Month: October 2016
Managing access to information resources
Organizations employ several information security tools to protect the confidentiality, integrity, and availability (CIA) of information systems and assets (Goodrich & Tamassia, 2011). The universe of tools known as access controls assist organizations in controlling which individuals have access to information system resources and the level of respective access such as read-only access or read-write access. The best system of access controls is consistent with the defense-in-depth concept of layered security. Access controls must also achieve a balance of protection, legal compliance, and productivity.
Defining the appropriate organization of information resources creates the foundation for applying access controls. Several considerations are involved in architecting information resources that provide availability to authorized individuals.
- Legal requirements may outline criteria concerning the protection of information assets such as protected health information (PHI). In the case of PHI, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) outlines security and privacy requirements for electronic health records systems (Swire & Ahmad, 2012; Hash, Bowen, Johnson, Smith, & Sternberg, 2005). Organizations that fall under HIPAA’s jurisdiction must use information systems that can demonstrate compliance with HIPAA.
- Identify the specific user groups and their requirements for interacting with information resources (Kobay & Kelley, 2014). Organizations should conduct evaluations the physical requirements and the security policies that will be used to protect information resources. This should include distinct audiences such as customers, employees, and external vendors.
- Customers. The information systems associated customers would be identified and an inventory of customer information data elements should be included in an inventory of customer information. Part of inventory management should include methods of interaction and identification of authorized access.
- Employees. Employees may have broad access to an organization’s information assets. This may include access to customer data and company files and the ability for secure remote connections to these resources. Remote employees may have access through virtual private network (VPN) technology to connect directly to systems hosting user information. Certain employees may have higher-level permissions to perform systems administration duties such as reviewing system logs. Employee access, use, storage, processing, and deletion of user information should be documented. There should also be periodic auditing and monitoring to ensure that daily activities are commensurate with defined policies.
- Vendors. Organizations may employ external vendors that need specific access to user information in order to provide services. Vendors roles, access, privileges, and lifecycle of user data activity should be documented. At the termination of a relationship, an organization should have provisions for return and deletion of user information. In the case where there are direct information systems connections such as an extranet server that is shared between an organization and a vendor, there should be specifically defined access controls for vendors.
- Classify employees and information system and information system resources using an access control system. Acess controls will vary according to the needs of specific individuals and the types of information resources (UMUC, 2013).
- Access control organization. Access controls are derived using various classification methods such as matrices, hierarchies, and groups. The purpose of organization is to define the relationship between a subject such an individual, permitted information system resources, and permitted activities such as read-write (Goodrich & Tamassia, 2011).
- Mandatory Access Control (MAC). MAC is a highly structured form of access control that is intended to minimize compromise to the confidentiality of information (Vacca, 2013; Goodrich & Tamassia, 2011). MAC was originally defined for government entities where strict control was a pre-eminent requirement for securing information. In MAC, objects such as files and subjects such as individuals are assigned access levels based on the type of information that can be observed. Classifications include top secret, secret, classified, and unclassified. The Bell-La Padula model, which is a framework for defining MAC systems, incorporated concepts such as “write-down” to limit confidential information from being saved to documents with lower privilege classifications (Bell, 2005).
- Discretionary Access Control (DAC). In DAC environments, users have control over access. For example, a user can define whether a file is limited to a few people or available for all. It is not uncommon to observe DAC practiced as part of hybrid access control where users can save files locally on a computer or a USB device (Goodrich & Tamassia, 2011).
- Role-based Access Control (RBAC). RBAC is broadly practiced in private industry due to its flexibility and scalability for managing expansive and complex information system resources (Malik, Hussain, & Kazmi, 2016). RBAC enables organizations to assign access control to groups of employees based on their roles and access rights. RBAC also exists in variations such as encrypted RBAC (Shah, 2015). In cloud-based systems, access control becomes more complex and requires additional steps such as single sign-on (SSO) authorization and session management resources (Malik, Hussain, & Kazmi, 2016).
- Evaluate all forms of access control to achieve broader unified control over traditional information systems (e.g, LAN network) and distributed information assets such as published documents. Cloud-based architecture has pushed organizational information assets into systems that are typically outside of organizational control. One such example is hosting email with Google. In this distributed environment, traditional access control should be combined other other mechanisms to define a broader framework of access and usage control (Park & Sandhu, 2002). Access control should include the environments that host data, and data itself may have specific “baked-in” controls to extend access control when data moves to another environment.
- Collect and audit access to understand security risks and identify potential security violations. The purpose of auditing access controls is to provide assurance of appropriate access and to identify suspicious activity associated with access (Sandhu & Samarati, 1996). Auditing may be required by law or other regulatory bodies such as the Payment Card Industry (PCI) council to monitor access (PCI, 2009). Monitoring access logs is important to investigating unauthorized access to system resources and demonstrating lack of suspicious activity.
- Access controls systems require management support of process and procedure. Access control systems rely on human and technology capabilities for design, and implementation asa well consistent enforcement and practices. Management plays a significant role in defining the importance of access controls and the need for adherence to such controls. Without management support, access control systems have a higher probability of failure.
Effective Access Controls are Balanced
In an article on perfect access control, security experts Schneier and Ranum (2009) discuss the complexity of achieving balanced access control. Schneier highlighted the abuses of access control by employees for personal gain and the difficulty that systems administrators face in managing the stream of constant changes that are required to maintain active access control. Schneier’s perspective was that perfect access control was not achievable. Interestingly, Ranum addressed the failures of access control as a failure to define systems that incorporate concrete control. Ranum’s alluded that access control was conflicted with the distribution of information resources to places of weak control. Schneier and Ranum defined relevant issues related to defining and using access controls. Securing information systems and assets begins with a commitment to limit access by design. This includes designating where information assets may live and regular monitoring of information systems and assets. Finally, management must support and enforce access control policies.
References
Bell, D. E. (2005, December). Looking Back at the Bell-La Padula Model. In ACSAC (Vol. 5, pp. 337-351).
Cleghorn, L. (2013). Network defense methodology: A comparison of defense in depth and defense in breadth. Journal of Information Security, 4(3), 144.
Goodrich, M. T., & Tamassia, R. (2011). Introduction to computer security. Boston: Pearson.
Kobay, M. E., & Kelley, S. (2014). Developing security policies. In S. Bosworth (Ed.), Computer Security Handbook (6th ed., Vol. 2, pp. 66-1-66-16). Hoboken, NJ: Wiley.
Malik, Hussain, & Kazmi. (2016, January). Access control model for data stored on cloud computing. International Journal of Innovation and Scientific Research (Vol. 20 No. 1 Jan. 2016, pp. 233-241).
Hash, J., Bowen, P., Johnson, A., Smith, C. D., & Steinberg, D. I. (2005). An introductory resource guide for implementing the health insurance portability and accountability act (HIPAA) security rule. US Department of Commerce, Technology Administration, National Institute of Standards and Technology.
Park, J., & Sandhu, R. (2002, June). Towards usage control models: beyond traditional access control. In Proceedings of the seventh ACM symposium on Access control models and technologies (pp. 57-64). ACM. Retrieved from http://www.drjae.com/Publications_files/SACMAT02-UCON%20model.pdf
Payment Card Industry Council. (2009). Payment Card Industry Data Security Standard. Card Technology Today, 21(4), 9. doi:10.1016/s0965-2590(09)70094-5
Sandhu, R., & Samarati, P. (1996). Authentication, access control, and audit. ACM Computing Surveys (CSUR), 28(1), 241-243.
Shah, P. (2015). Data security for cloud storage system using role based access control. International Journal of Science and Research (IJSR), 4(1). doi:10.5220/0004508600620073
Schneier, B., & and Ranum, M. (2009). Schneier-Ranum face-off: Is perfect access control possible. Information Security, Retrieved from http://searchsecurity.techtarget.com/magazineFeature/0, 296894,sid14 gci1365957 mem1,00.html
Swire, P. P., & Ahmad, K. (2011). U.S. private-sector privacy: Law and practice for information privacy professionals. NH: International Association of Privacy Professionals.
Vacca, J. R. (2013). Computer and information security handbook (Second ed.). Amsterdam: Elsevier.

