Handbook of Information Security Management:Access Control



Rules

To ensure that integrity is attained and preserved, Clark and Wilson assert, certain integrity-monitoring and integrity-preserving rules are needed. Integrity-monitoring rules are called certification rules, and integrity-preserving rules are called enforcement rules.

These certification rules address the following notions:

  Constrained data items are consistent.
  Transformational procedures act validly.
  Duties are separated.
  Accesses are logged.
  Unconstrained data items are validated.

The enforcement rules specify how the integrity of constrained data items and triples must be maintained and require that subjects’ identities be authenticated, that triples be carefully managed, and that transformational procedures be executed serially and not in parallel.

Of all the models discussed, only Clark-Wilson contains elements that relate to the functions that characterize leading access control products. Unified access control generalizes notions of access rules and access types to permit description of a wide variety of access control policies.
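As an added illustration (not the book's own code), the following toy model enforces the Clark-Wilson rules just listed: access triples of (user, TP, CDI), certified TPs paired with an integrity verification check on the CDI, separation of duties between conflicting TPs, logging of every access, authenticated subjects, and serialised TP execution. The ledger, TP names and users are constructed for the demo.

```python
# Toy Clark-Wilson enforcement model (illustrative only, not the book's code).
import threading
class IntegrityViolation(Exception): pass

class ClarkWilson:
    def __init__(self, authenticated, conflicting_tps=()):
        self.authenticated = set(authenticated)   # subjects already authenticated
        self.conflicts = {frozenset(p) for p in conflicting_tps}
        self.cdis, self.tps, self.triples, self.log = {}, {}, set(), []
        self._lock = threading.Lock()
    def certify(self, tp, transform, ivp):        # certification: TP acts validly
        self.tps[tp] = (transform, ivp)           # ivp: integrity check on the new CDI
    def grant(self, user, tp, cdi):               # certification: duties separated
        held = {t for (u, t, _) in self.triples if u == user}
        if any(frozenset((tp, h)) in self.conflicts for h in held):
            raise IntegrityViolation("separation of duties: " + user)
        self.triples.add((user, tp, cdi))
    def _deny(self, user, tp, cdi, why):          # certification: accesses are logged
        self.log.append((user, tp, cdi, "denied: " + why))
        raise IntegrityViolation(why)
    def run(self, user, tp, cdi, udi):
        with self._lock:                          # enforcement: TPs run serially
            if user not in self.authenticated:    # enforcement: subject authenticated
                self._deny(user, tp, cdi, "unauthenticated subject")
            if (user, tp, cdi) not in self.triples or tp not in self.tps:
                self._deny(user, tp, cdi, "no access triple or uncertified TP")
            transform, ivp = self.tps[tp]
            new = transform(self.cdis.get(cdi, 0), udi)   # TP returns None on bad UDI
            if new is None or not ivp(new):               # CDI must stay consistent
                self._deny(user, tp, cdi, "invalid UDI or inconsistent CDI")
            self.cdis[cdi] = new
            self.log.append((user, tp, cdi, "ok"))
            return new

def demo():
    cw = ClarkWilson({"alice"}, [("request", "approve")])   # constructed scenario
    # TP: deposit validates its UDI (amount must be a positive int) before use
    cw.certify("deposit",
               lambda bal, amt: bal + amt if isinstance(amt, int) and amt > 0 else None,
               lambda bal: bal >= 0)
    cw.grant("alice", "deposit", "ledger"); cw.grant("alice", "request", "ledger")
    out = {"deposit": cw.run("alice", "deposit", "ledger", 100)}
    for label, call in [("negative", lambda: cw.run("alice", "deposit", "ledger", -5)),
                        ("sod", lambda: cw.grant("alice", "approve", "ledger")),
                        ("bob", lambda: cw.run("bob", "deposit", "ledger", 1))]:
        try:
            call(); out[label] = "allowed"
        except IntegrityViolation:
            out[label] = "denied"
    return dict(out, log_entries=len(cw.log))
```

Running `demo()` shows the valid deposit succeeding while the negative amount, the conflicting grant and the unauthenticated user are all refused, with three log entries recorded.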

UNATTENDED SESSIONS

Another type of access control deals with unattended sessions. Users cannot spend many hours continuously interacting with computers from the same port; everyone needs a break every so often. If resource-oriented passwords are not used, systems must associate all the acts of a session with the person who initiated it. If the session persists while its initiator takes a break, another person could come along and do something in that session with its initiator’s authority. This would constitute a violation of security. Therefore, users must be discouraged from leaving their computers logged on when they are away from their workstations.

If administrators want users to attend their sessions, it is necessary to:

  Make it easy for people to interrupt and resume their work.
  Have the system try to detect absences and protect the session.
  Facilitate physical protection of the medium while it is unattended.
  Implement strictly human controls (e.g., training and surveillance of personnel to identify offenders).

There would be no unattended sessions if users logged off every time they left their ports. Most users do not do this because then they must log back on, and the log-on process of a typical system is neither simple nor fast. To compensate for this deficiency, some organizations use expedited log-on/log-off programs, also called suspend programs. Suspend programs do not sever any part of the physical or logical connection between a port and a host; rather, they sever the connection-maintaining resources of the host so that the port is put in a suspended state. The port can be released from suspended state only by the provision of a password or other identity-validation mechanism. Because this is more convenient for users, organizations hope that it will encourage employees to use it rather than leave their sessions unattended.

The lock function of UNIX is an example of a suspend program. Users can enter a password when suspending a session and resume it by simply reentering the same password. The password should not be the user’s log-on password because an intruder could start a new session during the user’s absence and run a program that would simulate the lock function, then read the user’s resume password and store it in one of the intruder’s own files before simulating a session-terminating failure.

Another way to prevent unattended sessions is to chain users to their sessions. For example, if a port is in an office that has a door that locks whenever it is released and only one person has a key to each door, it may not be necessary to have a system mechanism. If artifacts are used for verifying identities and the artifacts must be worn by their owners (e.g., similar to the identification badges in sensitive government buildings), extraction of the artifact can trigger automatic termination of a session. In more common environments, the best solution may be some variation of the following:

  If five minutes elapse with no signal from the port, a bell or other device sounds.
  If another half-minute elapses with no signal, automatic termination of the session, called time-out, occurs.

A system might automatically terminate a session if a user takes no action for a time interval specified by the administrator (e.g., five minutes). Such a measure is fraught with hazards, however. For example, users locked out (i.e., prevented from acting in any way the system can sense) by long-running processes will find their sessions needlessly terminated. In addition, users may circumvent the control by simulating an action, under program control, frequently enough to avoid session termination. If the system issues no audible alarm a few seconds before termination, sessions may be terminated while users remain present. On the other hand, such an alarm may be annoying to some users. In any case, the control may greatly annoy users, doing more harm to the organization than good.
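The two-stage scheme above (bell after five minutes of silence, time-out half a minute later) and the long-running-process hazard can be modelled as a small state machine. This is an added example, not code from the book; the thresholds come from the text, while the `SessionMonitor` API, its events and the timings in the two scenarios are constructed for illustration.

```python
# Idle-session monitor: bell after 5 minutes with no signal from the port, time-out
# 30 seconds later; a session blocked on a long-running process is not counted idle.
ALARM_AFTER = 300      # seconds of silence before the bell sounds
TIMEOUT_AFTER = 330    # seconds of silence before the session is terminated

class SessionMonitor:
    def __init__(self, start_time):
        self.last_signal = start_time
        self.busy = False          # True while a long-running process holds the session
        self.state = "active"      # active -> alarm -> terminated
        self.events = []           # (time, event) audit trail

    def input_received(self, now):     # keystroke or other signal from the port
        if self.state != "terminated":
            self.last_signal = now
            self.state = "active"      # a signal during the alarm cancels it
        return self.state

    def process_started(self, now):    # user is locked out until the job finishes
        self.busy, self.last_signal = True, now

    def process_finished(self, now):   # idle clock restarts when the job ends
        self.busy, self.last_signal = False, now

    def tick(self, now):               # called periodically by the system
        if self.state == "terminated":
            return self.state
        if self.busy:                  # user cannot act, so silence is not idleness
            self.last_signal = now
            return self.state
        idle = now - self.last_signal
        if idle >= TIMEOUT_AFTER:
            self.state = "terminated"; self.events.append((now, "time-out"))
        elif idle >= ALARM_AFTER and self.state == "active":
            self.state = "alarm"; self.events.append((now, "bell"))
        return self.state

def scenario_idle():                   # user walks away after typing at t=60
    m = SessionMonitor(0)
    m.input_received(60)
    return [m.tick(359), m.tick(360), m.tick(389), m.tick(390)]

def scenario_long_job():               # user starts a job at t=60 and waits for it
    m = SessionMonitor(0)
    m.process_started(60)
    a = m.tick(1000)                   # 940 s of silence, but the job is running
    m.process_finished(1000)
    b = m.tick(1300)                   # 300 s after the job ended: bell
    c = m.input_received(1305)         # user responds before time-out
    return [a, b, c]
```

The monitor cannot tell a genuine keystroke from one a program simulates, which is the circumvention the text warns about; that hazard has to be addressed by policy and audit rather than by the timer itself.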

Physical protection is easier if users can simply turn a key, which they then carry with them on a break, to render an input medium and the user’s session invulnerable. If that is impossible, an office’s lockable door can serve the same purpose. Perhaps best for any situation is a door that always swings shut and locks when it is not being held open.

ADMINISTRATION OF CONTROLS

Administration of access controls involves the creation and maintenance of access control rules. It is a vital concern because if this type of administration is difficult, it is certain to be done poorly. The keys to effective administration are:

  Expressing rules as economically and as naturally as possible.
  Remaining ignorant of as many irrelevant distinctions as possible.
  Reducing the administrative scope to manageable jurisdictions (i.e., decentralization).

Rules can be economically expressed through use of grouping mechanisms. Administrator interfaces ensure that administrators do not have to deal with irrelevant distinctions and help reduce the administrative scope. The following sections discuss grouping and administrator interfaces.
