ITS 4210 - Access Control, Authentication, and PKI
Chapter 1, Access Control Framework
This lesson presents some background material from chapter 1. Objectives
important to this lesson:
- What is Access Control?
- Components of Access Control
- Three Stages of Access Control
- Logical Access Control
- Authentication Factors
The chapter begins with a discussion of two terms. The first is access
which the authors define formally as "the ability of a subject
and an object to interact". (Chapple,
et al, page 3) This use of those two nouns is like what you may have learned
in an English class about diagramming sentences. The subject,
in this case, is the person or thing in the sentence that is taking
action. The object is the
thing that the subject is acting upon.
Typically, the subject is a user
on a network, and the object is
a file that needs to be edited,
or a printer the user would like
to use, or some other object for which the system controls access.
That takes us to the second term. The point is that there needs to be
an access control that allows
or denies access to resources.
If there is no control, then anything is available to everyone, which
is not desirable on most networks. On a network, access control means
that rights (privileges) with respect to particular objects, are granted
or denied to particular subjects.
That brings us to two sets of bullet point on page 4 which you might
confuse. The first set is the components
of an access control system:
- Policies - rules that determine whether a subject
has access to an object
- Subjects - A subject may be a user, a network itself,
a process running on a computer, or an application that requests access
to a resource.
- Objects - resources that a subject wants to use
The text calls the second set of bullet points elements
of an access control system. That means that these are internal
parts of the system itself:
- this may mean the business requirements
that determine who may access
a resource; this may also mean a mechanism
in a system (like Microsoft Active Directory) that applies
such rules to subjects and objects
- Procedures - methods
used to enforce policies, typically carried out by people
- Tools - methods
used to enforce policies, typically used with or by devices
on the network
The discussion on page makes little sense unless you understand the authors'
use of the word subject. It is
good that they define it again. The text says that there are three types
of subjects. It may be clearer to say that there are three categories
that a subject may fall under with regard to any particular resource (object).
- Authorized - those who are known to the system, and
are permitted access to the resource
- Unauthorized - those who are known to the system, but
are not permitted access to the resource
- Unknown - those who are not known to the system; unknown
users are typically allow to authenticate, but not much else
The text states the definitions differently, but those definitions use
a word that has not been defined yet. A user who has presented
proper credentials to a system and been identified
as a known person is a user who has been authenticated.
Note that authenticated and authorized are two different things. This
leads to the next set of bullet points:
- Authentication - the process
by which users prove their identities
to a system
- Authorization - This one doesn't
feel right in the text. A better definition is the process
of granting or denying
permissions to authenticated
- Accounting - The process by
which a system maintains records of the actions of users.
The text expands its list of entities that could act as subjects by explaining
that some resources can be subjects:
- Networks - The text explains that a network is usually an object,
but a network may be granted permissions, so that those permissions
apply to all users logged in to that network. The example in
the text tells us that a firewall rule may state that all addresses
on a given network may access the Internet. This is done by granting
that permission to the address of the network itself, which makes the
network the subject, and the gateway to the Internet
is the object.
- Systems - The text gives an example of a PC that is
given permission to use a printer. This would be best
done by placing PCs in a group object, and granting permissions to that
group. This would allow any user who happened to be using that computer
the permission to use the associated printer.
- Processes and Applications - A process may need access
to a network drive when it needs to read or write material there. An
application may need the same thing. The process of granting this access
is not specified, so we will ignore it for now.
The text begins a new topic, discussing three types of objects
that may be protected with access controls:
- Information - all types of data
- Technology - applications, systems, networks, and devices attached
to them; the text points out that if a user has access to a file server,
all files on it may be compromised by that user
- Physical locations - buildings, rooms, doorways (entrances
Page 7 shows a classic view of an Access Control process. It has three
steps which are once again confusing.
- Identification - A user identifies him/herself to the
system. This is often done with a User ID and a Password,
but it may be done many other ways.
- Authentication - The access control system confirms
the provided information. The user is now authenticated. The
confusing part is that the step above is often referred to as authentication.
- Authorization - Assuming the User ID that has been authenticated
was previously assigned some right or privileges on the system
in question, those rights are now applied to the user's current
login session. The confusing part here is that the actual assignment
of rights must have been done before this login. That is also
called authorization. The authorization that is taking place in this
step is the application of those rights to the current session
on the network.
security is based on one or more of three types of things: something you
have (like a key or an ID card), something you know
(like a PIN or a password), or something you are (like
When a person logs in from a standard workstation in a normal environment,
one level of protection, like an ID and password pair,
may be secure enough.
For a situation that is more vulnerable, like logging in from a remote
location through a public data network, two levels may
be required, such as a user name-password pair along
with a one-time password from a security device (that
may require a Personal ID Number as well). You see the layers? My password
(something I know) is no good unless I use the one-time key from the device
(something I have), which is no good unless I know the PIN that
proves I am allowed to use the device (something else I have to know).
The one-time password shown in the image on the right, by the way, is
only good for one minute. After that minute, a new six numeral code will
be generated. Sorry guys, the minute for that key passed by long ago.
Any complaints should be addressed to the Paladin
of the Lost Hour. The device in the photo is an example of
a hard token. The functions of such a device can also be implemented
in software as a soft token, but I consider that to be a less secure
idea. Using a soft token lets the hacker strike another object off his
"have to steal all of these" list.
As the text points out, the thing that makes secrets valuable is secrecy.
If everyone can look up a password, as you can do for the default administrator
passwords on most routers, there is not much value in using that password.
Passwords usually expire, and you can usually change one any time you
need to do so. They should all be changed from time to time. Any time
you install something that uses a factory default password, you should
change that password, and make a note of it in a secure place.
page 9, the text discusses logical access controls. This is another
way of looking at the rules you need to implement on your network. You
need to remember these concepts. A good way is to memorize a line from
Kipling about six
honest serving men:
I keep six honest serving-men
(They taught me all I knew);
Their names are What and Why and When
And How and Where and Who.
(The rest of the poem is not important in this context.)
- Who are we granting the permissions to? Have we made
certain of their identity with the level of security required to access
- What kind of access is being granted? Is it the correct
kind of access?
- When is the subject allowed to access this resource?
Is there a reason to restrict access by the hour of the day, day of
the week, or by a term of service? The text cautions against the overuse
of this kind of policy, because it can become an impediment to users
instead of a mere restriction.
- Where is the user, and does that matter? This can be done several
ways. Using a logical location, we might restrict access based
on an IP address (part of a known network), or a MAC address
(from a known device). Using a geographic location may be harder. If
access is granted only from devices known to be in a secure location,
we are still using logical IDs to grant the access, but we are doing
it for a different reason. The main reason to do something like this
is to make sure there is no access across a public gateway. Why not
allow that? If you are using a VPN, that may be fine, but if you are
not, then your transmissions, wireless or not, may be monitored by someone
we don't want seeing them.
- Why is the access being granted? Is this reason compliant
with security policies?
- How will you grant this access? Will we grant access
to the subject, to a group that includes the subject, or to a network
the subject is using? How much permission will you give? The text tells
us that most systems support at least four levels of access to files
- Administrative access - all rights to all files
in the container (read, write, update, delete)
- Author access - read and write access, or
all rights, but only to files you own in either case
- Read only access - read access, but none of the
- No access - just like it sounds, no rights to any
files in the container
On page 11, the text discusses granting access according to group
membership. This is a much easier approach than applying rights
to each individual, especially in an environment in which people frequently
change jobs or duties. Since people can be assigned to multiple groups
in most systems, their cumulative rights are the sum of
those that they receive from each group.
The text also discusses being very granular, and granting rights to specific
resources, such as files, tables, and databases. It tells us that each
of these things, in its own context, may be treated as an object.
The text ends the chapter with another discussion of the three elements
of authentication: something you know, something you have,
and something you are. It expands a bit on each one:
- Something you know - The text recommends selecting passwords
and personal ID numbers that are hard for someone to guess. Never
write them down on a visible note, never use a number that means something
other people know about you or can learn about you, and try the suggestion
about using a pass phrase instead of a single word. Another suggestion
would be to make an acronym from a longer pass phrase, like a
line from a song. You should probably use a song you know well, and
make sure you never tell anyone what song you are using.
- Something you have - The text describes the kind of token I
described above, and another that requires the user to ask for a challenge
code, enter it in the device, read a response code
from the device, then enter the response in the system they are
trying to access. This is obviously a more secure system than the code
that can be read from the token directly.
- Something you are - The text discusses standard biometric
measures, such as fingerprints, retinal scans, and hand
or face geometry. These are all physical characteristics.
The text also discusses the use of behavioral characteristics.
Some smart devices offer this sort of security when they allow you to
unlock the device with a specific sweep of your fingers. This category
also includes a system learning the typing rhythm of a user, the way
a user speaks, or the way the user writes a phrase on a scanning screen.
These behaviors might all be copied, and so they should be considered
less secure than the physical measures.