General Principals of Access Control
2/06/2012 Article
Principals of access control are fundamentally about the resources and users you are trying to control and their relationship with one another. Don’t oversimplify the situation; some users are also resources in their own right and some resources need access to other resources.
Like most things when considering information security you need to keep your audience in mind. IT network administrators of very small networks won’t necessarily see the point in producing an Access Control Strategy. That said – a little thought and planning usually result in a better end product. What’s more, given that the basic principals of Access Control are fairly straightforward. There is not much to lose and plenty to gain by spending that time.
First up you need to decide what your default policy is going to be. For the vast majority of digital cases you will find that the preferred option is to deny-by-default. This might not apply to some situations, the most obvious allow-by-default situation is a physical example: a supermarket. By default you want to let everyone in so that they can select and purchase products.
List for Principals of access control
Once you have determined your default stance, you will then need to breakdown the strategy by which you intend to protect your resources. Control Principals are purely conceptual, the method to implement them is a whole other story. Some of the control principals you could implement are:
- Defence in Depth
- Separation of Duties
- Least Privilege / Need to Know
- Compartmentalization
- Security Domains
Different Principals of Access Control explained
Defence in Depth
Imagine an onion. At the heart of this imaginary onion is (for reasons best known by someone else) a very valuable pearl. Each layer of that onion represents a single access control method. You have to penetrate each and every one of those layers to get to the imaginary pearl. Should a layer/method fail, it is then possible to target the layer beneath.
Separation of Duties
The purpose of this Control Principal is to prevent fraud, misuse and errors. In very simple terms we achieve this principle by distributing tasks and privileges between two or more systems or people. The most dramatic illustration of this policy is in missile control rooms. In those systems, it needs two keys to turn in two locks on opposite sides of a room at the same time to allow missile launch. Because this physically requires two people to grant access, it prevents misuse.
It works from a fraud prevention point of view because it requires the individuals to collude. Collusion is a difficult thing for humans to achieve due to the inherent risks. Therefore we can employe it as a security control.
This Access Control Principal can get confused with the Access Control Method – Two Factor Authentication. The two have similarities and could potentially be used in conjunction with one another. In addition, either with two individuals each controlling one access method each, or two individuals controlling both access control mechanisms. But where all four authentications are required.
In the supermarket scenario Separation of Duties is categorically not having one person in charge of dealing with the stock and one dealing with the tills. In fact, it is where one person takes the money from the customer and another who has not dealt with customers money is responsible for cashing up and making sure the tills balance at the end of each shift.
It is also easy to assume that only critical duties should be separated, but in actual fact, mundane or secondary items are worth considering too. Take for instance the supervisor that arranges lunch breaks for security guards at a bank. If only one person performs this duty it could be arranged that fewer than required guards are on duty, or that specific guards are on duty at a certain time thus leaving the bank more vulnerable.
Least Privilege/Need to Know
These two Access Control Principals are very similar. They both work on the basis that only those people who need access to the system or information being protected actually get access to it. Least privilege is about enforcing restrictions to the smallest amount of access needed to complete a job. Need to know is subtly different however in that it explicitly says that:
Whilst senior individuals within an organisation may hold a high enough rank overall. They do not necessarily need access to a different department.
Compartmentalisation
This principal of access control is the process by which you define boundaries for groups of people. Also the process for grouping resources such as job roles and financial departments. It is the process of marrying people groups to resource groups that put structure to the Least Privilege and Need to Know principals.
Security Domains
Security domains are in essence very similar to compartmentalisation, except that this is done on groups of groups. The easiest way to describe this would be to look at prisons. Though I am unsure if these are the official prison classifications for the UK. In descending order you have Maximum Security, High Security, Medium Security and Low-Security prisons. All these prisons will have physical compartmentalisation internally. But you won’t get a maximum security prisoner incarcerated in a low-security prison. You could however in theory get a low-security prisoner incarcerated in a maximum security prison. If there are no rooms elsewhere and that is where the subtle difference between Security Domains and Compartmentalisation occurs. Essentially it’s more like a hierarchy than a border.
