CISSP Access Control Models
Yasser Auda
Cisco VIP, CCIE#45694, CCSI#34215, CISSP, MSc Computer Networking & Cyber Security
Access Control Models are frameworks that explain how subjects access objects.
Every OS has a security kernel/reference monitor that enforces the access control model.
Access Control Models are:
- DAC (Discretionary access control) Model
- MAC (Mandatory Access Control) Model
- RBAC (Role Based Access Control) Model
- ABAC (Attribute Based Access Controls) Model
DAC (Discretionary access control) Model
- Most commonly used and user friendly; enforced by ACLs
- The user can be the data owner and decide who can access the data, for example by setting permissions on files you created or own
- It is based on identity
Examples:
- File permissions in Linux & Windows OS
- ACL and ACE in Windows & Cisco routers
Each permission that exists can be assigned in one of two ways:
- Explicitly: rights & permissions are assigned directly to the user.
- Implicitly: rights & permissions are assigned to a group, and the user just inherits them.
DAC permissions (Linux or Microsoft etc.)
- Read
- Write
- Execute
- Delete
- Change: can do all permissions but cannot take ownership or change the owner
- Full Control: can do everything
[Figures: Linux permissions; Microsoft share permissions; Microsoft NTFS permissions]
MAC (Mandatory Access Control) Model
- Most secure; based on the Bell-LaPadula model; enforced by labels
- Access is based on the clearance of the subject & the classification of the object
- The subject has a profile that includes a clearance
- The object has a label that contains a classification
Example 1: SELinux
Example 2:
A clearance is like "after deep investigation about Yasser, he can access TOP SECRET files".
A label is like "files X, Y, Z are classified TOP SECRET".
If Yasser had the following clearance:
"TOP SECRET access allowed + Need To Know", then Yasser can access files X, Y, Z, since they are labeled "TOP SECRET".
Need To Know here means that even if you are allowed to access TOP SECRET files, you cannot access every file with this label; you must have a reason to access a specific file, to learn something you are approved to know.
RBAC (Role Based Access Control) Model
- Non-discretionary access control
- Allows enforcing enterprise security policy
- In RBAC, higher roles inherit the permissions and rights of lower roles
- Used to implement separation of duties
Examples:
- Accounts we create in IPS and ISE, such as administrator, operator, viewer, service, etc.
- Groups we create in Microsoft Exchange
Note: you may hear about RBAC (Rule Based Access Control); this is NOT a model but a technique.
Example:
- Firewall rules that allow or disallow different types of inbound/outbound traffic
ABAC (Attribute Based Access Controls) Model
- defines an access control paradigm whereby access rights are granted to users through the use of policies which combine attributes together.
- The policies can use any type of attributes (user attributes, resource attributes, object, environment attributes etc.).
- This model supports Boolean logic, in which rules contain "IF, THEN" statements about who is making the request, the resource, and the action.
- For example: IF the requester is a manager, THEN allow read/write access to sensitive data.
- One of the best standards that implement ABAC is XACML, "eXtensible Access Control Markup Language"
- Rule Based Access Control can be considered a special case of ABAC
So ABAC is an authorization decision based on:
- Attributes assigned to subjects and objects, and environmental conditions
- A set of policies linked to these attributes & conditions
Subject attributes, e.g.: name, nationality, role, security clearances
Object attributes, e.g.: name, owner, data creation
Environmental conditions, e.g.: location of access, time of access
Every object should be associated with at least one policy that regulates which operations a subject with certain attributes, under certain environmental conditions, can perform on the object.
Example [Source: Cisco Press]:
All "Engineers" who work in the "Security Business Unit" and are assigned to the "NGFW Project" are allowed to "R&W" all the "Design Documents" in the "NGFW Project" folder when connecting from "Building A".
Subject attributes:
"Engineers" , "Security Business Unit" and assigned to the "NGFW Project"
Object attributes:
"Design Documents" in "NGFW Project" folder
Operations allowed:
"R&W"
Environmental conditions:
"Building A"
Yasser Ramzy Auda 07-01-18
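The Cisco Press example above, written as an attribute-based decision function. This is an added illustration, not part of the original article: the attribute keys (role, business_unit, projects, type, folder, location), the sample subject and document, and the evaluate function are assumptions. Any condition that does not hold, including a missing attribute, yields Deny.

```python
"""ABAC decision for the NGFW Project example (added illustration; attribute names are assumptions)."""

# Policy: every condition must hold, anything else is denied (default deny).
# Each condition is named after the attribute category it reads:
# subject, object or environment.
NGFW_POLICY = {
    "actions": {"read", "write"},  # the "R&W" operations
    "conditions": {
        "subject.role": lambda s, o, e: s.get("role") == "Engineer",
        "subject.business_unit": lambda s, o, e: s.get("business_unit") == "Security Business Unit",
        "subject.projects": lambda s, o, e: "NGFW Project" in s.get("projects", ()),
        "object.type": lambda s, o, e: o.get("type") == "Design Document",
        "object.folder": lambda s, o, e: o.get("folder") == "NGFW Project",
        "environment.location": lambda s, o, e: e.get("location") == "Building A",
    },
}


def evaluate(policy, subject, obj, action, environment):
    """Return (decision, failed), where failed lists the conditions that did not hold."""
    failed = [name for name, check in policy["conditions"].items()
              if not check(subject, obj, environment)]
    if action not in policy["actions"]:
        failed.append("action")
    return ("Permit" if not failed else "Deny", failed)


# Constructed sample attributes (not from the article).
ENGINEER = {"name": "alice", "role": "Engineer",
            "business_unit": "Security Business Unit", "projects": ["NGFW Project"]}
DESIGN_DOC = {"name": "ngfw-arch.docx", "type": "Design Document", "folder": "NGFW Project"}

if __name__ == "__main__":
    # Same subject and object; only the action or the environment changes.
    for action, env in [("write", {"location": "Building A"}),
                        ("write", {"location": "Home"}),
                        ("delete", {"location": "Building A"}),
                        ("read", {})]:
        print(action, env, evaluate(NGFW_POLICY, ENGINEER, DESIGN_DOC, action, env))
```

Returning the failed conditions alongside the decision gives an audit trail showing which attribute caused a denial.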
What access control model does Microsoft Sensitivity Label use?
Senior Presales Consultant (CyberSec)
6y Awesome article and explanation
Cybersecurity & Governance Executive | Integrating Cybersecurity, Public Policy & Digital Innovation for Sustainable Resilience
6y I just finished this domain and happy to see your outline and explanation. CISSP is too huge and all about full understanding of concepts and knowing what they meant is not easy. Some of your examples are original from other sources I used. I like that