Access Control Principles - International Institute of


Information Classification & Access Control

Background

Not all information is equal
 Context decides the sensitivity
Even within the same sensitivity level, not all information should be revealed to the same set of people
 The higher the sensitivity, the tighter the sharing becomes
Information sharing needs to be accountable
 A person who knows some information should not be able to share it with someone else without certain controls
Thus, information access should be controlled based on the type of information and the type of people

What we will cover

Information Classification
Types of controls
Principles and Case Studies
Classic Models of Access Control
Access controls in practice
Case Studies: Windows and Linux Access Controls

Introduction

Aspects of information classification
Classification from a legal standpoint
Responsibility for care and control of information
Integrity of information
Criticality of information and of the systems processing the information
Simple to use and administer (ISO)
Effective in determining the level of protection required (ISO)
Applied uniformly (ISO)

Initialization

To start information classification, one needs to understand the following:
What are the mission-critical or sensitive activities or operations?
Where is mission-critical or sensitive information stored?
Where is this information processed?
Who requires access to this information?
Based on the above, a classification can be determined. Remember:
Only governments have standard classifications.
Corporations require classifications based on need.
Reduce the number of classes as much as possible.

ISO 27002 Suggested Classification

Top Secret
 Impending mergers or acquisitions, investment strategies, plans or designs
Highly Confidential
 Accounting information, business plans, sensitive information of customers of banks (etc.), patients' medical records
Proprietary
 Procedures, project plans, operational work routines, designs and specifications that define the way in which the organization operates
Internal Use Only
 Internal memos, internal project reports, minutes of meetings, policy documents, etc.
Public Documents
 Press statements, annual reports, etc.

Case Study 1

Highly Confidential
 Disclosing this data can cause severe financial, legal or reputation damage
 E.g., acquisitions data, tender details, negotiation strategies (especially buying strategies)
Confidential
 Disclosing may cause financial, legal or reputation damage
 E.g., employee information, salaries, etc.
General
 Internal information which is restricted for use within the company

Case Study 2

Top Secret
 Disclosing this information can cause severe impact to the company's competitive advantage or business strategies. E.g., IP, mergers, etc.
Confidential
 Disclosing this information can violate the privacy of individuals, reduce competitive advantage, etc.
Restricted
 Information that can be given to only a subset of employees. E.g., employee appraisals, etc.
Internal Use
 Information that is available to all company employees for use in the company's business, e.g., codes for identifying themselves to customer care, etc.
Public
 Information that can be made available to the public through the website, news releases, etc.

Case Study 3

Confidential Red
 Disclosing causes severe damage to operations, results in contractual or legal liability, loss of business partners, and/or causes a severe drop in stock value.
Confidential Yellow
 Disclosing causes moderate damage to the company, reveals the modus operandi of the company at least sufficiently, reveals important technical or financial aspects, causes a temporary drop in stock value, etc.
Confidential Green
 Disclosing might give someone a business advantage, but the information cannot easily be associated with a particular product and has little competitive value. Mostly internal information.
Public
 Information such as audited results, changes in the directorate, etc.; information that is probably of interest to vendors and stockholders.

Case Study 4

Confidential
 Likely to adversely affect the company, embarrass an individual, etc. E.g., customer health records
Internal
 All forms of proprietary information originated or owned by the company or entrusted to it. E.g., policies, procedures, phone directories, etc.
Public
 Information officially released for widespread disclosure. E.g., product brochures, disclaimers, annual reports, employment advertising

Exercise

Consider all the previous classifications and give a detailed policy of protection for these classifications.
Consider both printed and electronic data, stored as well as transmitted data.
For example, the document should address issues such as: how to store the data, how to use the data, and how to monitor the sharing of data.
This whole exercise is called records management.

Access Control

Purpose: to limit access to data to only those individuals who need it to carry out their tasks

Problems faced in access control

Data falls into different classes and there are various constraints on using, sharing and destroying the data.
We need to describe appropriate models of access control that will capture these constraints without violating any security tenets.
How do we ensure that the access control mechanisms we have can address all conflicts appropriately?

Security Models and Assumptions

Purpose of security models
To describe, study or analyze situations or associations
To test a policy for completeness and consistency
To document a policy
To visualize and design an implementation
To check the consistency of an implementation with the policy requirements

Assumptions
The access control policy is pre-defined for the various users and objects
The policy is defined outside of any model

Classical Access Control Models

Lattice Model
Bell-LaPadula Model
Denning Model
Biba Model
Chinese Wall Model

Lattice Model

A mathematical structure of elements organized by a relation among them, expressed using a relational operator.
A relation is a partial order if it is both transitive and antisymmetric
Consider a set of elements a, b, c and some operation <
 Transitive: if a < b and b < c, then a < c
 Antisymmetric: if a < b and b < a, then a = b
Note: in a lattice every pair of elements need not be comparable. But the following hold in every lattice:
 Upper bound: an element that is > all other elements
 Lower bound: an element that is < all other elements

Example
Relation is "is a factor of"
Typical relations: "reports to", "descendant of", "is subset of", "is less than"

Bell-LaPadula Model

Defines a formal model for allowable information flows in a secure system
Identifies allowable communication while maintaining secrecy
Secure information flows describe acceptable connections between subjects and objects of different levels of sensitivity.
Such analysis supports the construction of systems that can perform concurrent computation on data at two different sensitivity levels.
 For example, the same machine can process top-secret and confidential data at the same time.
 The programs processing top-secret data would be prevented from leaking top-secret data to the confidential data, and the confidential users would be prevented from accessing the top-secret data.
The Bell-LaPadula model is useful as the basis for the design of systems that handle data of multiple sensitivities.

Semantics of Bell-LaPadula

Considers a subject set S and an object set O
Each subject s in S and each object o in O has a fixed security class:
 C(s): clearance level
 C(o): classification level
These are ordered by a relation, say "<"
The model works easily for a lattice type of ordering, but can also work on restricted classes (i.e., classes that do not necessarily have a strict or partial ordering)

Properties

Simple Security Property: a subject s may have read access to an object o only if C(o) < C(s)
 Meaning?
 The security class (clearance) of the subject must be at least as high as the classification of the information
Star Property: a subject s who has read access to an object o may have write access to an object p only if C(o) < C(p)
 Meaning?
 Prevents "write-down", which occurs when a subject with access to higher-level data transfers that data to a lower-level object
 The property requires that a person receiving information at one level not talk with people cleared at levels lower than the level of the information

Biba Integrity Model

The Bell-LaPadula model addresses secrecy and inappropriate flow of information
Integrity of information is addressed by the Biba model

Properties
Simple Integrity: s can modify object o only if I(s) > I(o)
 An untrusted subject who has write access to an object reduces the integrity of that object
Integrity *: if s has read access to object o with integrity level I(o), s can have write access to object p only if I(o) > I(p)
 The low integrity of a source object implies low integrity for any object based on the source object.

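The lattice ordering, the two Bell-LaPadula properties and the two Biba properties above, as one added example that is not part of the lecture slides. Labels are (level, set of compartments), so two labels with different compartments are incomparable, as the lattice slide notes; the level names and compartment names are constructed sample values, not from the slides.

```python
# Added example (not from the lecture slides): a security lattice of labels and
# the Bell-LaPadula and Biba rules from the slides, written as pure functions.
# A label is (level, set of compartments); label x dominates y ("y < x" in the
# slides' notation, with equality allowed) when x.level >= y.level and
# y.compartments is a subset of x.compartments. Names below are constructed.
from dataclasses import dataclass, field

LEVELS = {"public": 0, "internal": 1, "confidential": 2, "top_secret": 3}

@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = field(default_factory=frozenset)

def dominates(x: Label, y: Label) -> bool:
    """True iff y <= x in the lattice (x is at least as high as y)."""
    return LEVELS[x.level] >= LEVELS[y.level] and y.compartments <= x.compartments

def join(x: Label, y: Label) -> Label:
    """Least upper bound: the lowest label that dominates both x and y."""
    top = max(x.level, y.level, key=LEVELS.get)
    return Label(top, x.compartments | y.compartments)

# Bell-LaPadula (secrecy): C(s) is the subject's clearance, C(o) the object's classification.
def blp_can_read(clearance: Label, obj: Label) -> bool:
    # Simple security property: read only if C(o) <= C(s) (no read-up).
    return dominates(clearance, obj)

def blp_can_write(read_objects: list, target: Label) -> bool:
    # Star property: a subject that has read objects o may write p only if C(o) <= C(p)
    # for every such o (no write-down).
    return all(dominates(target, o) for o in read_objects)

# Biba (integrity): I(s) and I(o) are integrity labels over the same kind of lattice.
def biba_can_modify(subject: Label, obj: Label) -> bool:
    # Simple integrity: s modifies o only if I(s) >= I(o); a low-integrity subject
    # must not pollute a high-integrity object.
    return dominates(subject, obj)

def biba_can_write_after_read(read_objects: list, target: Label) -> bool:
    # Integrity *: having read o, s may write p only if I(o) >= I(p), so data derived
    # from a low-integrity source cannot flow into a higher-integrity object.
    return all(dominates(o, target) for o in read_objects)
```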
Specifying Access Control Policies

Two conditions to be met:
The access control structure should help to express your desired access control policy
You should be able to check that your policy has been captured correctly
Some methods:
Access control matrix
Capabilities
Access Control Lists

Access Control Matrix

Conditions:
Bill.doc may be read and written by Bill, while Alice has no access
Edit.exe can be executed by both Alice and Bill, but otherwise they have no access
Fun.com can be executed and read by both users, but only Bill can write to the file

          Bill.doc      Edit.exe    fun.com
Alice     --            execute     execute, read
Bill      read, write   execute     execute, read, write

Capabilities

Alice's capability: edit.exe: execute; fun.com: execute, read
Bill's capability: bill.doc: read, write; edit.exe: execute; fun.com: execute, read, write
Problems?
 Difficult to get an overview of who has permission to access a given object
 Difficult to revoke a capability

Access Control Lists

An ACL stores the access rights to an object with the object itself
ACL for the previous example:
 ACL for bill.doc: Bill: read, write
 ACL for edit.exe: Alice: execute; Bill: execute
 ACL for fun.com: Alice: execute; Bill: execute, read, write
Problem?
 Finding and revoking a particular user's access permissions

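The Alice/Bill matrix from the slides stored both ways, as an added example that is not part of the lecture slides: the row view gives capabilities, the column view gives ACLs, and the two "problem" queries the slides name each turn into a scan over the whole other dimension. The function names are assumptions of this example.

```python
# Added example (not from the lecture slides): the slides' matrix stored by row
# (capabilities) and by column (ACLs). The queries the slides call "problems" are
# exactly the ones that need a scan over every subject or every object.
MATRIX = {  # subject -> object -> rights, copied from the slides' example
    "Alice": {"bill.doc": set(), "edit.exe": {"execute"}, "fun.com": {"execute", "read"}},
    "Bill":  {"bill.doc": {"read", "write"}, "edit.exe": {"execute"},
              "fun.com": {"execute", "read", "write"}},
}

def capabilities(matrix):
    """Row view: each subject carries its own list of (object, rights)."""
    return {s: {o: set(r) for o, r in row.items() if r} for s, row in matrix.items()}

def acls(matrix):
    """Column view: each object carries the list of (subject, rights)."""
    out = {}
    for s, row in matrix.items():
        for o, rights in row.items():
            if rights:
                out.setdefault(o, {})[s] = set(rights)
    return out

def who_can_access(caps, obj):
    """With capabilities, 'who can reach obj?' means scanning every subject's list."""
    return sorted(s for s, row in caps.items() if obj in row)

def revoke_subject_everywhere(acl, subject):
    """With ACLs, revoking one subject's access to everything means visiting every
    object's list. Returns the number of ACL entries removed."""
    removed = 0
    for entries in acl.values():
        if entries.pop(subject, None) is not None:
            removed += 1
    return removed

def allowed(acl, subject, obj, right):
    """The per-object check an ACL makes cheap: one lookup on the object's own list."""
    return right in acl.get(obj, {}).get(subject, set())
```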
Intermediate Controls

Access controls based on objects or subjects alone are prone to problems of scalability and revocation
Introduce intermediate layers between users and objects to represent policies in a more manageable fashion
Types of layers:
Groups and negative permissions
Privileges
Role-based Access Control
Protection Rings

Groups and Negative Permissions

Users with similar access rights are collected in groups, and groups are given permission to access objects
Negative permissions: an entry in the access control structure to prevent a user from accessing an object he would normally get access to by being part of a group

Privileges

Collect the right to execute certain operations in privileges, for example, operating-system-level operations
 E.g., system administration, backup, mail access

Popular Access Control Mechanisms

Role-based Access Control: roles are created, and access control is through high-level data types and procedures
Discretionary Access Control: an owner is defined for each resource, and the owner can decide who can be granted access to the resource
Mandatory Access Control: a system-wide policy decides who gets access to which resources

Role-Based Access Control

Roles: a role is a collection of procedures. Roles are assigned to users. A user can have more than one role, and more than one user can have the same role.
Procedures: procedures are 'high-level' access control methods with more complex semantics than read or write. Procedures can only be applied to objects of certain datatypes.
Datatypes: each object is of a certain datatype and can be accessed only through the procedures defined for this datatype.
 E.g., a lecturer can create a role Student for students in the course and assign the privilege to read course material to this role

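The three RBAC layers just described (roles made of procedures, procedures bound to datatypes, objects reachable only through those procedures), as an added example that is not part of the lecture slides. It builds on the slides' Student example; the Lecturer role, the upload and grade procedures and the object names are assumptions of this example.

```python
# Added example (not from the lecture slides): a minimal RBAC check with the three
# layers the slides name. A role is a set of procedures; each procedure is bound to
# one datatype; an object is reached only through a procedure for its datatype.
# The Lecturer role, the "upload_material"/"grade" procedures and the object names
# are constructed for this example.
from collections import namedtuple

Procedure = namedtuple("Procedure", "name datatype")  # a procedure applies to one datatype

PROCEDURES = {
    "read_material": Procedure("read_material", "course_material"),
    "upload_material": Procedure("upload_material", "course_material"),
    "grade": Procedure("grade", "submission"),
}
ROLES = {  # role -> procedure names (a role is a collection of procedures)
    "Student": {"read_material"},
    "Lecturer": {"read_material", "upload_material", "grade"},
}
USER_ROLES = {"alice": {"Student"}, "bob": {"Student", "Lecturer"}}  # users may hold several roles
OBJECTS = {  # object -> datatype
    "week1.pdf": "course_material",
    "alice_hw1": "submission",
}

def procedures_of(user):
    """Union of the procedures over all of the user's roles (empty for unknown users)."""
    return set().union(*(ROLES[r] for r in USER_ROLES.get(user, ())))

def may_invoke(user, procedure, obj):
    """Allowed only if the procedure is in one of the user's roles AND the procedure's
    datatype matches the object's datatype. A raw 'read' or 'write' is not a procedure
    here, so it is never a valid request."""
    proc = PROCEDURES.get(procedure)
    if proc is None or obj not in OBJECTS:
        return False
    return procedure in procedures_of(user) and proc.datatype == OBJECTS[obj]
```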
Protection Rings

Each subject and each object is assigned a number depending on its importance
 E.g., 0: operating system kernel
 1: operating system
 2: utilities
 3: user processes
The access control decision is made by comparing the subject's and object's numbers
 If a process is assigned the number i, then we say that the process 'runs in ring i'
 Sample security policy:
 a) Processes can only access objects in their own ring or in outer rings.
 b) Processes can invoke subroutines only within their own ring