by Chris Low

Establishing role-based access control in the workplace

Opinion
Jan 24, 2018
Access Control, Data and Information Security, Technology Industry

Access control is necessary, and every organization must implement it in some form.

The number of security breaches has been steadily increasing year on year. As the number of systems in an organization increases, the number of interfaces to take care of also increases. Each interface increases the available attack surface. Safeguarding against security breaches is a difficult task and establishing access control schemes can help with it. This article explores what access control means, the different kinds of access control schemes, and how to implement the RBAC scheme.

What is access control?

Access control is the policy of deciding which entity in an organization gets access to which systems, at what times, and under what constraints. The idea behind establishing access control schemes is that a resource is only available when it is necessary. This helps enable tighter information flow in the organization.

There are two policies that CIOs need to understand before thinking of establishing some form of access control in the workplace:

1. “Default permit” is wrong

As obvious as it sounds, the policy of “default permit” is surprisingly the number one flaw found in systems. The reason this flaw is so common is that it presents an easy way out. In the very early days of the internet, when network managers set up firewalls, they used to disable incoming telnet, incoming rlogin, and incoming FTP. This worked fine until a new vulnerability was discovered in another protocol, and then the network managers had to decide whether to deny it or not. Most firewalls today are built on the principle of “default deny”. Default deny is difficult to implement, though, because you need to actively select which kinds of traffic you want to allow. Access control embodies the policy of default denial.

2. “Enumerating Attack Vectors” is wrong

The rate of growth of attack vectors is considerably higher than the rate of growth of legitimate users. If you want to secure a system, keeping track of the entities that should be denied access is the wrong way to do it. The correct way is to keep track of the entities that should be allowed. Access control embodies this policy.

What are the different kinds of access control schemes?

The most common type of access control scheme is Role Based Access Control (RBAC). An RBAC role is a designation. On one side, a user is assigned a role; on the other side, a role is assigned a permission. Multiple users can come under a group, and that group can be assigned a particular role. RBAC can also involve a role hierarchy, enabling inheritance of roles for different users. This means that if a user has the role “team leader,” they automatically get all the permissions assigned to the role “team member” along with the admin permissions that come with being a leader. Groups are used to model the organizational structure, and roles are used to model a person’s function within an organization. The ANSI INCITS 359-2004 standard describes the RBAC practices (along with a reference model) that have gained acceptance in commercial settings.

Another popular access control scheme is Attribute Based Access Control (ABAC). Unlike RBAC, which uses predefined roles, ABAC uses dynamic policies based on Boolean logic. ABAC can be context and risk aware. Organizations seldom start with a pure implementation of one access control scheme. Typically, they use a mix of attributes to determine the roles in an RBAC model.
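The RBAC model described above (users, groups, roles, a role hierarchy) combined with the default-deny policy from earlier in the article, as an added example that is not from the original article or from any RBAC product. The class, its field names and the sample policy (users, groups, permission strings) are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class RBAC:
    role_perms: dict = field(default_factory=dict)    # role  -> set of permissions
    role_parents: dict = field(default_factory=dict)  # role  -> roles it inherits from
    group_roles: dict = field(default_factory=dict)   # group -> set of roles
    user_groups: dict = field(default_factory=dict)   # user  -> set of groups
    user_roles: dict = field(default_factory=dict)    # user  -> directly assigned roles

    def effective_roles(self, user):
        """Direct roles, roles granted via groups, and everything they inherit."""
        pending = set(self.user_roles.get(user, ()))
        for group in self.user_groups.get(user, ()):
            pending |= set(self.group_roles.get(group, ()))
        seen = set()
        while pending:  # walk the hierarchy; 'seen' stops loops on a cyclic policy
            role = pending.pop()
            if role not in seen:
                seen.add(role)
                pending |= set(self.role_parents.get(role, ()))
        return seen

    def permissions(self, user):
        perms = set()
        for role in self.effective_roles(user):
            perms |= set(self.role_perms.get(role, ()))
        return perms

    def is_allowed(self, user, permission):
        # Default deny: an unknown user, role or permission yields False.
        # There is no list of "blocked" entities to maintain.
        return permission in self.permissions(user)


def build_example():
    """Constructed sample policy; all names are illustrative."""
    return RBAC(
        role_perms={
            "team member": {"ticket:read", "ticket:comment"},
            "team leader": {"ticket:assign", "member:add"},
        },
        role_parents={"team leader": {"team member"}},  # leader inherits member
        group_roles={"support": {"team member"}},       # role granted via group
        user_groups={"alice": {"support"}},
        user_roles={"bob": {"team leader"}},            # role granted directly
    )
```

Because the check only ever consults what has been granted, adding a new user or permission string to the system changes nothing until an administrator assigns it to a role.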

How to implement RBAC?

It is better to regard RBAC as a general model. How it is implemented depends upon where it is being used, which dictates what form of identity and access management is being used. The backend could simply be a database, or it could be a distributed directory such as Microsoft’s Active Directory or the open-source OpenLDAP. Lightweight Directory Access Protocol (LDAP) can be used to talk to the directory server. Implementing RBAC over LDAP from scratch is a non-trivial task. It is better to use the open-source Apache Fortress project, which can use OpenLDAP or ApacheDS as a backend.

Once an LDAP backend like OpenLDAP has been set up, the admin can add roles, groups and permissions to it using the admin panel. When a user wants access to a software application, the application gets the credentials of that user and tries to authenticate them via LDAP. If the authentication succeeds, the application sets up the user’s permissions as dictated by the LDAP server; otherwise, it denies access. If the organization uses a single sign-on mechanism like Kerberos or OAuth2, the application can request a session token upon successful authentication via LDAP. For limiting access to hardware systems, the organization can use a hardware key like YubiKey that supports LDAP authentication.

How to establish audit trails?

It is necessary to make sure that the entity which authorizes other entities is also tracked. This can be done by ensuring that all such authorization orders carry an e-signature. Several document management systems are available today that support e-signature. Before choosing a provider, make sure that they pass the e-signature security checklist.

Access control is necessary, and every organization must implement it in some form. An important point to note is that once an access control scheme has been established, CIOs must make sure that new third-party services purchased by the organization support that access control scheme. If this is not possible, a custom proxy can be used between the service and the organization.