
CH02-part1

Uploaded by

jwana3512

Computer Security: Principles and Practice
Fourth Edition

Chapter 2
Access Control – part 1

Copyright © 2018, 2015, 2012 Pearson Education, Inc. All Rights Reserved
Access Control Definitions (1 of 2)
NISTIR 7298 defines access control as:
“the process of granting or denying specific requests to:
(1) obtain and use information and related information
processing services; and (2) enter specific physical
facilities”

Access Control Definitions (2 of 2)
RFC 4949 defines access control as:
“a process by which use of system resources is regulated
according to a security policy and is permitted only by
authorized entities (users, programs, processes, or other
systems) according to that policy”

Table 4.1 Access Control Security
Requirements (SP 800-171) (1 of 4)
Basic Security Requirements
1. Limit information system access to authorized users, processes
acting on behalf of authorized users, or devices (including other
information systems).
2. Limit information system access to the types of transactions and
functions that authorized users are permitted to execute.

Derived Security Requirements


3. Control the flow of CUI in accordance with approved authorizations.
4. Separate the duties of individuals to reduce the risk of malevolent
activity without collusion.

Table 4.1 Access Control Security
Requirements (SP 800-171) (2 of 4)
5. Employ the principle of least privilege, including for specific
security functions and privileged accounts.
6. Use non-privileged accounts or roles when accessing nonsecurity
functions.
7. Prevent non-privileged users from executing privileged functions
and audit the execution of such functions.
8. Limit unsuccessful logon attempts.
9. Provide privacy and security notices consistent with applicable
CUI rules.

Table 4.1 Access Control Security
Requirements (SP 800-171) (3 of 4)
10. Use session lock with pattern-hiding displays to prevent access and
viewing of data after period of inactivity.
11. Terminate (automatically) a user session after a defined condition.
12. Monitor and control remote access sessions.
13. Employ cryptographic mechanisms to protect the confidentiality of
remote access sessions.
14. Route remote access via managed access control points.
15. Authorize remote execution of privileged commands and remote
access to security-relevant information.
16. Authorize wireless access prior to allowing such connections.

Table 4.1 Access Control Security
Requirements (SP 800-171) (4 of 4)
17. Protect wireless access using authentication and encryption.
18. Control connection of mobile devices.
19. Encrypt CUI on mobile devices.
20. Verify and control/limit connections to and use of external
information systems.
21. Limit use of organizational portable storage devices on external
information systems.
22. Control CUI posted or processed on publicly accessible information
systems.

CUI = controlled unclassified information

Access Control Principles
• In a broad sense, all of computer security is concerned
with access control
• RFC 4949 defines computer security as:
“measures that implement and assure security services in a
computer system, particularly those that assure access
control service”

Figure 4.1 Relationship Among Access
Control and Other Security Functions

Source: Based on [SAND94].

Access Control Policies
• Discretionary access control (DAC)
– Controls access based on the identity of the requestor and
on access rules (authorizations) stating what requestors are
(or are not) allowed to do
• Mandatory access control (MAC)
– Controls access based on comparing security labels with
security clearances
• Role-based access control (RBAC)
– Controls access based on the roles that users have within the
system and on rules stating what accesses are allowed to users
in given roles
• Attribute-based access control (ABAC)
– Controls access based on attributes of the user, the resource
to be accessed, and current environmental conditions

Figure 4.6 Users, Roles, and Resources

Figure 4.7 Access Control Matrix
Representation of RBAC

Figure 4.8 A Family of Role-Based
Access Control Models

Table 4.4 Scope RBAC Models
Models   Hierarchies   Constraints
RBAC0    No            No
RBAC1    Yes           No
RBAC2    No            Yes
RBAC3    Yes           Yes

Figure 4.9 Example of Role Hierarchy

Constraints - RBAC
• Provide a means of adapting RBAC to the specifics of administrative and
security policies of an organization

• A defined relationship among roles or a condition related to roles

• Types:
– Mutually exclusive roles
▪ A user can only be assigned to one role in the set (either during a
session or statically)
▪ Any permission (access right) can be granted to only one role in the set
– Cardinality
▪ Setting a maximum number with respect to roles
– Prerequisite roles
▪ Dictates that a user can only be assigned to a particular role if it is
already assigned to some other specified role
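
Added example (not from the textbook or slides): a static check of the three constraint types on user-to-role assignment. The class name, role names, users and limits are constructed for illustration; the permission side of mutual exclusion is not modelled.

```python
# Added example: static enforcement of the three RBAC constraint types.
# All role names, users and limits are constructed for illustration.
class ConstraintViolation(Exception):
    """Raised when an assignment would break an RBAC constraint."""

class ConstrainedRBAC:
    def __init__(self, exclusive_sets, max_users, prerequisites):
        self.exclusive_sets = [frozenset(s) for s in exclusive_sets]
        self.max_users = dict(max_users)          # role -> max number of users
        self.prerequisites = dict(prerequisites)  # role -> role required first
        self.user_roles = {}                      # user -> set of roles

    def assign(self, user, role):
        held = self.user_roles.get(user, set())
        # Mutually exclusive roles: at most one role from each set per user.
        for group in self.exclusive_sets:
            if role in group and (held & group) - {role}:
                raise ConstraintViolation("mutually exclusive")
        # Cardinality: cap on the number of users assigned to the role.
        members = sum(1 for r in self.user_roles.values() if role in r)
        limit = self.max_users.get(role)
        if limit is not None and role not in held and members >= limit:
            raise ConstraintViolation("cardinality")
        # Prerequisite roles: the user must already hold the required role.
        required = self.prerequisites.get(role)
        if required is not None and required not in held:
            raise ConstraintViolation("prerequisite")
        self.user_roles.setdefault(user, set()).add(role)

def attempt(rbac, user, role):
    """Return 'ok' or the name of the violated constraint."""
    try:
        rbac.assign(user, role)
        return "ok"
    except ConstraintViolation as exc:
        return str(exc)

def demo():
    rbac = ConstrainedRBAC(
        exclusive_sets=[{"payment_initiator", "payment_approver"}],
        max_users={"security_admin": 1},
        prerequisites={"senior_engineer": "engineer"},
    )
    steps = [("alice", "payment_initiator"), ("alice", "payment_approver"),
             ("bob", "security_admin"), ("carol", "security_admin"),
             ("dave", "senior_engineer"), ("dave", "engineer"),
             ("dave", "senior_engineer")]
    return [attempt(rbac, u, r) for u, r in steps]
```

Each constraint is checked before the assignment is recorded, so a rejected request leaves the user's role set unchanged.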

Attribute-Based Access Control (ABAC)
• Can define authorizations that express conditions on properties
of both the resource and the subject
• Strength is its flexibility and expressive power
• Main obstacle to its adoption in real systems has been concern
about the performance impact of evaluating predicates on both
resource and user properties for each access
• Web services have been pioneering technologies through the
introduction of the eXtensible Access Control Markup Language
(XACML)
• There is considerable interest in applying the model to cloud
services
ABAC Model: Attributes
• Subject attributes
– A subject is an active entity that causes information to flow among objects
or changes the system state
– Attributes define the identity and characteristics of the subject

• Object attributes
– An object (or resource) is a passive information system-related entity
containing or receiving information
– Objects have attributes that can be leveraged to make access control
decisions

• Environment attributes
– Describe the operational, technical, and even situational environment or
context in which the information access occurs
– These attributes have so far been largely ignored in most access control
policies
ABAC
• Distinguishable because it controls access to objects by
evaluating rules against the attributes of entities, operations,
and the environment relevant to a request
• Relies upon the evaluation of attributes of the subject,
attributes of the object, and a formal relationship or access
control rule defining the allowable operations for subject-object
attribute combinations in a given environment
• Systems are capable of enforcing DAC, RBAC, and MAC
concepts
• Allows an unlimited number of attributes to be combined to
satisfy any access control rule
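
Added example (not from the textbook or slides): a small ABAC decision function that evaluates rules over subject, object and environment attributes, with one DAC-style, one RBAC-style and one MAC-style rule. Attribute names, rules and requests are constructed for illustration, and the combining logic (permit if any rule matches, otherwise deny) is an assumption of this sketch.

```python
# Added example: a minimal ABAC decision function with default deny.
# Attribute names, rules and sample requests are constructed for illustration.
LEVELS = {"public": 0, "confidential": 1, "secret": 2}

# Each rule: (operations it covers, predicate over subject/object/environment).
RULES = [
    # DAC-style: the owner of an object may read and write it.
    ({"read", "write"}, lambda s, o, e: s["id"] == o["owner"]),
    # RBAC-style: subjects holding the auditor role may read log objects.
    ({"read"}, lambda s, o, e: "auditor" in s["roles"] and o["type"] == "log"),
    # MAC-style plus environment: clearance must dominate the label and the
    # request must originate from the internal network.
    ({"read"}, lambda s, o, e: LEVELS[s["clearance"]] >= LEVELS[o["label"]]
                               and e["network"] == "internal"),
]

def decide(subject, obj, operation, env):
    """Permit if any rule covering the operation is satisfied; else deny."""
    for operations, predicate in RULES:
        if operation not in operations:
            continue
        try:
            if predicate(subject, obj, env):
                return "permit"
        except KeyError:
            # A missing attribute must never grant access.
            continue
    return "deny"

def demo():
    alice = {"id": "alice", "roles": ["engineer"], "clearance": "secret"}
    bob = {"id": "bob", "roles": ["auditor"], "clearance": "public"}
    design = {"owner": "alice", "type": "document", "label": "secret"}
    syslog = {"owner": "root", "type": "log", "label": "confidential"}
    office, remote = {"network": "internal"}, {"network": "external"}
    return [
        decide(alice, design, "write", remote),         # owner rule matches
        decide(bob, syslog, "read", remote),            # role rule matches
        decide(bob, design, "read", office),            # clearance too low
        decide(alice, syslog, "read", office),          # clearance + network
        decide(alice, syslog, "read", remote),          # environment fails
        decide({"id": "eve"}, syslog, "read", office),  # attributes missing
    ]
```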

Figure 4.10 ABAC Scenario

Figure 4.11 ACL and ABAC Trust
Relationships

End of part 1
