ITS 4210 - Access Control, Authentication, and PKI

Chapter 6, Mapping Business Challenges to Access Control Types


This lesson concerns chapter 6. Objectives important to this lesson:

  1. Relating access controls to business needs
  2. Applying access controls to business needs

Chapter 6

The chapter begins with the idea that particular access controls are a good match for particular business needs. The first illustrations are the related concepts of business continuity (staying in business during a disaster) and disaster recovery (getting back to normal after a disaster).

Regarding business continuity, the text recommends using access controls to reduce the risk of loss and the risk of business interruption. It seems to go off the track when it begins a discussion of having redundant data centers, but that is an application of a physical control, one of having multiple sites that can do the same work.

In a more related story, the text discusses the dismissal of an employee who is given an hour to clean out her office before being fired for embezzling. She is then left alone in her office for an hour. She copies account information, deletes data, and plants viruses and spam bots on the company network. She later offers her clients a discount if they will come to her new company, which she presumably just created.

The text then explains what should have been done. This is a classic case in which business needs and the usual treatment of an employee collide.

  • The classic approach to removal of personnel includes removing their access rights to the company systems and data at or before the moment they are informed that they are leaving employment.
  • Regardless of removing her rights, such an employee should never be left alone with a computer on the company network, in case they have installed a back door, or another identity that could be used to cause the kind of damage described in the story. She could, of course, already have prepared a copy of the data she wanted to take, but controlling her would have removed her means of deleting data directly.
  • When there is no suspicion that the employee bears any ill will against the company, there can be some variation in this procedure. Congratulations on your retirement, Linda! 
  • When there is such suspicion, it is still prudent to restrict the employee's rights as soon as possible. This is difficult to do when the job they hold gives them access to sensitive information, which is why extreme measures are often taken with departing system administrators. As the story shows, the employee in question did not hold such a job, but she knew how to create problems without elevated rights. Many people are capable of this sort of action, by intention or by accident.

The text tells us another story. It is longer and less detailed than we might like. In the course of a fire at a company's main office, their web server is taken down due the power being out. There is no clear way for the Chief Operating Officer to restore the web site without getting a login ID and other information from a system administrator. A problem with this story is that it would never happen that way. In a well run company, there would be an emergency plan for bringing up an off site server and a backup copy of the web site, and the COO in this story would probably have nothing to do with it except to authorize it to happen as the first person in authority who is aware of the situation. The author suggests that the use of emergency phone numbers (cell phones) for such events would make it more likely that someone receiving such a call would be receiving it from an authorized caller. Nice idea, but costly if those phones were only used in emergencies. Oh, by the way, where is it? My phone. Where is my emergency phone?

Businesses have many reasons to keep their operating procedures and data private and secret. We are aware of the need to protect a customer's personal information, but some businesses have their own secrets that they do not want to share with competitors. The same methods used to protect other sensitive information should be used to protect trade secrets and secret recipes as well.

  • Assign the least necessary privileges to any resource, to the fewest people possible
  • Promote/require strong passwords and use other technical protections
  • Physically secure our locations, using locks, guards, and other measures as needed
  • Deactivate lost devices and ID cards as soon as possible; require employees to report such losses promptly
  • Maintain a program of security awareness for staff

The text moves on to review risk management methods that were discussed in chapter 2. It gives us a few more details and examples of avoidance, acceptance, transference, and mitigation. Remember that there are other strategies than the four the text presents.

  • avoidance - make every effort to avoid your vulnerabilities being exploited; make the attack less possible, make the threat less likely to occur; avoid risk by avoiding the activity associated with the risk, and by providing an active defense against it
  • acceptance - this counterintuitive idea makes sense if the cost of an incident is minimal, and the cost of each of the other methods is too high to accept; the basic idea here is that it costs less just to let it happen in some cases, and to clean up afterward
  • transference - in general, letting someone else worryy about it; engaging a contracted service to protect us against risk would an example of transference
    mitigation - this method seeks to reduce the effects of an attack, to minimize and contain the damage that an attack can do; Incident Response plans, Business Continuity plans, and Disaster Recovery plans are all part of a mitigation plan

The text repeats some material about protecting confidentiality, integrity, and availability from threats by using access controls. On the same theme, it considers vulnerabilities and mentions three areas where vulnerabilities are often found:

  • Operating systems - The text points out that most viruses attack the operating system of a computer. Updated protection software and patches to the OS should be applied regularly.
  • Applications - Applications typically do not receive patches as often as operating systems, but some are famous for patches, such as Adobe Reader and Flash Player. Updates to applications that address known vulnerabilities are required in a well run environment.
  • Users - The text advises us to teach users to resist social engineering, and to create stronger passwords.

The next section of the chapter reminds us about some terms used to describe the need for access rights:

  • subject - an entity that requires access rights to some resource; like the use of the this word in grammar, the subject takes action on something
  • object - a resource that some subject needs to act upon; again, like the grammar use of the word, an object is acted upon by a subject

The text uses these terms to explain that we can make lists of the subjects who need particular kinds of access to particular objects. We can use these lists to make plans for granting access. We can also use this information to make plans about the access controls we need to apply to the sensitive, popular, and necessary objects. The text stresses that we need to make sure we are covering all subjects and objects in our system, but we should remember that no environment is stable for very long. There will be new subjects and objects, and there will be subjects and objects that should be removed from our system on a regular basis. Everything changes.

For some kinds of access, it makes sense to create groups, assign access rights to those groups, and to make users members of those groups for the time they need to access the relevant objects. This allows us to make one rights assignment, which can be modified or removed in one place if a mistake is discovered, affecting the rights of all members of the group at once. In Active Directory, such a group is typically called a security group. When a user no longer needs access rights to an object, that user can be removed from the group in question. When a new user needs those access rights, that user can be made a member of the right security group to receive the same access as the other members.

That was not really news. The text introduces three kinds of access control methods, and two review methods:

  • Mandatory Access Control (MAC) - the most restrictive model; the owner defines a security policy, a security agent (a central authority) implements it, and the end users cannot change it
  • Role Based Access Control (RBAC) - access is granted to roles (groups) defined on the systems, end users are assigned to roles so they can access assets needed for their jobs
  • Discretionary Access Control (DAC) - least restrictive model; subjects (end users) can own objects, and have total control over them (like a SharePoint web server system); end users must set and maintain security for their assets, which most people will do badly; processes run by end users inherit their permission levels
  • Automated account review - The word "automated" is improperly useed to mean that access controls that have not been used in a specific time period are automatically selected to be reviewed. The review is done by people, not by a computer or a program. The program simply finds the accounts that should be reviewed, and notifies appropriate staff.
  • Automated expiration of temporary access - Accounts in many systems can be createed with expiration dates. This principle uses this feature to make sure that temporary accounts do not continue to be usable without human intervention.

Page 124 reviews two well known principles that address business needs.

  • Separation of responsibilities - make sure that large purchases and othher sensitive activities cannot be accomplished without the approval of at least two areas of responsibility, such as requiring two signatures on large checks; don't give any one person the ability to defraud the system; checks and balances of power are better
  • Least privilege - never assign more access rights than are actually need to perform a task, in order to reduce the exposure of assets that need not be exposed
Another kind of risk is discussed on page 125. We are cautioned not to grant administrative rights (the highest level of rights) to an asset without a good reason. The text warns us that having this level of permission to a computer, for example, allows the operator to do almost anything they want, including choosing to install software. That does not sound so bad, but the main problem is that not only can the operator do anything, so can any process started by the operator, including viruses and malware. There is some level of protection to be had from running a computer as a user who is not allowed to install new software.

Assignments for Chapter 6

  1. Continue the reading assignments for the course.
  2. Complete the assignments and class discussion made in this module.