Authorization Mechanisms

CISSP

Authorization mechanisms are crucial for controlling how subjects (active entities like users, programs, or processes) access objects (passive entities like files, databases, or systems). The method of authorization depends on the access control model employed by the IT system. Below are the key access control techniques mentioned in the CISSP Common Body of Knowledge (CBK):

1. Discretionary Access Control (DAC)

  • Overview: DAC is a type of access control where the owner of the resource (subject) has the discretion to grant or restrict access to that resource. The owner can create, modify, or delete access controls.
  • Characteristics:
    • Ownership: The owner of the object decides who can access it.
    • Flexibility: Users can control access to their own resources.
    • Common Uses: Typically found in environments where users need flexibility, such as Windows and UNIX systems.
    • Example: A file owner in a Windows environment can decide which users or groups have read, write, or execute permissions.

2. Mandatory Access Control (MAC)

  • Overview: MAC is a strict access control model where access to resources is determined by the operating system based on the security classification of the information and the clearance level of the user. Users cannot change access permissions.
  • Characteristics:
    • Centralized Control: Access decisions are made by a central authority based on predefined policies.
    • High Security: Often used in environments that require high levels of security, such as government or military systems.
    • Common Uses: Classified information environments where access is based on security labels.
    • Example: A government system where users with “Top Secret” clearance can access data classified as “Top Secret.”

3. Role-Based Access Control (Role-BAC)

  • Overview: In Role-BAC, access rights are assigned based on the roles within an organization. Users are granted permissions to access resources based on their role, rather than their identity.
  • Characteristics:
    • Role-Centric: Access is controlled by assigning permissions to roles, and users inherit permissions based on their role.
    • Scalability: Easier to manage as users are added or moved within an organization.
    • Common Uses: Commonly used in organizations where users’ roles determine their access, such as in corporate or enterprise environments.
    • Example: An employee in the “HR Manager” role may have access to all HR-related documents, whereas an “HR Assistant” may only have access to non-sensitive HR files.

4. Rule-Based Access Control (Rule-BAC)

  • Overview: Rule-BAC allows access based on a set of rules defined by the system administrator. Access rights are granted or denied based on rules that evaluate conditions such as time of day, user location, or specific actions.
  • Characteristics:
    • Condition-Based: Access is determined by specific rules that apply to all users.
    • Dynamic: Rules can be adjusted as needed to meet specific security needs.
    • Common Uses: Often used in environments where access needs to be tightly controlled based on specific conditions.
    • Example: A firewall rule might block all access to a network outside of business hours.
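The four models above differ mainly in who makes the decision and on what basis. The following added example (not from the original article) implements each one in miniature: a DAC object whose owner is the only one allowed to edit its ACL, a MAC check that compares a clearance against a classification, a Role-BAC lookup from user to role to permission, and a Rule-BAC time-of-day rule that applies to everyone. All users, roles, labels and the business-hours window are constructed sample data.

```python
"""Toy access-decision engine (added illustration, not the article's own code).
Implements DAC, MAC, Role-BAC and Rule-BAC decisions on constructed sample data."""
from dataclasses import dataclass, field
from datetime import time

# --- DAC: the object's owner edits its ACL; nobody else may ----------------
@dataclass
class DacObject:
    name: str
    owner: str
    acl: dict = field(default_factory=dict)   # user -> set of permissions

def dac_grant(obj: DacObject, actor: str, user: str, perm: str) -> bool:
    """Only the owner may change the ACL (the 'discretionary' part)."""
    if actor != obj.owner:
        return False
    obj.acl.setdefault(user, set()).add(perm)
    return True

def dac_check(obj: DacObject, user: str, perm: str) -> bool:
    return user == obj.owner or perm in obj.acl.get(user, set())

# --- MAC: labels are ordered; a subject may read an object only if its
#     clearance dominates the object's classification (no read-up) ----------
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

def mac_can_read(clearance: str, classification: str) -> bool:
    return LEVELS[clearance] >= LEVELS[classification]

# --- Role-BAC: permissions hang off roles; users are assigned roles --------
ROLE_PERMS = {                                   # constructed sample roles
    "HR Manager":   {"hr:read-all", "hr:write", "hr:read-nonsensitive"},
    "HR Assistant": {"hr:read-nonsensitive"},
}
USER_ROLES = {"alice": {"HR Manager"}, "bob": {"HR Assistant"}}

def rbac_check(user: str, perm: str) -> bool:
    return any(perm in ROLE_PERMS.get(role, set())
               for role in USER_ROLES.get(user, set()))

# --- Rule-BAC: a condition-based rule that ignores identity ----------------
BUSINESS_HOURS = (time(9, 0), time(17, 0))       # constructed policy window

def rule_check(now: time, hours=BUSINESS_HOURS) -> bool:
    """Allow network access only inside business hours (like the firewall rule)."""
    start, end = hours
    return start <= now < end

if __name__ == "__main__":
    report = DacObject("report.docx", owner="alice")
    dac_grant(report, "alice", "bob", "read")
    print("bob read report:", dac_check(report, "bob", "read"))
    print("SECRET reads TOP SECRET:", mac_can_read("SECRET", "TOP SECRET"))
    print("bob hr:read-all:", rbac_check("bob", "hr:read-all"))
    print("access at 22:00:", rule_check(time(22, 0)))
```

Note that the MAC check only covers the "no read-up" half of a label model; a full implementation also constrains writes, and the labels and their ordering would come from the system's policy rather than a dictionary in code.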

Common Authentication Protocols in Use:

  • Kerberos: Used in Windows environments for authentication. It employs symmetric key cryptography and requires time synchronization for secure operation.
  • RADIUS (Remote Authentication Dial-In User Service): Typically used for authentication of users in wireless networks, modems, and network devices. RADIUS supports two-factor authentication and encrypts passwords.
  • OAuth: Primarily used for web applications to provide token-based authorization, allowing users to grant third-party applications limited access to their resources without sharing credentials.
  • TACACS+ (Terminal Access Controller Access-Control System Plus): Used primarily for network devices, TACACS+ separates authentication, authorization, and accounting processes, providing enhanced security through the use of tokens.

These access control models and protocols provide the framework for securing access to resources and ensuring that only authorized subjects can interact with sensitive objects within an IT system.

Understanding Authorization Mechanisms

Authorization mechanisms are essential components of access control models. They determine how access to specific objects or resources is controlled, ensuring that only authorized users can perform certain actions. Here are the key authorization mechanisms:

1. Constrained Interface Applications (Restricted Interfaces)

  • Definition: Constrained interfaces limit what users can see or do based on their privileges.
  • Functionality:
    • Hidden Capabilities: If a user lacks the necessary permissions, certain features or functionalities are hidden from their view.
    • Disabled Options: Alternatively, the application might display menu items or options but in a disabled or dimmed state, indicating that the user does not have the necessary permissions to access them.

2. Content-Dependent Control

  • Definition: Access is restricted based on the actual content within an object, often used in databases.
  • Example:
    • Database Views: A view might restrict access to specific columns in a database table, creating a virtual table that only displays the allowed data. Users can only see or interact with the content that is within their permitted scope.
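The database-view mechanism can be shown directly. The added example below (not part of the original article) builds an in-memory SQLite database with constructed sample rows, including sensitive salary and SSN columns, and defines a view that projects only the non-sensitive columns and only the HR department's rows; anything queried through the view is limited to that content.

```python
"""Content-dependent control via a database view (added example, constructed data)."""
import sqlite3

def build_db() -> sqlite3.Connection:
    """Create the base table and a restricting view in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE employee (
            id INTEGER PRIMARY KEY, name TEXT, dept TEXT, salary INTEGER, ssn TEXT);
        INSERT INTO employee VALUES
            (1, 'Alice', 'HR',      90000, '111-11-1111'),
            (2, 'Bob',   'HR',      60000, '222-22-2222'),
            (3, 'Carol', 'Finance', 85000, '333-33-3333');
        -- Content-dependent control: column projection plus a row predicate.
        CREATE VIEW hr_directory AS
            SELECT id, name, dept FROM employee WHERE dept = 'HR';
    """)
    return conn

def view_columns(conn: sqlite3.Connection) -> list:
    """Columns exposed by the view: the sensitive ones are simply absent."""
    cur = conn.execute("SELECT * FROM hr_directory LIMIT 0")
    return [d[0] for d in cur.description]

def read_directory(conn: sqlite3.Connection) -> list:
    """Rows visible through the view: only the HR department."""
    return conn.execute(
        "SELECT id, name, dept FROM hr_directory ORDER BY id").fetchall()

def salary_blocked_via_view(conn: sqlite3.Connection) -> bool:
    """True if asking the view for the sensitive column fails, as it should."""
    try:
        conn.execute("SELECT salary FROM hr_directory")
        return False
    except sqlite3.OperationalError:   # "no such column: salary"
        return True

if __name__ == "__main__":
    db = build_db()
    print(view_columns(db))
    print(read_directory(db))
    print("salary blocked:", salary_blocked_via_view(db))
```

The control is only effective when the application's database account is granted SELECT on the view and no privilege on the base table; SQLite has no GRANT statement, so the example shows the projection and row filter but not the privilege assignment that a server database (PostgreSQL, SQL Server, Oracle) would add.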

3. Context-Dependent Control

  • Definition: Access is granted or denied based on the context or conditions surrounding the access attempt.
  • Functionality:
    • Time-Based Access: Users might be restricted to accessing certain resources only during specific times, such as during work hours. If access is attempted outside these conditions, it is denied.

4. Need to Know

  • Definition: Access is granted only if a subject needs the information to perform their job functions or tasks.
  • Implementation:
    • Selective Access: Even if a user has clearance for certain classified information, they will not be granted access unless it is necessary for their role.

5. Least Privilege

  • Definition: Users are granted the minimum level of access—or privileges—necessary to perform their job functions.
  • Application:
    • Action Rights: This includes not only access to data but also the rights to take actions on a system, such as modifying or deleting files.
    • Security: By minimizing privileges, the risk of unauthorized actions or data breaches is reduced.

6. Separation of Duties and Responsibilities

  • Definition: Sensitive tasks are divided among multiple people to prevent fraud, errors, and misuse of information.
  • Example:
    • Checks and Balances: No single person has control over all aspects of a sensitive process. For instance, one person might initiate a transaction, while another person must approve it.
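Least privilege and separation of duties reinforce each other in a two-step approval flow. The added example below (not from the original article) models a payment that must be initiated by one user and approved by a different one: each user holds only the permission their step needs, and the approval check refuses the initiator even when one account happens to hold both permissions. A static check also lists such over-privileged accounts for an access review. Users, permissions and the payment are constructed sample data.

```python
"""Two-person approval with least privilege and separation of duties (added example)."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample assignments. 'frank' deliberately violates least privilege.
PERMS = {
    "dana":  {"payment:initiate"},                      # clerk
    "erin":  {"payment:approve"},                       # supervisor
    "frank": {"payment:initiate", "payment:approve"},   # over-privileged
}
CONFLICTING = {"payment:initiate", "payment:approve"}

@dataclass
class Payment:
    amount: int
    initiated_by: Optional[str] = None
    approved_by: Optional[str] = None
    audit: list = field(default_factory=list)   # who did what, for review

def initiate(p: Payment, user: str) -> bool:
    """Step 1: requires the initiate privilege and an untouched payment."""
    if "payment:initiate" not in PERMS.get(user, set()) or p.initiated_by:
        p.audit.append(f"DENY initiate by {user}")
        return False
    p.initiated_by = user
    p.audit.append(f"initiated by {user}")
    return True

def approve(p: Payment, user: str) -> bool:
    """Step 2: requires the approve privilege AND a different person than step 1."""
    if "payment:approve" not in PERMS.get(user, set()) or p.initiated_by is None:
        p.audit.append(f"DENY approve by {user}: no privilege or nothing to approve")
        return False
    if user == p.initiated_by:                   # separation-of-duties check
        p.audit.append(f"DENY approve by {user}: initiator may not approve own payment")
        return False
    p.approved_by = user
    p.audit.append(f"approved by {user}")
    return True

def sod_violations(perms: dict = PERMS) -> list:
    """Static review: accounts holding both halves of a conflicting pair."""
    return sorted(u for u, ps in perms.items() if CONFLICTING <= ps)

if __name__ == "__main__":
    pay = Payment(500)
    initiate(pay, "dana")
    approve(pay, "dana")     # denied: same person
    approve(pay, "erin")     # allowed
    print(pay.audit)
    print("SoD violations:", sod_violations())
```

The runtime check in approve() is what stops misuse of an account like frank's, but the static sod_violations() report is what an access review uses to remove the excess privilege in the first place.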

7. Service Provisioning Markup Language (SPML)

  • Definition: SPML is an XML-based language used to automate the provisioning of users, resources, and services.
  • Application:
    • Provisioning Requests: Platforms use SPML to generate and respond to requests related to user accounts and access management.

8. Security Assertion Markup Language (SAML)

  • Definition: SAML is used for exchanging authentication and authorization data between security domains, enabling Single Sign-On (SSO).
  • Roles:
    • Principal (User): The entity seeking to authenticate.
    • Identity Provider (IdP): The entity that authenticates the user.
    • Service Provider (SP): The entity that provides services based on the authenticated user’s credentials.

9. eXtensible Access Control Markup Language (XACML)

  • Definition: XACML is used to describe and enforce access control policies.
  • Application:
    • Policy Definition: XACML defines policies that determine who can access what resources under which conditions.
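To make the "who, what, under which conditions" structure concrete, the following added example (not part of the original article or of any XACML product) parses a small XACML 3.0 policy and evaluates requests against it. It handles a deliberately narrow subset: one Policy using the deny-overrides rule-combining algorithm, Rule targets built from AnyOf/AllOf/Match with the string-equal function, and Permit/Deny effects. The policy document, attribute names (role, type, action-id) and the requests are constructed samples; the namespace, category and function URIs are the standard XACML 3.0 identifiers.

```python
"""Minimal XACML 3.0 evaluator for a small subset of the language (added example)."""
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

# Constructed sample policy: HR Managers may act on hr-files, but nobody may delete.
POLICY_XML = f"""<Policy xmlns="{NS['x']}" PolicyId="hr-files" Version="1.0"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
  <Target/>
  <Rule RuleId="managers-access-hr-files" Effect="Permit">
    <Target><AnyOf><AllOf>
      <Match MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{XS_STRING}">HR Manager</AttributeValue>
        <AttributeDesignator Category="{SUBJECT}" AttributeId="role"
          DataType="{XS_STRING}" MustBePresent="false"/>
      </Match>
      <Match MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{XS_STRING}">hr-file</AttributeValue>
        <AttributeDesignator Category="{RESOURCE}" AttributeId="type"
          DataType="{XS_STRING}" MustBePresent="false"/>
      </Match>
    </AllOf></AnyOf></Target>
  </Rule>
  <Rule RuleId="no-delete-for-anyone" Effect="Deny">
    <Target><AnyOf><AllOf>
      <Match MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{XS_STRING}">delete</AttributeValue>
        <AttributeDesignator Category="{ACTION}" AttributeId="action-id"
          DataType="{XS_STRING}" MustBePresent="false"/>
      </Match>
    </AllOf></AnyOf></Target>
  </Rule>
</Policy>"""

def match_ok(match, request: dict) -> bool:
    """One <Match>: the literal must equal some value in the request's attribute bag."""
    if match.get("MatchId") != STRING_EQUAL:
        raise ValueError("only string-equal is supported in this toy evaluator")
    literal = match.find("x:AttributeValue", NS).text
    des = match.find("x:AttributeDesignator", NS)
    bag = request.get(des.get("Category"), {}).get(des.get("AttributeId"), [])
    return literal in bag

def target_ok(target, request: dict) -> bool:
    """Target semantics: every AnyOf must hold; an AnyOf holds if any AllOf holds."""
    if target is None:
        return True                       # a Rule without a Target always applies
    anyofs = target.findall("x:AnyOf", NS)
    for anyof in anyofs:                  # empty <Target/> matches everything
        if not any(all(match_ok(m, request) for m in allof.findall("x:Match", NS))
                   for allof in anyof.findall("x:AllOf", NS)):
            return False
    return True

def evaluate(policy_xml: str, request: dict) -> str:
    """Return 'Permit', 'Deny' or 'NotApplicable' under deny-overrides."""
    policy = ET.fromstring(policy_xml)
    if not target_ok(policy.find("x:Target", NS), request):
        return "NotApplicable"
    decision = "NotApplicable"
    for rule in policy.findall("x:Rule", NS):
        if target_ok(rule.find("x:Target", NS), request):
            if rule.get("Effect") == "Deny":
                return "Deny"             # deny-overrides: a single Deny wins
            decision = "Permit"
    return decision

def request(role: str, rtype: str, action: str) -> dict:
    """Build a request context: category -> attribute id -> bag of values."""
    return {SUBJECT: {"role": [role]}, RESOURCE: {"type": [rtype]},
            ACTION: {"action-id": [action]}}

if __name__ == "__main__":
    for args in [("HR Manager", "hr-file", "read"), ("HR Manager", "hr-file", "delete"),
                 ("HR Assistant", "hr-file", "read")]:
        print(args, "->", evaluate(POLICY_XML, request(*args)))
```

A NotApplicable result is not a Permit: the enforcement point that consumes these decisions should treat anything other than Permit as a denial, which is why the HR Assistant request above ends up blocked even though no rule names that role.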

10. Simple Object Access Protocol (SOAP)

  • Definition: SOAP is a messaging protocol used for exchanging structured information in the implementation of web services.
  • Application:
    • XML Messaging: SOAP is used for transmitting messages in XML format between applications over a network.

These mechanisms and protocols work together to ensure that access is controlled, monitored, and enforced in a manner consistent with the organization’s security policies. By understanding and implementing these authorization mechanisms, organizations can better protect their resources and data from unauthorized access and potential security breaches.
