Access Control Principles and Policies

Questions and Answers

According to RFC 4949, what is the primary function of access control?

• To monitor network traffic for malicious activity.
• To regulate the use of system resources based on a security policy. (correct)
• To encrypt all data stored on a system.
• To provide user authentication and authorization.

In the context of access control, what is considered a 'subject'?

• An entity capable of accessing objects. (correct)
• A security policy document.
• A resource to which access is controlled.
• A specific access right, such as 'read' or 'write'.

Which access control policy controls access based on the identity of the requestor and access rules?

• Role-Based Access Control (RBAC).
• Mandatory Access Control (MAC).
• Attribute-Based Access Control (ABAC).
• Discretionary Access Control (DAC). (correct)

What is the primary factor in determining access rights under Mandatory Access Control (MAC)?

Comparing security labels with security clearances. (C)

In Role-Based Access Control (RBAC), what primarily determines a user's access?

The roles the user has within the system and the rules associated with those roles. (A)

Which access control model provides the most granular control by considering various attributes?

Attribute-Based Access Control (ABAC). (C)

What is the main challenge hindering the widespread adoption of Attribute-Based Access Control (ABAC) in real systems?

The performance impact of evaluating predicates on resource and user properties. (D)

What are the three classes of 'Subjects'?

Owner, Group, World. (C)

Which of the following is NOT typically considered an access right?

Calculate. (B)

What is the purpose of 'constraints' in Role-Based Access Control (RBAC)?

To adapt RBAC to the specifics of administrative and security policies. (A)

In the context of ABAC, what does an 'environment attribute' describe?

The operational, technical, and situational context in which access occurs. (A)

Which component is NOT a part of the ABAC model?

System privileges. (D)

What is a key difference between Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC)?

RBAC is based on predefined roles, while ABAC evaluates attributes. (B)

Which RBAC model includes support for both role hierarchies and constraints?

RBAC3. (B)

What does Discretionary Access Control (DAC) utilize to enable an entity to grant access rights to another entity?

Access Matrix. (A)

In the context of ABAC policies, what do privileges represent?

The authorized behavior of a subject defined by an authority and embodied in a policy. (C)

What is a 'Mutually Exclusive Role'?

Both C and D. (B)

Which of the following is a function of Access Control?

Auditing. (B)

What is the purpose of the authentication function, as it relates to access control?

Verifying the identity of a user or system. (C)

Which of the following is least likely to be a description of an access control objective?

Ensure resources cannot be accessed. (B)

Consider an RBAC system where a 'Doctor' role has 'read' access to 'Patient Records', but a constraint dictates that a user cannot be both a 'Doctor' and a 'Nurse'. A user attempts to assume both roles simultaneously. What type of RBAC constraint is being enforced?

Mutually exclusive role constraint. (B)

In an access control matrix a particular subject has 'Read' access for a particular object. Under what circumstances might that permission be revoked? (Select all that apply)

All of the above. (E)

Imagine a highly secure system utilizing ABAC where access to a file is governed by the attributes: User Clearance Level, File Classification, and Current Time. To access a 'Top Secret' file, a user must have a clearance level of 'Top Secret' and the access must occur during business hours (9 AM - 5 PM). If a user with 'Top Secret' clearance attempts to access the file at 6 PM, which attribute is causing the access to be denied?

Current Time. (D)

Alice, a software engineer can read, write, and execute file1.txt. This is facilitated by something that contains a list of all files a user can access with associated access rigths, what is that called??

Capability List. (A)

An organization has a strict policy where employees can only access customer data from company-managed devices within the corporate network during business hours. Which access control model would be most suitable for implementing this policy?

Attribute-Based Access Control (ABAC). (D)

A company implements RBAC to manage access to patient records but experiences excessive administrative overhead in assigning and revoking access as employee roles change frequently. Which of the following strategies would best mitigate this issue while maintaining security?

Consolidate roles and implement role hierarchies to inherit permissions. (A)

Which of the following best describes a key advantage of Attribute-Based Access Control (ABAC) over Role-Based Access Control (RBAC)?

More fine-grained control and dynamic access decisions based on real-time context. (D)

A new regulation requires that only employees with specific certifications can access financial transaction data. The existing RBAC system does not account for employee certifications. What is the BEST approach to meet this requirement while minimizing changes to the access control system?

Integrate an attribute provider to feed certification attributes into an ABAC system layered on top of the existing RBAC. (D)

A seasoned network engineer argues that implementing an ABAC system for controlling access to network resources is overkill, as the benefits do not justify the complexity and performance overhead. How would you BEST counter their argument, assuming that regulatory compliance and zero-trust principles are paramount organizational goals, and operational costs are a secondary concern?

Present detailed simulations demonstrating how ABAC can enable dynamic, context-aware access decisions aligned with zero-trust principles and regulatory mandates, providing significantly enhanced security compared to static ACLs. (C)

Flashcards

Access Control

Granting or denying specific requests to obtain/use information or enter physical facilities.

Subject

An entity capable of accessing objects.

Object

A resource to which access is controlled.

Access Right

Specifies how a subject can access an object.

Discretionary Access Control (DAC)

Controls access based on the requestor's identity and access rules.

Mandatory Access Control (MAC)

Controls access by comparing security labels with security clearances.

Role-Based Access Control (RBAC)

Controls access based on user roles within the system.

Attribute-Based Access Control (ABAC)

Controls access based on attributes of the user, resource, and environment.

Access Matrix

A scheme where entities can grant access rights to others.

RBAC Constraints

Adapts RBAC to specific organizational security policies.

Subject Attributes

Active entity that causes information flow or changes system state.

Object Attributes

Passive information system-related entity containing or receiving information.

Environment Attributes

Operational, technical, or situational context of access.

ABAC Policy

A set of rules and relationships governing allowable behavior within an organization.

Privileges

Authorized behavior of a subject defined by an authority and embodied in a policy.

Study Notes

• Access control consists of access control principles and policies.

Access Control

• Process of granting or denying specific requests to obtain and use information, related information processing services, and entering specific physical facilities
• RFC 4949 defines it as regulating the use of system resources according to a security policy, permitted only by authorized entities.
• Key elements include a security administrator, user, authentication function, access control function, authorization database, system resources, and auditing.

Subjects, Objects, and Access Rights

• Subjects are entities capable of accessing objects.
  • Includes owners, groups, and the world.
• Objects are resources to which access is controlled.
  • Used to contain and/or receive information.
• Access rights describe how a subject may access an object.
  • Includes read, write, execute, delete, create, and search.

Access Control Policies

• Discretionary Access Control (DAC): Controls access based on the identity of the requestor and on access rules (authorizations).
• Mandatory Access Control (MAC): Controls access based on comparing security labels with security clearances.
• Role-Based Access Control (RBAC): Controls access based on the roles users have within the system and on rules stating accesses allowed to users in given roles.
• Attribute-Based Access Control (ABAC): Controls access based on attributes of the user, the resource, and current environmental conditions.

Discretionary Access Control (DAC)

• A scheme where an entity may be granted access rights to enable another entity to access a resource by its own volition.
• Often implemented using an access matrix, two dimensions of this matrix being users and files.
  • One dimension has identified subjects that may attempt data access.
  • The other dimension lists the objects that may be accessed.
• Each entry in the matrix indicates access rights of a subject for a specified object.

Role-Based Access Control (RBAC)

• Controls access based on roles that users have in a system and the rules defining which access is allowed for each role.

Constraints in RBAC

• Provides a means of adapting RBAC to the specifics of administrative and security policies of an organization.
• A defined relationship among roles or a condition related to roles.
• Mutually exclusive roles: A user can only be assigned to one role in the set, and any permission can be granted to only one role.
• Cardinality: Set a maximum number with respect to roles.
• Prerequisite roles: A user can only be assigned to a particular role if already assigned to some other role.

Attribute-Based Access Control (ABAC)

• Can define authorization to express conditions on properties of both the resource and the subject.
• Strength is its flexibility and expressive power.
• Main obstacle to adoption is concern about the performance impact of evaluating predicates.
• Web services have pioneered technologies through the introduction of eXtensible Access Control Markup Language (XAML).

ABAC attributes

• Subject attributes: Define the identity and characteristics of the subject.
  • A subject is an active entity that causes information to flow among objects or changes the system state.
• Object attributes: Objects have attributes that can be leverages to make access control decisions.
  • An object (or resource) is a passive information system-related entity containing or receiving information.
• Environment attributes: Describe the operational, technical, and even situational environment or context in which information access happens.
  • Largely overlooked in access control policies.

ABAC Concepts

• Controls access to objects by evaluating rules against attributes of entities, operations, and the environment relevant to a request.
• Systems can enforce DAC, RBAC, and MAC concepts.
• Allows an unlimited number of attributes to be combined to satisfy any access control rule.
• Relies on the evaluation of attributes of the subject, object, and a formal relationship defining allowable operations.

ABAC Policies

• A set of rules and relationships governing allowable behavior based on privileges of subjects and how resources are protected.
• Typically written from the perspective of the object that needs protecting and the available privileges to subjects.
• Privileges represent the authorized behavior of a subject, defined by an authority and embodied in a policy.
  • Also referred to as rights, authorizations, and entitlements.