Introduction to Access Control

Identity and Access Management is divided into two main functions: managing identity information and performing access control. It has been argued that if access control were not required, identity management would be unnecessary; IAM professionals should therefore focus on access control. Access control is fundamentally about ensuring that users are authenticated before they can access protected resources. It is achieved by managing user entitlements and meeting the requirements of the relying applications, so that users can access only the systems and information they have a right to.

The concept of access control has a rich history. To understand the current challenges, we will first examine an old and traditional model for classified government documents.

First, documents stored in files are not usually accessible to everyone. Information may be classified, and only those with the required clearance should be allowed to access classified documents. This control can be implemented in a simple way: a folder containing highly classified information carries a stamp that says 'Top Secret' or 'For Your Eyes Only'.

The information itself is the first thing to consider. Information can be classified Top Secret, but only by those with the appropriate authority, such as the owner of the document or folder. It is important to understand the implications of the classification: it distinguishes different levels of usage of, and access to, the information. Owners of folders will have some insight into which classification levels can be applied and which users can access the information.

The second is the clearance level of the actor, or user, of the information. In this instance, the secret service agent has been identified and trusted to the point that information at certain security levels can be accessed.

The third step is to map classification levels to clearance levels, so that only those with the appropriate clearance can access classified information. The owner classifies the document and accepts that only agents with a certain trust level will be allowed to access a particular security level.

Fourth: before handing the folder to a secret service agent, the person responsible for storing the file and retrieving it from the archive (the file manager, or access controller) must confirm that the agent requesting the file is the correct user. The access controller tries to identify the user, and the agent must prove that he has the right of access. A secret service badge or a letter signed by the agent can be used to verify that the agent is authorized to access the folder. Of course, the file manager must also verify that the signature on the letter is genuine.

The folder will only be given to the agent of the secret service after all these responsibilities are completed. The transfer is recorded in a journal.

Checking the stamp on a folder makes it easy to ensure that the access controller always stays in charge. In this setting, theft of information (data leakage) is also very physical: the folder is removed. A folder stamped 'Top Secret' lying in the open is likewise easy to notice.

Access control in this situation is simple, and access violations are visible. The folder is handed over only to a person with the appropriate clearance level, which can be determined from the badge. Access may also be restricted to certain locations.

The following topics are involved:

  • Classification of information is part of risk management.
  • Classification of users is part of identity management.
  • Authorization mapping is part of authorization management.
  • Verification of the requester is part of both identity management and access control.
  • Granting the access itself is what we call access control.

Since the invention of the computer there has been an increasing need to control access to protected documents, systems, and other resources. In the early days of computing, access control mechanisms were modelled after the spy movies: the concepts of an 'owner' of the resource and a 'reader' of the resource were used. The Windows NTFS file system still has a feature called Discretionary Access Control, under which the controller may not be bypassed. Access control became a necessity because of the rapid growth of technology, and the exponential growth in information, users and systems in the digital age makes it clear that the paper-world analogy no longer holds.

The concept of trust levels, e.g., managing the clearance level of an individual document reader, is difficult to implement. There are many players involved and no physical security controls in place (you cannot see the red 'Top Secret' stamp). There can be more than one copy of a file or folder in different locations; the data may not be lost, but it will likely be copied. What was once easy to implement physically is now difficult in the digital age. The lessons learned about identification, authentication and authorization, access control, auditing, and logging have been retained.

Security policies govern access to data, information, services, and systems as well as physical locations. The owner of the resource must formalize and enforce these security policies. The owner will then try to manage any risk associated with access such as abuse of data, theft, fraud, and other security risks. To be in control, an owner must have assurance that the security controls in place can achieve the desired level of security.

Ownership is a complex subject, even without the concept of access control. When examining the concept of ownership for data, there are many criteria that can be used to determine ownership. Information can be owned by someone because:

  • The data was created by them.
  • The data processing facility was funded by the company.
  • The data pertains to this person.

Terms

  • Identification – Uniquely identifying a user or system.
  • Authentication – Verifying that an application or user has the right to access a resource protected by a password, by validating the credentials presented by the access requester.
  • Multi-factor authentication (MFA) – An approach that validates a user's identity to the level of trust required by a security policy, using multiple factors: something you know (such as a password), something you own (such as a smartphone), or something you are (such as a fingerprint).
  • Authorization – The process of determining a user's right to access computer applications and the level at which that access should be granted. In many cases an 'authority' defines and grants access; in other cases access is granted because of inherent rights.
  • Accountability – The obligation to accept responsibility for one's own actions, whether positive or negative. The accountable person is also likely to be a kind of owner.
  • Protected Resource (PR) – A system or process, information object or physical location that is controlled by its owner and other stakeholders, such as the business process owner or risk manager.
  • Access Control – Controlling who has access to information, systems, services, and resources. The 'who' can be an individual, a thing or device, or even a service.
  • Access Governance – The assurance that access is granted based on correct criteria and parameters.
  • Access Policy Definition – Rules that govern whether objects are accessible.
  • Access Requester (also simply 'requester') – A person, process, computer system or other thing that tries to gain access to a resource protected by governmental regulations.
  • Access Supplier – The component that grants access to data, systems and services once the Access Requester has met the requirements of the access policy (set at the Policy Administration Point).
  • Policy Engine – The security component that determines whether a user is permitted to access a resource protected by a policy. A Policy Engine combines a PDP (Policy Decision Point) and a PAP (Policy Administration Point).
  • Policy Enforcement Point (PEP) – The authority that allows an access requester to connect to the access supplier only if the Policy Decision Point permits it.
  • Policy Decision Point (PDP) – The policy engine that checks access requests against the policy and the attributes assigned (as defined by the Policy Administration Point).
  • Policy Administration Point (PAP) – The location where the different types of owners define their access policies.
  • Policy Information Point (PIP) – The authority that refers to trusted external providers of attributes used in the access decision. Credly.com, for example, administers Open Badges such as CIDPRO™ and Certified Information Systems Security Professional (CISSP).

Acronyms

  • ABAC – Attribute Based Access Control
  • ACL – Access Control List
  • AIAC – Artificial Intelligence-Supported Access Control
  • CBAC – Context-Based Access Control (or Claims-Based Access Control)
  • CIAM – Consumer Identity and Access Management
  • CRM – Customer Relationship Management
  • DAC – Discretionary access control
  • MAC – Mandatory Access Control
  • PBAC – Policy-Based Access Control
  • PAP – Policy Administration Point
  • PDP – Policy Decision Point
  • PEP – Policy Enforcement Point
  • RBAC – Role-Based Access Control (or, less commonly, Rule-Based Access Control)
  • ReBAC – Relation-Based Access Control
  • SCIM – System for Cross-domain Identity Management
  • SOD – Separation of Duties

AAA: Authentication Authorization Accountability

Validating your identity is essential to gaining access. AAA summarizes the ideas that underlie this paradigm.

Authentication

Authentication is the process of proving that the person requesting access with a digital identity is the rightful owner of that identity. Authentication can be as simple as a password or considerably more complex. Both the Access Supplier and the Access Requester must be able to manage and consume the results of the authentication process.

Challenge – Response

A secret code or password known only to the user and the access supplier can be used to prove rightful use. The mechanism behind this is called challenge-response: the Access Supplier asks the Access Requester for proof of identity, and the subject must respond in the way the Access Supplier expects. A challenge-response can be as simple as asking for a PIN code or password. The CAPTCHA on many websites also acts as a challenge-response: it asks you to prove that you are a real person.
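
As an added example that is not part of the original article, the exchange below sketches the challenge-response mechanism just described in Python: the Access Supplier issues a random challenge, the Access Requester answers with an HMAC over that challenge using a shared secret, and the supplier verifies the answer. The secret value, the class names AccessSupplier and AccessRequester, and the single-use nonce bookkeeping are constructed for this illustration, not taken from any product.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret for the illustration. In practice it is provisioned
# out of band and is never transmitted during the exchange.
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"


class AccessSupplier:
    """Issues challenges and verifies the responses (hypothetical name)."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._outstanding = set()  # challenges issued but not yet answered

    def challenge(self) -> bytes:
        # A fresh random nonce per attempt: a recorded response cannot be reused.
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._outstanding:
            return False  # unknown, expired or already-consumed challenge
        self._outstanding.discard(nonce)  # each challenge is single use
        expected = hmac.new(self._secret, nonce, hashlib.sha256).digest()
        # Constant-time comparison: the check itself must not leak the expected value.
        return hmac.compare_digest(expected, response)


class AccessRequester:
    """Proves knowledge of the secret without sending the secret itself."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self._secret, nonce, hashlib.sha256).digest()


def run_exchange(supplier: AccessSupplier, requester: AccessRequester):
    """One round trip: challenge -> response -> verdict."""
    nonce = supplier.challenge()
    response = requester.respond(nonce)
    return supplier.verify(nonce, response), nonce, response


def demo() -> dict:
    supplier = AccessSupplier(SHARED_SECRET)
    legitimate = AccessRequester(SHARED_SECRET)
    impostor = AccessRequester(b"guessed-wrong-secret")

    ok, nonce, response = run_exchange(supplier, legitimate)
    # Presenting the captured (nonce, response) pair again must fail: the nonce was consumed.
    replayed = supplier.verify(nonce, response)
    wrong, _, _ = run_exchange(supplier, impostor)
    return {"legitimate": ok, "replay": replayed, "wrong_secret": wrong}


if __name__ == "__main__":
    print(demo())
```

Because every challenge is fresh and consumed on first use, a recorded response is worthless a second time, and a requester holding the wrong secret fails; the constant-time comparison keeps the verification step from leaking the expected value. The secret never crosses the wire, which is the property that distinguishes this from simply sending a password.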

Knowledge – Possession – Being

A known secret can be shared, unlike a CAPTCHA. This may not be enough to ensure rightful access, because others can pretend to be the owner of the password, whether it was shared with them or they found it lying around. This weakness of the known-secret model means that an access requester using only a password may not be able to gain the trust of some applications.

Even after identification and authentication there remains a certain amount of uncertainty about the owner. This should lead to a further evaluation of the access level: it may be sufficient for granting access to public information, but not to classified information.

To add more proof of identity, you can demand more specific and unique IDs. These trusted authentication methods cannot easily be stolen, shared, or copied (it is not impossible, but the cost of copying a physical token is too high). This is achieved by adding factors such as biometrics, certificates, and tokens. These additional proofs can be requested at the beginning of a session, during the first authentication, or later, after the previous low-trust authentication is found to be insufficient for accessing a protected resource. In that situation, low-trust access can be raised by performing a 'step-up' authentication that requires additional factors: the first login step could be a password, and the second, higher step could require a biometric or token proof.

Authorization

After authentication, authorization is the next phase in gaining access: the act of granting access to a resource, such as a computer program or a particular function within a program. The concept of authorization is closely linked to that of authority. A person, such as an owner, has accountability and is the one who can give others access to the protected resource. This does NOT make the other person the owner; it does, however, allow several permissions to be granted, such as 'read' and 'delete'. The data owner is responsible for the entire life cycle of the data and can delegate some tasks to others. For example, a manager could grant an employee read access to a resource within the limits set by the owner.

Mainstream access control methods

Many organizations currently have security policies embedded in their applications, operating systems, and networking components. These controls are implemented as Access Control Lists, roles, and DAC business rules, and they must be designed and implemented consistently in all relevant components. For example, if a Segregation of Duties (SoD) restriction is defined for a particular process, then every system, application platform, app and network component should support the SoD rule; the organization will not be in control if one component lacks SoD controls.

It is difficult to manage controls centrally across an organization when security policies are implemented in a decentralized way. There is a good chance that security policies and controls will differ from one another, so that each system or platform must be checked separately for conformity and security.

Modern Access Control

Modern access control implementations use a central policy engine to evaluate policies, and the policy should include an evaluation of 'risk levels'. Business process owners or data owners, who are responsible for managing access risks, define the policies they are accountable for. There may be multiple 'business owners', each responsible for a part of the corporate policy, and the assignment of business owners may result in a constantly changing access control policy.

Applications no longer maintain ACLs for users. Instead they rely on an identity management authorization system that decides on a user's access request on the basis of one or more access policies. Different policies are handled by different stakeholders within the company, and all applicable policies must be assessed before access can be granted. This type of MAC is a method for fine-grained access control.

Accountability

Accountability is an important responsibility in access governance. To ensure that each access decision is made by a person who is authorized to make it, ownership must be addressed. To be held accountable, the owner must be made aware of all activities that are under their control.

A quality requirement is to record all access control activities. The detail of this record can range from logging every authorization request, such as granting roles or authorizations to people or revoking them, to logging authorization changes within roles. This register is necessary to control access. The same holds for the authentication and identification process: the login mechanisms, operating systems and IAM solutions must all provide assurance that each access request is validated.

Considerations for Access Control

Access control is more than a simple business decision. This activity is influenced by other factors, such as how users interact with control mechanisms and the legal implications of what is required.

Human Factor

Users who have to deal with security controls may themselves become a roadblock to effective 'control'. User experience is an important success factor for every information security project: if security controls are overly strict, users may become discouraged or try to avoid them. Consumer access is a good example of this avoidance: if a customer portal was not designed with the user in mind, consumers will tend to look elsewhere. This is a missed opportunity, resulting in low conversion rates. Consumer Identity and Access Management (CIAM) solutions are designed to prevent such behaviour.

UX has started to have an impact on workforce IAM as well. If a user regularly accesses the company intranet portal from home in a prescribed manner, such as over a VPN connection, the access control system can validate that behaviour and use it in the authentication process. It may decide not to require multi-factor authentication, because this is a trusted user on a known and trusted connection.

Legal Implications

Access control is part of an overall information security policy and is used to support business processes. The legal implications of access control practices vary from business to business, sector to sector and jurisdiction to jurisdiction. It is difficult to determine the legal requirements for access control policies, as they are usually part of a larger program that is influenced by a variety of laws, standards, and regulations. Access control programs and systems have a role to play in supporting the organization's risk management program, which allows questions about legal requirements and compliance to be answered organically; the organization can then move forward with confidence.

Current status of Access Control

Mainstream access control mechanisms

Access control can be implemented using a variety of mechanisms. This section covers three of the most common: Access Control Lists (ACLs), Role-Based Access Control (RBAC), and Attribute-Based Access Control (ABAC).

Access Control Lists

The classification level of a resource determines the access control. The owner (or delegated persons) classifies each resource to determine its level of security, and security controls are then implemented on the basis of that level to ensure that the right level of access is granted. Access rights are also known as entitlements: fine-grained permissions for accessing resources. ACLs are one of the earliest and most common implementations of entitlements. In an ACL, the owner defines which users have which types of access to a resource: read, write, update, or delete. This concept is simple to understand and manage for each object, and if the number of objects is limited, ACLs can control access well. ACLs become a constraint when both the number and the type of objects increase.

Each owner of a document is required to define the ACL. This distributed control method implies that there is no central control over access. From an auditing perspective, however, it is relatively easy to determine who has access to a protected resource, since this information is stored in the ACL itself.

Role-Based Access Control

ACL management can be a difficult task. As populations grow, it becomes harder to manage access to resources per individual user or entitlement. This issue of scale eventually led to the need for a new approach to access management. RBAC grants access to resources at group level instead of individual level. To achieve this, a component intermediate to the access controller is required: the role manager or role owner must be able to map the user's role to an entitlement for a protected resource. In theory the mapping is simple, but it requires that this person work with others in the organization who are responsible for ensuring that authorizations do not conflict with business processes or organizational structures.

A line manager can make a new hire a member of the role Account Manager; the new hire then has all the access permissions associated with that role. Managing access this way is much easier because it is not based on individual users.

The owner of an information system can create roles to avoid having to manage individual entitlements. The owner of the Customer Relationship Management (CRM) system, for example, can create a 'customer manager' role and assign system authorizations to it (such as filling out a form or reading customer records from a database).

RBAC allows us to define a role model with multiple levels. We can define organizational or business roles by grouping identities hierarchically or organizationally; a grouping of permissions or authorizations at the application or platform level is called a system or application role. By connecting organizational roles with application roles, it is possible to grant and revoke authorizations very efficiently. It is, however, easy to complicate authorization management by nesting groups. For example, employees who work on the service desk could be members of the group 'ServiceDesk', and that group could then be added to the Windows Administrators group. This makes it difficult to identify who holds Windows Administrator authorizations: not only the users who have the Windows Administrator role directly, but also the employees in the ServiceDesk role. Nesting is a major obstacle to insight; many IAM projects have failed because there was no way to un-nest. Nesting limits auditability in RBAC environments, so groups must be de-nested to evaluate authorizations, including conflicting ones.
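
The following Python snippet is an added example (not code from the article) that covers both the ACL section above and the nesting problem just described. The resources, users, roles and group memberships are constructed sample data: the first half shows an owner-defined ACL with a default-deny check and the audit that the text says is easy with ACLs; the second half flattens nested groups so that `who_holds` can answer the harder audit question of which users really hold the Windows Administrator entitlement.

```python
# --- Access Control Lists: the owner of each object decides who may do what ---
# Constructed sample data: resource -> owner and per-user entitlements.
ACLS = {
    "crm/customer-records": {
        "owner": "crm_owner",
        "entries": {"alice": {"read", "write"}, "bob": {"read"}},
    },
    "finance/ledger": {
        "owner": "cfo",
        "entries": {"carol": {"read", "write", "delete"}},
    },
}


def acl_permits(acls, user, resource, permission):
    """Default deny: anything not listed in the object's ACL is refused."""
    entries = acls.get(resource, {}).get("entries", {})
    return permission in entries.get(user, set())


def acl_audit(acls, resource):
    """Who has any access to the object: easy, because the ACL is the record."""
    return sorted(acls[resource]["entries"])


# --- Role-Based Access Control with nested groups ---
# Constructed sample data: entitlements granted directly on each role...
ROLE_ENTITLEMENTS = {
    "Windows Administrators": {"windows:admin"},
    "ServiceDesk": {"ticketing:write"},
    "Account Manager": {"crm:read", "crm:write"},
}
# ...and direct memberships: a member (user or role) -> roles it belongs to.
MEMBER_OF = {
    "ServiceDesk": {"Windows Administrators"},  # the nested group from the text
    "dave": {"ServiceDesk"},
    "erin": {"Windows Administrators"},
    "frank": {"Account Manager"},
}


def effective_roles(member_of, principal):
    """De-nest: every role reachable from the principal; membership cycles are tolerated."""
    seen = set()
    stack = list(member_of.get(principal, ()))
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        stack.extend(member_of.get(role, ()))
    return seen


def effective_entitlements(member_of, role_entitlements, user):
    """Union of entitlements over all directly and indirectly held roles."""
    entitlements = set()
    for role in effective_roles(member_of, user):
        entitlements |= role_entitlements.get(role, set())
    return entitlements


def who_holds(member_of, role_entitlements, entitlement):
    """The audit question from the text: which users really hold an entitlement
    once nesting is resolved (roles themselves are excluded from the answer)."""
    users = [p for p in member_of if p not in role_entitlements]
    return sorted(
        u for u in users
        if entitlement in effective_entitlements(member_of, role_entitlements, u)
    )


if __name__ == "__main__":
    print(acl_audit(ACLS, "crm/customer-records"))
    print(who_holds(MEMBER_OF, ROLE_ENTITLEMENTS, "windows:admin"))
```

With the ServiceDesk group nested inside Windows Administrators, a naive look at the administrators group lists only erin, while the flattened view also returns dave; a periodic run of `who_holds` over the real directory data is the kind of de-nesting check the text says auditors need.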

Attribute Based Access Control

ABAC is a model that builds on RBAC by adding controls based on business logic. The static nature of RBAC is its major flaw: a user's entitlement generally remains available until it is manually revoked, and if proper cleanup is not done, users may carry their access from one role to the next. ABAC extends the model to consider additional attributes and characteristics of users when determining whether access should be granted. An access management system decides on the basis of the user's rights as well as other metadata such as time, location (e.g., on the network, remote, or geolocation from the IP address), type of device (e.g., personal or organization-owned, desktop or tablet) and other user attributes. ABAC can control access in real time, at the moment of the transaction, or passively based on metadata. Both approaches require the input and support of resource owners, role managers, and people or organization managers to understand the needs and requirements of the users, as well as the additional support of analysts to define the business logic.

As an example, the Customer Relationship Management owner could specify that anyone with the attribute 'Business Role = account manager' can only access the resource if the attribute 'Allowed Time = defined hours' is also satisfied.
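
To show how such an attribute rule is evaluated, here is an added Python example; it is not code from the article, and the policy layout, the attribute names, the 08:00-18:00 window and the second device-based policy are assumptions made for the illustration. It goes slightly beyond the text by assessing every applicable policy with deny-overrides, as the section on modern access control requires, and by handling an allowed-time window that crosses midnight.

```python
from datetime import datetime, time

# Constructed policies for the CRM owner's example. Attribute names, the
# 08:00-18:00 window and the device rule are assumptions for this illustration.
POLICIES = [
    {
        "name": "account-managers-during-allowed-hours",
        "resource": "crm/customer-records",
        "action": "read",
        "subject": {"business_role": "account manager"},
        "allowed_time": (time(8, 0), time(18, 0)),
    },
    {
        "name": "managed-devices-only",
        "resource": "crm/customer-records",
        "action": "*",
        "context": {"device": "organization-owned"},
    },
]

NIGHT_SHIFT = (time(22, 0), time(6, 0))  # constructed window that wraps past midnight


def clock(hour, minute=0):
    """Small helper so callers can build clock times without importing datetime."""
    return time(hour, minute)


def sample_context(hour, minute=0, device="organization-owned"):
    """Constructed request context: the moment of access plus the device type."""
    return {"now": datetime(2024, 3, 4, hour, minute), "device": device}


def within_window(t, window):
    """True if clock time t falls inside [start, end); wraps past midnight when start > end."""
    start, end = window
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def evaluate(policy, subject, resource, action, context):
    """Single policy: NotApplicable if it does not target the request, else Permit or Deny."""
    if resource != policy["resource"] or policy["action"] not in ("*", action):
        return "NotApplicable"
    for attr, value in policy.get("subject", {}).items():
        if subject.get(attr) != value:
            return "Deny"
    for attr, value in policy.get("context", {}).items():
        if context.get(attr) != value:
            return "Deny"
    window = policy.get("allowed_time")
    if window and not within_window(context["now"].time(), window):
        return "Deny"
    return "Permit"


def decide(policies, subject, resource, action, context):
    """All applicable policies must be assessed; any Deny wins, and no coverage means Deny."""
    verdicts = [evaluate(p, subject, resource, action, context) for p in policies]
    applicable = [v for v in verdicts if v != "NotApplicable"]
    if not applicable:
        return "Deny"
    return "Deny" if "Deny" in applicable else "Permit"


if __name__ == "__main__":
    manager = {"business_role": "account manager"}
    print(decide(POLICIES, manager, "crm/customer-records", "read", sample_context(9, 30)))
    print(decide(POLICIES, manager, "crm/customer-records", "read", sample_context(20, 0)))
```

The same account manager is permitted at 09:30 on a managed device and denied at 20:00 or from a personal device, which is the dynamic behaviour RBAC alone cannot express; a request for a resource no policy covers is denied rather than silently allowed.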

Future Directions of Access Control

ACLs and RBAC provide static access control: the combination of a user with his or her permissions is fixed and cannot easily be changed. Other authorizations, however, require change. People change jobs, devices, locations, or tasks, and a change in context or in laws and regulations can also affect the risk level of a resource. Relevant changes include:

  • Extended organizations, internationalization, collaboration and federation, and a flexible workforce, meaning that in daily operations people outside the scope of traditional HR operations may need access.
  • Moving data processing to the cloud, which has led to new protocols such as SCIM (System for Cross-domain Identity Management; the acronym was first used for Simple Cloud Identity Management, which I guess was considered too simple or restrictive).
  • New privacy regulations such as GDPR.
  • Mobile apps that use modern protocols such as OpenID Connect and require a flexible topology for access control.
  • User-Managed Access, a development that enforces end-user control and consent.
  • Access to micro-services via APIs, resulting in new access management architectures based on protocols such as OAuth2.

These constraints and changes indicate that a dynamic approach to managing access is required. This is reflected in the future direction of access control, where several developments are visible.

Dynamic Authentication

Access control is not a static process. If a user logs in to a service that carries a low level of risk, a combination of username and password may suffice; later in the session, another level of trust may be required. When performing a transaction, for example, an additional form of identification such as a token may be needed.

To adapt to session dynamics, authentication should be a continual process, for instance through the new concept of behavioural biometrics. Examples of the changing need for trust in an identity:

  • User switches contexts (such as location). This switch may place the user into a different trust zone. The session should be reevaluated.
  • An email attachment is opened by the user, and this action requires an increased trust level. This action should enforce an additional authentication step such as multi-factor authentication.

Adaptive authentication provides a flexible, secure, and dynamic form of authentication. It validates multiple factors to determine whether a login attempt is genuine before granting access; the factors used to validate a user can be based on risk and context.

Policy-Based Access Control

In collaborative environments with a flexible workforce and extended organizations, access control must be dynamic and flexible. The paradigm that provides this flexibility is Policy-Based Access Control. PBAC (also known as Claims-Based Access Control or Context-Based Access Control) takes ABAC's business logic and enhances it with context evaluation and dynamic step-up capabilities.

The context of an access requester can change dynamically. Dynamic policy management and enforcement may require a step-up in authentication to meet the required trust level when defined risk controls demand it. The policy engine is responsible for determining whether the user attributes and context data at the time of access comply with the policies set by the owners; context information could include the time of day or the location. Scalability is enabled by the ability to collect attributes and information from trusted attribute providers.

This architecture has a central component, the Policy Decision Point, which evaluates the applicable access policies and returns a response. The Policy Enforcement Point enforces that response, either through code embedded within the application or, increasingly, via an API gateway. The policy engine can thus be part of the access request flow.
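
As an added example (not part of the article, and not any vendor's implementation), the Python below wires the four components named in the terms list into one request flow: owners register rules at the PAP, the PIP supplies requester attributes, the PDP returns Permit, Deny or StepUp and records every decision for accountability, and the PEP enforces the result. The two-level trust scale, the sample rules and the directory data are constructed; the StepUp outcome is the step-up and adaptive authentication described earlier in the section, and the decision log is the register the accountability section asks for.

```python
# Constructed two-level trust scale: what the current session has proven so far.
PASSWORD, MFA = 1, 2

# Constructed directory data the PIP would normally fetch from trusted attribute providers.
DIRECTORY = {
    "alice": {"active": True, "department": "sales"},
    "mallory": {"active": False, "department": "sales"},  # leaver: account disabled
}


class PolicyAdministrationPoint:
    """PAP: owners register the trust level each resource requires."""

    def __init__(self):
        self.rules = {}

    def set_rule(self, resource, required_level, risky_networks=()):
        self.rules[resource] = {"level": required_level, "risky": set(risky_networks)}


class PolicyInformationPoint:
    """PIP: supplies attributes about the requester from trusted sources."""

    def __init__(self, directory):
        self.directory = directory

    def attributes(self, user):
        return self.directory.get(user, {})


class PolicyDecisionPoint:
    """PDP: compares request and context with the policy; answers Permit, Deny or StepUp."""

    def __init__(self, pap, pip):
        self.pap, self.pip = pap, pip
        self.log = []  # accountability: every decision is recorded

    def decide(self, user, session_level, resource, context):
        rule = self.pap.rules.get(resource)
        attrs = self.pip.attributes(user)
        if rule is None or not attrs.get("active", False):
            decision = "Deny"  # unknown resource or inactive identity: no step-up can help
        else:
            required = rule["level"]
            if context.get("network") in rule["risky"]:
                required = min(required + 1, MFA)  # unusual context raises the bar
            decision = "Permit" if session_level >= required else "StepUp"
        self.log.append((user, resource, context.get("network"), session_level, decision))
        return decision


class PolicyEnforcementPoint:
    """PEP: the gateway or application code that acts on the PDP's answer."""

    def __init__(self, pdp):
        self.pdp = pdp

    def handle(self, user, session, resource, context):
        decision = self.pdp.decide(user, session["level"], resource, context)
        session["step_up_required"] = decision == "StepUp"  # caller completes MFA and retries
        return decision


def demo():
    pap = PolicyAdministrationPoint()
    pap.set_rule("intranet/news", PASSWORD, risky_networks={"unknown"})
    pap.set_rule("bank/transfer", MFA)  # transactions always need the second factor
    pdp = PolicyDecisionPoint(pap, PolicyInformationPoint(DIRECTORY))
    pep = PolicyEnforcementPoint(pdp)

    session = {"user": "alice", "level": PASSWORD}  # logged in with a password only
    known = pep.handle("alice", session, "intranet/news", {"network": "vpn"})
    unknown = pep.handle("alice", session, "intranet/news", {"network": "unknown"})
    transfer = pep.handle("alice", session, "bank/transfer", {"network": "vpn"})
    session["level"] = MFA  # step-up completed with a token or biometric
    after_mfa = pep.handle("alice", session, "bank/transfer", {"network": "vpn"})
    leaver = pep.handle("mallory", {"user": "mallory", "level": MFA}, "intranet/news", {"network": "vpn"})
    return {
        "known_network": known,
        "unknown_network": unknown,
        "transfer_password_only": transfer,
        "transfer_after_mfa": after_mfa,
        "inactive_user": leaver,
        "decisions_logged": len(pdp.log),
    }


if __name__ == "__main__":
    for item in demo().items():
        print(*item)
```

The same password-only session is enough for the intranet over the known VPN, is asked to step up when the network is unfamiliar or when a transaction is attempted, and passes once a second factor has been proven; a disabled identity is denied outright because no extra factor can restore it, and all five decisions end up in the PDP's log.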

AIAC and ReBAC are a natural progression.

Relational Access Control

ReBAC is a new concept in access control that allows access decisions to be based on the relationship between an access requester and other identities who may be affected. Access decisions can be derived, among other things, from the access requester's social media network connections, and a reputational attribute can be evaluated. ReBAC relies on the availability of large, distinct data sets (incorporating HR, sourcing, access/entitlement and behavioural data) and on AI to perform the evaluations and recommendations for access decisions.

The direction of ReBAC is still unclear and its development is not mature enough for mainstream applications. We see potential for implementing it as part of predictive role mining technology for dynamic ABAC.

Artificial Intelligence Supported Access Control

When we introduce the concept of artificial intelligence (AI), we can expect much more. It is possible to implement a dynamic access control system that uses a risk management strategy: in an environment that is robust and classifies its sensitive resources, it becomes easier to use a solution that alerts on access requests above normal risk levels. AI will monitor access control requests and alert on unusual activity, and can therefore be used as an add-on to existing RBAC and ABAC. The concept is still not mainstream and it is hard to predict where the future will go, but machine learning and AI may well add value.

Control by the user and consent

Privacy laws and regulations have created a new awareness of access to personally identifiable data (PID). These laws and regulations are driving the concept of ownership of, and consent for, data by patients, employees, or customers. In many cases, laws or regulations require data owners to have control over their personal information. To close this ownership gap, several technological platforms are emerging. The Kantara Initiative's User-Managed Access is one of the solutions that has found its way into new access paradigms. Implementing these concepts has become easier thanks to the development of protocols such as OAuth.

Conclusion

The mainstream access control mechanisms, such as RBAC and ACLs, have a long tail. They will continue to be used in many organizations. As companies, governments and organizations require communication and collaboration outside their four walls, they need to find other ways to control access.

The mainstream access control methods cannot meet the increasing need for flexibility in an ever-changing world. Modern access governance demands modern access control methods, and dynamic access control is clearly needed. It is interesting to note that the tools are now available and that their implementation does not have to interfere with current best practices: adaptive authentication and PBAC can be added to an existing identity-and-access architecture. Planning is required, using a roadmap, and elements of access governance must also be implemented.

How Can ITM Help You?

IT Minister covers all aspects of cyber security, including but not limited to home cyber security managed solutions, automated and managed threat intelligence, forensic investigations, Mobile Device Management, cloud security best practice and architecture, and cyber security training. Our objective is to support organisations and consumers at every step of their cyber maturity journey. Contact Us for more information.