This article focuses on the authorization aspects of access controls as they are reflected in software designs, implementations and the management of software development lifecycles. Some sources include both authentication and authorization as aspects of access control. These are closely related but separate concepts and are managed through different processes. The granting of authorization is an administrative control. The enforcement of authorization through software mechanisms is referred to as access control.
ISO 27000:2014 defines access control as meaning to ensure that access to assets is authorized and restricted based on business and security requirements.
The definitions of access control provided in U.S. National Institute of Standards and Technology (NIST) Special Publication 800-53 (SP800-53) are context specific and not given a general definition. We do find, however, that the Access Control family of controls focuses on both authentication and authorization.
The Information Security Forum Standard of Good Practice (2014) includes Access Control and User Authorization as separate controls within the Access Management control group. Authorization privileges are discussed there in Access Control (CF6.1.6), among others.
All of these standards are frequently referenced sources of good guidance on access controls.
Based on the guidance of such standards and common usage in the field, the following definitions are proposed:
Authorization controls govern decisions and processes of determining, documenting and managing the subjects (users, devices or processes) that should be granted access and the objects to which they should be granted access; essentially, what is allowed.
Access controls govern the methods and conditions of enforcement by which subjects (users, devices or processes) are allowed to or restricted from connecting with, viewing, consuming, entering into or making use of identified information resources (objects).
Some Generic Types of Access Controls:
When thinking of access control, you might first think of the ability to login to a system or access files or a database. Access can be controlled, however, at various levels and with respect to a wide range of subjects and objects. Some examples include:
- Network access - the ability to connect to a system or service;
- At the host - access to operating system functionality;
- Physical access - at locations housing information assets or physical access to the assets themselves;
- Restricted functions - operations evaluated as having an elevated risk, such as financial transactions, changes to system configuration, or security administration.
Resource access may refer not only to files and database functionality, but to:
- applications or APIs;
- specific application screens or functions;
- specific data fields;
- private or protected variables;
- storage media;
- transmission media;
- In short, any object used in processing, storage or transmission of information.
Access Control Models:
Discretionary access controls are based on the identity and need-to-know of subjects and/or the groups to which they belong. They are discretionary in the sense that a subject with certain access permissions is capable of passing on that access, directly or indirectly, to other subjects.
Mandatory access controls are based on the sensitivity of the information contained in the objects / resources and a formal authorization. They are mandatory in the sense that they restrain subjects from setting security attributes on an object and from passing on their access.
Role-based access controls (RBAC) are based on the roles played by users and groups in organizational functions. Roles, alternatively referred to as security groups, include collections of subjects that all share common needs for access. Authorization for access is then provided to the role or group and inherited by members.
Attribute-based access control (ABAC) is a newer paradigm based on properties of an information exchange that may include identified attributes of the requesting entity, the resource requested, or the context of the exchange or the requested action. Some examples of contextual attributes are things such as:
- time of day;
- currently evaluated threat level;
- required hygiene measures implemented on the respective hosts.
In general, in ABAC, a rules engine evaluates the identified attributes to issue an authorization decision.
Examples of Access Controls in Software:
- Account management;
- Mapping of user rights to business and process requirements;
- Mechanisms that enforce policies over information flow;
- Limits on the number of concurrent sessions;
- Session lock after a period of inactivity;
- Session termination after a period of inactivity, total time of use or time of day;
- Limitations on the number of records returned from a query (data mining);
- Features enforcing policies over segregation of duties;
- Segregation and management of privileged user accounts;
- Implementation of the principle of least privilege for granting access;
- Requiring VPN (virtual private network) for access;
- Dynamic reconfiguration of user interfaces based on authorization;
- Restriction of access after a certain time of day.
- Joint Task Force Transformation Initiative. Security and Privacy Controls for Federal Information Systems and Organizations. Special Publication 800-53 revision 4. (2013) U.S. National Institute of Standards and Technology. http://dx.doi.org/10.6028/NIST.SP.800-53r4
- Joint Technical Committee 1, Information Technology, Subcommittee 27, IT Security Techniques. Information Technology - Security Techniques - Information Security Management Systems - Overview and Vocabulary. ISO/IEC. (2014). http://standards.iso.org/ittf/PubliclyAvailableStandards/c063411_ISO_IEC_27000_2014.zip
- The Standard of Good Practice for Information Security. Information Security Forum. (2014). https://www.securityforum.org/shop/p-71-173
- DSS05 within Cobit 5: Enabling Processes. ISACA. (2012). http://www.isaca.org/COBIT/Pages/COBIT-5-Enabling-Processes-product-page.aspx
- OWASP Access Control Cheat Sheet
- OWASP Guide to Authorization