Home

Federica EU

1/27

Valentina Casola » 2.Access Control models: Authentication and authorization mechanisms

Identification, Authentication, Authorization

For a user to be able to access a resource, he must first prove that he is who he claims to be, has the necessary credentials, and has been given the necessary rights or privileges to perform the actions he is requesting.

Identification describes a method of ensuring that a subject (user, program, or process) is the entity it claims to be. Identification can be provided with the use of a username or account number.

To be properly authenticated, the subject is usually required to provide a second piece to the credential set (a password, a cryptographic key, personal identification number (PIN), ….).

Identification, Authentication, Authorization (cont’d)

If identification and authentication credentials match the stored information, the subject is authenticated.

Once the subject is authenticated, the system it is trying to access needs to determine if this subject has been given the necessary rights and privileges to carry out the requested actions.

If the system determines that the subject may access the resource, it authorizes the subject. These mechanisms are enforced through AAA (Authentication, Authorization and Auditing) tools.

AAA tools

Access controls tools are used for identification, authentication, authorization, and auditability. They are software components that enforce access control measures for systems, programs, processes, and information.

They can be embedded within operating systems, applications, add-on security packages, or database and telecommunication management systems.

They can be offered as outsourced services by trusted third parties.

It can be challenging to synchronize all access controls and ensure that all vulnerabilities are covered without producing overlaps of functionality.

Identification and Authentication

Once a person has been identified, through the user ID, he must be authenticated;
He must prove he is who he says he is.

There are three general factors that can be used for authentication:

something a person knows (a password, PIN, …);

something a person has (a key, an access card, a badge);

something a person is (physical attributes).

Identification and Authentication (cont’d)

Authenticating a person by something that he knows is usually the least expensive to implement, but it is less secure, too. Another person may easily acquire this knowledge and gain unauthorized access to a system.

Something a person has is a very common mechanism but the token’s life-cycle needs to be managed, they can be lost or stolen, which could result in unauthorized access.

Authenticating a person’s identity based on a unique physical attribute is referred to as biometrics.

Strong authentication contains two out of these three methods: something a person knows, has, or is (two-factors authentication).

Identification Component Requirements

When issuing identification values to users, the following should be in place:

Each value should be unique, for user accountability.

A standard naming scheme should be followed.

The value should be non-descriptive of the user’s position or tasks.

The value should not be shared between users.

Identity management

Identity management is a broad term that encompasses the use of different products to identify, authenticate, and authorize users through automated means.

The continual increase in complexity and diversity of networked environments only increases the complexity of keeping track of who can access what and when.

Users usually access several different types of systems throughout their daily tasks, which makes controlling access and providing the necessary level of protection on different data types difficult and full of obstacles.

This complexity usually results in unforeseen and unidentified holes in asset protection, overlapping and contradictory controls, and policy and regulation noncompliance.

It is the goal of identity management technologies to simplify the administration of these tasks and bring sanity to chaos.

Identity management (cont’d)

The following are many of the common problems that enterprises deal with today in controlling access to assets:

Various types of users need different levels of access: internal users, contractors, outsiders, partners, etc.

Resources have different classification levels: confidential, internal use only, private, public, etc.

Diverse identity data must be kept on different types of users: credentials, personal data, contact information, work-related data, digital certificates, cognitive passwords, etc.

The corporate environment is continually changing: business environment needs, resource access needs, employee roles, current employees, etc.

Identity management (cont’d)

The traditional identity management process has been manual, using directory services with permissions and profiles.

This approach has proven incapable of keeping up with complex demands and thus has been replaced with the use of newly arrived automated applications that are rich in functionality, including enterprise-wide products and single sign-on solutions.

Identity management (cont’d)

The following are some of the services that these types of products supply:

User provisioning

Password synchronization and resetting

Self service for users on specific types of activities

Delegation of administrative tasks

Centralized auditing and reporting

Integrated workflow and increase in business productivity

Decrease in network access points

Regulatory compliance

Authentication mechanisms

Biometrics:

Fingerprint

Palm Scan

Hand Geometry

Retina Scan

Iris Scan

Signature Dynamics

Keyboard Dynamics

Voice Print

Facial Scan

Hand Topography

Authentication mechanisms (cont’d)

Passwords….. weakness:

If an attacker is after a password, he can try different techniques:

Electronic monitoring Listening to network traffic to capture information, especially when a user is sending her password to an authentication server. The password can be copied and reused by the attacker at another time, which is called a replay attack.

Access the password file Usually done on the authentication server. The password file contains many users’ passwords and, if compromised, can be the source of a lot of damage. This file should be protected with access control mechanisms and encryption.

Brute force attacks Performed with tools that cycle through many possible character, number, and symbol combinations to uncover a password.

Dictionary attacks Files of thousands of words are used to compare to the user’s password until a match is found.

Social engineering An attacker falsely convinces an individual that she has the necessary authorization to access specific resources.

Authentication mechanisms (cont’d)

Password Checkers;
Password Hashing and Encryption;
Password Aging;
Limit Logon Attempts;
Cognitive Passwords;
One-Time Passwords:

Synchronous token device,

Asynchronous token device;

Cryptographic keys;
Smart Cards.

Authorization mechanisms (cont’d)

After successful authentication, the system must establish whether the user is authorized to access the particular resource and what actions he is permitted to perform on that resource.

Authorization is a core component of every operating system, but applications, security add-on packages, and resources themselves can also provide this functionality.

The decision of whether or not to allow users to access some resource was based on access criteria.

Access criteria is the crux of authentication.

Authorization: Access Criteria

This subject can get very granular in its level of detail when it comes to dictating what a subject can or cannot do to an object or resource.

This is a good thing for network administrators and security professionals, because they want to have as much control as possible over the resources they have been put in charge of protecting, and a fine level of detail enables them to give individuals just the precise level of access that they need.

It would be frustrating if access control permissions were based only on full control or no access. These choices are very limiting, and an administrator would end up giving everyone full control, which would provide no protection.

There are different ways of limiting access to resources and, if they are understood and used properly, they can give just the right level of access desired.

Authorization: Access Criteria (cont’d)

Granting access rights to subjects should be based on the level of trust a company has in a subject and the subject’s need to know. Just because a company completely trusts Alice with its files and resources does not mean she fulfills the need-to-know criteria to access the company’s tax returns and profit margins.

These issues need to be identified and integrated into the access criteria.

The different access criteria can be broken up into different types:

roles,

groups,

location,

time,

transaction types.

Access Criteria

Using roles is an efficient way to assign rights to a type of user who performs a certain task. The role is based on a job assignment or function.
Using groups is another effective way of assigning access control rights. If several users require the same type of access to information and resources, putting them into a group and then assigning rights and permissions to that group is easier to manage than assigning rights and permissions to each and every individual separately.

Access Criteria (cont’d)

Physical or logical location can also be used to restrict access to resources. Some files may be available only to users who can log on interactively to a computer. Logical location restrictions are usually done through network address restrictions.

Time of day, or temporal isolation, is another access control mechanism that can be used.

Transaction-type restrictions can be used to control what data is accessed during certain types of functions and what commands can be carried out on the data. An online banking program may allow a customer to view his account balance, but may not allow the customer to transfer money until he has a certain security level or access right. (A database administrator may be able to build a database for the human resources department, but may not be able to read certain confidential files within that database).

Authorization Creep

As employees work at a company over time and move from one department to another, they often are assigned more and more access rights and permissions.

This is commonly referred to as authorization creep. It can be a large risk for a company, because too many users have too much privileged access to company assets.

Users’ access needs and rights should be periodically reviewed to ensure that the principle of least privilege is being properly enforced.

Notes on Authorization

It is important to understand that it is management’s job to determine the security requirements of individuals and how access is authorized.

The security administrator configures the security mechanisms to fulfill these requirements, but it is not her job to determine security requirements of users.

Access Control Models

An access control model is a framework that dictates how subjects access objects. It uses access control technologies and security mechanisms to enforce the rules and objectives of the model.

There are three main types of access control models:

Discretionary (DAC),

Mandatory (MAC),

Nondiscretionary (also called role-based RBAC).

Each model type uses different methods to control how subjects access objects.

For every access attempt, before a subject can communicate with an object, the security monitor reviews the rules of the access control model to determine whether the request is allowed.

Discretionary Access Control

If a user creates a file, he is the owner of that file. An identifier for this user is placed in the file header.

A system that uses discretionary access control (DAC) enables the owner of the resource to specify which subjects can access specific resources.

This model is called discretionary because the control of access is based on the discretion of the owner.

The most common implementation of DAC is through ACLs, which are dictated and set by the owners and enforced by the operating system.

Discretionary Access Control (cont’d)

Most of the operating systems are based on DAC models, such as all Windows, Linux, and Macintosh systems and most flavors of Unix.

When you look at the properties of a file or directory and you see the choices that allow you to control which users can have access to this resource and to what degree, you are witnessing an instance of ACLs enforcing a DAC model.

DACs can be applied to both the directory tree structure and the files it contains.

The PC world has access permissions of No Access, Read (r), Write (w), Execute (x), Delete (d), Change (c), and Full Control.

Notes on DAC

Identity-Based Access Control

DAC systems grant or deny access based on the identity of the subject. The identity can be a user identity or group membership. So, for example, a data owner can choose to allow Bob (user identity) and the Accounting group (group membership identity) to access his file.

Mandatory Access Control

In a mandatory access control (MAC) model, users and data owners cannot determine who can access files.

This model is much more structured and strict and is based on a security label system. Users are given a security clearance (secret, top secret, confidential, and so on), and data is classified in the same way. The clearance and classification data is stored in the security labels, which are bound to the specific subjects and objects.

When the system makes a decision about fulfilling a request to access an object, it is based on the clearance of the subject, the classification of the object, and the security policy of the system.

The rules for how subjects access objects are made by the security officer, configured by the administrator, enforced by the operating system, and supported by security technologies.

DAC and MAC limitations

Each organization has unique security requirements, many of which are difficult to meet using traditional DAC and MAC controls.

DAC is an access control mechanisms that permits system users to allow or disallow other users access to objects under their control without the intercession of a system administrator.

In many organizations, the end users do not “own” the information for which they are allowed access; the actual “owner” is the corporation -> control has to be based on employee functions rather than data ownership.