DAC, MAC, RBAC and ABAC are some access controls. Discuss each of these policies in great detail by describing what they are, where they are best used and an example of their usage. Please provide about 3/4 of a page of detailed text for each access control. Any drawings and diagrams can be added as well.
DAC:
Discretionary access control (DAC) is a type of security access control that grants or restricts object access via an access policy determined by an object's owner group and/or subjects. DAC mechanism controls are defined by user identification with supplied credentials during authentication, such as username and password. DACs are discretionary because the subject (owner) can transfer authenticated objects or information access to other users. In other words, the owner determines object access privileges.
In DAC, each system object (file or data object) has an owner, and each initial object owner is the subject that causes its creation. Thus, an object's access policy is determined by its owner.
A typical example of DAC is Unix file mode, which defines the read, write and execute permissions in each of the three bits for each user, group and others.
DAC attributes include:
DAC is easy to implement and intuitive but has certain disadvantages, including:
MAC:
Mandatory Access Control (MAC) is a set of security policies constrained according to system classification, configuration and authentication. MAC policy management and settings are established in one secure network and limited to system administrators.
MAC defines and ensures a centralized enforcement of confidential security policy parameters.
For best practices, MAC policy decisions are based on network configuration. In contrast, certain operating systems (OS) enable limited Discretionary Access Control (DAC).
MAC advantages and disadvantages depend on organizational requirements, as follows:
RBAC:
Role-based access control (RBAC) is a method of restricting network access based on the roles of individual users within an enterprise. RBAC lets employees have access rights only to the information they need to do their jobs and prevents them from accessing information that doesn't pertain to them.
In the role-based access control data model, roles are based on several factors, including authorization, responsibility and job competency. As such, companies can designate whether a user is an end user, an administrator or a specialist user. In addition, access to computer resources can be limited to specific tasks, such as the ability to view, create or modify files.
Limiting network access is important for organizations that have many workers, employ contractors or permit access to third parties, like customers and vendors, making it difficult to monitor network access effectively. Companies that depend on RBAC are better able to secure their sensitive data and critical applications.
Benefits of RBAC
There are a number of benefits to using RBAC to restrict unnecessary network access based on people's roles within an organization, including:
Improving operational efficiency. With RBAC, companies can decrease the need for paperwork and password changes when they hire new employees or switch the roles of existing employees.
Enhancing compliance. Every organization must comply with local, state and federal regulations. Companies generally prefer to implement RBAC systems to meet the regulatory and statutory requirements for confidentiality and privacy because executives and IT departments can more effectively manage how the data is accessed and used.
ABAC:
Attribute-based access control (ABAC) is a different approach to access control in which access rights are granted through the use of policies made up of attributes working together. ABAC uses attributes as the building blocks to define feature-rich access control rules and access requests. An example standard for ABAC is the eXtensible Access Control Markup Language (XACML).
Unlike Role-Based Access Control (RBAC), which employs pre-defined roles that carry a specific set of privileges associated with them and to which subjects are assigned, the key difference with ABAC is the concept of policies that express a complex Boolean rule set that can evaluate many different attributes. Attribute values can be set-valued or atomic-valued. Set-valued attributes contain more than one atomic value. Examples are role and project. Atomic-valued attributes contain only one atomic value. Examples are clearance and sensitivity. Attributes can be compared to static values or to one another, thus enabling relation-based access control.
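The set-valued and atomic-valued attribute comparisons described above, as an added Python example that is not part of the original answer. The attribute names (role, project, clearance, sensitivity) come from the answer; the numeric levels, the sample subjects and resource, and the rule and function names are assumptions constructed for illustration.

```python
# Added example: a minimal ABAC decision function. Policy, subjects and
# resource below are constructed sample data, not taken from any real system.
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    subject: dict    # subject attributes
    resource: dict   # resource attributes
    action: str

def as_set(value):
    """Treat an atomic value as a one-element set so both kinds compare uniformly."""
    return set(value) if isinstance(value, (set, frozenset, list, tuple)) else {value}

def has_role(role):
    # Set-valued attribute compared to a static value.
    return lambda r: role in as_set(r.subject.get("role", ()))

def shares_project(r):
    # Set-valued attribute compared to another attribute (relation-based).
    return bool(as_set(r.subject.get("project", ())) &
                as_set(r.resource.get("project", ())))

def clearance_dominates(r):
    # Atomic-valued attributes compared to one another (assumed integer levels).
    c, s = r.subject.get("clearance"), r.resource.get("sensitivity")
    return c is not None and s is not None and c >= s

# Each action maps to a Boolean rule set; every rule must hold (logical AND).
POLICY = {
    "read":  [shares_project, clearance_dominates],
    "write": [has_role("engineer"), shares_project, clearance_dominates],
}

def decide(request):
    rules = POLICY.get(request.action)
    if not rules:  # no policy for this action: deny by default
        return "Deny"
    return "Permit" if all(rule(request) for rule in rules) else "Deny"

# Constructed sample attributes.
alice = {"role": {"engineer", "reviewer"}, "project": {"apollo", "gemini"}, "clearance": 3}
bob = {"role": {"contractor"}, "project": {"apollo"}, "clearance": 1}
design_doc = {"project": {"apollo"}, "sensitivity": 2}

if __name__ == "__main__":
    for name, subj in (("alice", alice), ("bob", bob)):
        for action in ("read", "write", "delete"):
            print(name, action, decide(Request(subj, design_doc, action)))
```

A missing attribute makes the corresponding rule false, so an incomplete request is denied rather than permitted.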