Access control mechanisms are the primary means by which a complex IT environment reliably enforces separation and integrity of information at different levels or in different categories, often belonging to multiple parties. But access controls do not stand on their own; they are supported by many other security capabilities. In addition, as we will discuss in Chapter 7 (Security Criteria: Building an Internal Cloud), access control depends on an identity management capability that meets the needs of the implementation: an access decision is only as trustworthy as the identity it is made about.
When we discuss access controls, we refer to:
- Subjects, which are people or processes acting on their behalf
- Objects such as files or other resources (a directory, device, or service of some sort)
Access controls are generally described as either discretionary or non-discretionary (RBAC and MAC are both non-discretionary, since the individual owner of an object does not set the policy), and the most common access control models are:
- Discretionary Access Control (DAC) Every object has an owner, and with DAC the owner decides who will have access to the object and what privileges they will have. Permission management in DAC can be very difficult to maintain, because the policy is spread across the permissions of every individual object; furthermore, DAC does not scale well beyond small sets of users.
- Role Based Access Control (RBAC) Access policy is set centrally by the system (in practice by an administrator or policy authority), not by object owners. Where MAC (described next) bases access on a subject's trust or clearance, RBAC bases it on the subject's roles: a subject can access an object or execute a function only if one of its assigned roles carries the required permission. Because permissions attach to roles rather than to individuals, personnel changes are handled by changing role membership rather than by editing every object's permissions.
- Mandatory Access Control (MAC) Access policy is determined by the system and is implemented by sensitivity labels, which are assigned to each subject and object. A subject's label specifies its level of trust, and an object's label specifies the level of trust that is required to access it. If a subject is to gain access to an object, the subject's label must dominate (be at least as high as) the object's label. In practice a label is a sensitivity level plus a set of categories or compartments, and dominance requires both that the subject's level be at least the object's and that the subject's categories include all of the object's. This dominance rule governs reading; writing is governed by a separate rule (in Bell-LaPadula, no write down) so that a subject cannot copy data to a lower label.
Finally, although these three access models differ in fundamental ways, they are not inherently incompatible and can be combined in different ways: a system may enforce MAC labels and still let owners restrict access further with DAC, or layer RBAC on top of either, in which case every model that is enforced must permit the access.

As implemented, DAC generally includes a set of permission classes tied to ownership (in UNIX: User, Group, and Other), a set of access modes (again, in UNIX: Read, Write, and Execute), and often an access control list (ACL), which names individual users and groups and the access modes each has to the object.

Although DAC of this kind is easy to set up for a single resource, as soon as there is turnover in personnel or the list of individuals grows, maintaining the entries on every object becomes unwieldy. By contrast, MAC-based enforcement, which assigns labels rather than per-object entries, scales to global user populations. Figure 5.5 depicts this point by contrasting MAC with discretionary access controls (DAC) and role-based access controls (RBAC).
FIGURE 5.5 MAC scales better for data security than other schemes do.
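To make the three models concrete, the following added example (not code from the book) is a toy reference monitor that decides access under DAC with UNIX-style mode bits and an ACL, under RBAC with role-to-permission assignments, and under MAC with label dominance, and then combines the three in the way described above. The subjects, objects, roles, levels and categories are constructed for illustration; the write rule shown for MAC is the Bell-LaPadula no-write-down property, which goes beyond the read rule the text states.

```python
"""Added example (not from the book): a toy reference monitor that decides
access under DAC, RBAC and MAC, then combines the three. All names, levels,
roles and the sample policy are constructed for illustration."""
from dataclasses import dataclass, field

R, W, X = 4, 2, 1                      # permission bits, as in chmod octal digits
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}

@dataclass
class Subject:
    name: str
    groups: frozenset                  # DAC: UNIX group membership
    roles: frozenset                   # RBAC: assigned roles
    clearance: tuple                   # MAC: (level, frozenset of categories)

@dataclass
class Obj:
    name: str
    owner: str
    group: str
    mode: int                          # DAC: UNIX mode bits, e.g. 0o640
    acl: dict = field(default_factory=dict)  # DAC: "u:bob" / "g:dev" -> bits
    label: tuple = (0, frozenset())    # MAC: (level, frozenset of categories)

# ---- DAC: owner/group/other mode bits plus a simplified POSIX.1e-style ACL ----
def dac_allows(subj, obj, want):
    """Owner class applies if the subject owns the object; otherwise a named
    user entry; otherwise the union of the owning-group bits and any named-group
    entries the subject qualifies for; otherwise the 'other' bits."""
    if subj.name == obj.owner:
        bits = (obj.mode >> 6) & 7
    elif "u:" + subj.name in obj.acl:
        bits = obj.acl["u:" + subj.name]
    elif obj.group in subj.groups or any("g:" + g in obj.acl for g in subj.groups):
        bits = (obj.mode >> 3) & 7 if obj.group in subj.groups else 0
        for g in subj.groups:
            bits |= obj.acl.get("g:" + g, 0)
    else:
        bits = obj.mode & 7
    return bits & want == want

# ---- RBAC: permissions attach to roles; subjects are assigned roles ----
ROLE_PERMS = {
    "auditor":    {("ledger", "read")},
    "accountant": {("ledger", "read"), ("ledger", "write"), ("payroll", "read")},
}

def rbac_allows(subj, obj, action):
    return any((obj.name, action) in ROLE_PERMS.get(r, ()) for r in subj.roles)

# ---- MAC: sensitivity labels compared by dominance ----
def dominates(a, b):
    """a dominates b when a's level is at least b's and a's category set
    contains every category in b's."""
    (la, ca), (lb, cb) = a, b
    return la >= lb and ca >= cb

def mac_allows_read(subj, obj):
    # the rule stated in the text: subject label must dominate object label
    return dominates(subj.clearance, obj.label)

def mac_allows_write(subj, obj):
    # Bell-LaPadula *-property (assumption beyond the text): no write down,
    # so the object label must dominate the subject label
    return dominates(obj.label, subj.clearance)

def decide(subj, obj, action):
    """Combined policy: every enforced model must permit the access."""
    bits = {"read": R, "write": W}[action]
    mac = mac_allows_read if action == "read" else mac_allows_write
    return dac_allows(subj, obj, bits) and rbac_allows(subj, obj, action) and mac(subj, obj)

# constructed sample policy (hypothetical users, groups and objects)
alice = Subject("alice", frozenset({"finance"}), frozenset({"accountant"}),
                (LEVELS["secret"], frozenset({"payroll"})))
bob = Subject("bob", frozenset({"eng"}), frozenset({"auditor"}),
              (LEVELS["confidential"], frozenset()))
ledger = Obj("ledger", owner="alice", group="finance", mode=0o640,
             acl={"u:bob": R}, label=(LEVELS["confidential"], frozenset()))
payroll = Obj("payroll", owner="root", group="finance", mode=0o660,
              label=(LEVELS["secret"], frozenset({"payroll"})))

if __name__ == "__main__":
    for s in (alice, bob):
        for o in (ledger, payroll):
            for a in ("read", "write"):
                print(f"{s.name:6} {a:5} {o.name:8} -> {decide(s, o, a)}")
```

Two of the combined decisions show why the models are layered rather than chosen one at a time: bob's write to the payroll file is permitted by MAC alone (writing up is not a confidentiality violation) but denied by both DAC and RBAC, while alice cannot write to the ledger even though she owns it and holds the accountant role, because the no-write-down rule forbids a Secret-cleared subject from writing to a Confidential object.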