Access control is the heart of security and also the first line of defense in asset protection. Arguable so because it has the ability to allow only authorized users, programs or processes system or resource access to a particular object on a network or stand alone system.
In discretionary access control (DAC), the custodial of the data or information determines or specifies which persons or subjects can access the data or information resource. The access control to the information asset is at the discretion of the owner (Harris, 2010).
Most DAC systems grant or deny access based on the identity of the information or data requester. Often DAC uses ACLs (access control lists) to grant or deny access to network resources. However, in mandatory access control (MAC) access to information resource is based solely on security labeling system. In which case users have security clearances and resources themselves have security labels with data classifications. MAC implementation is found in certain environments where information classification and high confidentiality are of paramount important. A good example is in the military. In MAC implementations, the system makes access decisions by comparing the subject’s clearance and need-to-know level to that of the security label (Harris, 2010). An essential feature of MAC is that the underlying operating systems enforce the system’s security policy through the use of security labels on information assets and the level of security clearance a user possesses.
In contrast to the above two models is the role based access control (RBAC) sometimes called non –discretionary model. With RBAC, access to information resources is based on the role users are assigned in the organization and nothing more. Kayem, Akl, & Martin (2010) observed that role-based access control (RBAC) is a combination of mandatory and discretionary access control; and also RBAC models are more flexible than their discretionary and mandatory counterparts because users can be assigned several roles and a role can be associated with several users.
Although the access control implementation will depend on the environment. But in a distributed environment where I have been privilege to implement RBAC, the RBAC model is the best out of the three because users’ role can be mapped to job function and authorization level. By using the authorization level, user privileges can be easily designed without having to resort to ACLs commonly used in DAC. In addition, RSAC according to Kayem et al. (2010) assigns permissions to specific operations with a specific meaning within an organization, rather than to low level files as in other models. The incident of Trojan horse infection on the network can be reduced by implementing RSAC. DAC is silent on the ways files are to be modified in network operations and this open more ground for security vulnerabilities.
I will use a centralized access control administration as a way to increase security because all access requests will go through a central authority. Visibility on access operations will be enhanced as administration is more simplify. As an administrator, I will only have to cope with a single point of failure and access performance bottlenecks on the network will be easily controlled (Smith, J.)
Reference:
Harris, S. (2010, 5th Edition). CISSP all in one exam guide. Columbus, Ohio: McGraw Hill.
Kayem, A., Akl, S., & Martin, P. (2010). Adaptive cryptographic access control. Advances in Information security, DOI 10.1007/978-1-4419-6655-1_2.
Smith, J. Access Control Systems & Methodology. Retrieved April 29, 2012, from
www.purdue.edu/securepurdue/docs/training/AccessControls.ppt
No comments:
Post a Comment