Security Disciplines for Objective 2: Prevention
2-2. Authorization and Access Control
Description
After identification and authentication are properly performed, the system knows who a user is. The next equally important step is to determine what permissions and access authorizations the user holds. Authorization and access controls are an essential part of maintaining
Purpose
This authorization and access control section provides an overview of the methods and technologies used to define, enforce, and manage the allocation of resource access permissions to users of justice information systems. A discussion of some of the unique access management issues encountered in sharing information among disparate organizations is also provided.
Principles
- Access privileges should be granted based on a written policy that identifies user roles and the information required by individuals performing in that role.
- Access to multiple information systems should be managed with as much central control as possible. Where diverse organizations are involved, the system software that supports access management must honor the access policies of each organization while automating as much of the administrative process as practical.
- Access management policies and procedures should be defined to permit user privileges to be easily modified, added, or deleted by authorized administrators.
- User privileges should be auditable.
Policies
Well-defined access policies are important to the security of an information system. The policy statement should provide clear guidelines on how to assign, remove, modify, authorize, and audit access privileges. The policy should consider the sensitivity of the information, need-to-know considerations, and privacy restrictions. (For more information and examples of access control policy statements, refer to The Missouri OSCA Data Security Guidelines, Access Controls.)
Best Practices
Managing and controlling access to information resources is a long-standing and well-studied problem. As a result, there is a rich and evolving set of technologies to address the problem. There are two fundamental types of access control: mandatory and discretionary, sometimes referred to as MAC and DAC, respectively. MAC and DAC can be defined as follows:
Mandatory Access Control (MAC)—In most MAC-based systems, both users and information resources are labeled. A familiar MAC implementation is the one used for national security information. In that implementation, the labels may include “Unclassified,” “Confidential,” “Secret,” and “Top Secret.” In order to obtain access to secret information, the user needs at least a “Secret” clearance. In this regard, access controls are mandatory—they cannot be changed at the discretion of the system administrator.
Discretionary Access Control (DAC)—In DAC systems, there are no explicit security-level labels on users and information. The system administrator plays a much more significant role in assigning permissions to users. Access to a resource may be granted to a user based on the discretion of the system administrator. Although there is no formal concept of security level, DAC systems are usually based on some kind of policy that instructs the administrator on how to determine who gets access to what.
This section focuses primarily on DAC, since it is the dominant type of access control in justice applications. While attempts have been made to define security levels and labels for information, there is no well-accepted standard on par with the national security-level MAC system. Lack of standards, however, does not eliminate the need to understand and categorize the access sensitivity of information. This topic is addressed further under Section 2-4, Data Classification.
DAC is typically implemented through some form of an access control list (ACL). A sample ACL appears in Table 2-2: Sample Access Control List. The ACL is a table that allocates the right to access an “object” to “subjects.” An access right traditionally includes permissions such as create, delete, read, write, and modify. A subject might be a specific user, such as “Officer Jones,” or a group of users, such as “police officers.” ACLs are typically implemented in vendors’ system software products. An operating system (such as Windows 2000) will have an ACL, as will a database management system (such as Oracle).
| Subject | Access | Object |
|---|---|---|
| Officer Jones | Create, read, modify, delete | Criminal history database |
| Officer Jones | Read | Arrest record database |
| Officer Smith | Create, read, modify, delete | Criminal history database |
Other commonly used access control mechanisms include Role-Based Access Control (RBAC), Lightweight Directory Access Protocol (LDAP), and Security Assertion Markup Language (SAML).
Role-Based Access Control (RBAC)—RBAC builds on the model for an ACL subject. In RBAC, permissions are associated with roles, and users are made members of appropriate roles. This model simplifies access administration, management, and audit procedures. The role-permission relationship changes much less frequently than the role-user relationship. RBAC allows these two relationships to be managed separately and gives much clearer guidance to system administrators on how to properly add new users and their associated permissions. RBAC is particularly appropriate in justice information sharing systems where there are typically several organizationally diverse user groups that need access, in varying degrees, to enterprise-wide data. For example, when Officer Jones joins the police, he/she will be given the information access privileges that are due the “police officer role.” Some of these privileges may be associated with information maintained by other organizations, such as the sheriff's office or the courts.
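The following added example (not code from the original guidelines) encodes Table 2-2 first as a per-user ACL and then as RBAC with a single "police officer" role whose permissions and membership are kept in separate tables, as the text describes. The class names, "Officer Lee" (a constructed new hire) and the role name are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample objects and permissions, modelled on Table 2-2 of this section.
CRIMINAL_HISTORY = "Criminal history database"
ARREST_RECORDS = "Arrest record database"
FULL = {"create", "read", "modify", "delete"}

@dataclass
class AccessControlList:
    """DAC-style ACL: maps (subject, object) to the operations permitted."""
    entries: dict = field(default_factory=dict)

    def grant(self, subject, obj, perms):
        self.entries.setdefault((subject, obj), set()).update(perms)

    def check(self, subject, obj, perm):
        return perm in self.entries.get((subject, obj), set())

@dataclass
class Rbac:
    """RBAC: role->permissions and user->roles are maintained separately."""
    role_perms: dict = field(default_factory=dict)  # role -> {(object, perm)}
    user_roles: dict = field(default_factory=dict)  # user -> {role}

    def define_role(self, role, grants):
        self.role_perms[role] = set(grants)

    def assign(self, user, role):
        if role not in self.role_perms:  # no ad hoc, unreviewed privileges
            raise KeyError(f"undefined role: {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def check(self, user, obj, perm):
        return any((obj, perm) in self.role_perms[r] for r in self.user_roles.get(user, ()))

    def audit(self, user):
        """Effective privileges of one user (supports the auditability principle)."""
        return {g for r in self.user_roles.get(user, ()) for g in self.role_perms[r]}

def build_sample():
    """Encode Table 2-2 as a per-user ACL and as a single 'police officer' role."""
    acl = AccessControlList()
    acl.grant("Officer Jones", CRIMINAL_HISTORY, FULL)
    acl.grant("Officer Jones", ARREST_RECORDS, {"read"})
    acl.grant("Officer Smith", CRIMINAL_HISTORY, FULL)
    rbac = Rbac()
    rbac.define_role("police officer", {(CRIMINAL_HISTORY, p) for p in FULL} | {(ARREST_RECORDS, "read")})
    for officer in ("Officer Jones", "Officer Smith", "Officer Lee"):  # Lee: constructed new hire
        rbac.assign(officer, "police officer")  # one assignment each; no per-object edits
    return acl, rbac
```

Note that in the per-user ACL of Table 2-2, Officer Smith has no arrest-record entry while Officer Jones does; under the role both officers receive the same privilege set, and `audit()` lists exactly what any user can do.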
Environments in which users must gain access to multiple information systems create additional administration and management challenges. Each information system will maintain its own ACL. The administrators for each system will be required to maintain current and accurate ACLs that may include users from other organizations. There will need to be policies and procedures used to validate the credentials of users from external organizations. Ideally, the ACLs should be integrated so that, within a single organization, access to multiple information systems can be managed in a centralized manner, and across multiple organizations, additions and changes to access privileges can be coordinated and supported. Products and technologies that address this problem are named Extranet Access Management (EAM).
The problem of managing access to multiple applications is not a new one, and several solutions exist. For example, the well-known mainframe utility, Resource Access Control Facility (RACF), allows the system administrator to manage user access permissions to multiple databases and software applications. There are mechanisms within the mainstream server operating systems (e.g., Netware, Windows 2000, and UNIX) to establish privileges for registered users on different systems. EAM tools extend the ability to centrally manage access to a wide variety of information systems, including Web services. The problem becomes more complex as the information systems become more diverse and spread over multiple agencies. In some cases, for example, the administrators from “Agency A” may not want users from “Agency B” to be automatically added to their system by “Agency B” administrators without their explicit knowledge and approval. The ideal access management solution will honor the user permission policies of each agency it serves while making administration as easy and automated as possible. The following technologies support this type of solution.
Lightweight Directory Access Protocol (LDAP)—Lists of users and their privileges (ACLs) are typically stored in data structures called directories. The standard for accessing directories is LDAP. While LDAP is only an access method and does not define the content or format of the ACL information, it is a broadly implemented standard and provides an important tool for enterprise-wide access management.
Security Assertion Markup Language (SAML)—SAML is an emerging standard and does not yet have broad industry support. SAML is Extensible Markup Language (XML)-based and provides a standardized way to exchange information about authentication and access privileges. Industry watchers predict that it will improve the integration of access control and management among multiple, diverse information systems.
References
For applicable standards, see:
- Lightweight Directory Access Protocol (LDAP): http://www.ietf.org/rfc/rfc1777.txt.
- Security Assertion Markup Language (SAML): http://www.oasis-open.org/specs/index.php.