This blog provides clarifying information related to Security Access Models found on the CompTIA Security+ exam. Allow me to recap my goal with this series:
Although CompTIA exams are heavily based on the published exam objectives, CompTIA also seeds its certification exams with questions on potential future content. Although such questions are not supposed to count toward the exam score, they can be particularly disconcerting, and if they land in one of the more time-consuming simulation questions, they can also be quite disruptive to the candidate's focus.
Since the exam objectives may lag technology introduction by three years or more, you may find it beneficial to consider technology extensions to the existing exam objectives during your certification preparations. In that light, I will be providing a growing series that introduces new or potentially expanding content.
For instructor-led CompTIA classes, see our CompTIA class schedule.
My goal here is to clarify the perspective you should maintain when taking the Security+ course.
From the Security+ SY0-401 exam objectives, you should review:
5.0 Access Control and Identity Management
5.2 Given a scenario, select the appropriate authentication, authorization or access control.
- Identification vs. authentication vs. authorization
- Least privilege
- Separation of duties
- Mandatory access
- Discretionary access
- Rule-based access control
- Role-based access control
- Time of day restrictions
This article should help you distinguish between the four access control models, since you will be queried extensively about them on the certification exam.
Mandatory Access Control (MAC) is the most restrictive of the access models in terms of object control. A central authority assigns each subject a clearance (in government settings only after an extensive background investigation) and each object a sensitivity label; the system, not the data owner, enforces the resulting matrix of subject clearances against object labels. There are no group privileges. Some of the key concepts and words that may help you to identify MAC are:
- This model is non-dynamic. In other words, the controls are absolute relationships between labels that neither users nor data owners can change.
- Subjects must have a need to know (the right compartment) as well as sufficient clearance to even read data.
- Restricts access to objects based on security clearance.
- MAC grants access according to the classification of the data. As such, Labels and Containers are common terms associated with MAC.
- Determinations are made by comparing the security labels attached to each user and to each data item (not to item sets).
- In a database, MAC-style labeling restricts a subject to the specific rows or tables whose labels its clearance dominates, rather than to the entire database or dataset.
- A router's access lists are rule-based access control, which exam material groups with MAC because the rules are set centrally and cannot be altered by the users they affect.
- A LATTICE best describes the Mandatory Access Control model: labels are partially ordered, and two labels with different compartments may be incomparable, so neither subject can read the other's data.
- With MAC users cannot share resources dynamically with any other user; only the security administrator can relabel an object.
- Ownership confers no control: the owner of an object cannot grant anyone access to it, because the policy is administered centrally.
Common models associated with MAC, and their unique or distinguishing characteristics include:
Bell-LaPadula is the model most often associated with MAC. Bell-LaPadula focuses on the Confidentiality of information: a subject may not read an object above its clearance (no read up) and may not write to an object below it (no write down), which is why it is summarized as “write up, read down”. This is the highest form of data control, using the labels commonly known as Top Secret, Secret, Confidential, and Unclassified.
The Biba Integrity Model, or just Biba model, developed by Kenneth Biba, focuses on maintaining the Integrity of information and is the mirror image of Bell-LaPadula: no read down and no write up, so it is often summarized as a “read up, write down” model. Biba addresses the first goal of integrity, preventing data modification by unauthorized parties. It does not address improper modification by authorized parties or the internal and external consistency of the data; those are the additional goals that Clark-Wilson adds.
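To make the “read down, write up” and “read up, write down” rules concrete, here is a small Python example I have added to this post. It is not exam material or vendor code; the level names and compartments are constructed for the illustration. It models labels as points in a lattice (a level rank plus a set of compartments), so it also shows the case the mnemonics hide: two labels with different compartments are incomparable, and a subject can neither read nor write such an object under Bell-LaPadula.

```python
from dataclasses import dataclass

# Two ordered lattices (constructed for this example), lowest level first.
SENSITIVITY = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
INTEGRITY = ["UNTRUSTED", "USER", "SYSTEM"]


@dataclass(frozen=True)
class Label:
    """One point in a lattice: a level rank plus a set of compartments."""
    rank: int
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self >= other: at least as high AND a superset of compartments.
        Two labels can be incomparable (neither dominates the other), which
        is what makes this a lattice rather than a simple ladder of levels."""
        return self.rank >= other.rank and self.compartments >= other.compartments


def sens(level: str, *compartments: str) -> Label:
    """Sensitivity label for Bell-LaPadula."""
    return Label(SENSITIVITY.index(level), frozenset(compartments))


def integ(level: str, *compartments: str) -> Label:
    """Integrity label for Biba."""
    return Label(INTEGRITY.index(level), frozenset(compartments))


# Bell-LaPadula (confidentiality): read down, write up.
def blp_can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: no read up."""
    return subject.dominates(obj)


def blp_can_write(subject: Label, obj: Label) -> bool:
    """*-property: no write down (a blind write up is allowed)."""
    return obj.dominates(subject)


# Biba (integrity): read up, write down. The dual of the two rules above.
def biba_can_read(subject: Label, obj: Label) -> bool:
    """Simple integrity property: no read down."""
    return obj.dominates(subject)


def biba_can_write(subject: Label, obj: Label) -> bool:
    """*-integrity property: no write up."""
    return subject.dominates(obj)


if __name__ == "__main__":
    analyst = sens("SECRET", "CRYPTO")
    objects = [("unclassified memo", sens("UNCLASSIFIED")),
               ("top secret crypto plan", sens("TOP SECRET", "CRYPTO")),
               ("secret nuclear file", sens("SECRET", "NUCLEAR"))]
    for name, obj in objects:
        print(f"{name}: read={blp_can_read(analyst, obj)} "
              f"write={blp_can_write(analyst, obj)}")
```

Run it and the SECRET/CRYPTO analyst can read the unclassified memo but not write to it, can write (blindly) to the top secret plan but not read it, and can do neither with the secret nuclear file, because CRYPTO and NUCLEAR are incomparable compartments. Swap in the Biba functions with integrity labels and every answer inverts.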
The Clark-Wilson Model is the third model frequently associated with MAC. It also focuses on Integrity, and it addresses all three integrity goals: preventing unauthorized users from modifying data, preventing authorized users from making improper modifications, and maintaining the internal and external consistency of the data. Clark-Wilson is based on the notion of a well-formed transaction and is more commonly applied in business scenarios. Some of the terms associated with the Clark-Wilson model include the User, UDI, CDI, TP, and IVP:
- User – a subject permitted to run specific TPs against specific CDIs; the certified combination of user, TP, and CDI is called an access triple.
- CDI – Constrained Data Item, the data whose integrity the model protects.
- UDI – Unconstrained Data Item, untrusted input that has not yet been validated.
- IVP – Integrity Verification Procedure, which confirms the CDIs are in a valid state.
- TP – Transformation Procedure, the only path by which CDIs may be changed; TPs enforce the integrity policy.
A TP transforms input (typically a UDI) into a CDI, or moves CDIs from one valid state to another, and logs what it did; an IVP checks that the CDIs are in a valid state without changing them. The TPs a User is certified to run, together with the IVPs, determine how and where that User may appropriately access or modify the data while retaining the desired state of the CDI.
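The following Python sketch, added here to illustrate the terms above and not taken from any exam material, models a tiny ledger in Clark-Wilson terms: the balances are CDIs, a raw request line is the UDI, `transfer` is the only TP, `ivp` is the IVP, and `ACCESS_TRIPLES` holds which user may run the TP against which CDIs. The users, accounts, and request format are constructed for the example.

```python
import copy
import re


class IntegrityError(Exception):
    """Raised when a TP is refused or would leave the CDIs in an invalid state."""


class Ledger:
    """Constrained data items (CDIs): account balances in whole cents.
    Nothing outside a certified TP is supposed to write to _cdi."""

    def __init__(self, balances):
        self._cdi = dict(balances)
        # A fact from outside the system (the reconciled total) that the IVP
        # uses to check external consistency.
        self.expected_total = sum(balances.values())
        self.audit_log = []          # Clark-Wilson requires TPs to be logged

    def balance(self, account):
        return self._cdi[account]

    def ivp(self):
        """Integrity Verification Procedure: reports whether the CDIs are in a
        valid state (no overdraft, total conserved). Changes nothing."""
        no_overdraft = all(v >= 0 for v in self._cdi.values())
        conserved = sum(self._cdi.values()) == self.expected_total
        return no_overdraft and conserved


# Certified access triples: (user, TP) -> CDIs that user may touch through it.
ACCESS_TRIPLES = {
    ("teller", "transfer"): {"alice", "bob"},
    ("auditor", "transfer"): set(),       # auditors verify, never transform
}

# A UDI: untrusted raw text from a front end, e.g. "transfer alice bob 250".
_REQUEST = re.compile(r"^transfer (\w+) (\w+) (\d+)$")


def transfer(ledger, user, udi):
    """Transformation Procedure: the only path from a UDI to changed CDIs."""
    m = _REQUEST.fullmatch(udi)
    if m is None:
        raise IntegrityError(f"malformed UDI rejected: {udi!r}")
    src, dst, amount = m.group(1), m.group(2), int(m.group(3))

    allowed = ACCESS_TRIPLES.get((user, "transfer"), set())
    if src == dst or not {src, dst} <= allowed:
        raise IntegrityError(f"no access triple lets {user} transfer {src}->{dst}")

    snapshot = copy.deepcopy(ledger._cdi)
    ledger._cdi[src] -= amount
    ledger._cdi[dst] += amount
    if not ledger.ivp():                 # never leave an invalid state behind
        ledger._cdi = snapshot
        raise IntegrityError("transfer would violate the ledger invariants")
    ledger.audit_log.append(f"{user}: transfer {src}->{dst} {amount}")


def try_transfer(ledger, user, udi):
    """Convenience wrapper: True if the TP accepted the request, else False."""
    try:
        transfer(ledger, user, udi)
        return True
    except IntegrityError:
        return False


if __name__ == "__main__":
    led = Ledger({"alice": 1000, "bob": 500})
    print(try_transfer(led, "teller", "transfer alice bob 250"), led.ivp())
    print(try_transfer(led, "teller", "transfer alice bob 5000"), led.balance("alice"))
    print(try_transfer(led, "auditor", "transfer alice bob 1"))
    print(led.audit_log)
```

Note what each refusal demonstrates: the overdraft is the IVP catching a TP that would leave an invalid state (and the TP rolls back), the auditor's request fails the access triple even though the UDI is well formed, and a malformed UDI never reaches the CDIs at all.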
Since Mandatory Access Control models are less common within most corporate or small business environments, you might want to take a little more time to research each of the three models provided above so that you are familiar with their differences. Note the key differences between a focus on Integrity and Confidentiality in particular.
Role based access control (typically shown as RBAC) is, in exam terms, the second most secure of the models. Access is granted to roles rather than to people, so a user may act on data only when one of their roles is meant to have that specific access. This model is most frequently associated with access based on authorization. System access that requires separate accounts for standard-user and administrative-level access would be considered RBAC.
In role based access control (RBAC), users are assigned to one or more roles, and permissions are assigned to those roles. Users get no individual permissions. RBAC is based on user tasks or responsibilities. Typical roles would be Finance, Sales, Research and Development, and Production. RBAC is ideal for a retail establishment with high turnover, because on-boarding and off-boarding is simply adding a user to, or removing them from, a role.
Unix, Windows Server, and router administration commonly layer RBAC on top of their other controls: Windows built-in groups such as Administrators and Backup Operators, Unix sudo rules, and router privilege levels all grant rights to a role rather than to a person. RBAC is most often adopted by larger organizations, those with 500 or more users, because it removes the overhead of maintaining multiple accounts and independent permission sets for each user.
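As an added illustration (my own example, not a product's implementation), here is an RBAC policy in Python with the two properties the exam objectives pair with it: users hold no individual permissions, only roles, and separation of duties is enforced at assignment time so nobody can both create and approve an invoice. The roles, permissions, and conflicting pair are constructed for the example.

```python
from typing import Dict, Set

# Role -> permissions. Permissions are never attached to a user directly.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "finance_clerk":    {"invoice:create", "invoice:read"},
    "finance_approver": {"invoice:read", "invoice:approve"},
    "sales":            {"quote:create", "quote:read"},
    "production":       {"workorder:read", "workorder:update"},
}

# Static separation of duties: no single user may hold both roles of a pair.
SOD_PAIRS = {frozenset({"finance_clerk", "finance_approver"})}


class PolicyError(Exception):
    pass


class Rbac:
    def __init__(self) -> None:
        self._user_roles: Dict[str, Set[str]] = {}

    def assign(self, user: str, role: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise PolicyError(f"unknown role {role!r}")
        for held in self._user_roles.get(user, set()):
            if frozenset({role, held}) in SOD_PAIRS:
                raise PolicyError(f"{user}: {role} conflicts with {held} (separation of duties)")
        self._user_roles.setdefault(user, set()).add(role)

    def assign_ok(self, user: str, role: str) -> bool:
        """True if the assignment was accepted, False if policy refused it."""
        try:
            self.assign(user, role)
            return True
        except PolicyError:
            return False

    def revoke(self, user: str, role: str) -> None:
        self._user_roles.get(user, set()).discard(role)

    def offboard(self, user: str) -> None:
        """High-turnover case: one operation removes every permission."""
        self._user_roles.pop(user, None)

    def permissions(self, user: str) -> Set[str]:
        roles = self._user_roles.get(user, set())
        return set().union(*(ROLE_PERMISSIONS[r] for r in roles))

    def check(self, user: str, permission: str) -> bool:
        return permission in self.permissions(user)


if __name__ == "__main__":
    policy = Rbac()
    policy.assign("alice", "finance_clerk")
    print(policy.check("alice", "invoice:create"))          # True
    print(policy.assign_ok("alice", "finance_approver"))    # False: SoD conflict
    policy.assign("bob", "sales")
    print(policy.check("bob", "invoice:read"))              # False: wrong role
    policy.offboard("alice")
    print(policy.permissions("alice"))                      # set()
```

The point to notice for the exam is that there is no code path that grants a permission to a user by name; if a user needs something, the fix is a role change, which is exactly why turnover is cheap under RBAC.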
Discretionary access control (DAC) provides the greatest access flexibility. Rather than single, locked associations between objects and subjects, owners (and administrators) have the ability to grant additional subjects (users) varying levels of access to the data. Granted access may include ownership or full control.
With DAC, access to a resource is set at the discretion of the owner of the resource. Access levels may be granted to groups, similar to RBAC, or to individuals. Microsoft's NTFS and Active Directory implementations use a DAC approach; permissions are set using Windows Explorer (or icacls), and DAC is what Windows systems provide by default. In DAC every object has an owner, and the owner can always change that object's permissions, even if the ACL itself does not otherwise grant the owner access. The flaw in DAC is that it uses only the identity of the user, or of a process running as that user, to control access to a resource. This creates a security loophole for Trojan horse attacks: any program a user runs inherits that user's permissions, so a malicious program can read whatever the user can read and copy it, or grant access to it, somewhere the attacker can reach. DAC uses Access Control Lists to identify the users who have permissions to a resource. In DAC, users get individual and group permissions, often from multiple groups.
It should be noted that although SQL services often run on Microsoft servers or within a Microsoft enterprise environment, database permissions are not managed through the NTFS ACLs on the data files. The database engine applies its own grants and roles so that a subject reaches specific tables or rows rather than the entire database; in exam terms this per-item, label-like control is treated as MAC rather than as the DAC of the underlying file system.
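The Trojan horse loophole is easier to believe when you watch it happen, so here is a small simulation I have added (illustrative Python, not Windows or NTFS code). Files carry an owner and an ACL, every check looks only at the identity making the request, and a program run by the victim quietly copies her private file and grants the attacker read access to the copy. The principals, file names, and contents are constructed for the example.

```python
from typing import Callable, Dict, Set


class AccessDenied(Exception):
    pass


class File:
    """A DAC-protected object: an owner plus an ACL of principal -> rights."""

    def __init__(self, name: str, owner: str, content: str = ""):
        self.name, self.owner, self.content = name, owner, content
        self.acl: Dict[str, Set[str]] = {owner: {"read", "write"}}

    def allows(self, principal: str, right: str) -> bool:
        if right == "change_perms" and principal == self.owner:
            return True                  # the owner can always adjust the ACL
        return right in self.acl.get(principal, set())


class FileSystem:
    """Every check looks only at WHO is asking, never at WHAT program asks."""

    def __init__(self) -> None:
        self.files: Dict[str, File] = {}

    def _check(self, principal: str, name: str, right: str) -> File:
        f = self.files[name]
        if not f.allows(principal, right):
            raise AccessDenied(f"{principal} lacks {right} on {name}")
        return f

    def create(self, principal: str, name: str, content: str = "") -> None:
        self.files[name] = File(name, principal, content)   # creator becomes owner

    def read(self, principal: str, name: str) -> str:
        return self._check(principal, name, "read").content

    def write(self, principal: str, name: str, content: str) -> None:
        self._check(principal, name, "write").content = content

    def grant(self, actor: str, name: str, principal: str, rights: Set[str]) -> None:
        f = self._check(actor, name, "change_perms")
        f.acl.setdefault(principal, set()).update(rights)

    def can_read(self, principal: str, name: str) -> bool:
        return self.files[name].allows(principal, "read")


def run_as(fs: FileSystem, user: str, program: Callable[[FileSystem, str], None]) -> None:
    """Execute a program under the user's identity, as the OS does."""
    program(fs, user)


def trojan(fs: FileSystem, user: str) -> None:
    """Advertised as a harmless utility. Actually copies the user's private
    notes to a new file and grants the attacker ('mallory') read access.
    Every call succeeds because DAC only sees the victim's identity."""
    secret = fs.read(user, f"{user}-notes.txt")
    fs.create(user, "cache.tmp", secret)
    fs.grant(user, "cache.tmp", "mallory", {"read"})


if __name__ == "__main__":
    fs = FileSystem()
    fs.create("alice", "alice-notes.txt", "merger plan")
    print(fs.can_read("mallory", "alice-notes.txt"))   # False
    run_as(fs, "alice", trojan)
    print(fs.read("mallory", "cache.tmp"))             # merger plan
```

Nothing in the ACL on alice-notes.txt ever changes; the leak is that the owner's own rights were exercised by code she did not write. Under Bell-LaPadula the copy would carry the same label as the original and the *-property would stop the write-down, which is the contrast the exam is looking for.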
Rule Based Access Control
Although Rule Based Access Control might also be abbreviated RBAC, it is spelled out (or written RuBAC) to avoid confusion, and RBAC on its own always refers to Role Based Access Control.
An example of rule-based access control would be controlling access to a training room so that it is open to attendees only during training periods. Rule-based access control is closely aligned with MAC because the rules are set centrally by an administrator and cannot be changed by the users they apply to. The primary difference between role-based access control and rule-based access control is that one is based on job function and the other on a set of approved instructions, evaluated in order with the first match winning and an implicit deny at the end. Firewalls and routers implement rule-based access controls through access lists keyed on the identity of the source and/or destination (addresses and ports, sometimes with a time-of-day condition), whether that identity is a system or a specific user.
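Here is an added Python example of a rule list evaluated the way a firewall or router ACL is: top to bottom, first match wins, implicit deny if nothing matches. One rule carries a time-of-day window, which is the training-room case above translated to the network. The addresses, ports, and windows are constructed for the example and are not a real device's configuration.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


def _t(hhmm: str) -> time:
    hour, minute = (int(p) for p in hhmm.split(":"))
    return time(hour, minute)


@dataclass(frozen=True)
class Rule:
    action: str                                   # "allow" or "deny"
    src: str                                      # source CIDR
    dst: str                                      # destination CIDR
    dport: Optional[int] = None                   # None = any port
    window: Optional[Tuple[str, str]] = None      # ("HH:MM", "HH:MM"), None = always

    def matches(self, src: str, dst: str, dport: int, now: time) -> bool:
        if ip_address(src) not in ip_network(self.src):
            return False
        if ip_address(dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and dport != self.dport:
            return False
        if self.window is not None:
            start, end = _t(self.window[0]), _t(self.window[1])
            if start <= end:
                in_window = start <= now < end
            else:                                 # window crosses midnight, e.g. 22:00-06:00
                in_window = now >= start or now < end
            if not in_window:
                return False
        return True


# Constructed policy. Order matters: the RDP deny sits above the broad allows.
RULES: List[Rule] = [
    Rule("deny",  "10.0.0.0/8",    "192.168.50.10/32", 3389),
    Rule("allow", "10.0.20.0/24",  "192.168.50.10/32", 443, ("09:00", "17:00")),  # training room, class hours
    Rule("allow", "10.0.0.0/8",    "192.168.50.0/24",  53),
]


def evaluate(rules: List[Rule], src: str, dst: str, dport: int, hhmm: str) -> str:
    """First matching rule decides; no match means implicit deny."""
    now = _t(hhmm)
    for rule in rules:
        if rule.matches(src, dst, dport, now):
            return rule.action
    return "deny"


if __name__ == "__main__":
    print(evaluate(RULES, "10.0.20.5", "192.168.50.10", 443, "10:00"))   # allow
    print(evaluate(RULES, "10.0.20.5", "192.168.50.10", 443, "18:30"))   # deny (outside window)
    print(evaluate(RULES, "10.0.20.5", "192.168.50.10", 3389, "10:00"))  # deny (explicit rule)
    print(evaluate(RULES, "172.16.0.1", "192.168.50.10", 443, "10:00"))  # deny (implicit)
```

Two practitioner notes: the rules never mention a person or a job title, which is what separates this from RBAC, and the overnight-window branch is there because a time restriction written as 22:00 to 06:00 is a common source of lockouts when the comparison is done naively.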
As you prepare for your Security+ exam, consider both the similarities and the very specific differences between the four access models and their most common examples.
Steve teaches PMP: Project Management Fundamentals and Professional Certification, Windows 10, Windows 7, Windows 8.1 and CompTIA classes in Phoenix, Arizona.