I have been doing access control now for the better part of 15 years, longer if you go back to my internships at the Mayo Clinic and IBM when I was just a wee lad. Throughout my adult career access management has been in the mix somewhere, whether at the level of a single application or enterprise-wide across hundreds and thousands of systems. Access control, no matter the scope, comes down to one simple concept: granting access based on criteria. Those criteria can vary in complexity, but you are granting someone the ability to see or do something for a reason based on the individual.
In an auditing and compliance world, access is what gets people in trouble. The wrong person had access to something they were not supposed to. So, where’s the breakdown? In my experience the common thread of access control issues is the design, or lack thereof, of the access matrix. The wrong people are designing access models, and eventually the business gets to a point where access is granted by copying other users’ access. ‘It’s like him’, so give person X what person Y has. What ends up happening is you give more access than you should, and problems start. When the auditors come around you cannot answer definitively who has access to what; you have an idea, but no concrete answer. You only know what you know.
I wanted to take a few steps back and lay out some very basic principles of access control and how to get started. A new application, database, system, or a building: it doesn’t matter what you are granting the access to, the concepts are the same whether the access is digital or physical.
Best practices for access control:
1. Know that you will need access control/authorization.
Access control is oversimplified far too often. Generalizing the access grants too much unregulated access. Architects, not the developers, should be creating detailed access models that grow and expand as new functionality is created. The right blueprints will always tell you what you need to control access to.
2. Externalize the access control policy processing
Access control processing should not be within the application. From a business standpoint you are heading for disaster by keeping the access control embedded in an application. This is because the access control requirements are never complete in phase I; in fact they are continually adjusted as the business changes. Centralized processing allows the business to create singular rules and processes that are applied to many applications consistently. When changes are needed, they are made in one location that is the central hub for access control processing and compliance.
3. Understand the difference between coarse-grained and fine-grained authorization
The discussion of coarse-grained vs. fine-grained authorization is a pet peeve of mine because most of the time people get it wrong. Fine-grained authorization is a ‘brochure buzzword’ most of the time, meaning it’s heard at a conference and thrown around as an initiative without truly understanding what it means. Let me give the 50,000 ft. definition. Coarse-grained: Employees can print. Fine-grained: Employees can only print to the printers in the offices where they are located.
Coarse is generalized; fine gets down into complex attribute relationships to determine access. As you can see, the point where coarse becomes fine is blurry. I say if you are using more than two attributes or variables to determine access, then you have crossed into fine-grained.
4. Design for coarse-grained authorization but keep the design flexible for fine-grained authorization
Start with coarse-grained and work your way down. Layer it; if you try to boil the ocean on the first run you will fail. You will either lock the system down so tight that no one will be able to access anything they need, and you will have to peel back the access model anyway, or you will leave a gaping hole in the model because your design planning wasn’t thorough enough.
5. Know the difference between Access Control Lists and Access Control standards
Access Control Lists (ACLs) are your proprietary access models. The access control standards, SAML, XACML, OAuth, etc., are used by those ACLs.
6. Adopt Rule-Based Access Control: view access control as rules and attributes
Access control is really a set of rules: your business rules on how authorized people get access. Take that mentality down to your technical access control models.
7. Understand the difference between the Enforcement and Entitlement models
Prominent access control strategies and standards involve the Enforcement model. The access control system is trying to enforce access to a resource. This leads to a Yes/No type question. The enforcement model does not scale in a cloud or a resource constrained environment.
In the Entitlement model, the access control system does not perform enforcement or access checks. Rather, it answers questions such as “What permissions does this user have?”. The caller then uses the returned answer to perform local enforcement.
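As an added example that is not part of the original post, here is the post’s printing example encoded as attribute-based rules (point 6), processed outside any one application (point 2), and queried both as an enforcement yes/no and as an entitlement listing (point 7). The subjects, printers and attribute names (role, office, type) are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable

Attrs = dict[str, str]

@dataclass(frozen=True)
class Rule:
    """One business rule: grant `action` when `condition` holds over the subject's
    and resource's attributes. Nothing here is tied to one application, so the
    same rule set can be processed centrally for many consumers."""
    action: str
    condition: Callable[[Attrs, Attrs], bool]

# Coarse-grained (the post's example): "Employees can print." Two attributes.
COARSE_POLICY = [
    Rule("print", lambda s, r: s["role"] == "employee" and r["type"] == "printer"),
]

# Fine-grained (the post's example): "Employees can only print to the printers
# in the offices where they are located." Three attributes, so fine-grained
# by the post's own two-attribute threshold.
FINE_POLICY = [
    Rule("print", lambda s, r: s["role"] == "employee"
                                and r["type"] == "printer"
                                and s["office"] == r["office"]),
]

def is_allowed(policy: list[Rule], subject: Attrs, action: str, resource: Attrs) -> bool:
    """Enforcement model: one yes/no answer per (subject, action, resource) check."""
    return any(rule.action == action and rule.condition(subject, resource)
               for rule in policy)

def entitlements(policy: list[Rule], subject: Attrs,
                 resources: dict[str, Attrs]) -> dict[str, set[str]]:
    """Entitlement model: everything the subject may do, per resource, returned in
    one call so the caller can enforce locally instead of asking per request."""
    grants: dict[str, set[str]] = {}
    for name, res in resources.items():
        actions = {rule.action for rule in policy if rule.condition(subject, res)}
        if actions:
            grants[name] = actions
    return grants

# Constructed sample subjects and printers (not from the post).
ALICE = {"role": "employee", "office": "Chicago"}
BOB = {"role": "contractor", "office": "Chicago"}
PRINTERS = {"chi-prn-1": {"type": "printer", "office": "Chicago"},
            "den-prn-1": {"type": "printer", "office": "Denver"}}
```

Under the coarse policy Alice may print on the Denver printer; under the fine policy her entitlements shrink to the Chicago printer only, and the contractor gets nothing under either.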
There you go. Those are simple concepts that cover most areas of access control that should always be considered when designing systems.
End of line.
Binary Blogger has spent 20 years in the Information Security space, currently providing security solutions and evangelism to clients. From early web application programming, system administration, and senior management to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.