Access Controls
Assignment 3: Evaluating Access Control Methods
Due Week 6 and worth 50 points
Imagine that you are the Information Systems Security Specialist for a medium-sized federal government contractor. The Chief Security Officer (CSO) is worried that the organization’s current methods of access control are no longer sufficient. In order to evaluate the different methods of access control, the CSO requested that you research: mandatory access control (MAC), discretionary access control (DAC), and role-based access control (RBAC). Then, prepare a report addressing positive and negative aspects of each access control method. This information will be presented to the Board of Directors at their next meeting. Further, the CSO would like your help in determining the best access control method for the organization.
Write a three to five page paper in which you:
Explain in your own words the elements of the following methods of access control:
Mandatory access control (MAC)
Discretionary access control (DAC)
Role-based access control (RBAC)
Compare and contrast the positive and negative aspects of employing a MAC, DAC, and RBAC.
Suggest methods to mitigate the negative aspects for MAC, DAC, and RBAC.
Evaluate the use of MAC, DAC, and RBAC methods in the organization and recommend the best method for the organization. Provide a rationale for your response.
Speculate on the foreseen challenge(s) when the organization applies the method you chose. Suggest a strategy to address such challenge(s).
Use at least three quality resources in this assignment. Note: Wikipedia and similar Websites do not qualify as quality resources.
Access Controls
The choice of access control in an organization is determined by how effectively it enhances the security of the computer and network system. Access control limits access to a system and to its virtual and physical resources by granting access and specified privileges to information, resources and systems. Different access controls have their strengths and weaknesses based on how effectively they regulate access to an organization's system. Effectiveness in securing a system is considered a strength and advantage, while the inability to protect the system is a disadvantage and weakness. In this regard, organizations settle for different types of access control based on their ability to regulate the system and secure it. These include mandatory access control (MAC), discretionary access control (DAC) and role-based access control (RBAC), each with different elements, positives and negatives that determine its effectiveness in securing the system, resources, and information.
Different types of access control (elements, comparison of positives and negatives)
Mandatory access control (MAC)
Mandatory access control restricts the ability of an initiator or subject to access or operate on an object or target. The administrator is tasked with managing access control by defining the access and usage policy, which cannot be changed by the users (Henricksen et al., 2007). The access policy determines which employees or individuals have access to files and programs. These facts indicate that MAC is adopted and used in organizations that give priority to confidentiality. The administrator regulates access by classifying objects and users. MAC has its share of positives and negatives that influence its choice in organizations. The positives of MAC are that it provides tight security since only a system administrator has the access controls, MAC policies reduce security errors, and a MAC-enforced operating system delineates and labels incoming application data, which is vital in developing an external application access control policy. On the other hand, the disadvantages of MAC are that it makes systems cumbersome to manage, since the administrator has to assign all permissions, and that the access control is expensive to run. These negatives and challenges can be addressed by increasing the number of administrators to handle the increased roles and tasks.
Discretionary access control (DAC)
Discretionary access control gives the user complete control over all the programs the user owns and executes. The owner further determines the permissions of other users on different programs and files (Sandhu and Park, 2003). DAC requires permission to be assigned to those who require access, and is thus dubbed a need-to-know access model. DAC likewise has its share of positives and negatives that determine the capability of the access control. The positive aspects of DAC are that it is more flexible than MAC, as users can control access to their own files and programs, unlike MAC where all operations are regulated by the administrator. DAC enables users to create customized access policies for every user. DAC enables a user to transfer files and programs to other users, and it has various authorization levels that enhance security and control. On the other hand, the disadvantages are inherent vulnerabilities such as Trojan horses, the burden of ACL maintenance and capacity, limited negative authorization, and the ongoing maintenance of grant and revoke permissions. These weaknesses and negatives can be mitigated by making the DAC flexible so that it can accommodate changes and modifications that address the arising challenges.
Role-based access control (RBAC)
Role-based access control is a strategy adopted to regulate network access for users based on their roles in an organization. The control ensures that employees and individuals are only able to take on and carry out tasks that are attached to their role (Kuhn, Coyne and Weil, 2010). The employees, in this case, have access rights only to the information they require to perform their tasks and are prevented from accessing information that does not pertain to them. Equally important, RBAC has several positives and negatives attached to it that regulate the extent of its control. RBAC is based on various factors, including job competency, authority, and responsibility, that ensure the access control achieves its goals and objectives. Additionally, RBAC permissions can be limited to specific operations, such as the capability to modify, create and view a file. On the other hand, the negatives include role explosion, which causes confusion between roles and individuals. This challenge can be addressed by increasing the number of roles so that permissions are encapsulated.
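To make the contrast between the three sections above concrete, here is a small policy engine written as an added example for this page (it is not part of the original essay or of any of the cited papers). It models each method in the way the essay describes it: under MAC a label comparison decides and neither user nor owner can override it; under DAC the owner decides and may delegate, which is also where the Trojan horse weakness enters, since any program running as the owner can grant; under RBAC permissions attach to roles and users to roles. All users, labels, roles and resources are constructed for illustration.

```python
"""Toy policy engine contrasting MAC, DAC and RBAC access decisions.

Constructed example: users, labels, roles and resources below are invented
for illustration and do not come from any real system.
"""
from dataclasses import dataclass, field

# ---------- MAC: fixed sensitivity labels, administrator-defined ----------
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2}


def mac_allows(clearance: str, label: str, action: str) -> bool:
    """Bell-LaPadula style rule: a subject may read an object only at or
    below its clearance (no read up) and write only at or above it (no
    write down).  Neither the object owner nor the user can relax this;
    only relabelling (an administrator action) changes the answer."""
    s, o = LEVELS[clearance], LEVELS[label]
    if action == "read":
        return s >= o
    if action == "write":
        return s <= o
    return False


# ---------- DAC: the owner decides and may delegate ----------
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)  # user -> set of allowed actions


def dac_allows(obj: DacObject, user: str, action: str) -> bool:
    return user == obj.owner or action in obj.acl.get(user, set())


def dac_grant(obj: DacObject, granter: str, grantee: str, action: str) -> None:
    """Only the owner may add ACL entries.  Any program running with the
    owner's identity can call this, which is the Trojan horse weakness of
    DAC that the essay mentions: the model cannot tell the owner's intent
    from a program acting in the owner's name."""
    if granter != obj.owner:
        raise PermissionError(f"{granter} does not own this object")
    obj.acl.setdefault(grantee, set()).add(action)


# ---------- RBAC: permissions attach to roles, users to roles ----------
ROLE_PERMS = {
    "analyst": {("view", "report")},
    "editor": {("view", "report"), ("create", "report"), ("modify", "report")},
}
USER_ROLES = {"carol": {"analyst"}, "dave": {"editor"}}


def rbac_allows(user: str, action: str, resource: str) -> bool:
    """A user may act only through a role that carries that permission."""
    return any((action, resource) in ROLE_PERMS.get(role, set())
               for role in USER_ROLES.get(user, set()))


def compare_models() -> dict:
    """Run comparable requests through each model and collect the decisions."""
    results = {}
    # MAC: bob (confidential) cannot read a secret file; alice (secret) can,
    # but alice may not write down into a confidential file.
    results["mac_bob_reads_secret"] = mac_allows("confidential", "secret", "read")
    results["mac_alice_reads_secret"] = mac_allows("secret", "secret", "read")
    results["mac_alice_writes_down"] = mac_allows("secret", "confidential", "write")

    # DAC: alice owns the file and decides who else may read it.
    budget = DacObject(owner="alice")
    results["dac_bob_before_grant"] = dac_allows(budget, "bob", "read")
    dac_grant(budget, "alice", "bob", "read")
    results["dac_bob_after_grant"] = dac_allows(budget, "bob", "read")
    try:
        dac_grant(budget, "bob", "carol", "read")  # bob is not the owner
        results["dac_bob_can_regrant"] = True
    except PermissionError:
        results["dac_bob_can_regrant"] = False

    # RBAC: carol (analyst) may view but not modify; dave (editor) may modify.
    results["rbac_carol_modifies"] = rbac_allows("carol", "modify", "report")
    results["rbac_dave_modifies"] = rbac_allows("dave", "modify", "report")
    results["rbac_unknown_user"] = rbac_allows("eve", "view", "report")
    return results


if __name__ == "__main__":
    for name, decision in compare_models().items():
        print(f"{name:26} {'ALLOW' if decision else 'DENY'}")
```

Running the script prints one ALLOW or DENY line per request. The point to notice is where each model puts the decision: `mac_allows` consults only labels, so the owner of a file has no way to let a lower-cleared colleague read it; `dac_grant` lets the owner do exactly that, which is the flexibility the essay credits to DAC and also its exposure; `rbac_allows` never mentions individuals at all, so adding a new employee means assigning a role rather than editing every object's ACL, while each new combination of duties tends to become another role, which is the role explosion problem.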
Conclusion
The medium-sized federal government contractor should adopt and use role-based access control to achieve its goals and objectives as well as to meet customer expectations. RBAC will ensure that all tasks in the firm are assigned to their respective professionals and individuals. This ensures that employees are in a position to handle and complete their respective tasks. Once tasks are assigned in this way, the organization is in a position to complete them expeditiously. Additionally, the roles of different employees can be supervised and improved over time. Equally important, RBAC is likely to experience challenges in the course of operations. In this regard, the challenges can be addressed by making the access control flexible enough to accommodate changes and modifications as solutions to handle the challenges.
References
Kuhn, D. R., Coyne, E. J., & Weil, T. R. (2010). Adding attributes to role-based access control. Computer, 43(6), 79-81.
Sandhu, R., & Park, J. (2003, September). Usage control: A vision for next-generation access control. In International Workshop on Mathematical Methods, Models, and Architectures for Computer Network Security (pp. 17-31). Springer, Berlin, Heidelberg.
Henricksen, M., Caelli, W., & Croll, P. (2007, January). Securing grid data using mandatory access controls. In Proceedings of the fifth Australasian Symposium on ACSW frontiers-Volume 68 (pp. 25-32). Australian Computer Society, Inc.