data. User A is denied access because he has a lower classification.
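The label comparison described above can be written as a short check. This is an added example, not part of the original article: the level ordering, the use of need-to-know compartments to stand in for the "other requirements related to access", the compartment name, and User C are all assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):
    # Assumed ordering of classification levels, lowest to highest.
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

@dataclass(frozen=True)
class Label:
    level: Level
    # Assumption: "other requirements" modeled as need-to-know compartments.
    compartments: frozenset = frozenset()

def may_read(subject: Label, data: Label):
    """Return (granted, reason). The user's label must dominate the data's label."""
    if subject.level < data.level:
        return False, "clearance below data classification"
    missing = data.compartments - subject.compartments
    if missing:
        return False, "missing need-to-know: " + ", ".join(sorted(missing))
    return True, "granted"

# Constructed labels. User A and User B follow the article's example;
# User C is a hypothetical third user added to show the second condition.
DATA = Label(Level.TOP_SECRET, frozenset({"PROJECT-X"}))
USERS = {
    "User A": Label(Level.SECRET, frozenset({"PROJECT-X"})),
    "User B": Label(Level.TOP_SECRET, frozenset({"PROJECT-X"})),
    "User C": Label(Level.TOP_SECRET),
}

def decisions():
    """Evaluate every sample user against the Top Secret data."""
    return {name: may_read(label, DATA) for name, label in USERS.items()}

if __name__ == "__main__":
    for name, (granted, reason) in decisions().items():
        print(f"{name}: {'ALLOW' if granted else 'DENY'} ({reason})")
```

The decision depends only on labels set by policy; unlike DAC, neither the data owner nor the user can change the outcome.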
Malware is a huge threat, with the spread of spyware posing the largest risk to organizations and individuals today. The selection of an effective anti-malware solution is a critical logical control. Just as important is the need for larger organizations to implement a centrally managed solution. This helps ensure all your systems run the most current version of installed anti-malware software.
The use of passwords is the most common preventive logical control. It’s also the least effective. Using strong passwords to strengthen this control usually results in the opposite effect. Users post the password on their monitors, under their keyboards, or in other areas within their work area, because strong passwords are easy to forget. If you rely on passwords, consider supplementing the password control with a second authentication factor, such as tokens or biometrics.
Used to authenticate a user to a system, tokens are hardware devices that can take the form of key fobs or credit cards. They are often used together with another logical access control, such as a password or PIN, to implement strong multi-factor authentication.
Used in conjunction with a token, password, or PIN, a biometric system can be a very strong logical access control. See Physical Security Controls - Part 1 for more information about biometrics.