User access controls - Part 2

Table 1: Access rights

A table with information on the Operating system, Files, and Account database belonging to subjects, System, Alicia, Bob, and Accounts program.

Now, it’s time to continue your exploration of user access controls.

Access Control Matrix

Some access models are based on the concept of an Access Control Matrix: a table whose rows are subjects (users, programs or the system itself), whose columns are objects (files, databases, the operating system) and whose cells hold the rights that subject has to that object. The Access Control List in Microsoft Windows is an implementation of the Access Control Matrix; each list holds one column of the matrix, the rights every subject has to a single object.

The matrix in Table 1 illustrates the access rights each subject has to each object. In this example:

  • Alice can access her own files, having read, write and execute permissions
  • Bob is Alice’s colleague and she’s given him permission to read her files
  • However, whilst Bob has read, write and execute rights to his own files, he hasn’t reciprocated with Alice, so she has no access to his files

Notice that two of the subjects aren’t users; one is the system and the other is a program. In this example, the system and the accounts program have read, write and execute rights to the account database; no other subject has access to this database.

Access permissions

Screenshot of Microsoft window showing list of access permissions.

Access control list

An Access Control List is made up of Access Control Entries, each of which is a structure specifying the permissions for a single user, group, or other entity. In the screenshot, the permissions for the group called Users are set to either read, or read and execute.

These permissions are more granular than the basic owner/group/other permission bits of Linux/Unix, although most modern versions of Linux also support more granular mechanisms. Windows can additionally specify a ‘deny’ entry, which makes a group or individual an exception to the rule, and a ‘full control’ permission, which allows the subject to change the permissions on that resource as well as use it.

User authentication

Three circular icons: 1. icon of screen with lock ‘Something a user knows’; 2. icon of blank screen, ‘Something a user has’; 3. Lines on circle, ‘Something a user is or does’

Authentication factors

There are different types of user authentication, known as factors of authentication. These include:

  • Something a user knows, for example, a password
  • Something a user has, for example, a hardware token to access a PC
  • Something a user is (or does) which relates to biometric information like a fingerprint or voice recognition

Sometimes, for extra security, more than one factor is used. This is referred to as Multi-Factor Authentication (MFA), or Two-Factor Authentication (2FA) when exactly two factors are combined.
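The following is an added example, not code from the original page, showing how the first two factors above combine in a two-factor login: a salted, slow password hash (something the user knows) and a time-based one-time code of the kind a hardware or phone token generates (something the user has, computed per RFC 4226/6238). The user record, password and salt are constructed demo values; the TOTP secret is the RFC 6238 test-vector key, chosen only so the expected codes are documented.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo values. The TOTP secret is the RFC 6238 test-vector key;
# a real system generates a random per-user secret at enrolment.
TOTP_SECRET = b"12345678901234567890"
PASSWORD_SALT = b"constructed-per-user-salt"


def hash_password(password: str, salt: bytes = PASSWORD_SALT) -> bytes:
    """Something the user knows: store a slow, salted hash, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user record (in practice this lives in a directory or database).
USERS = {
    "alice": {"pw_hash": hash_password("correct horse battery staple"),
              "totp_secret": TOTP_SECRET},
}


def verify_password(username: str, password: str) -> bool:
    user = USERS.get(username)
    if user is None:
        hash_password(password)          # same amount of work for unknown users (timing)
        return False
    return hmac.compare_digest(user["pw_hash"], hash_password(password))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current 30-second time step."""
    now = time.time() if now is None else now
    return hotp(secret, int(now) // step, digits)


def verify_totp(secret: bytes, code: str, now: Optional[float] = None, window: int = 1) -> bool:
    """Something the user has: accept the current code or one step either side (clock drift)."""
    now = time.time() if now is None else now
    current = int(now) // 30
    return any(hmac.compare_digest(hotp(secret, c), code)
               for c in range(current - window, current + window + 1))


def authenticate(username: str, password: str, code: str, now: Optional[float] = None) -> bool:
    """Two-factor login: both factors are always evaluated, so a failure does not
    reveal which of the two was wrong."""
    pw_ok = verify_password(username, password)
    user = USERS.get(username)
    otp_ok = user is not None and verify_totp(user["totp_secret"], code, now)
    return pw_ok and otp_ok


if __name__ == "__main__":
    # Fixed clock so the run is reproducible; at t=59 the RFC 6238 code is 287082.
    print(totp(TOTP_SECRET, now=59))
    print(authenticate("alice", "correct horse battery staple", "287082", now=59))
```

The `now` parameter exists only so the code can be exercised against the published test vectors; a deployment uses the real clock and must also record used codes so a captured one cannot be replayed within the acceptance window.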

User authorisation

Flow diagram showing user authorization, from password to either access or denial of access.


Once the identity of the individual has been established, the system then needs to decide which assets they can access - this is known as authorisation.

For example, in a typical Windows environment, once the user has entered a valid username and password combination and has been authenticated by the Windows Domain Controller, they are issued an access token that stays with them for the duration of the session. If the user tries to access a server where corporate documents are stored, the authorisation service checks the user and group identities in the access token against the users and groups that the resource’s access control list allows. This process is known as access control.

If there’s a match, the user can access the resource; no match means access is denied.
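As an added example (not code from the page, and not Microsoft’s implementation), the block below ties together the Access Control Matrix, the ACL/ACE sections and the token-based authorisation just described. It builds the page’s Table 1 as a matrix, shows that an ACL is one column of it, and then evaluates a Windows-style ACL containing allow and deny entries against an access token carrying the user’s group memberships. Object names such as `alice_files`, the group names and the sample ACL are constructed; the evaluation deliberately simplifies Windows semantics to “an explicit deny on any requested right wins, otherwise all requested rights must be allowed”.

```python
from dataclasses import dataclass

# --- Access control matrix: a constructed rendering of the page's Table 1 ---
# Rows are subjects, columns are objects, cells hold the rights. The object
# names are assumptions made for this illustration.
RWX = frozenset({"read", "write", "execute"})
MATRIX = {
    ("System", "account_db"): RWX,
    ("Accounts program", "account_db"): RWX,
    ("Alice", "alice_files"): RWX,
    ("Bob", "alice_files"): frozenset({"read"}),   # Alice has granted Bob read access
    ("Bob", "bob_files"): RWX,                      # Bob has not reciprocated
}


def matrix_allows(subject: str, obj: str, right: str) -> bool:
    """Look a request up directly in the matrix; an absent cell means no access."""
    return right in MATRIX.get((subject, obj), frozenset())


def acl_for(obj: str) -> dict:
    """An ACL is one column of the matrix: every subject's rights to a single object."""
    return {subj: rights for (subj, o), rights in MATRIX.items() if o == obj}


# --- Windows-style ACL with allow/deny entries, evaluated against an access token ---
@dataclass(frozen=True)
class ACE:
    trustee: str         # user or group the entry applies to
    kind: str            # "allow" or "deny"
    rights: frozenset


FULL_CONTROL = RWX | {"change_permissions"}   # 'full control' includes editing the ACL itself


@dataclass(frozen=True)
class Token:
    user: str
    groups: frozenset    # group memberships issued at logon


def check_access(token: Token, acl: list, requested) -> bool:
    """Simplified Windows evaluation: an explicit deny ACE covering any requested
    right wins outright (Windows orders explicit denies ahead of allows); otherwise
    every requested right must be granted by some allow ACE for the user or a group."""
    principals = {token.user} | set(token.groups)
    requested = frozenset(requested)
    for ace in acl:
        if ace.kind == "deny" and ace.trustee in principals and ace.rights & requested:
            return False
    granted = frozenset()
    for ace in acl:
        if ace.kind == "allow" and ace.trustee in principals:
            granted |= ace.rights
    return requested <= granted


# Constructed ACL for a corporate document share; group names are assumptions.
DOCS_ACL = [
    ACE("Contractors", "deny", frozenset({"write"})),
    ACE("Administrators", "allow", FULL_CONTROL),
    ACE("Users", "allow", frozenset({"read", "execute"})),
    ACE("Finance", "allow", frozenset({"read", "write"})),
]

if __name__ == "__main__":
    alice = Token("alice", frozenset({"Users", "Finance"}))
    bob = Token("bob", frozenset({"Users", "Finance", "Contractors"}))
    print(acl_for("account_db"))                              # only System and Accounts program
    print(check_access(alice, DOCS_ACL, {"read", "write"}))   # True via Finance
    print(check_access(bob, DOCS_ACL, {"read", "write"}))     # False: Contractors deny wins
```

Note that Bob is a member of Finance, which allows write, yet the request is refused: that is the “exception to the rule” a deny entry provides, and it is why a group-membership change can silently remove access that another group appears to grant.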

Administering user access

4 Icons showing ‘User account set-up'; ‘Revoke old privileges’; ‘Emergency overrides’; ‘Revert access rights’.

Administering user access to a system can be a complex task for the system management team, especially considering the entire life cycle of a single user account, from the day the user joins until the day they leave the organisation. During this time, they might be promoted, change roles, move into other parts of the business, become mobile or remote workers, take extended sick leave, or ultimately, leave the organisation.

The admin team must ensure:

  • Users have accounts, can gain access to the right resources and system objects, and have the correct rights on those files and folders so that they can carry out their duties
  • Old privileges are revoked, and new ones assigned if the user changes to a different role
  • Overrides are used if emergency access is required, for example, a team leader needing access to an individual’s personal file store when they’re off sick
  • Reversion to previous access rights is as quick as possible after an issue is resolved to ensure the principle of ‘least privilege’ is maintained
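The four duties above map naturally onto a small account-lifecycle model. The block below is an added example, not the page’s or any product’s code: permissions hang off roles rather than individuals, so changing a role drops the old rights automatically; emergency overrides (the team leader reading a sick colleague’s file store) are time-boxed and revert on their own; and an audit function reports anything a user holds beyond their role baseline. The role catalogue, usernames, permission strings and timestamps are all constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Set

# Constructed role catalogue. Permissions are attached to roles, never to people,
# so a role change replaces the old set instead of accumulating on top of it.
ROLES = {
    "analyst": {"read:finance_share"},
    "team_lead": {"read:finance_share", "write:finance_share", "read:team_reports"},
    "hr_officer": {"read:hr_records", "write:hr_records"},
}


@dataclass
class Override:
    permission: str
    reason: str
    expires_at: datetime


@dataclass
class Account:
    username: str
    role: str
    overrides: List[Override] = field(default_factory=list)


def change_role(account: Account, new_role: str) -> Set[str]:
    """Mover: switch roles and return the permissions revoked by the move."""
    if new_role not in ROLES:
        raise KeyError(f"unknown role {new_role!r}")
    revoked = ROLES[account.role] - ROLES[new_role]
    account.role = new_role
    return revoked


def grant_override(account: Account, permission: str, reason: str,
                   now: datetime, duration: timedelta = timedelta(hours=4)) -> Override:
    """Emergency access is always time-boxed, so it expires whether or not
    anyone remembers to take it away."""
    ov = Override(permission, reason, now + duration)
    account.overrides.append(ov)
    return ov


def effective_permissions(account: Account, now: datetime) -> Set[str]:
    """Role baseline plus any override that has not yet expired."""
    perms = set(ROLES[account.role])
    perms.update(o.permission for o in account.overrides if o.expires_at > now)
    return perms


def expire_overrides(account: Account, now: datetime) -> int:
    """Housekeeping run: drop expired overrides and return how many were reverted."""
    keep = [o for o in account.overrides if o.expires_at > now]
    removed = len(account.overrides) - len(keep)
    account.overrides = keep
    return removed


def excess_privileges(account: Account, now: datetime) -> Set[str]:
    """Audit view: everything held beyond the role baseline, for least-privilege review."""
    return effective_permissions(account, now) - ROLES[account.role]


if __name__ == "__main__":
    t0 = datetime(2024, 1, 8, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    lead = Account("carol", "team_lead")
    grant_override(lead, "read:bob_personal_store", "Bob off sick; ticket <PLACEHOLDER>", t0)
    print(excess_privileges(lead, t0))                        # {'read:bob_personal_store'}
    print(excess_privileges(lead, t0 + timedelta(hours=5)))   # set()
    print(change_role(lead, "analyst"))                       # rights the move revoked
```

The `excess_privileges` report is the piece worth scheduling: an override that is still live long after the incident it was raised for is exactly the drift the ‘least privilege’ bullet warns about.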

In addition to administering user access controls, network access controls are required for the network and operating system layers. These grant access to a network based on where the user’s coming from, the identity of their machine, and what state the machine is in.

User access controls

Privileged system users, for example system administrators, deserve particular consideration. The duties of privileged account holders should be segregated so that no individual can completely undermine an organisation’s security: an administrator who needs to reset passwords or unlock accounts should not automatically be granted database administrator rights as well.

One of the biggest security threats organisations face today is insider attack. The more privileges a user has, the more they could undermine security. Segregation of privileges should be supported by monitoring, and many organisations also conduct extensive background checks, psychometric evaluations and even financial audits to ensure that individuals aren’t open to coercion, bribery or corruption.

Data ownership and access controls

Now, it’s time to take a closer look at data ownership and access controls.

Establishing who owns an information asset within an organisation is essential to controlling and protecting it. This is important when technical measures are being designed to protect sensitive and confidential material. However, ownership controls that reach beyond the IT system are also important. For example, files on a system may be protected by user groups so that only a few users have access, but when a user prints one of those documents there are other considerations, such as:

  • How is it protected?
  • How is the location of the printed copy monitored?
  • Where is the printed document filed?
  • If it’s in a locked cabinet, who knows where the key is?

Access to data can be assigned to a functional group within an organisation, or to an individual user. There are security implications when considering which groups can access which areas of the system. For example, Finance might have a group location to store information for members of their team, and the same folder may be blocked for the HR team. Similarly, where the HR team needs access to confidential employee records, this information should be protected from other staff members.

Staff member on phone in front of computer.

Non-human actors

Remember that it’s not only people who access an organisation’s information. There are numerous services, like back-ups, anti-virus software, auditing software, and integrity checkers, which run in the background to check that files are where they should be and doing what they should do.

However, any one of these ‘services’ can potentially cause a problem and expose a threat vector. If malware infects the back-up system and tampers with the read capability, it could allow an unauthorised source access to that data. All these aspects of the system need to be analysed in terms of the access they provide and the strength of the security controls.

Access points

As mobile working increases, additional security implications arise because of the variety of locations corporate systems can be accessed from. An access point is defined as any location from which the internal IT systems of an organisation can be accessed. There are three primary ways that access can be gained, each with its own set of security concerns:

  1. Directly by connecting to the corporate network.
  2. Wireless access through a trusted wireless access point run on the premises, e.g. exposed to a drive-by attack.
  3. Remotely through a third-party network, which could be from home or third-party premises, for example a hotel or coffee shop.

What’s next?

One of the key methods of ensuring organisation members are up to date and in line with security features is to implement efficient training, with easy access to FAQs and need-to-know information. Now, you're going to discover some of the recommendations to help you achieve this.


Procedural and people security is a key part of Information Assurance. Threats are not only external; they may also originate with or involve staff/ex-staff members. Therefore, it’s essential that all staff follow correct policies and procedures so they foster an appropriate security culture.

About the Author
Learning Paths

A world-leading tech and digital skills organization, we help many of the world’s leading companies to build their tech and digital capabilities via our range of world-class training courses, reskilling bootcamps, work-based learning programs, and apprenticeships. We also create bespoke solutions, blending elements to meet specific client needs.