
Access Control Requirements

6/06/2012 Article

BG

So what does an access control look like?  The fact of the matter is that there is no definitive list of access controls, because each situation has its own facets and requirements.  Information security, particularly on a large scale, does not work with a “one-size-fits-all” solution.  In this article we analyse the different access control requirements.

Given that there are no easy plug-and-play access control systems, we information security folk have to think about what we are implementing.  So what does an access control system entail?

List of Access Control Requirements

  • Reliability and Consistency
  • Transparency and Simplicity
  • Scalability
  • Integrity (think admin control panels, etc.)
  • Maintainability
  • Authentication Data Security and Confidentiality
  • Audit-ability

Access Control Requirements Explained

Reliability and Consistency

Taking the list in order: whatever the system is, it has got to reliably and consistently return the correct verdict for access requests.  Fairly obvious at first glance; if it doesn’t, the organisation can’t trust it, and if it can’t be trusted it will get replaced or, worse still, bypassed.  This doesn’t stop at the immediate “does it work?” question, though: the system has got to keep working for its expected lifetime.  The easiest examples are physical – think of the card swipe system at your gym entrance.  If the card reader wore out every 6 weeks it would quickly become economically unviable: the device would have to be replaced again and again and, as pointed out earlier, if it doesn’t work reliably the staff will bypass it by propping the gate open.

Transparency and Simplicity

Transparency and Simplicity is not quite as obvious as the first requirement.  Essentially, the less the end user has to do, the better.  If users don’t feel they have to fight the system they won’t try to subvert it.  This premise works from a financial point of view too – whilst I don’t necessarily completely agree, it is often observed that “Security is a Tax on the Honest”, meaning that if you have to implement security it costs money and wastes time.  If the user has to do very little to gain access (or better still doesn’t realise they are doing anything at all) then this argument can largely be dismissed.  Yes, there is a set-up cost, but (usually) the larger cost is in people’s time and morale.

Scalability

Scalability is as simple as it sounds: does the access control have the capacity to deal with the quantity of users you are expecting?  An easy way to deal with this is to exaggerate the number of users.  ISC2’s approximation is to double the expected number of users and then add enough zeroes to the end to force an extra comma.

Integrity

Integrity in an access control system is an extension of one of the Pillars of Security.  Integrity in this context means that the results can’t be tampered with.  For example, if there is an administrative control panel, no unauthorised user must be able to change access rights.

Maintainability

OK, so maintainability is about how much management the system requires.  Would you, for instance, buy a car whose engine you had to rebuild every twenty miles, along with changing the oil, topping up the water and refuelling?  The answer should be that it depends on the circumstances.  Think of a Formula One racing car – if you can justify the cost then it makes perfect sense.

Authentication Data Security and Confidentiality

A while back I read an article about Chip and PIN devices not encrypting the data between the handset and the processing device.  This is exactly what ISC2 say you should prevent when they refer to Authentication Data Security and Confidentiality.  To perform the processing required to grant access (in this case to funds in your bank account) you must handle sensitive data, and wherever possible that data should be protected.

Audit-ability

And finally, audits help with detecting problems and enforcing user accountability.  In nearly all cases, audit logs should record both successful and failed attempts.
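To make three of the requirements above concrete (Integrity: only authorised subjects may change rights; Authentication Data Security: the secret used to authenticate is never kept or compared in the clear; Audit-ability: both ALLOW and DENY verdicts are recorded), here is a small toy access-control service.  It is an added example written for this article, not code from the article or from ISC2, and it generalises the Chip and PIN point from data in transit to authentication data at rest: the PIN is stored only as a salted PBKDF2 hash.  All names (`AccessControl`, `enrol`, `POLICY_RESOURCE`), the iteration count and the sample subjects are constructed for the example.

```python
"""Toy access-control service: integrity, protected authentication data,
and audit logging of every verdict (constructed example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Authentication Data Security: the PIN itself is never stored. Only a
# salted PBKDF2-HMAC-SHA256 hash is kept. Iteration count is illustrative.
PBKDF2_ITERATIONS = 100_000

# Integrity: the "administrative control panel" is itself a protected
# resource; changing rights is the 'grant' action on it.
POLICY_RESOURCE = "policy"


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Derive the stored verifier for a PIN."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)


@dataclass(frozen=True)
class Subject:
    name: str
    roles: frozenset
    salt: bytes
    pin_hash: bytes


def enrol(name: str, roles, pin: str) -> Subject:
    """Create a subject; the clear-text PIN is discarded after hashing."""
    salt = os.urandom(16)
    return Subject(name, frozenset(roles), salt, hash_pin(pin, salt))


class AccessControl:
    def __init__(self):
        # policy: resource -> role -> set of permitted actions.
        # Only the 'admin' role may change the policy (Integrity).
        self.policy = {POLICY_RESOURCE: {"admin": {"grant"}}}
        self.audit_log = []

    def _record(self, subject, action, resource, outcome, reason):
        # Audit-ability: every verdict, ALLOW or DENY, is written to the log.
        self.audit_log.append({
            "subject": subject.name, "action": action, "resource": resource,
            "outcome": outcome, "reason": reason,
        })

    def _authenticate(self, subject, pin) -> bool:
        # compare_digest gives a constant-time comparison of the two hashes.
        return hmac.compare_digest(hash_pin(pin, subject.salt), subject.pin_hash)

    def check(self, subject, pin, resource, action) -> bool:
        """Single deny-by-default decision path (Reliability and Consistency)."""
        if not self._authenticate(subject, pin):
            self._record(subject, action, resource, "DENY", "authentication failed")
            return False
        allowed = self.policy.get(resource, {})
        if any(action in allowed.get(role, set()) for role in subject.roles):
            self._record(subject, action, resource, "ALLOW", "role permits action")
            return True
        self._record(subject, action, resource, "DENY", "no role permits action")
        return False

    def grant(self, actor, pin, resource, role, actions) -> bool:
        """Change access rights; goes through the same audited check."""
        if not self.check(actor, pin, POLICY_RESOURCE, "grant"):
            return False  # policy left untouched
        self.policy.setdefault(resource, {}).setdefault(role, set()).update(actions)
        return True


if __name__ == "__main__":
    ac = AccessControl()
    alice = enrol("alice", {"admin"}, "1234")   # constructed sample subjects
    bob = enrol("bob", {"staff"}, "9999")
    ac.grant(alice, "1234", "payroll", "staff", {"read"})
    ac.check(bob, "9999", "payroll", "read")    # ALLOW
    ac.check(bob, "9999", "payroll", "write")   # DENY: no such right
    ac.grant(bob, "9999", "payroll", "staff", {"write"})  # DENY: not admin
    ac.check(bob, "0000", "payroll", "read")    # DENY: wrong PIN
    for entry in ac.audit_log:
        print(entry)
```

Note that a failed `grant` leaves `policy` unchanged and still produces a DENY audit record, so a tampering attempt is both refused and visible to whoever reviews the log.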
