Handbook of Information Security Management: Policy, Standards, and Organization



Limited points of administration — Therefore, prefer a limited number of points of administration that operate across a number of points of control. These may be relatively centralized to respond to a requirement for a great deal of special knowledge about the control mechanism. Alternatively, they can be relatively decentralized to meet a requirement for special knowledge about the users, their duties, and their responsibilities.

Single resource name space for enterprise data — Prefer a single name space for all enterprise data. Limit this naming scheme to enterprise data, i.e., data that are used and meaningful across business functions or that are related to the business strategy. It is not necessary to include all business functional data, project data, departmental data, or personal data.

Object, table, or view as unit of control — Prefer capabilities, objects, tables, views, rows, columns, and files, in that order, as objects of control. This is the order in which the data are most obvious as to meaning and intended use.

Arbitrary group names with group-name service — It is useful to be able to organize people into affinity groups. These may include functions, departments, projects, and other units of organization. They may also include such arbitrary groups as employees, nonemployees, vendors, consultants, contractors, etc. The architecture should deal only with enterprise-wide groups, while still permitting the creation of groups that are strictly local to a single organizational unit or system. Enterprise group names should be assigned, and group affinities managed, by a single service across the enterprise and across all applications and systems. This service may run as part of the user name service. Within reasonable bounds, any user should be able to define a group for which he is prepared to assume ownership and responsibility. Group owners should be able to manage group membership or delegate it. For example, the human resources manager might wish to restrict the ability to add members to the group “payroll department” while permitting any manager to add users to the group “employee” or the group “nonemployee.”
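The ownership and delegation model just described, as an added illustration (this is not code from the Handbook; the class names, the "manager" role label, and the user and group names are constructed for the example). A single service owns the enterprise group name space; each group has an owner who may delegate membership management, and an owner may additionally open a group so that anyone holding the manager role can add members, which is the "employee" versus "payroll department" distinction in the text.

```python
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    owner: str                                   # the user who assumed responsibility
    managers: set = field(default_factory=set)   # owner's delegates for membership changes
    members: set = field(default_factory=set)
    open_to_managers: bool = False               # any manager may add members (e.g. "employee")


class GroupService:
    """Single enterprise-wide group-name service (hypothetical design, not from the Handbook)."""

    def __init__(self, roles):
        # roles: user -> set of role labels, e.g. {"manager"}; constructed input
        self.roles = roles
        self.groups = {}

    def create_group(self, name, owner, open_to_managers=False):
        # One name space: a group name can be taken only once across the enterprise.
        if name in self.groups:
            raise ValueError(f"group name already taken: {name}")
        self.groups[name] = Group(name, owner, open_to_managers=open_to_managers)
        return self.groups[name]

    def delegate(self, name, actor, delegate):
        g = self.groups[name]
        if actor != g.owner:
            raise PermissionError(f"only the owner of {name} may delegate")
        g.managers.add(delegate)

    def _may_manage(self, g, actor):
        if actor == g.owner or actor in g.managers:
            return True
        return g.open_to_managers and "manager" in self.roles.get(actor, set())

    def add_member(self, name, actor, user):
        g = self.groups[name]
        if not self._may_manage(g, actor):
            raise PermissionError(f"{actor} may not manage membership of {name}")
        g.members.add(user)

    def is_member(self, name, user):
        return user in self.groups[name].members


def demo():
    """Constructed scenario: HR keeps 'payroll-department' tightly held but lets
    any manager add users to 'employee'."""
    roles = {"hr_manager": {"manager"}, "sales_manager": {"manager"}, "clerk": set()}
    svc = GroupService(roles)
    svc.create_group("employee", owner="hr_manager", open_to_managers=True)
    svc.create_group("payroll-department", owner="hr_manager")
    svc.delegate("payroll-department", "hr_manager", "payroll_lead")

    svc.add_member("employee", "sales_manager", "alice")          # any manager may
    svc.add_member("payroll-department", "payroll_lead", "bob")   # owner's delegate may
    results = {
        "alice_employee": svc.is_member("employee", "alice"),
        "bob_payroll": svc.is_member("payroll-department", "bob"),
    }
    for key, group, actor in (("sales_mgr_payroll_denied", "payroll-department", "sales_manager"),
                              ("clerk_employee_denied", "employee", "clerk")):
        try:
            svc.add_member(group, actor, "carol")
            results[key] = False
        except PermissionError:
            results[key] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The point to notice is that every decision about who may change a group is made in one place, against one name space, so an application that consults the service inherits the same answer as every other application.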

Rules-based (as opposed to list-based) access control — Prefer rules-based to list-based access control. For example, “access to data labelled confidential is limited to employees” should be preferred to “user A can access dataset 1.” While the latter is more granular and specific, the former covers more data in a single rule. The latter will require much more administrative activity to accomplish the same result as the former. Similarly, the former can be expressed in far less data. While the latter may permit only a few good things to happen, the former forbids a large number of bad things. This recommendation is counterintuitive to those of us who are part of the tradition of “least possible privilege.” That rule implies that a user should be given access to only those resources required to do their job and that all access should be explicit. The rule of least privilege worked well in a world in which the number of users, data objects, and relations between them was small. It begins to break down rapidly in the modern world of tens of millions of users and billions of resources.

Data-based rules — Access control rules should be expressed in terms of the name and other labels of the data rather than in terms of the procedure to be performed. They should be independent of the procedures used to access the data or the environment in which they are stored. That is, it is better to say that a user has read access to a named file than to say that he has execute access to word.exe. It makes little sense to say that a user is restricted to a procedure that can perform arbitrary operations on an unbounded set of objects. This is an accommodation to the increase in the number of data objects and the decreasing granularity of the procedures.
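A worked comparison of the two preceding recommendations, added here as an example rather than taken from the Handbook (the class names, the label "confidential", the group names and the population sizes are all constructed). The same policy, "employees may read confidential data", is expressed once as a list of explicit user-to-object grants and once as a single rule over the data's label and the user's groups. The rule form refers only to the data's label and the subject's group, never to the program used or the place the data is stored, so it also covers objects created after the rule was written.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DataObject:
    name: str
    label: str         # classification label carried by the data, e.g. "confidential"


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset  # affinity groups from the group-name service, e.g. {"employee"}


class AccessList:
    """List-based control: one explicit (user, object, mode) entry per permission."""

    def __init__(self):
        self.entries = set()

    def grant(self, user_name, object_name, mode):
        self.entries.add((user_name, object_name, mode))

    def permits(self, user, obj, mode):
        return (user.name, obj.name, mode) in self.entries


@dataclass(frozen=True)
class Rule:
    label: str   # data label the rule is about
    group: str   # group whose members are granted
    mode: str    # "read" or "write"


class RuleSet:
    """Rules-based control: decisions depend only on the data's label and the
    user's groups, never on the program used or where the data is stored."""

    def __init__(self, rules):
        self.rules = list(rules)

    def permits(self, user, obj, mode):
        return any(r.label == obj.label and r.group in user.groups and r.mode == mode
                   for r in self.rules)


def compare(n_users=50, n_objects=200):
    """Constructed population: every user is an employee and every object is
    confidential. Express 'employees may read confidential data' both ways."""
    users = [User(f"user{i}", frozenset({"employee"})) for i in range(n_users)]
    objects = [DataObject(f"dataset{j}", "confidential") for j in range(n_objects)]

    acl = AccessList()
    for u in users:
        for o in objects:
            acl.grant(u.name, o.name, "read")
    rules = RuleSet([Rule("confidential", "employee", "read")])

    decisions_agree = all(acl.permits(u, o, "read") == rules.permits(u, o, "read")
                          for u in users for o in objects)
    contractor = User("contractor1", frozenset({"nonemployee"}))
    new_obj = DataObject("dataset_new", "confidential")   # created after the policy was set
    return {
        "list_entries": len(acl.entries),
        "rule_entries": len(rules.rules),
        "decisions_agree": decisions_agree,
        "contractor_denied_by_rules": not rules.permits(contractor, objects[0], "read"),
        "new_object_covered_by_rules": rules.permits(users[0], new_obj, "read"),
        "new_object_covered_by_list": acl.permits(users[0], new_obj, "read"),
    }


if __name__ == "__main__":
    print(compare())
```

With 50 users and 200 objects the list needs 10,000 entries to reach the decisions one rule produces, and the list silently fails to cover the new dataset until an administrator adds 50 more entries. That is the administrative cost, and the gap, that the text warns about.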

Prefer single authentication service — Evidence of user identity should be authenticated by a single central process for the entire enterprise and across all systems and applications. These systems and applications can be clients of the authentication server, or the server can issue trusted credentials to the user that can be recognized and honored by the using systems and applications.
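The second arrangement described above, the central server issuing a credential that other systems honor without seeing the password, as an added example that is not part of the Handbook. The credential format, the class names, the test user and the 300-second lifetime are constructed. This version uses a symmetric HMAC key shared between the authentication service and its client applications; a public-key signature would let applications verify without holding any secret, which fits the public key server the chapter recommends later, but the shape of the exchange is the same.

```python
import base64
import binascii
import hashlib
import hmac
import json
import os
import time


def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class AuthenticationService:
    """The single central authenticator (hypothetical). Only it holds the
    password store and the credential-signing key."""

    def __init__(self, signing_key: bytes, ttl_seconds: int = 300):
        self._key = signing_key
        self._ttl = ttl_seconds
        self._users = {}   # user -> (salt, pbkdf2 hash)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def enroll(self, user: str, password: str):
        salt = os.urandom(16)
        self._users[user] = (salt, self._hash(password, salt))

    def login(self, user: str, password: str, now=None):
        """Return a credential 'body.tag' on success, None on failure."""
        rec = self._users.get(user)
        if rec is None:
            return None
        salt, stored = rec
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            return None
        now = int(time.time()) if now is None else now
        body = json.dumps({"sub": user, "iat": now, "exp": now + self._ttl},
                          sort_keys=True).encode()
        tag = hmac.new(self._key, body, hashlib.sha256).digest()
        return f"{_b64(body)}.{_b64(tag)}"


class RelyingApplication:
    """Any system or application that honors the credential. It never sees a
    password; it only checks the tag and the validity window."""

    def __init__(self, verification_key: bytes):
        self._key = verification_key

    def verify(self, token: str, now=None):
        """Return the authenticated user name, or None if the credential is bad."""
        try:
            body_s, tag_s = token.split(".")
            body, tag = _unb64(body_s), _unb64(tag_s)
            claims = json.loads(body)
        except (ValueError, binascii.Error):
            return None
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None
        now = int(time.time()) if now is None else now
        if now >= claims["exp"]:
            return None
        return claims["sub"]


def demo():
    key = os.urandom(32)   # shared by the service and its client applications (symmetric variant)
    auth = AuthenticationService(key, ttl_seconds=300)
    auth.enroll("alice", "correct horse battery staple")   # constructed test user
    app_a, app_b = RelyingApplication(key), RelyingApplication(key)
    t0 = 1_000_000
    token = auth.login("alice", "correct horse battery staple", now=t0)
    _, tag_s = token.split(".")
    # A body rewritten to claim another identity, reusing the genuine tag.
    forged_body = _b64(json.dumps({"sub": "admin", "iat": t0, "exp": t0 + 300},
                                  sort_keys=True).encode())
    return {
        "issued": token is not None,
        "wrong_password": auth.login("alice", "wrong", now=t0),
        "app_a_accepts": app_a.verify(token, now=t0 + 10),
        "app_b_accepts": app_b.verify(token, now=t0 + 10),
        "expired": app_a.verify(token, now=t0 + 301),
        "forged_subject": app_a.verify(f"{forged_body}.{tag_s}", now=t0 + 10),
    }


if __name__ == "__main__":
    print(demo())
```

Two independent applications accept the same credential, neither holds the password store, and a credential that has expired or whose body no longer matches its tag is refused by every application in the same way.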

Prefer a single standard interface for invoking security services — All applications, services, and systems should invoke authentication, access control, monitoring, and logging services via the same programming interface. The generalized system security application programming interface (GSSAPI) is preferred in the absence of any other overriding considerations. Using a single interface permits the replacement or enhancement of the security services with a minimum of disruption.

Encryption services — Standard encryption services should be available on every platform. These will include encryption, decryption, key management, and certificate management services. The Data Encryption Standard algorithm should be preferred for all applications save key management, where RSA is preferred. A public key server should be available in the network. This service will permit a user or an application to find the public key of any other.

Automate and hide all key management functions — All key management should be automated and hidden from users. No keys should ever appear in the clear or be transcribed by a user. Users should reference keys only by name. Prefer dedicated hardware for the storage of keys. Prefer smart cards, tokens, PCMCIA cards, other removable media, laptops, or access-controlled single-user desktops, in that order. Only keys belonging to the system manager should be stored on a multi-user system.
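What "reference keys only by name" looks like at the programming interface, as an added example that is not from the Handbook. The service below (class and method names, the key name "audit-log-mac" and the sample record are constructed) generates key material itself, exposes only name-based operations, and carries out rotation and retirement internally; a caller never receives or types a key. Message authentication is used as the operation because it needs only the standard library; the same interface shape applies to encryption and decryption.

```python
import hashlib
import hmac
import os


class KeyService:
    """Named-key service (hypothetical design, not from the Handbook). Callers
    hand over a key *name* and data; key bytes never leave this object."""

    def __init__(self):
        self._keys = {}      # name -> {version: key bytes}
        self._current = {}   # name -> version used for new operations

    def create(self, name: str) -> str:
        if name in self._keys:
            raise ValueError(f"key already exists: {name}")
        self._keys[name] = {1: os.urandom(32)}   # generated here, never shown to anyone
        self._current[name] = 1
        return name

    def rotate(self, name: str) -> int:
        """Generate a new version; older versions stay usable for verification only."""
        v = self._current[name] + 1
        self._keys[name][v] = os.urandom(32)
        self._current[name] = v
        return v

    def retire(self, name: str, version: int):
        """Destroy an old version; anything protected with it stops verifying."""
        if version == self._current[name]:
            raise ValueError("cannot retire the current version; rotate first")
        del self._keys[name][version]

    def sign(self, name: str, data: bytes) -> bytes:
        v = self._current[name]
        tag = hmac.new(self._keys[name][v], data, hashlib.sha256).digest()
        return v.to_bytes(2, "big") + tag   # version prefix selects the key on verify

    def verify(self, name: str, data: bytes, tagged: bytes) -> bool:
        v = int.from_bytes(tagged[:2], "big")
        key = self._keys[name].get(v)
        if key is None:
            return False
        return hmac.compare_digest(hmac.new(key, data, hashlib.sha256).digest(), tagged[2:])

    def __repr__(self):
        # Listing the service shows names and versions only.
        return "KeyService(" + ", ".join(f"{n}:v{v}" for n, v in self._current.items()) + ")"


def demo():
    ks = KeyService()
    ks.create("audit-log-mac")
    record = b"2024-01-01T00:00:00Z login alice ok"   # constructed audit record
    t1 = ks.sign("audit-log-mac", record)
    v2 = ks.rotate("audit-log-mac")
    t2 = ks.sign("audit-log-mac", record)
    results = {
        "old_tag_still_verifies": ks.verify("audit-log-mac", record, t1),
        "new_tag_verifies": ks.verify("audit-log-mac", record, t2),
        "tags_differ": t1 != t2,
        "altered_record_rejected": ks.verify("audit-log-mac", record + b"!", t2),
        "new_version": v2,
        "listing": repr(ks),
    }
    ks.retire("audit-log-mac", 1)
    results["retired_tag_rejected"] = ks.verify("audit-log-mac", record, t1)
    return results


if __name__ == "__main__":
    print(demo())
```

In a deployment following the chapter's storage preference, the dictionary of key bytes would live in a smart card, token or other dedicated hardware, and only the name-based interface would be reachable from the host.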

Use firewalls to localize and raise the cost of attacks — The network should be compartmented with firewalls. These will localize attacks, prevent them from spreading, increase their cost, and reduce the value of success. Firewalls should resist attack traffic in both directions. That is, each subnetwork should use a firewall to connect to any other. A subnet manager should be responsible for protecting both his own net and connecting nets from any attack traffic. A conservative firewall policy is indicated. That is, firewalls should permit only that traffic which is necessary for the intended applications and should hide all information about one net from the other.
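A small model of the conservative, bidirectional policy described above, added as an example (not from the Handbook; the addresses, ports and class names are constructed, with 192.0.2.0/24 standing in for "outside"). The firewall sits at one subnet's boundary, permits only the flows its applications need, and denies everything else in both directions, so a compromised host inside the subnet is as contained as an attacker outside it.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str


@dataclass(frozen=True)
class Allow:
    """One explicitly permitted application flow."""
    src_net: str
    dst_net: str
    dport: int
    proto: str

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst_net)
                and p.dport == self.dport and p.proto == self.proto)


class SubnetFirewall:
    """Conservative firewall at one subnet's boundary (hypothetical): default
    deny in both directions, so the subnet neither receives nor emits traffic
    beyond what its applications need."""

    def __init__(self, own_net: str, allows):
        self.own = ipaddress.ip_network(own_net)
        self.allows = list(allows)
        self.denied = []   # record of blocked flows for the subnet manager's review

    def decide(self, p: Packet) -> str:
        src_in = ipaddress.ip_address(p.src) in self.own
        dst_in = ipaddress.ip_address(p.dst) in self.own
        if src_in == dst_in:
            return "not-ours"   # does not cross this boundary
        direction = "outbound" if src_in else "inbound"
        if any(a.matches(p) for a in self.allows):
            return f"allow-{direction}"
        self.denied.append((direction, p))
        return f"deny-{direction}"


def demo():
    fw = SubnetFirewall("10.1.0.0/24", [
        Allow("0.0.0.0/0", "10.1.0.10/32", 443, "tcp"),     # anyone may reach the web server
        Allow("10.1.0.0/24", "10.0.0.53/32", 53, "udp"),    # hosts may query the enterprise DNS
    ])
    return {
        "inbound_https_to_web": fw.decide(Packet("192.0.2.7", "10.1.0.10", 443, "tcp")),
        "inbound_smb": fw.decide(Packet("192.0.2.7", "10.1.0.10", 445, "tcp")),
        "outbound_smb_to_other_subnet": fw.decide(Packet("10.1.0.20", "10.2.0.5", 445, "tcp")),
        "outbound_dns": fw.decide(Packet("10.1.0.20", "10.0.0.53", 53, "udp")),
        "internal_only": fw.decide(Packet("10.1.0.20", "10.1.0.10", 443, "tcp")),
        "denied_count": len(fw.denied),
    }


if __name__ == "__main__":
    print(demo())
```

The outbound denial is the part that a one-directional policy misses: with every subnet enforcing it, an attack that succeeds on one host cannot spread to neighbouring nets on ports those nets never agreed to accept, and the denied-flow record gives the subnet manager the evidence to act on.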

Access control begins on the desktop — Access control should begin on the desktop and be composed up rather than begin on the mainframe and spread down. The issue here is to prevent the insertion of malicious programs more than to prevent the leakage of sensitive data.





The CISSP Open Study Guide Web Site

We are proud to bring to all of our members a legal copy of this outstanding book. Of course, this version is getting a bit old and may not contain all of the info that the latest version is covering; however, it is one of the best tools you have to review the basics of security. Investing in the latest version would help you out in your studies and also show your appreciation to Auerbach for letting me use their book on the site.