
1 Basics of Access Control

1.1.1 Access control overview

Access control can be defined as “A system that allows the right person into the right place at
the right time.” This principle holds true in all industries and applications. From this we can
arrive at a fuller definition: access control is a process by which users are identified
and granted certain privileges to information, systems, or resources, together with a collection of
methods and components used to protect information assets.

The objectives of access control are to preserve and protect the confidentiality, integrity and
availability of secure information, systems, and resources. Confidentiality means ensuring that
only authorized users can view information, protecting it from unauthorized disclosure.
Integrity means that only authorized modifications can be made. Availability is certainly
less confusing than confidentiality or integrity: while data and resources need to be secure,
they also need to be accessible and available in a timely manner. Access control gives you the
ability to dictate what information a user can both view and modify. 1,2

Access control means secure, well-controlled access. To understand exactly how access control
works, let us first define the subjects and objects of an access.

A subject is an abstraction of any active entity that requests access to resources;
relations may exist among the various types of subject.
Subjects can be classified into:
– Users -- single individuals connecting to the system
– Groups -- sets of users
– Roles -- named collections of privileges / functional entities within the organization
– Processes -- executing programs on behalf of users *3

Object: the resource a subject attempts to access. It could be anything that holds data, such
as relations, directories, inter-process messages, network packets, I/O devices, or physical
media.
The object of an access is the passive part of the access because the subject takes action on
the object. So, the goal of a sound access control policy is to allow only authorized subjects
to access objects they are permitted to access. It is possible to be an authorized subject but not
have access to a specific object.

1.1.2 Least Privilege

Least privilege is the principle of allowing users or applications the least amount of
permissions necessary to perform their intended function. *4
This principle requires that each subject in a system be granted the most restrictive set of
privileges (or lowest clearance) needed for the performance of authorized tasks. The
application of this principle limits the damage that can result from accident, error, or
unauthorized use. *5

1.1.3 Controls

After deciding the least privilege that must be granted for access to the system and resources, you
should choose the best way to allow or disallow subjects' access to objects. These
mechanisms are called controls. A control is any potential barrier that protects your information
from unauthorized access. Controls protect your information from threats. There are many
types of controls, often organized into several categories.

Table 2.1 lists several common control categories. *1


1.1.4 Accountability

Even if you can control who is allowed to access the system and what they can do on it,
you want to be able to track activity so that you can hold people accountable for their actions.
Also, in some cases the administrator might not have set up the access controls correctly.
The administrator might have given a user too much or too little access. By holding a user
accountable, you can see exactly what s/he did or did not do and use this information to
adjust the access controls to the right level. A common way to keep track of
accountability is with logging. By recording what people do on a system, you can hold them
accountable for their actions.

Accountability uses system components such as audit trails (records) and logs to associate a
subject with its actions. The information recorded should be sufficient to map the subject to a
controlling user. Audit trails and logs are important for:

– Detecting security violations
– Re-creating security incidents

If no one is regularly reviewing your logs and they are not maintained in a secure and
consistent manner, they may not be admissible as evidence. Many systems can generate
automated reports based on certain predefined criteria or thresholds, known as clipping levels.
For example, a clipping level may be set to generate a report for the following:

– More than three failed logon attempts in a given period
– Any attempt to use a disabled user account

These reports help a system administrator or security administrator to more easily identify
possible break-in attempts.
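
The two clipping levels listed above can be expressed as a small report generator. This is an added example, not part of the original text; the event tuples, account names, the ten-minute period and the choice to restart the count after each report are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: (ISO timestamp, account, logon outcome).
EVENTS = [
    ("2024-05-01T09:00:00", "bob", "FAIL"),
    ("2024-05-01T09:00:05", "alice", "FAIL"),
    ("2024-05-01T09:00:40", "alice", "FAIL"),
    ("2024-05-01T09:01:10", "alice", "FAIL"),
    ("2024-05-01T09:02:00", "alice", "FAIL"),    # fourth failure in the period
    ("2024-05-01T09:03:00", "carol", "OK"),
    ("2024-05-01T09:05:00", "olduser", "FAIL"),  # account is disabled
    ("2024-05-01T09:20:00", "bob", "FAIL"),
    ("2024-05-01T09:40:00", "bob", "FAIL"),
    ("2024-05-01T10:00:00", "bob", "FAIL"),      # four failures, but spread out
]
DISABLED_ACCOUNTS = {"olduser"}  # constructed


def clipping_report(events, disabled, max_failures=3,
                    period=timedelta(minutes=10)):
    """Return (timestamp, account, reason) for each crossed clipping level."""
    recent = defaultdict(deque)   # account -> failure times inside the period
    report = []
    for stamp, account, outcome in sorted(events):
        when = datetime.fromisoformat(stamp)
        if account in disabled:
            # Any attempt on a disabled account is reported, whatever the outcome.
            report.append((stamp, account, "disabled-account-attempt"))
            continue
        if outcome != "FAIL":
            continue
        failures = recent[account]
        failures.append(when)
        while when - failures[0] > period:   # drop failures older than the period
            failures.popleft()
        if len(failures) > max_failures:     # "more than three", so the fourth
            report.append((stamp, account, "failed-logon-threshold"))
            failures.clear()                 # assumption: restart the count
    return report


if __name__ == "__main__":
    for line in clipping_report(EVENTS, DISABLED_ACCOUNTS):
        print(*line)
```
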

Notice that accountability supports non-repudiation, deterrence, fault isolation, intrusion
detection and prevention, and after-action recovery and legal action.

1.5 File and Data Ownership

In any system, files and data may contain important, valuable information that should be
protected from unauthorized access or modification. When determining who is responsible for
ensuring the security of system and resource information, we should identify the layers of
responsibility, because each layer represents different requirements and actions for each
group of data. The most common layers
are data owner, data custodian, and data user. Each layer has specific expectations to support
the system’s security policy.

1.5.1 Data Owner

The data owner accepts the ultimate responsibility for the protection of the data. S/he is the
person who sets the classification level of the data, delegates the day-to-day
responsibility of maintenance to the data custodian, and determines how much risk to accept.
He or she must make decisions about who will be permitted to access the information and
how they will use it.

What are the responsibilities of the data owner?

The data owner is responsible for setting up a policy and rules that determine how the data is
accessed, how the data should be secured, how long the data should be retained, what the
appropriate disposal methods are, and whether the data should be encrypted. The owner
can also allow specific individuals to see and update the data. For example, anyone in the
accounting department can view the accounting data, but only lead accounting analysts can
add new accounts.
The data owner may appoint an administrator to do the daily tasks associated with these
responsibilities. For example, the data owner may appoint someone to approve daily requests
to access the data. The appointed person will act under the direct instructions of the data
owner.
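
The accounting rule above, written as a default-deny check over users, groups and roles. This is an added example, not from the original text; the user names, the role and object identifiers and the `decide` function are hypothetical.

```python
# Constructed directory: the groups and roles each user (subject) holds.
MEMBERSHIP = {
    "dana": {"group": {"accounting"}, "role": {"lead-accounting-analyst"}},
    "eli":  {"group": {"accounting"}, "role": set()},
    "fay":  {"group": {"engineering"}, "role": set()},
}

# Rules set by the data owner: (subject kind, subject name, object, actions).
POLICY = [
    ("group", "accounting", "accounting-data", {"view"}),
    ("role", "lead-accounting-analyst", "accounting-data", {"add-account"}),
    ("group", "engineering", "build-logs", {"view"}),
]

AUDIT_TRAIL = []  # every decision is recorded, allowed or not


def decide(user, action, obj):
    """Default deny: allow only when a rule names a group or role the user holds."""
    held = MEMBERSHIP.get(user, {})
    decision, matched = "deny", None
    for kind, name, rule_obj, actions in POLICY:
        if rule_obj == obj and action in actions and name in held.get(kind, ()):
            decision, matched = "allow", f"{kind}:{name}"
            break
    record = (user, action, obj, decision, matched)
    AUDIT_TRAIL.append(record)   # ties the subject to the attempted action
    return record


if __name__ == "__main__":
    for request in [("eli", "view", "accounting-data"),
                    ("eli", "add-account", "accounting-data"),
                    ("dana", "add-account", "accounting-data"),
                    ("fay", "view", "accounting-data")]:
        print(decide(*request))
```

Here `fay` is an authorized subject of the system yet is denied on `accounting-data`, which is the case described earlier of an authorized subject without access to a specific object.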

1.5.2 Data Custodian


The data owner assigns the data custodian to enforce security policies according to the data
classification set by the data owner. The custodian is often a member of the IT department
and follows specific procedures to secure and protect assigned data; s/he is responsible for
implementing the policies set by the data owner. For example, IT is usually responsible for
ensuring that the database file access controls (such as *PUBLIC authority) are set per the
data owner’s requirements.
This includes implementing and maintaining appropriate controls, taking backups, and
validating the integrity of the data.

What are the responsibilities of the data custodian?

Data custodians control system data within IT areas. Their responsibilities include the
following:

1. Controlling data definitions to ensure data conform to consistent definitions over the
life of the data.
2. Approving requests for access to University data submitted by authorized University
personnel.
3. Reviewing accesses and transaction groups ensuring the accesses and groups are
appropriate and valid.
4. Monitoring the data to ensure current data processing procedures are effective.

*9

1.5.3 Data User

Finally, the users of data are the ones who access the data on a day-to-day basis. They are
charged with the responsibility of following the security policy as they access data. You
would expect to see more formal procedures that address important data, and users are held
accountable for their use of data and adherence to these procedures. In addition to a
commitment to follow security procedures, users must be aware of how important security
procedures are to the health of their organization. All too often, users use shortcuts to bypass
weak security controls because they lack an understanding of the importance of the controls.
An organization’s security staff must continually keep data users aware of the need for
security, as well as the specific security policy and procedures.

1 Chapter 2, Access Control Methodologies. http://www.jblearning.com/samples/076372677X/chapple02.pdf
2 http://www.intranetjournal.com/articles/200311/ij_11_10_03a.html
3 http://www.cs.unibo.it/ricerca/grad/biss2006/ACS/security-2.pdf
4 www.networkdictionary.com/security/l.php
5 http://www.michigan.gov/cybersecurity/0,1607,7-217-34415---,00.html
6 http://en.wikipedia.org/wiki/Access_control
7 http://books.google.ae/books?id=UdX_oFSpxN0C&pg=PA13&lpg=PA13&dq=basic+of+access+control+system+and+methodology&source=bl&ots=0WdfSJahEe&sig=uXrQn4HWn84qnn--r668gv7gBv0&hl=ar&ei=oJuMTc2fIZKZhQfFv6S7Cw&sa=X&oi=book_result&ct=result&resnum=3&ved=0CCYQ6AEwAjgK#v=onepage&q&f=false
8 http://www.skyviewpartners.com/pdf/Data_Classification_Ownership.pdf
9 http://www.ts.ilstu.edu/mvs-forms/responsibilities.htm

http://www.information-management.com/news/1057220-1.html (pic)
