xliv Access Control Models
ity, when Joe takes the data from that machine and copies it to his laptop to
work on while traveling by airplane, that data has most likely been
compromised unless Joe's laptop, too, has been reviewed, inspected, and
cleared for processing data of that particular level of sensitivity. If his
machine has not been cleared, there is no assurance that the data has NOT
been compromised. The policies in place at Joe's organization must be
known to Joe in order to be effective, and they must be enforced in order to
remain effective.
Access Control Criteria
When implementing security access controls, five common criteria are used
to determine whether access is granted or denied: location, identity, time,
transaction, and role (LITTR). Location refers to the physical or logical
place from which the user attempts access. Identity refers to the process
used to uniquely identify an individual or program in a system. Time
parameters are used to control when a resource may be used (for example,
contractors are not allowed access to system resources after 8:00 P.M.
Monday through Friday, and not at all on weekends). Transaction criteria
are program checks performed to protect information from unauthorized use,
such as validating whether a database query against payroll records that
comes from a user identified as belonging to the HR department is a valid
one. Finally, a role defines which computer-related functions can be
performed by a properly identified user who holds the set of privileges
specific to that role. All of these criteria are implemented in varying
degrees across the depth and breadth of a security plan, and the policies
and procedures an organization uses to make the plan effective determine
the interplay among them.
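The following is an added example, not code from the book, showing how the five LITTR criteria can be evaluated together in a single policy decision. Each criterion is a separate check over a request; access is granted only if every check passes, and the names of the failing criteria are returned so the denial can be logged. The users, address ranges, role permissions and the contractor time window are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, List, Tuple

# Added example (not from the book): evaluating the LITTR criteria.
# All directory, network and permission data below is constructed.


@dataclass
class Request:
    user: str
    role: str          # role the session asserts, e.g. "contractor"
    department: str
    source_ip: str
    when: datetime
    action: str        # e.g. "query"
    resource: str      # e.g. "payroll_db"


def request(user, role, department, source_ip, when_iso, action, resource) -> Request:
    """Convenience constructor that takes the timestamp as an ISO-8601 string."""
    return Request(user, role, department, source_ip,
                   datetime.fromisoformat(when_iso), action, resource)


# Location: address ranges regarded as "inside" (constructed).
CORPORATE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                      ipaddress.ip_network("192.168.10.0/24")]

# Identity: the authoritative directory record for each user (constructed).
DIRECTORY = {
    "joe":   {"role": "contractor", "department": "engineering"},
    "alice": {"role": "hr_analyst", "department": "hr"},
    "bob":   {"role": "engineer",   "department": "engineering"},
}

# Role: the (action, resource) pairs each role may perform (constructed).
ROLE_PERMISSIONS = {
    "contractor": {("read", "build_server")},
    "engineer":   {("read", "build_server"), ("write", "build_server")},
    "hr_analyst": {("query", "payroll_db")},
}


def location_ok(req: Request) -> bool:
    """Location: the request must originate from a corporate address range."""
    try:
        addr = ipaddress.ip_address(req.source_ip)
    except ValueError:
        return False          # unparseable address: fail closed
    return any(addr in net for net in CORPORATE_NETWORKS)


def identity_ok(req: Request) -> bool:
    """Identity: the user must exist and the asserted role/department must match the directory."""
    rec = DIRECTORY.get(req.user)
    return rec is not None and rec["role"] == req.role and rec["department"] == req.department


def time_ok(req: Request) -> bool:
    """Time: contractors get no access after 8:00 P.M. Mon-Fri and none at all on weekends."""
    if req.role != "contractor":
        return True
    if req.when.weekday() >= 5:       # Monday == 0, so 5 and 6 are Sat/Sun
        return False
    return req.when.hour < 20


def transaction_ok(req: Request) -> bool:
    """Transaction: a query against payroll records is valid only from the HR department."""
    if req.resource == "payroll_db" and req.action == "query":
        return req.department == "hr"
    return True


def role_ok(req: Request) -> bool:
    """Role: the (action, resource) pair must be among the role's privileges."""
    return (req.action, req.resource) in ROLE_PERMISSIONS.get(req.role, set())


CRITERIA: List[Tuple[str, Callable[[Request], bool]]] = [
    ("location", location_ok), ("identity", identity_ok), ("time", time_ok),
    ("transaction", transaction_ok), ("role", role_ok),
]


def authorize(req: Request) -> Tuple[bool, List[str]]:
    """Evaluate every criterion (no short-circuit) so the audit record names all failures."""
    failed = [name for name, check in CRITERIA if not check(req)]
    return (not failed, failed)


if __name__ == "__main__":
    r = request("joe", "contractor", "engineering", "10.1.2.3", "2024-03-16T10:00", "read", "build_server")
    print(authorize(r))   # Saturday: denied on the time criterion
```

Evaluating all five checks rather than stopping at the first failure costs little and gives the security operations team a complete reason for each denial; the enforcement outcome is the same either way.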
Access Control Models
When an organization begins to implement access control procedures, there
are three basic models from which an administrator can choose: (1) manda-
tory, (2) discretionary, and (3) nondiscretionary. Each has its particular
strengths and weaknesses, and the implementer must decide which model is
most appropriate for his or her environment or situation. It is important to
point out that most operating system, network, and application security
software in use today gives administrators the capability to perform data
categorization, discretionary access control, identity-based access control,
user-discretionary access control, and nondiscretionary access control. This
section provides an overview of each type of access control model. Armed
with this information, an implementer of access controls will be able to
make better decisions about which model is most appropriate for his or her
purposes.
Mandatory Access Control Model
Under mandatory access control, the system itself decides whether to grant
access by comparing a security label on the resource with the label of the
requesting session; the resource owner cannot override that decision. A
security label is a designation assigned to a resource [24] (such as a file).
According to The NIST Handbook:
Security labels are used for various purposes, including
controlling access, specifying protective measures, or
indicating additional handling instructions. In many
implementations, once this designator has been set, it cannot
be changed (except perhaps under carefully controlled
conditions that are subject to auditing).
When used for access control, labels are also assigned to
user sessions. Users are permitted to initiate sessions with
specific labels only. For example, a file bearing the label
"Organization Proprietary Information" would not be
accessible (readable) except during user sessions with the
corresponding label. Moreover, only a restricted set of users
would be able to initiate such sessions. The labels of the
session and those of the files accessed during the session are
used, in turn, to label output from the session. This ensures
that information is uniformly protected throughout its life
on the system.
Security labels are a very strong form of access control. Because they are
costly and difficult to administer, they are best suited to information
systems with very strict security requirements (such as those used by
government, financial, and R&D organizations that handle classified infor-
mation, or information whose loss would severely or critically degrade the
financial viability of the organization). Security labels are an excellent
means of enforcing access restrictions consistently; however, their adminis-
trative burden and inflexibility can be a significant deterrent to their use.
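The following is an added example, not code from the book or from NIST, that implements the behaviour the NIST passage above describes: sessions may be started only at labels the user is cleared for, a session may read a file only if its label dominates the file's label, output from the session (here, a copy of a file) is labelled with the join of the session label and every file read, and a label can be changed only by a privileged, audited operation. The levels, compartments, users and clearances are constructed; the dominance rule is the usual lattice ordering (higher or equal level and a superset of compartments).

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List

# Added example (not from the book): label-based mandatory access control.
# Levels, compartments and clearances below are constructed.

LEVELS = {"UNCLASSIFIED": 0, "PROPRIETARY": 1, "SECRET": 2}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self >= other: level at least as high and every compartment of other present."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)

    def join(self, other: "Label") -> "Label":
        """Least upper bound: the lowest label that dominates both inputs."""
        level = self.level if LEVELS[self.level] >= LEVELS[other.level] else other.level
        return Label(level, self.compartments | other.compartments)


@dataclass
class File:
    name: str
    label: Label
    content: str


@dataclass
class Session:
    user: str
    label: Label
    read_labels: List[Label] = field(default_factory=list)   # labels of files read so far


# Maximum label each user may operate at (constructed).
CLEARANCES = {
    "joe": Label("PROPRIETARY"),
    "alice": Label("SECRET", frozenset({"PAYROLL"})),
}

AUDIT_LOG: List[str] = []


def start_session(user: str, requested: Label) -> Session:
    """Only users whose clearance dominates the requested label may open such a session."""
    clearance = CLEARANCES.get(user)
    if clearance is None or not clearance.dominates(requested):
        raise PermissionError(f"{user} may not start a session at {requested}")
    return Session(user, requested)


def read(session: Session, f: File) -> str:
    """No read up: the session label must dominate the file label."""
    if not session.label.dominates(f.label):
        raise PermissionError(f"session {session.label} of {session.user} cannot read {f.name}")
    session.read_labels.append(f.label)
    return f.content


def output_label(session: Session) -> Label:
    """Output is labelled with the join of the session label and every file read in it."""
    lbl = session.label
    for seen in session.read_labels:
        lbl = lbl.join(seen)
    return lbl


def copy_file(session: Session, src: File, dst_name: str) -> File:
    """A copy goes through read() and inherits the output label; it can never carry a lower one."""
    content = read(session, src)
    return File(dst_name, output_label(session), content)


def relabel(actor: str, f: File, new_label: Label, privileged: bool = False) -> None:
    """Labels are fixed once set; only a privileged operation may change one, and it is audited."""
    if not privileged:
        raise PermissionError(f"{actor} may not change the label on {f.name}")
    AUDIT_LOG.append(f"{actor} relabelled {f.name}: {f.label} -> {new_label}")
    f.label = new_label


if __name__ == "__main__":
    payroll = File("payroll.xlsx", Label("SECRET", frozenset({"PAYROLL"})), "salaries")
    s = start_session("alice", Label("SECRET", frozenset({"PAYROLL"})))
    print(copy_file(s, payroll, "laptop/payroll.xlsx").label)   # copy keeps the SECRET/PAYROLL label
```

Note that the copy made by the session carries the join of everything the session has read, so a low-labelled file copied during a high session comes out high; that is the conservative side of the same rule and is one reason label administration is felt to be inflexible.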
Generally, security labels cannot be changed because they are permanently
bound to the information they mark. For this reason, data cannot be dis-
closed by a user copying it and changing the access rights on the copy in an
attempt to make the information more accessible than the document owner
originally intended: the copy carries the same label as the original. This feature