Access Control for Information Systems: Discretionary Access Control (DAC) and Mandatory Access Control (MAC)
by Kenneth Fung
Introduction:
There are three basic processes in an information security infrastructure: authentication, access control, and audit. Once an entity is authenticated, the access control process restricts the activities of that entity to the appropriate level. The audit process monitors the security of the system and detects possible security breaches (Joshi, Ghafoor, Aref, & Spafford, 2001).
There are many ways (approaches, models) to implement access control. The two traditional access control models are Discretionary Access Control (DAC) and Mandatory Access Control (MAC) (Joshi et al., 2001). These access control policies ensure that access to system objects is granted according to the privileges of the requester and the access rules (Baraani-Dastjerdi, Pieprzyk, & Safavi-Naini, 1996).
In any computer system there are two basic classes of resources: subjects and objects. Subjects are active; they gain access to objects in order to perform functions. Objects are passive; examples of objects are files, programs, and the user permissions themselves. The functions either manipulate the objects (read, write, execute) or change the access control information (transfer of ownership, grant and revoke of privileges, etc.). The ways in which a subject may act on an object are called access privileges (Baraani-Dastjerdi et al., 1996).
Discretionary Access Control (DAC):
DAC policies allow users to grant their privileges to other users (Joshi et al., 2001). DAC controls access to an object on the basis of per-user permissions (grants and/or denials). Usually the owner of an object is a user, and it is the owner who establishes the permissions and denials for that object; being discretionary, the individual users (the object owners) make these decisions. DAC is described by the access matrix model, whose rows are subjects, whose columns are objects, and whose cells hold privileges. In practice DAC stores the matrix as an Access Control List (ACL) that associates each object with the subjects and privileges that apply to it (Baraani-Dastjerdi et al., 1996).
Advantage:
Being discretionary, the access controls are very specific: DAC provides access privileges at the level of the individual object. By using an Access Control List, DAC allows quick identification of the subjects who can access a given object (Baraani-Dastjerdi et al., 1996).
Disadvantage:
The high degree of flexibility in DAC can make a configuration so complex that unauthorized users find ways to access protected objects (Joshi et al., 2001). Although lookups in an Access Control List are quick, creating the lists can be very difficult. As the system adds more subjects and objects, the storage requirement increases significantly, and maintenance of the Access Control Lists is time consuming and resource intensive (Baraani-Dastjerdi et al., 1996). Because DAC restricts access to objects based solely on the identity of the subject trying to access them, it is vulnerable to Trojan horse attacks. A Trojan horse is a computer program with an apparently or actually useful function that also contains hidden functions. When a legitimate user runs it, the hidden functions execute with that user's privileges, so the program can copy data the user may read into an object the attacker may read, and DAC authorizes every step (Jordan & Downs, 1987).
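The following Python program is an added illustration of the DAC model and the Trojan horse weakness described above; it is not code from any of the cited papers. It stores the access matrix as one ACL per object, lets only the owner grant and revoke privileges, and then shows a program run by "alice" leaking a file that "mallory" cannot read directly. The subject names, file names and contents are made up for the example.

```python
"""Discretionary access control as an access matrix stored per object (an ACL).

Added illustration of the DAC model described above; it is not code from any
of the cited papers. Subject names and file names are made up for the example.
"""
from collections import defaultdict

READ, WRITE, OWN = "read", "write", "own"


class DacSystem:
    """Access matrix: subjects are rows, objects are columns, cells hold privileges.

    The matrix is stored column by column, i.e. as one ACL per object:
    acl[object][subject] -> set of privileges.
    """

    def __init__(self):
        self.acl = defaultdict(lambda: defaultdict(set))
        self.contents = {}

    def create(self, owner, obj, data=""):
        # The creator becomes the owner and holds full rights on the object.
        self.acl[obj][owner] |= {OWN, READ, WRITE}
        self.contents[obj] = data

    def allowed(self, subject, obj, priv):
        # DAC decision: based solely on the identity of the requesting subject.
        return priv in self.acl[obj].get(subject, set())

    def grant(self, grantor, obj, grantee, priv):
        # Discretionary: only the owner decides who else gets a privilege.
        if not self.allowed(grantor, obj, OWN):
            raise PermissionError(f"{grantor} does not own {obj}")
        self.acl[obj][grantee].add(priv)

    def revoke(self, grantor, obj, grantee, priv):
        if not self.allowed(grantor, obj, OWN):
            raise PermissionError(f"{grantor} does not own {obj}")
        self.acl[obj][grantee].discard(priv)

    def who_can(self, obj, priv):
        # The ACL makes "who can access this object?" a single column lookup.
        return sorted(s for s, privs in self.acl[obj].items() if priv in privs)

    def read(self, subject, obj):
        if not self.allowed(subject, obj, READ):
            raise PermissionError(f"{subject} may not read {obj}")
        return self.contents[obj]

    def write(self, subject, obj, data):
        if not self.allowed(subject, obj, WRITE):
            raise PermissionError(f"{subject} may not write {obj}")
        self.contents[obj] = data


def trojan_horse(system, victim, secret_obj, drop_obj):
    """A program with a hidden function, run by `victim`.

    Every access is made in the victim's name, so DAC authorises the copy as
    long as the victim may read the secret and write to the drop file, even
    though the attacker who owns the drop file could never read the secret.
    """
    data = system.read(victim, secret_obj)   # the apparently useful part
    system.write(victim, drop_obj, data)     # the hidden part: leak it


def demo():
    """Return (attacker_can_read_directly, data_the_attacker_obtained)."""
    system = DacSystem()
    system.create("alice", "payroll.txt", "salaries: alice 90000, bob 85000")
    # mallory creates a file and, as its owner, grants alice write access.
    system.create("mallory", "notes.txt")
    system.grant("mallory", "notes.txt", "alice", WRITE)
    direct = system.allowed("mallory", "payroll.txt", READ)
    # alice runs the Trojan horse; her privileges carry the secret across.
    trojan_horse(system, "alice", "payroll.txt", "notes.txt")
    leaked = system.read("mallory", "notes.txt")
    return direct, leaked


if __name__ == "__main__":
    direct, leaked = demo()
    print("mallory may read payroll.txt directly:", direct)
    print("mallory obtained via Trojan horse:", leaked)
```

Nothing in the ACL is misconfigured here: each individual check passes, which is exactly the point of the Trojan horse objection to DAC. The system has no notion that payroll data should not end up in a file mallory owns, because it only ever asks who is performing the access.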
Mandatory Access Control (MAC):
MAC models classify both subjects and objects. Users (subjects) are assigned to classes, each with a different clearance level, and objects (files, programs, etc.) are classified according to their sensitivity. MAC then prevents unauthorized access to sensitive information by comparing the clearance level of the subject with the sensitivity level of the object. It is referred to as the multilevel model. The system, not the user, enforces the rules: a user at a given classification may not read up (read an object classified above the user's clearance) and may not write down (write to an object classified below the user's clearance) (Joshi et al., 2001).
MAC specifies the rules by which subjects may obtain direct or indirect access to classified data. The same rules can also be used to clean up (sanitize) and reclassify data (Baraani-Dastjerdi et al., 1996).
MAC is often applied to databases, because a database often holds sensitive or classified data. A single record may have elements at different security levels, and the security classification of an entity can be drawn from many levels, further subdivided into categories. MAC enforces that users may access only the entities that their clearance covers (Baraani-Dastjerdi et al., 1996). One MAC model, the Bell-LaPadula model, uses an extension of the access matrix model. It is based on two properties, the simple security property and the *-property. The simple security property allows a subject to read an object only if the object's security level is dominated by (lower than or equal to) the subject's clearance (no read-up). The *-property allows a subject to write to an object only if the subject's clearance is dominated by (lower than or equal to) the object's security level (no write-down). Together, the two properties and the security levels of the subject and the object determine the access decisions in this MAC model. The access modes are: neither observe nor alter, which in Bell-LaPadula is the mode used to execute a program (Execute); observe only (Read); alter only (Append); and observe and alter (Write). Information therefore flows, directly or indirectly, only toward higher security levels.
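The following Python program is an added illustration of the Bell-LaPadula rules and the multilevel database record described above; it is not code from any of the cited papers. Labels are (level, categories) pairs ordered by dominance, each access mode is checked against the simple security property and the *-property, and the same read-then-write sequence that a DAC Trojan horse would use is shown to fail on the write-down. The level names, the "payroll" category and the sample record are made up for the example.

```python
"""Bell-LaPadula mandatory access control over (level, categories) labels.

Added illustration of the MAC/Bell-LaPadula rules described above; it is not
code from any of the cited papers. The level names, the "payroll" category
and the sample record are made up for the example.
"""

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


def dominates(a, b):
    """Label a dominates label b iff a's level is at least b's level and
    a's category set contains b's category set (the lattice ordering)."""
    level_a, cats_a = a
    level_b, cats_b = b
    return LEVELS[level_a] >= LEVELS[level_b] and set(cats_a) >= set(cats_b)


# Bell-LaPadula access modes, as (observes object?, alters object?).
MODES = {
    "execute": (False, False),  # neither observe nor alter
    "read":    (True, False),   # observe only
    "append":  (False, True),   # alter only
    "write":   (True, True),    # observe and alter
}


def permitted(subject_label, object_label, mode):
    """Mandatory decision for one access. It does not model the discretionary
    access matrix that Bell-LaPadula layers on top of these two properties."""
    observes, alters = MODES[mode]
    # Simple security property (no read-up): to observe, the subject's
    # clearance must dominate the object's classification.
    if observes and not dominates(subject_label, object_label):
        return False
    # *-property (no write-down): to alter, the object's classification
    # must dominate the subject's clearance, so data never flows downward.
    if alters and not dominates(object_label, subject_label):
        return False
    return True


def trojan_copy_permitted(subject_label, source_label, target_label):
    """Could a program running with subject_label read `source` and then
    append what it read to `target`? This is the DAC Trojan horse leak."""
    return (permitted(subject_label, source_label, "read")
            and permitted(subject_label, target_label, "append"))


# A multilevel database record: each field carries its own label.
SAMPLE_RECORD = {
    "name":   ("Alice",   ("unclassified", frozenset())),
    "dept":   ("Finance", ("confidential", frozenset())),
    "salary": ("90000",   ("secret", frozenset({"payroll"}))),
}


def visible_fields(subject_label, record):
    """Return only the fields of a multilevel record the subject may observe."""
    return {name: value
            for name, (value, label) in record.items()
            if permitted(subject_label, label, "read")}


if __name__ == "__main__":
    alice = ("secret", {"payroll"})
    payroll = ("secret", {"payroll"})
    notes = ("unclassified", set())
    print("alice reads payroll:", permitted(alice, payroll, "read"))
    print("Trojan copy payroll -> notes:", trojan_copy_permitted(alice, payroll, notes))
    print("confidential user sees:", visible_fields(("confidential", set()), SAMPLE_RECORD))
```

The contrast with DAC is in `trojan_copy_permitted`: the read is allowed because alice's clearance dominates the file, but the append to an unclassified file is refused by the *-property regardless of who owns that file or what the owner granted. Note that the execute mode passes both properties for any pair of labels, because in Bell-LaPadula execution is governed only by the discretionary matrix, which this example leaves out.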
Advantage:
MAC controls access using the security levels associated with subjects and objects. A security administrator assigns the security levels of the users (Sandhu, Coyne, Feinstein, & Youman, 1996), so control is centralized and administered rather than left to individual owners. It is often used in database security.
Disadvantage:
As the business changes, users' access permissions can be very dynamic, and the administrator may not be able to cover every case. MAC models lack the flexibility to support the dynamic and arbitrary security requirements of a business (Joshi et al., 2001).
New approaches:
Security researchers have proposed several new approaches and models to address these issues. They include role-based access control (RBAC) models, task-based access control (TBAC) models, and ticket-based approaches (Joshi et al., 2001).
References:
Joshi, J., Ghafoor, A., Aref, W. G., & Spafford, E. H. (2001). Digital government security infrastructure design challenges. IEEE Computer, 34(2), 66-72.
Baraani-Dastjerdi, A., Pieprzyk, J., & Safavi-Naini, R. (1996). Security in databases: A survey study. University of Wollongong, Wollongong.
Jordan, C. S., & Downs, D. (1987). A guide to understanding discretionary access control in trusted systems. National Computer Security Center.
Sandhu, R. S., Coyne, E. J., Feinstein, H. L., & Youman, C. E. (1996). Role-based access control models. IEEE Computer, 29(2), 38-47.