Evaluating Access Control Methods, Research Paper Example

MAC: Mandatory Access Control

Mandatory access controls are persistent and access cannot be delegated to anyone or the access type cannot be modified. Likewise, the control and administration of this type of access is dependent on the system. For instance, network team has access to Internet usage logs of an employee without his/her permission, as per policy (Zhu, Lü, & Jin, 2009).

DAC: Discretionary Access Control

Discretionary Access Control is based on the owner of that object for granting or denying access to anyone. Likewise, if a file is shared on the network from the file owner, he/she can grant or deny access to anyone available on the computer network. The reliability is with the object owner for controlling access. The major advantage for this type of access is flexibility and low cost of ownership for network and security administrators (Benantar, 2006).

Role Based Access Control

Role Based Access Control is based on the job description of an employee. Likewise, the roles are mapped as their job description. This is the most widely adopted access that has ease of use, flexibility, secure, low administrative cost, low cost of ownership, easy to remember passwords etc. for instance, in a traditional scenario, role based access controls are integrated with organizations Intranet and active directory. User has to enter same credentials for logging in the domain environment, email accounts and intranet applications (Galante, 2009).

Advantages and Disadvantages of Access Controls

Advantages and Disadvantages of Mandatory Access Control are as follows (Zhu, Lü, & Jin, 2009):

• Mandatory Access Control provides higher level of security by mitigating the risk of accessing or modifying controls only by a network or system administrator.
• Policies embedded in a mandatory access control mitigate risks of oversight issues and human errors
• Mandatory Access Control enforces operating systems for defining and labeling inbound data associated with applications and establishes an access control policy for outbound applications.

Advantages and Disadvantages of Discretionary Access Control are as follows:

• Due to the incorporated global policy, Discretionary Access Control allows the users for deploying access controls irrespective of incorporation of policies with the global policies.
• Policy applied on discretionary access policies can be modified by the owner. In case of a malicious code, the access privileges can be changed on behalf of the object owner.
• Any vulnerable software can modify discretionary access policies

Advantages and Disadvantages of Role Based Access Control are as follows (Galante, 2009):

• Role based access control is scalable and it provides segregation for separation of duties
• Role based access control supports hierarchical design that facilitates rights to flow down
• If Role based access control is not very well documented along with the poorly defined organization policy, they may become a headache
• By adding unnecessary roles, administrative workload will increase and it will be expensive to maintain this type of control in the organization

Use in Organization

The Policy Enforcement Point (PEP) delineates as the architecture that pushes forward each and every request to the Policy Decision Point (PDP) for access control mechanisms. Furthermore, the PDP then investigates the request that is made within the application (CODASPY ’12: Proceedings of the second ACM conference on data and application security and privacy2012). The contemporary access control system depends upon the PEP and PDP. The PDP is generally implemented as a fanatical server that is authorized in fact; it is located on the different node as compared to the PEP nodes (CODASPY ’12: Proceedings of the second ACM conference on data and application security and privacy2012). In order to implement the reliable policy all over the system the architecture of the PEP must provide enough capability to connect with the PDP to inquiry decisions otherwise it has to suffer from the single point failure. The significant features that can accelerate the performance of PEP are (CODASPY ’12: Proceedings of the second ACM conference on data and application security and privacy2012):

• Latency of the communication with the PDP.
• consistency and survivability of the connection
• Collective cost impacts on communication.

For instance, cost related to the mobile applications is high priced.

The access controls demands knowledge associated with the access control model, as they are most effective and intelligent for hierarchical access models and structured access models (Benantar, 2006). Likewise, the relationship of objects and subjects is located in a typical database. However, there is still a requirement for learning the subject and object space. The utilization of machines for making decisions pertaining to access control is also presented, in which the researchers of the proposed solution make note of the behavior of a classifier that reverts a decision after making a conflict at the centralized PDP (Benantar, 2006).

The implementation of the physical redundancy is conducted by SAAM when the PDP is not available. In addition, the fault is covered by the SDP through the requested access control decision. The basic physical redundancy methods for the distributed systems are away from the small number of systems. Moreover, if the scale reaches to thousand it became technically and economically less feasible Crampton, J., Leung, W. & Beznosov, K. (2006). By utilizing SAAM the authorized responses are cached while the active authorized information is simulated and linear scalability is allowed on the number of PEPs and PDPS. Now the latest concepts, methods and strategy algorithms for the new access control decisions are introduced.

The secondary and approximate authorization model (SAAM) delineates the philosophy of primary vs. secondary and accurate vs. approximate authorizations Crampton, J., Leung, W. & Beznosov, K. (2006). In fact, the approximate authorization responses are concentrated from the cached initial responses and then offer the other source related to the access control decisions for the servers that are unavailable or slow Crampton, J., Leung, W. & Beznosov, K. (2006). However, the efficiency to calculate authorizations enhances the consistency and presentation of the access control sub-systems and the application systems Crampton, J., Leung, W. & Beznosov, K. (2006). System operations incorporating SAAM are dependent on type of access control policy that it deploys. A research was conducted that proposed a solution for calculating secondary authorizations with compliance of policies mentioned in Bell-LaPadula model. Likewise, a dominance graph is defined along with its formation and usability for developing secondary response to authorized request Crampton, J., Leung, W. & Beznosov, K. (2006). Crampton, J., Leung, W. & Beznosov, K. (2006) Initially the calculated results regarding the SAAMBLP algorithms reveals that about 30% of the queries related to the authorization are increased and can be hand out to the access control policies without any consultation.

References

Benantar, M. (2006). Access control systems: Security, identity management and trust models Springer.

Crampton, J., Leung, W. & Beznosov, K. (2006). The secondary and approximate authorization model and its application to Bell-LaPadula policies.. In D. F. Ferraiolo & I. Ray (eds.), SACMAT (p./pp. 111-120), : ACM. ISBN: 1-59593-353-0

CODASPY ’12: Proceedings of the second ACM conference on data and application security and privacy (2012). (San Antonio, Texas, USA ed.). New York, NY, USA: ACM.

Galante, V. (2009). Practical role-based access control. Information Security Journal: A Global Perspective, 18(2), 64-73. doi:10.1080/19393550902791465

Zhu, H., Lü, K., & Jin, R. (2009). A practical mandatory access control model for XML databases. Information Sciences, 179(8), 1116-1133. doi:10.1016/j.ins.2008.12.011