Introduction
Access control is an aspect of information technology which allows to regulate users viewing and utilizing resources in a computer system. This helps to protect the security of the system and authenticate its users, which has become a critical aspect in the modern age of cybersecurity. This report will evaluate and compare various methods of access control.
Methods of Access Control
Mandatory Access Control (MAC) provides management of access control only to a central authority figure. The end user does not have the ability to control settings or provide access privileges. Two security models are associated with this method, Bell-Lapadula and Biba. The Bell-LaPadula model assigns security labels which focus on information confidentiality. Meanwhile, Biba allows for users with high-level clearance to determine which information can be read by those with lower levels. MAC is common in military security since the owner lacks any ability to decide clearance of users or classification of objects (Hu, Kuhn, & Yaga, 2017).
Discretionary Access Control (DAC) is the model with least restrictions, allowing the user to control any objects and programs that they own. Owners are able to manage user privileges and have access to any objects. This system is most common in commercial and government sectors due to its flexibility. Meanwhile, Rule Based Access Control (RBAC) is a generalized model, encompassing elements from both MAC and DAC.
RBAC grants privileges and access to specific roles assigned by the administrator rather than individuals. This is done dynamically based on criteria defined by the security administrator, who consolidates all policy enforcement. Once selected, users cannot transfer permissions or assign roles to another user. RBAC is effective for civilian and commercial security uses. It approaches to access control from the position of focusing on integrity first, and then confidentiality (Ausanka-Crues, n.d.).
Comparison
MAC is one of the most secure systems available due to its classification policy access restrictions. The Bell-LaPadula model and the trusted component assurance protect such systems from Trojan Horse attacks since the malware cannot grant entry into a system where users have no authorization to manipulate permissions. MAC is efficient in environments with high risk of attack and where confidentiality is a critical concern for sensitive or valuable information (Ausanka-Crues, n.d.).
However, this model is limited since restrictions do not allow for dynamic alterations and require operating systems and utilities to be placed outside the control framework. It requires significant planning for implementation and complex system management and upkeep afterward (Jayant, Swapnaja, Sulabha, & Dattatray, 2014). The negative aspects of MAC are mitigated by using it alongside other security access frameworks.
The critical advantage of DAC is that it enhances dedicated control over system objects. This allows to easily implement least-privilege access and individual control restrictions for various system objects or users. It is incredibly intuitive and cost-effective, remaining invisible and unburdening to system users (Ausanka-Crues, n.d.). Disadvantages of DAC include allowing users to make decisions on access control policies, and since these are global, there is a lack of consistency.
Furthermore, DAC is exceptionally vulnerable to malware which can exploit user authorizations and restrict information flow, allowing the copying of data to another object (Jayant et al., 2014). Weaknesses of DAC can be mitigated by utilizing a reactive access control method.
RBAC has transaction-based rights which protect system integrity. It is able to manage not only system resources but methods of access as well. Disadvantages of RBAC include the difficulty of defining roles in various contexts, especially if there are more roles than users. Furthermore, the static assignment of roles to users presents challenges in dynamic and distributed environments since access rights cannot be modified without changing the role and permissions of the user (Jayant et al., 2014). RBAC can be improved by allowing the system user to actively participate in the selection of their roles.
Implementation
For a medium-sized government contractor that requires some level of security and confidentiality without placing overwhelming restrictions, role-based access control (RBAC) would be the most efficient access control system to implement. It allows for efficient management in organizations of this size by consolidating numerous users into a single entry role, thus completing the matrix transformation into a domain definition table.
This helps to maintain confidentiality under the Bell-LaPadula model while providing robust integrity and flexibility of DAC (Ausanka-Crues, n.d.). RBAC effectively addresses the need of the commercial and government sector since it helps to protect the privacy of personal information, prevent the distribution of financial data, and enforce professional standards. It also fits with the governance structures of many organizations which prefer to maintain central control but distribute access rights based on the role that an individual has in the company which most likely correlates with their management rankings.
One of the primary challenges to RBAC implementation is the lengthy process of establishing roles and distribution of permissions. Static templates may be unfitting for a variety of business models and organizations. Furthermore, RBAC may present barriers at first in reacting to any real-world scenarios causing what is known as ‘role explosion.’ The real-world roles may be incompatible with the available RBAC roles to competently encapsulate permissions (SANS Technology Institute, n.d.). This can be mitigated through competent planning strategies by predefining roles and policy definitions with all permissions and exceptions pre-approved. Fortunately, most of the challenges surrounding RBAC can be resolved over time as the organization adapts to the new system.
References
Ausanka-Crues, R. (n.d.). Methods for access control: Advances and limitations. Web.
Hu, V., Kuhn, R., & Yaga, D. (2017). Verification and test methods for access control policies/models. Web.
Jayant, D, B., Swapnaja, U. A., Sulabha, A. S., & Dattatray, M. G. (2014). Analysis of DAC, MAC, RBAC access control-based models for security. International Journal of Computer Applications, 104(5), 6-13. Web.
SANS Technology Institute. (n.d.). Role based access control to achieve defense in depth. Web.