There are several areas within access control that are covered on the CISSP exam. Those areas include IAAA (Identification, Authentication, Authorization and Accountability), access control techniques and technologies, administration, control methods, control types, accountability, control practices, monitoring, and threats to access control. This article deals specifically with the role based access control (RBAC) model. RBAC is in widespread use across all industries, it gives organizations a practical way to secure access control, and (ISC)² is showing increased interest in testing the CISSP candidate's knowledge of it.

Role based access control gives organizations a direct way to apply the principle of least privilege: an individual receives only the access needed to do their job, because the access is tied to the job. In a Windows or UNIX/Linux environment this is typically done with groups. The group holds the file permissions, and each individual is then made a member of the group. At the same time, organizations need to periodically review the role definitions and have a formal process in place to modify roles and to test for segregation of duties. Without that monitoring and review, role creep can develop. Say an Accounts Payable clerk who was a member of the group that can add vendors is transferred to another job within AP and is now responsible for entering invoices. Without review, that individual could hold both roles and could add vendors as well as enter invoices for those same vendors, which is not a good segregation of duties.

David Ferraiolo and Rick Kuhn, in their book Role Based Access Control, proposed the RBAC model on the premise that it reduces the overall cost of maintaining secure access control. That model has since been adopted as an ANSI/INCITS standard, ANSI/INCITS 359-2004.

Role based access control is neither mandatory access control (MAC) nor discretionary access control (DAC). MAC is a type of access control in which the operating system controls access to the information. This is typically configured by the system administrator when the OS is set up, for example by specifying which programs need administrative privileges to run. DAC is similar to the traditional Unix system of users, groups, and read-write-execute permissions, where the owner of the information controls who has access to it. With RBAC, access is assigned to users based on the job they have, or the role they play in the organization. For example, when a person working as an Accounts Payable clerk is promoted to Accounts Receivable clerk, their access to the Accounts Payable system is changed. It is not done screen by screen, file by file or drive by drive, but as a group based on their new job, or role. Some accesses may be eliminated but others are likely granted.

When that individual is terminated or transferred, the security administrator simply removes the assigned role, which removes all of the access that the previous role granted. This also answers the question of least privilege, since the assignment is role based and not individual based. This might appear to be more work rather than less; that is true for the initial setup. However, once the system and data owners have identified the different roles, it is a matter of assigning roles rather than individual file or data access.
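The mechanics described above, as an added example that is not from the original article or from the ANSI/INCITS standard text: a small Python model in which roles carry permissions and users carry roles (the same shape as group membership on Windows or UNIX). It shows transfer and termination as role changes rather than per-file edits, a static separation-of-duty constraint that refuses a conflicting second role at assignment time, and a periodic audit that catches the role creep case from the Accounts Payable example when a role was granted outside the normal path. All role, permission and user names are constructed for illustration.

```python
"""Toy RBAC model (added example). Role, permission and user names are
constructed for illustration and do not describe any real AP system."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Rbac:
    # role -> permissions, each written as "object:operation"
    role_perms: dict[str, set[str]] = field(default_factory=dict)
    # user -> roles currently assigned to that user
    user_roles: dict[str, set[str]] = field(default_factory=dict)
    # static separation of duty: role pairs a single user may never hold together
    ssd: set[frozenset[str]] = field(default_factory=set)

    def define_role(self, role: str, perms: set[str]) -> None:
        self.role_perms[role] = set(perms)

    def add_ssd(self, role_a: str, role_b: str) -> None:
        self.ssd.add(frozenset({role_a, role_b}))

    def assign(self, user: str, role: str) -> None:
        """Grant a role; refuse if the user already holds a conflicting one."""
        if role not in self.role_perms:
            raise KeyError(f"undefined role {role!r}")
        for held in self.user_roles.get(user, set()):
            if frozenset({role, held}) in self.ssd:
                raise ValueError(f"{user}: {role!r} conflicts with {held!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user: str, role: str) -> None:
        self.user_roles.get(user, set()).discard(role)

    def transfer(self, user: str, new_role: str) -> None:
        """Job change: drop every old role first, then grant the new one."""
        self.user_roles[user] = set()
        self.assign(user, new_role)

    def terminate(self, user: str) -> None:
        self.user_roles.pop(user, None)

    def permissions(self, user: str) -> set[str]:
        roles = self.user_roles.get(user, set())
        return set().union(*(self.role_perms[r] for r in roles))

    def check_access(self, user: str, perm: str) -> bool:
        return perm in self.permissions(user)

    def audit_sod(self) -> list[tuple[str, tuple[str, ...]]]:
        """Periodic review: list users holding a conflicting role pair.
        Catches role creep introduced outside assign(), e.g. a direct group edit."""
        findings = []
        for user, roles in self.user_roles.items():
            for pair in self.ssd:
                if pair <= roles:
                    findings.append((user, tuple(sorted(pair))))
        return findings


def demo() -> dict:
    """Walk through the AP/AR scenario and return the observable results."""
    r = Rbac()
    r.define_role("ap_vendor_maint", {"vendor:add", "vendor:read"})
    r.define_role("ap_invoice_entry", {"invoice:enter", "vendor:read"})
    r.define_role("ar_clerk", {"receipt:post", "customer:read"})
    # adding vendors and entering their invoices must not sit with one person
    r.add_ssd("ap_vendor_maint", "ap_invoice_entry")

    r.assign("alice", "ap_vendor_maint")
    try:  # the normal path refuses the conflicting second AP role
        r.assign("alice", "ap_invoice_entry")
        refused = False
    except ValueError:
        refused = True

    # role creep: someone adds the group membership directly, bypassing assign()
    r.user_roles["alice"].add("ap_invoice_entry")
    findings = r.audit_sod()

    r.transfer("alice", "ar_clerk")          # promotion to AR replaces AP access
    after_transfer = r.permissions("alice")
    r.terminate("alice")                     # leaving removes everything at once
    after_terminate = r.permissions("alice")
    return {"refused": refused, "findings": findings,
            "after_transfer": after_transfer, "after_terminate": after_terminate}


if __name__ == "__main__":
    print(demo())
```

The assignment-time check and the audit are deliberately separate: the first prevents a conflict through the sanctioned path, the second is the review the article calls for, and it is the one that finds conflicts created by ad hoc group edits.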

Want to learn more? The InfoSec Institute CISSP Training course trains and prepares you to pass the premier security certification, the CISSP. Professionals that hold the CISSP have demonstrated that they have deep knowledge of all 10 Common Body of Knowledge Domains, and have the necessary skills to provide leadership in the creation and operational duties of enterprise-wide information security programs.

InfoSec Institute's proprietary CISSP certification courseware materials are always up to date and synchronized with the latest ISC2 exam objectives. Our industry leading course curriculum combined with our award-winning CISSP training provided by expert instructors delivers the platform you need in order to pass the CISSP exam with flying colors. You will leave the InfoSec Institute CISSP Boot Camp with the knowledge and domain expertise to successfully pass the CISSP exam the first time you take it. Some benefits of the CISSP Boot Camp are:

  • Dual Certification - CISSP and ISSEP/ISSMP/ISSAP
  • We have cultivated a strong reputation for getting at the secrets of the CISSP certification exam
  • Our materials are always updated with the latest information on the exam objectives: this is NOT a Common Body of Knowledge review; it is intense, successful preparation for CISSP certification.
  • We focus on preparing you for the CISSP certification exam through drill sessions, review of the entire Common Body of Knowledge, and practical question and answer scenarios, all following a high-energy seminar approach.

The National Institute of Standards and Technology (NIST) maintains an RBAC resource site. If you are interested in reading further about RBAC, there is news, case studies, and help in implementing the standard on their site at:

http://csrc.nist.gov/groups/SNS/rbac/

NIST is currently investigating revising the RBAC standard. To become involved in developing this important standard, check out:

http://csrc.nist.gov/groups/SNS/rbac/rbac-standard-revision.html
