Authentication and authorization combine to provide the service provider (and the end user) with identity assurance, end-to-end security and integrity. When a client sends a request to a server, the server needs to authenticate it by checking whether the contents of the request are valid. Once the server checks the user’s credentials against the ones stored in the database, it sends a response to the user indicating the result of the authentication request (failure or success). If the user is successfully authenticated, they then send an authorization request to the server, asking for something specific. Once again, the server determines whether the authenticated user is authorized to access the requested service or information and sends a response (again, a success or a failure). Normally, this process occurs every time a user does something on a website that requires them to register, log in and then take actions; however, the whole process is not apparent to the end user.

In today’s world, the sophistication of hackers and their tools is increasing and, with it, the need for rigorous infrastructure security. Access control is a mechanism by which we guard our precious resources and only let authorized people through. Identity verification, authentication, authorization and accountability are the 4 functions that combine to decide whether a user is given access or not.

The first step of the access control process is authentication. During this phase, the system verifies the identity of the request-sending subject by checking whether there is a record for the subject in the identity reservoir.

Once the subject is authenticated (its identity verified), we have to find out which objects, services, information and resources that subject can get access to. We can divide authorization into two dimensions:

Coarse Authorization:

The coarse authorization takes place at a higher level than its counterpart. Via it, we can only determine whether a subject has privileges to access or use an object; the actions that the subject is permitted to do upon grant of access can’t be found out via coarse authorization.

Fine Authorization:

Via fine authorization, we refine the access privileges of the subject a lot more deeply. We can find out the exact actions that a subject is privileged to do upon the grant of access. This process can help us enforce need-to-know, separation of duties and least privilege.

All the steps (starting from the identity presentation and till authorization) are logged in the system. Additionally, all the activities performed on the object by the subject are also logged. These logs are then scrutinized to find out how the whole access control process is performing. Any discrepancies and/or any unwarranted access provisions can hence be found out. This process is known as accountability.

There are many accepted mechanisms that can be used to authorize users connecting to a system. These methodologies need to be understood by the most sophisticated online security experts of today. CISSP exam aspirants also need to understand the authorization models and techniques. Detailed information on the matter can be found here.

ROLE BASED ACCESS CONTROL

In RBAC or role based access control, the decisions regarding granting access depend on the roles and responsibilities of the individual within the administration or the clientele base. These roles are defined by the administration and are normally linked to the security policy of the organization. For example, in a firm, the different roles can be: accountant, developer, receptionist, manager and sweeper etc. Certainly, all these different entities have different responsibilities and hence will require different levels of access to perform their duties.

Via a role based access control framework, security administrators obtain the power to determine who can be granted access to perform what actions, where, in what order, when (and sometimes, pertaining to what relational situations). This link provides excellent information regarding implementation of RBAC systems. The following points are the most rudimentary characteristics of a role based access control system:

  1. Roles get allotted depending on the structure of the organization. Great stress is laid on the security policy of the organization.
  2. Roles get assigned by security administrators, depending on the relationship of the entity with the clientele base or the organization.
  3. All authorized transactions, commands and privileges are stored within the subject’s profile.
  4. Roles get granted their permissions according to the principle of least privilege.
  5. Roles get managed centrally by the lead administrator.
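
The role-to-permission mapping described above, together with the coarse and fine authorization checks from the earlier section, as an added example that is not part of the original article. The subjects, objects and permission sets are constructed for illustration; the role names come from the article's list.

```python
from dataclasses import dataclass, field

# Role -> {object: allowed actions}. Defined centrally by the administrator;
# each role holds only what its duties need (least privilege).
# Constructed sample policy, not taken from the article.
ROLE_PERMISSIONS = {
    "accountant":   {"ledger": {"read", "write"}, "payroll": {"read"}},
    "developer":    {"source_repo": {"read", "write"}},
    "receptionist": {"visitor_log": {"read", "write"}},
    "manager":      {"ledger": {"read"}, "payroll": {"read", "approve"}},
}

@dataclass
class Subject:
    name: str
    roles: set = field(default_factory=set)

def allowed_actions(subject, obj):
    """Union of the actions that the subject's roles grant on obj."""
    actions = set()
    for role in subject.roles:
        # A role with no entry in the policy grants nothing (default deny).
        actions |= ROLE_PERMISSIONS.get(role, {}).get(obj, set())
    return actions

def coarse_authorize(subject, obj):
    """Coarse: may the subject use the object at all?"""
    return bool(allowed_actions(subject, obj))

def fine_authorize(subject, obj, action):
    """Fine: is this exact action on the object permitted?"""
    return action in allowed_actions(subject, obj)

# Constructed subjects.
alice = Subject("alice", {"accountant"})
bob = Subject("bob", {"manager"})
carol = Subject("carol", {"developer"})

if __name__ == "__main__":
    for who, obj, act in [(alice, "payroll", "approve"), (bob, "payroll", "approve"),
                          (carol, "ledger", "read")]:
        print(who.name, obj, act,
              "coarse:", coarse_authorize(who, obj),
              "fine:", fine_authorize(who, obj, act))
```

The accountant passes the coarse check on payroll but fails the fine check for "approve", which is how the fine check enforces separation of duties between accountant and manager.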


DISCRETIONARY ACCESS CONTROL

DAC or discretionary access control provides a mechanism to restrict access to data depending on the users’ identity and/or certain groups’ memberships. The decisions pertaining to access are predominantly made based on the granted authorizations (depending on the credentials presented at authentication time; can include hardware token, software token, password, username etc.).

In most DAC implementations, the information owner has the ability to change the permissions at their own discretion (hence the name). The biggest drawback to DAC is the administrative inability to manage the file/information permissions centrally. Most operating systems, like Windows, Linux and Macintosh, are based on DAC models. The following characteristics are mostly present in DAC systems:

  1. Ownership of information can be transferred to other users by the owners of the data.
  2. If authorization of the same resource fails repetitively, an alarm is generated along with the restriction of the access privileges of the user.
  3. Plug-in or add-on software has to be applied to an HTTP client in order to avoid haphazard copying of data by users.
  4. Information access gets determined depending on the control lists that are based on the group membership and the user identifiers.
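
A small model of the DAC characteristics listed above: an owner-controlled access list keyed by user and group, ownership transfer, and an alarm plus restriction after repeated failed authorizations. This is an added example, not code from the original article; the user names, the group, the resource name and the failure threshold are assumptions.

```python
MAX_FAILURES = 3  # assumed threshold; the article gives no number

class Resource:
    def __init__(self, name, owner):
        self.name, self.owner = name, owner
        self.acl = {}        # user id or "group:<name>" -> set of actions
        self.failures = {}   # user id -> consecutive denied requests
        self.locked = set()  # users whose access has been restricted
        self.alarms = []     # alarm records kept for later review

    def _require_owner(self, actor):
        if actor != self.owner:
            raise PermissionError(f"{actor} is not the owner of {self.name}")

    def grant(self, actor, principal, action):
        """The owner changes permissions at their own discretion."""
        self._require_owner(actor)
        self.acl.setdefault(principal, set()).add(action)

    def transfer_ownership(self, actor, new_owner):
        """Only the current owner can hand the resource to someone else."""
        self._require_owner(actor)
        self.owner = new_owner

    def check(self, user, groups, action):
        """Allow if the user id or one of the user's groups holds the action."""
        if user in self.locked:
            return False
        principals = [user] + [f"group:{g}" for g in groups]
        if any(action in self.acl.get(p, set()) for p in principals):
            self.failures[user] = 0
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILURES:
            self.locked.add(user)
            self.alarms.append(f"ALARM {self.name}: {user} restricted")
        return False

if __name__ == "__main__":
    doc = Resource("report.xlsx", owner="alice")   # constructed sample data
    doc.grant("alice", "group:finance", "write")
    print(doc.check("dave", ["finance"], "write"))  # allowed via group membership
    for _ in range(MAX_FAILURES):
        doc.check("mallory", [], "read")
    print(doc.alarms)
```

Nothing here lets an administrator see or change permissions across resources, which is the central-management drawback the text describes.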

MANDATORY ACCESS CONTROL

MAC or mandatory access control allows the organization to enforce its security policy without relying on voluntary compliance by web application users. Via MAC, data is secured by assigning sensitivity labels to information and comparing them with the sensitivity level at which the user normally operates. MACs are normally more secure than DACs, but there are convenience and performance related trade-offs. The following characteristics of a MAC are worth knowing:

  1. Alterations to security label of a resource can only be made by administrators.
  2. The security levels assigned to data are reflective of its confidentiality, protection and relative sensitivity values.
  3. All the users are automatically granted access to read from classifications that are lower than the ones that they are granted by the system.
  4. All the users have the ability to write to a higher classification.
  5. Access gets given or revoked from users depending on the time (of day), based on the resource labeling and the credentials of the user.
  6. Access is restricted or authorized to objects depending on the HTTP client’s security characteristics. For example, SSL bit length, originating domain, originating IP address or version information etc.

RULE-BASED ACCESS CONTROL

In a rule-based access control model, user access privileges to a system are managed by rules; the application of these rules gets triggered by business changes. Rule-based access control models are very feasible to implement if the number of possible actions and the number of triggering business events are both low. The rule-based access control model normally has the following advantages:

  1. The user will only be granted access if the rule gets matched.
  2. Anybody with the permission can change the rules that are used by an application, without the need to recompile the application.
  3. If a rule gets modified, all the application suites that use the rule will now be using the revised rule; hence, no changes to the code will be required.
  4. Same rules can be used by more than one application.

The most suitable example of rule-based access control is the use of access control lists by routers. The router ACLs determine which IPs and/or port numbers are allowed through the router, and this is achieved via the usage of rules. There are no security labels, group memberships or user accounts.
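
A router-style ACL evaluated in software, as an added example that is not part of the original article. The rule format, the addresses and the ports are constructed; first-match ordering and the implicit deny at the end are assumptions that follow common router ACL behaviour. The rules live in data rather than in code, so they can be revised without recompiling, as the advantages above describe.

```python
import ipaddress
import json

# Constructed rule set. Each rule is
# [action, source network, destination port or null for any port].
RULES_JSON = """
[["deny",   "10.0.5.0/24",   null],
 ["permit", "10.0.0.0/8",    443],
 ["permit", "192.0.2.10/32", 22]]
"""

def load_rules(text):
    """Parse and validate the rule data; bad rules fail at load time."""
    rules = []
    for action, network, port in json.loads(text):
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action: {action}")
        rules.append((action, ipaddress.ip_network(network), port))
    return rules

def evaluate(rules, src_ip, dst_port):
    """Return (decision, index of the matching rule); the first match wins."""
    src = ipaddress.ip_address(src_ip)
    for index, (action, network, port) in enumerate(rules):
        if src in network and port in (None, dst_port):
            return action, index
    return "deny", None  # no rule matched: implicit deny

if __name__ == "__main__":
    rules = load_rules(RULES_JSON)
    for src, port in [("10.0.5.7", 443), ("10.1.2.3", 443),
                      ("10.1.2.3", 80), ("198.51.100.1", 22)]:
        print(src, port, evaluate(rules, src, port))
```

Because the first match wins, the narrow deny for 10.0.5.0/24 has to sit above the broader permit for 10.0.0.0/8; reversing the two would let that subnet through on port 443.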

FINAL WORD

In today’s world, it’s the need of the hour to understand the importance of sophisticated authentication, authorization and accountability mechanisms. CISSP exam aspirants need to be aware of the various authorization mechanisms that have been standardized over the years. We recommend checking out our special CISSP resources.

Be Safe

Ryan Fahey
