Paper on Exploring Access Control Methods: MAC, DAC, and RBAC in Information Security

Introduction

According to Michael (2013), for an efficient and effective organization, reliable methods of access control must be used. The access controls' key main roles include recognizing the people coming in or going out to prevent strangers from tripping in undetected and keeping track of employees by showing the present and absent employees, and employees turn schedules (Michael, 2013). Securing sensitive documents and data by limiting access to specific areas that hold hardware or software where this information is saved is another essential role. The reason is that it also reduces theft and accidents by approving, specially trained employees to access areas holding valuable data or dangerous equipment (Michael, 2013). The access control methods include Mandatory Access Control (MAC), Discretionary Access Control (DAC), and Role-Based Access Control (RBAC).

Is your time best spent reading someone else’s essay? Get a 100% original essay FROM A CERTIFIED WRITER!

Order now

Methods of Access Control

As Ausanka (2001) observed, there are three main access control methods: MAC, DAC, and RBAC. Mandatory Access Control is commonly used in firms that need higher emphasis on confidentiality and classification of information (Ausanka, 2001). Its main objective is enforcing information flow policies to ensure integrity and confidentiality. Also, its policies are defined to prevent the Trojan Horse problem. On the other hand, Discretionary Access Control is a method of access control that holds the organization owner answerable for deciding which persons to access specific locations, physically or digitally (Ausanka, 2001). Lastly, RBAC is a form of a control system in which access is dispensed by the system manager and is rigidly grounded on the subject’s role within the organization. According to Michael (2013), access can be centered on other dynamics, such as job competency, authority, and responsibility. Employees are only certified to access the data relevant to their job duties. Only specific people are allowed to create, view, or modify computer files (Michael, 2013).

To acquire access in the DAC, the model works in a way that user one generates a file, becomes its owner, access privileges to an existing file, and user two requests access to this file (Michael, 2013). User one grants access at their option. Nonetheless, user cannot grant access rights that surpass their own. For example, if the first user can only read a document, the second user cannot be allowed to edit it (Michael, 2013). If there is no inconsistency between the access control list created by an administrator and the conclusion made by user one, access is granted. DAC is quite a prevalent model because it allows a lot of sovereignty for users and does not cause managerial overhead (Michael, 2013).

According to Ausanka (2013), a MAC administrator configures access policies and defines security attributes, confidentiality levels, and clearances for accessing different projects and types of resources. The administrator can also assign each subject (user or resource that accesses data) and object (database, file, or port) a set of attributes (Ausanka, 2001). Whenever the subject tries to access an object, the operating system examines the subject’s security attributes and decides whether access can be granted (Ferraiolo & Kuhn, 1992). For instance, for secretive information, privacy level, and “business project” security label, it is accessible to a set of users with "topmost secret" clearance and permission to access business papers. Such users can also access data that involves a subordinate level of clearance. However, staff with lower levels of clearance will not have access to data that needs an upper level of clearance (Ferraiolo & Kuhn, 1992).

The Positive and Negative Aspects of Employing a MAC, DAC, And RBAC and Methods to Mitigation of the Negative Aspects

MAC is never liable for Trojan Horse-enforced security defilements because operators are unable to declassify information (Ausanka, 2001). It is also relatively candid and is reflected in a good model for profitmaking systems that work in hostile atmospheres where the risk of attack is very high (Ausanka, 2001). DAC enables fine-grained control over system objects. Through fine-grained controls, it can also be used easily in the implementation of least-privilege access. DAC is similarly intuitive in the application and is mostly undetectable to users, therefore, viewed as the most cost-beneficial for small businesses and home users (Ausanka, 2001).

RBAC manages the resources to be accessed, by whom, and how to be accessed, which assists in ensuring integrity via its transaction-based rights (Ausanka, 2001). It enables more effective verification of security policies and overall system easier management due to the consolidation of access for several users into a single role in big organizations. Its other advantage is combined support for the code of least privilege, separation of duties, access controls, and central administration of role memberships (James, 2015). Segregation of tasks and least privilege are never a part of MAC, while central administration is lightly reinforced in MAC with reliable constituents and impossible in DAC because of violation of the security principle (Ausanka, 2001).

According to Ausanka (2001), the manual confirmation of security levels and clearances needs continuous attention from managers, together with manual scalability. Again, users have to request access to each new piece of data; they cannot configure access parameters for their data making MAC user-unfriendly (Ausanka, 2001). To uphold security policies and avert unlawful or unsuitable access, the code behind these constituents is assumed to be right and compatible with the fundamental security guidelines of the system (Ausanka, 2001). Supplementary access control approaches must be used to control access to these trusted components. MAC can also be combined with access controls, including combining it with the role-based model to speed up user profiles' configuration. Conversely, DAC has a lower level of data protection. Thus, it cannot ensure reliable security since users can share their information anyhow (James, 2015).

Obscuring is another weakness. There is no centralized access management, thereby finding out access parameters since someone has to check each access control list (Ausanka, 2001). Nevertheless, RBAC leads to a ‘role explosion’ due to an increasing number of different roles, which will dictate an increased number of role-based access controls to encapsulate the permissions to relevant employees. Managing all these roles can turn out to be a complex affair (Ferraiolo & Kuhn, 1992). Similarly, it can be combined with a DAC model to allow coworkers to share information within a corporate file system (James, 2015). Furthermore, verification and maintenance of the security principles system are tremendously problematic for DAC systems because operators control access privileges to owned objects. There is a need to control info flows within the network and impose the principles of least privilege, need to know, and segregation of tasks (Ausanka, 2001). Avoiding access rights amongst employees should be ensured by the adoption of RBAC.

Recommended Access Control Method and Rationale

As Ferraiolo and Kuhn (1992) observed, DAC cannot be utilized by organizations that work with enormously sensitive information like financial, medical, or military. Instead, it is a decent option for small businesses with small information technology staff and cybersecurity financial plans. MAC supports strategies and applications. It is recommended to be used by government organizations that value data security more than operational flexibility and costs like militaries and law enforcement institutions (Ferraiolo & Kuhn, 1992). A pure MAC model provides a high and granular level of security. On the other hand, it is difficult to set up and maintain, and that is the reason commonly combined with other access control models (Ausanka, 2001). Apart from these, RBAC has several advantages over MAC and DAC, and it is also considered to strike a good balance between security and manageability (Ausanka, 2001).

Role-Based Foreseen Challenge(s) and Mitigation Strategies

As Coyne and Weil (2013) observed, the main foreseen RBAC is 'role explosion' due to the increasing number of different roles (including minor roles), which will call for an increasing number of its roles to properly encapsulate the permissions. Managing all the roles can become cumbersome. Thus, I propose the adoption of attribute-based access control, which can handle the role explosion challenge. Also, attribute-based access control has no roles, hence no role explosion (Coyne & Weil, 2013). Unfortunately, RBAC cannot use contextual information, such as time user location or device type (Coyne & Weil, 2013). According to Coyne and Weil (2013), attribute-based access control is context-based, taking time, location, and other contextual attributes into account when reaching decisions. RBAC may not cater to dynamic segregation of duty. Therefore, the adoption of attribute-based access control will solve this challenge since its accesses decisions are made dynamically at runtime (Coyne & Weil, 2013).

Conclusion

In summary, MAC and DAC are two opposite models of access control. MAC is controlled by administrators and requires lots of time and effort to maintain, but it provides a high level of security. However, DAC is not good enough for protecting sensitive data. As an Information Systems Security Specialist, I advise my medium-sized federal government contractor organization to adopt RBAC. This model is considered to strike a good balance between security and manageability.

References

Ausanka-Crues, R. (2001). Methods for access control: advances and limitations. Harvey Mudd College, 301, 20. https://pdfs.semanticscholar.org/6192/f0308dc8d7782b55a0557dfb66f323638853.pdf

Coyne, E., & Weil, T. R. (2013). ABAC and RBAC: scalable, flexible, and auditable access management. IT Professional, (3), 14-16. https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.359.6533&rep=rep1&type=pdf

Ferraiolo, D. & Kuhn, D. (1992). Role-based access control. Artech House. https://www.researchgate.net/publication/24164143_Role-Based_Access_Controls

James J. (2015). Overview of Access Control Models http://sis.pitt.edu/jjoshi/courses/DocSem/Fall2015/OverviewAC.pdf

Michael H. (2013). Best Practices, Procedures, and Methods for Access Control Management. http://www.infosecwriters.com/Papers/MHaythorn_Access_Control.pdf