Skip to content

Page244

Access Control Technologies

There are several technologies used for the implementation of access controls. As each technology is presented, it is important to identify what is unique about each technical solution.

Centralized Access Control

Centralized access control concentrates access control in one logical point for a system or organization. Instead of using local access control databases, systems authenticate via third-party authentication servers. Centralized access control can be used to provide Single Sign-On (SSO), where a subject may authenticate once, and then access multiple systems. Centralized access control can centrally provide the three “A’s” of access control: Authentication, Authorization, and Accountability.

  • Authentication: proving an identity claim
  • Authorization: actions authenticated subjects are allowed to perform on a system
  • Accountability: the ability to audit a system and demonstrate the actions of subjects

Decentralized Access Control

Decentralized access control allows IT administration to occur closer to the mission and operations of the organization. In decentralized access control, an organization spans multiple locations, and the local sites support and maintain independent systems, access control databases, and data. Decentralized access control is also called distributed access control.

This model provides more local power: each site has control over its data. This is empowering, but carries risks. Different sites may employ different access control models, different policies, and have different levels of security, leading to an inconsistent view. Even organizations with a uniform policy may find that adherence varies per site. An attacker is likely to attack the weakest link in the chain: a small office with less trained staff makes a more tempting target than a central data center with experienced staff.

The US military uses decentralized access control in battlefield situations. A soldier who needs access to IT equipment cannot call a help desk in the middle of a battle.

Exam Warning
Do not get confused on the CISSP® exam if asked about DAC compared to decentralized access control. DAC stands for discretionary access control. Decentralized access control will always be spelled out on the exam.

Single Sign-On (SSO)

Single Sign-On (SSO) allows multiple systems to use a central authentication server (AS). This allows users to authenticate once, and then access multiple, different systems. It also allows security administrators to add, change, or revoke user privileges on one central system.

The advantages of SSO are listed below. As outlined in the IBM article, “Build and Implement a Single Sign-On Solution” by Chris Dunne, SSO is an important access control and can offer the following benefits:

  • “Improved user productivity. Users are no longer bogged down by multiple logins and they are not required to remember multiple IDs and passwords. Also, support personnel answer fewer requests to reset forgotten passwords.”
  • “Improved developer productivity. SSO provides developers with a common authentication framework. In fact, if the SSO mechanism is independent, then developers do not have to worry about authentication at all. They can assume that once a request for an application is accompanied by a username, then authentication has already taken place.”
  • “Simplified administration. When applications participate in a single sign-on protocol, the administration burden of managing user accounts is simplified. The degree of simplification depends on the applications since SSO only deals with authentication. So, applications may still require user-specific attributes (such as access privileges) to be set up.”

The disadvantages of SSO are listed below and must be considered before implementing SSO on a system:

  • “Difficult to retrofit. An SSO solution can be difficult, time consuming, and expensive to retrofit to existing applications.”
  • “Unattended desktop. Implementing SSO reduces some security risks, but increases others. For example, a malicious user could gain access to a user’s resources if the user walks away from his machine and leaves it logged in. Although this is a problem with security in general, it is worse with SSO because all authorized resources are compromised. At least with multiple logons, the user may only be logged into one system at the time and so only one resource is compromised.”
  • “Single point of attack. With single sign-on, a single, central authentication service is used by all applications. This is an attractive target for hackers who may decide to carry out a denial of service attack” [9].