Evaluating Access Control Methods Report


Access control (AC) governs how users interact with systems: it restricts access to data and other resources and protects them from unauthorized use. There are three major methods of AC: mandatory access control (MAC), discretionary access control (DAC), and role-based access control (RBAC).

Elements of Access Control Methods

The MAC model is static, and it employs a predetermined range of access possibilities for system files (Dulaney, 2011). The parameters are set by system administrators and then attached to files, resources, or accounts. MAC is known for its restrictiveness because it does not allow users to share data dynamically. Another peculiarity of MAC is its use of labels to classify the sensitivity levels of objects (Dulaney, 2011).

Thus, when a subject attempts to access an object, the object's label is examined to determine whether access should be granted or denied. A crucial point about MAC is that once it is employed, labels are mandatory: every object must carry one.

Under DAC, access rights are granted to users by the object's owner (Gordon & Hernandez, 2016). The rights are granted on the basis of rules established by users. DAC corresponds to the “file permissions” model employed by almost all operating systems (Gordon & Hernandez, 2016, p. 11). Users can alter file permissions and thereby create new discretionary policies. The main principle of DAC is that subjects decide who can access their objects (Gordon & Hernandez, 2016). The owner of an object determines the rights of subjects over it, such as the right to read or write. The DAC methodology thus rests on the owners' judgment about what access subjects should have.

RBAC is based on the premise that users may act in specific ways according to their roles within a company (Dulaney, 2011). In most cases, the roles mirror the organizational structure. Users may be assigned roles throughout a system and then carry out responsibilities based on those roles. RBAC is frequently employed in network administration.

Benefits and Limitations of the Three Methods

Each of MAC, DAC, and RBAC has positive and negative aspects. The major benefit of DAC is its flexibility in the range of access control requirements it can support. Provided the authorization state is set up appropriately, a wide range of confidentiality requirements can be expressed (Ferrari, 2010). Because of this advantage, the majority of commercial data management systems have adopted DAC.

Still, this method has limitations, the greatest being that it cannot control the flow of data within the system. Once an authorized person accesses an object, he or she can pass the data it contains to unauthorized people without violating any check performed by the reference monitor. Because of this, DAC is exposed to malicious code embedded in application programs. An example of such an attack is a Trojan horse: software that appears to perform some useful activity for the user but, at the same time, gains unauthorized access to protected items (Ferrari, 2010). To limit this risk, organizations need to apply stronger controls and avoid disclosing sensitive data to untrusted subjects.
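The following simulation is an added illustration, not code from the report or its sources, of the DAC model described in the two passages above: owners grant rights, and the reference monitor checks each access against those rights but has no notion of where written data came from. The subject names and the "payroll" content are constructed sample data.

```python
"""Added illustration of a discretionary access control (DAC) reference monitor.

Each object has an owner, and only the owner may grant rights to other
subjects. The monitor checks every read and write against the object's
permission list, but it knows nothing about the origin of the data being
written, so an authorised reader can copy data into an object it owns and
grant access to that copy at its own discretion.
"""
from dataclasses import dataclass, field


@dataclass
class DacObject:
    owner: str
    content: str = ""
    # subject name -> set of rights ("read", "write")
    rights: dict = field(default_factory=dict)


class DacMonitor:
    """Reference monitor that enforces owner-defined permissions only."""

    def __init__(self):
        self.objects: dict[str, DacObject] = {}

    def create(self, subject: str, name: str, content: str = "") -> None:
        # The creator becomes the owner and holds full rights.
        self.objects[name] = DacObject(owner=subject, content=content,
                                       rights={subject: {"read", "write"}})

    def grant(self, subject: str, name: str, grantee: str, right: str) -> None:
        # Discretion lies with the owner: nobody else may change the rights.
        obj = self.objects[name]
        if obj.owner != subject:
            raise PermissionError(f"{subject} does not own {name}")
        obj.rights.setdefault(grantee, set()).add(right)

    def allowed(self, subject: str, name: str, right: str) -> bool:
        return right in self.objects[name].rights.get(subject, set())

    def _check(self, subject: str, name: str, right: str) -> DacObject:
        if not self.allowed(subject, name, right):
            raise PermissionError(f"{subject} lacks {right} on {name}")
        return self.objects[name]

    def read(self, subject: str, name: str) -> str:
        return self._check(subject, name, "read").content

    def write(self, subject: str, name: str, content: str) -> None:
        self._check(subject, name, "write").content = content


def uncontrolled_flow_demo() -> dict:
    """Constructed scenario: alice owns 'payroll' and shares it only with bob.

    Every individual access below passes the monitor's checks, yet carol,
    who was never granted access to 'payroll', ends up reading its content
    through a copy that bob owns. The monitor cannot see the data flow,
    which is exactly the DAC limitation that label-based MAC addresses.
    """
    mon = DacMonitor()
    mon.create("alice", "payroll", "salaries: ...")      # constructed sample data
    mon.grant("alice", "payroll", "bob", "read")

    copied = mon.read("bob", "payroll")                   # bob is authorised
    mon.create("bob", "notes")                            # bob owns this object
    mon.write("bob", "notes", copied)
    mon.grant("bob", "notes", "carol", "read")            # bob's discretion

    try:
        mon.read("carol", "payroll")
        direct_denied = False
    except PermissionError:
        direct_denied = True                              # the monitor did its job

    return {
        "direct_read_denied": direct_denied,
        "carol_sees_copy": mon.read("carol", "notes") == "salaries: ...",
    }


if __name__ == "__main__":
    print(uncontrolled_flow_demo())
```

Every check the monitor performs is correct by DAC's own rules; the point is that no check is defined on the relationship between the data in `payroll` and the data in `notes`, which is why the text turns to MAC next.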

The disadvantages of DAC relating to uncontrolled data flow may be overcome by MAC. The initial applications of this method concentrated on securing military settings (Ferrari, 2010). Under MAC, authorizations are not specified explicitly. Instead, access is granted according to the security classification assigned to objects and subjects.

This classification is grounded in a set of rules that define the relations between subjects and objects under which the former may access the latter (Ferrari, 2010). However, while MAC mitigates the limitations of DAC, it has drawbacks of its own. One side effect of the most frequently applied MAC model, Bell-LaPadula (BLP), is that unclassified users may write data into a secret file, which may cause serious integrity problems (Contesti, Andre, Waxvik, Henry, & Goins, 2007). To avert such problems, write-up operations should be restricted when applying BLP principles to data management systems (Ferrari, 2010).

With such a measure, subjects can only alter objects whose access classes coincide with their own. Another limitation of the BLP model is that once a subject obtains the first access, everyone becomes able to access everything (Ferrari, 2010). The explanation is that BLP offers strong protection guarantees only when the access classes of subjects and objects do not change during system operation. To eliminate this risk and give MAC more flexibility, the concept of a “trusted subject” is introduced as an option to which the restrictions of MAC do not apply (Ferrari, 2010, p. 54).
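The label checks described in the MAC passages above (labels on every object, the BLP no-read-up and no-write-down rules, the write-up integrity gap and its restricted variant, and the trusted-subject exemption) are easier to see in code. The block below is an added example written for this page, not code from the report or from Ferrari; the four-level scale and the compartment names are constructed assumptions, and the `strict` and `trusted` parameters are this example's own names for the restricted *-property and the trusted-subject option.

```python
"""Added illustration of label-based mandatory access control (Bell-LaPadula).

Every subject and object carries a label: a classification level plus a set
of compartments. Accesses are decided purely by comparing labels, so a user
cannot re-share data at will the way a DAC owner can. The write check is
parameterised so the classic *-property (write up allowed) and the
restricted variant (write only at the subject's own class) can be compared.
"""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    # Constructed four-level scale; any totally ordered set would do.
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    level: Level
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice order: higher-or-equal level and a superset of compartments.
        return (self.level >= other.level
                and self.compartments >= other.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: no read up."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label,
              strict: bool = False, trusted: bool = False) -> bool:
    """*-property: no write down.

    strict=True narrows the rule to objects whose class equals the subject's,
    which closes the write-up integrity gap the text describes.
    trusted=True models a trusted subject that is exempt from the rule.
    """
    if trusted:
        return True
    if strict:
        return subject == obj
    return obj.dominates(subject)


def write_up_comparison() -> dict:
    """Constructed scenario: an unclassified user and a SECRET file."""
    user = Label(Level.UNCLASSIFIED)
    secret_file = Label(Level.SECRET)
    return {
        # Confidentiality holds either way: the user cannot read the file.
        "read_up_denied": not can_read(user, secret_file),
        # Classic BLP lets the unclassified user append to the SECRET file.
        "write_up_allowed_classic": can_write(user, secret_file),
        # The restricted variant blocks that write.
        "write_up_denied_strict": not can_write(user, secret_file, strict=True),
    }


if __name__ == "__main__":
    print(write_up_comparison())
```

Because the decision depends only on the two labels, the DAC copy-and-grant pattern has no equivalent here: a subject cleared for SECRET cannot write what it read into an UNCLASSIFIED object, whoever owns that object.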

The advantages of RBAC are associated with its capability to simplify authorization administration (Ferrari, 2010). The core idea of RBAC is that the permissions users hold on information are tied to their roles within a company. The use of roles has several benefits. The first is that since roles reflect organizational duties, RBAC simplifies mapping a company's access control policies onto the system.

The second advantage is that roles are more stable than users, so assignments need to be changed less often. Also, RBAC is “policy-neutral”: diverse policies can be supported through an appropriate configuration of roles (Ferrari, 2010). However, along with these benefits, RBAC has one serious limitation. In a large organization with many roles, it may be difficult to organize the RBAC roles efficiently and to change them as quickly as real-world roles change.
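The RBAC passages above (roles mirroring the organizational structure, permissions attached to roles rather than users, and the administrative simplification that follows) can be shown with a small policy store. This is an added example written for this page, not code from the report or its sources; the department, role names, and the employee "dave" are constructed, and the role hierarchy is an assumption that goes slightly beyond the text, which does not mention inheritance.

```python
"""Added illustration of role-based access control (RBAC) with a role hierarchy.

Permissions attach to roles, users are assigned roles, and a senior role
inherits the permissions of the roles below it. Moving an employee between
jobs is a change of role assignment, not an edit of individual permissions,
which is the administrative simplification the text describes.
"""
from collections import deque


class Rbac:
    """Role-based policy store: users -> roles -> permissions."""

    def __init__(self):
        self.role_perms = {}   # role -> {(action, resource)}
        self.parents = {}      # role -> roles whose permissions it inherits
        self.user_roles = {}   # user -> directly assigned roles

    def add_role(self, role, perms=(), inherits=()):
        for parent in inherits:
            if parent not in self.role_perms:
                raise KeyError(f"unknown parent role {parent}")
        self.role_perms[role] = set(perms)
        self.parents[role] = set(inherits)

    def assign(self, user, role):
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user, role):
        self.user_roles.get(user, set()).discard(role)

    def effective_roles(self, user):
        # Breadth-first walk up the inheritance graph from the assigned roles.
        seen = set()
        queue = deque(self.user_roles.get(user, ()))
        while queue:
            role = queue.popleft()
            if role in seen:
                continue
            seen.add(role)
            queue.extend(self.parents[role])
        return seen

    def permissions(self, user):
        perms = set()
        for role in self.effective_roles(user):
            perms |= self.role_perms[role]
        return perms

    def check(self, user, action, resource):
        # The access decision never looks at the user directly, only at roles.
        return (action, resource) in self.permissions(user)


def build_policy():
    """Constructed sample hierarchy for a small finance department."""
    rbac = Rbac()
    rbac.add_role("employee", perms={("read", "handbook")})
    rbac.add_role("accountant", perms={("read", "ledger")}, inherits={"employee"})
    rbac.add_role("payroll_manager",
                  perms={("write", "ledger"), ("read", "payroll")},
                  inherits={"accountant"})
    return rbac


def promotion_demo():
    """Constructed scenario: dave is promoted from accountant to payroll manager."""
    rbac = build_policy()
    rbac.assign("dave", "accountant")
    before = rbac.check("dave", "write", "ledger")
    # A promotion is one role change; no individual permission is edited.
    rbac.revoke("dave", "accountant")
    rbac.assign("dave", "payroll_manager")
    return {
        "write_ledger_before": before,
        "write_ledger_after": rbac.check("dave", "write", "ledger"),
        "still_reads_handbook": rbac.check("dave", "read", "handbook"),
        "effective_roles": sorted(rbac.effective_roles("dave")),
    }


if __name__ == "__main__":
    print(promotion_demo())
```

The limitation the text raises shows up in the same structure: when the organization adds a job that matches no existing role, `add_role` must be called and the hierarchy reconsidered before anyone can be assigned, and in a large role set that maintenance is the cost of the model.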

Based on this evaluation, the most suitable method for our organization appears to be RBAC. The rationale is that role-based access control offers a better approach to AC within the company than MAC or DAC. With RBAC, employees' roles in the organization can be aligned with their roles within the data flow system, and authorization administration can be simplified. Compared with MAC's rigidity and DAC's vulnerability to malicious code, RBAC has the fewest disadvantages.

A possible challenge in applying RBAC is that, as the company evolves, new roles may appear, which will require new AC roles to be defined. However, this risk may be eliminated by anticipating new functions and roles and taking AC considerations into account before implementing organizational changes.

References

Contesti, D.-L., Andre, D., Waxvik, E., Henry, P. A., & Goins, B. A. (2007). Official (ISC)2 Guide to the SSCP CBK. Boca Raton, FL: Auerbach Publications.

Dulaney, E. A. (2011). CompTIA Security+ deluxe study guide. New York, NY: John Wiley & Sons.

Ferrari, E. (2010). Access control in data management systems. San Rafael, CA: Morgan & Claypool.

Gordon, A., & Hernandez, S. (2016). The official (ISC)2 Guide to the SSCP CBK (4th ed.). Indianapolis, IN: John Wiley & Sons.

Source: IvyPanda. (2020, October 26). Evaluating Access Control Methods. https://ivypanda.com/essays/evaluating-access-control-methods/