This article was downloaded by: [University of Auckland Library] On: 26 October 2014, At: 15:09 Publisher: Taylor & Francis Informa Ltd Registered in England and Wales Registered Number: 1072954 Registered office: Mortimer House, 37-41 Mortimer Street, London W1T 3JH, UK EDPACS: The EDP Audit, Control, and Security Newsletter Publication details, including instructions for authors and subscription information: http://www.tandfonline.com/loi/uedp20 Access Control Software: What it Will and Will Not Do Robert Parker MBA, FCA, CISA Published online: 05 Jan 2010. To cite this article: Robert Parker MBA, FCA, CISA (1991) Access Control Software: What it Will and Will Not Do, EDPACS: The EDP Audit, Control, and Security Newsletter, 18:8, 1-8, DOI: 10.1080/07366989109450633 To link to this article: http://dx.doi.org/10.1080/07366989109450633 PLEASE SCROLL DOWN FOR ARTICLE Taylor & Francis makes every effort to ensure the accuracy of all the information (the “Content”) contained in the publications on our platform. However, Taylor & Francis, our agents, and our licensors make no representations or warranties whatsoever as to the accuracy, completeness, or suitability for any purpose of the Content. Any opinions and views expressed in this publication are the opinions and views of the authors, and are not the views of or endorsed by Taylor & Francis. The accuracy of the Content should not be relied upon and should be independently verified with primary sources of information. Taylor and Francis shall not be liable for any losses, actions, claims, proceedings, demands, costs, expenses, damages, and other liabilities whatsoever or howsoever caused arising directly or indirectly in connection with, in relation to or arising out of the use of the Content. This article may be used for research, teaching, and private study purposes. 
Any substantial or systematic reproduction, redistribution, reselling, loan, sub-licensing, systematic supply, or distribution in any form to anyone is expressly forbidden. Terms & Conditions of access and use can be found at http://www.tandfonline.com/page/ terms-and-conditions

Access Control Software: What it Will and Will Not Do


FEBRUARY 1991 VOL. XVIII, NO. 8

ACCESS CONTROL

ROBERT PARKER

Access control software products are designed to improve the security associated with the operation of a particular type of computing system. These software packages often are add-on products offered by the computer hardware manufacturer or, more likely, by a third-party vendor. Many of these products, however, do not provide the secure environment that the organization needs and believed it was getting when the access control software package was acquired.

Of course, not all access control software products fail to meet the user's expectations. The organization must know which one is right for its computing environment and how it can benefit the most from the use of such a product.

UNDERSTANDING THE NEED FOR ACCESS CONTROL SOFTWARE

Breach of security is often cited as the most common information processing-related risk faced by an organization. Security breaches connected with computer crime are only one facet of this risk. The others result from the:
  • Organizationwide use of microcomputers.
  • Evolution of operating systems, security software, utilities, and end-user applications to facilitate access to systems.
  • Expansion of telecommunication capabilities.
  • Use of those capabilities to open electronic gateways into many mainframe systems.
  • Provision of legitimate third-party access to host systems.
  • Expansion of computer literacy generally.
In addition, the organization must address the legal requirements to safeguard confidentiality and privacy, the legal and regulatory implications of the destruction of data files and records, and the contamination of the entire system by a virus.

As a result of these risks, access control software is a necessity. It is required to prevent, detect, and report both authorized accesses and attempted unauthorized accesses to a computer system as well as for management investigation and monitoring of such actions.

IN THIS ISSUE
  • Access Control Software: What It Will and Will Not Do
  • More Attention Needs to Be Paid to Insider Computer Criminals
  • Book Reviews
  • Abstracts & Commentary
  • Of Interest

Executive Editor: THE EDP AUDITORS ASSOCIATION
Editor: BELDEN MENKUS, CISA
Associate Editor: MICHAEL P. CANGEMI, CPA, CISA

AUERBACH PUBLISHERS, A DIVISION OF WARREN, GORHAM & LAMONT


ACCESS CONTROL SOFTWARE PROVIDES PROTECTION

Organizations use access control software for many reasons. Four of the most common are to:
  • Achieve electronic segregation of duties: Access control software can electronically segregate access to programs and functions and access to data and other resources. This is accomplished electronically with user IDs, user names, passwords, and the access profiles associated with them.
  • Protect the system user: Access control software protects system users from unintentional destruction or compromise of data. The software also protects a user from the actions of others because it bars unauthorized intrusion into the system, whether by other employees of the organization or by outside individuals.
  • Monitor and record access: An important function of access control software is to monitor all accesses, keeping a record of them for subsequent follow-up and verification. It can also provide reports to assist in the timely investigation of any unauthorized access attempts so that appropriate preventive techniques can be implemented.
  • Report violations: Access control software provides reports for use as evidence in disciplinary actions or prosecution of violators.

THE OPERATION OF ACCESS CONTROL SOFTWARE

Access control software works as a part of or addition to a computer’s operating system. It protects terminals, data, and the system itself from unauthorized access by intercepting access requests for system resources. It verifies user IDs, passwords, and in certain cases, the terminal ID and location, permitting access to only those resources that have been predefined for the authorized user. Exhibit 1 illustrates the functional operation of a typical access control software product.

SELECTING AN ACCESS CONTROL SOFTWARE PRODUCT

Selecting an access control software product requires that an organization determine:
  • What information it wants to protect.
  • How it wants to protect that information.
  • How much it is willing to spend to achieve that protection.

If you have information of interest to EDPACS, contact Debra Rhoades, Managing Editor, Auerbach Publishers, a division of Warren, Gorham & Lamont, One Penn Plaza, New York NY 10119. EDPACS (ISSN 0736-6981) is published monthly by Auerbach Publishers, a division of Warren, Gorham & Lamont, 210 South St., Boston MA 02111, (617) 423-2020. The subscription rate is $125/year in the US. Prices elsewhere vary. Printed in USA. Copyright © 1991 Warren, Gorham & Lamont, Inc. All rights, including translation into other languages, reserved by the publisher in the US, Great Britain, Mexico, and all countries participating in the International Copyright Convention and the Pan American Copyright Convention. No part of this publication may be reproduced in any form, by microfilm, xerography, or otherwise, or incorporated in any informational retrieval system without the written permission of the copyright owner. Postmaster: Send address change to Auerbach Publishers, 210 South St., Boston MA 02111. Second class postage is pending at Boston MA.

The EDP Auditors Association Inc. (EDPAA) is the only professional association dedicated to information systems auditing. Founded in 1969, the EDPAA represents information systems audit professionals in 52 countries. The EDPAA fosters professionalism through information transfer, certification, communication, and education. For more information, contact: The EDPAA, PO Box 88180, Carol Stream IL 60188.


[Exhibit 1. Functional Operation of a Typical Access Control Product. Figure not reproduced; labels recoverable from the diagram: Operating System, Application, Interface, Request.]

Determining the appropriate access control software product for an organization to use requires the development of a risk model and the assessment of the alternatives identified through the use of this model. Before developing a model, the organization should review the standards issued by the US National Computer Security Center (NCSC). The NCSC, a component of the US National Security Agency, was established as a US Department of Defense (DoD) initiative in 1978. Currently, the NCSC is responsible for:
  • Developing standards for access control software performance.
  • Conducting research on verification and analysis techniques.
  • Providing support for access control products.
In 1983, the NCSC published the first edition of the DoD Trusted Computer Systems Evaluation Guide, commonly called the Orange Book. This book provides an evaluation of access control software in four categories, discussed in the following sections.

Division D: Minimal Protection. Many access control software packages, particularly those for microcomputer systems, fall into this category, but none have been evaluated and reported on formally by the NCSC. Products in this category include systemwide access products, products that do not log all authorized accesses, and those products that do not provide audit records.

Division C: Discretionary Protection. This category is subdivided into classes C1 and C2. Class C1 systems enforce access limitation on an individual user basis. These systems require the cooperation of users at the same or relatively similar levels of data sensitivity. Class C2 systems ensure that all of the requirements of class C1 systems are met and provide additional security in the log-on process, the creation of audit records, and the enforcement of accountability for individual system user actions.


Division B: Mandatory Protection. This category is subdivided into classes B1, B2, and B3. Class B1 requires the existence of an informal security policy and provides managed access control over names, subjects, and objects. Class B2 requires the existence of a formal and documented security policy model and is an extension of class B1. Class B3 requires all of the attributes of classes B1 and B2 and adds requirements for security administration and audit.

Division A: Verified Protection. Division A products must be equivalent functionally to products at the class B3 level. They must also offer a greater degree of confidence in implementation, with added assurance over design specification techniques.

Exhibit 2 provides a list of items evaluated by the NCSC in rating a security product. Organizations considering the implementation of access control software should review the applicability of items evaluated by the NCSC to determine their relevance and importance in their environment.

The NCSC ratings do not indicate how well a product performs in different environments. Organizations often carry out considerable customization in the implementation of operating systems and even in the techniques for implementing access control software products in those operating systems. For example, by definition, any add-on products (e.g., CA-TOP SECRET, Guardian, RACF, CA-ACF2, or VMSecure) cannot obtain a rating higher than class C1 or C2, depending on the product. Because these are add-on products, their implementation is discretionary according to Orange Book guidelines. Even integrated products (e.g., the security offered within Digital Equipment Corp’s VAX-VMS operating system) do not rate higher than class C2. One of the major drawbacks to the NCSC ratings is the limited number of products currently rated.

Exhibit 2. NCSC Evaluation Criteria

Security Policy
  • Discretionary access control
  • Object reuse
  • Labels
  • Label integrity
  • Exportation of labeled information
  • Exportation to multilevel devices
  • Labeling human-readable output
  • Mandatory access control
  • Subject sensitivity labels
  • Device labels

Accountability
  • Identification and authentication
  • Audit
  • Trusted path

Assurance
  • System architecture
  • System integrity
  • Security testing
  • Design specification and verification
  • Covert channel analysis
  • Trusted facility management
  • Configuration management
  • Trusted recovery
  • Trusted distribution

Documentation
  • Security features users guide
  • Trusted facility manual
  • Test documentation
  • Design documentation


ACCESS CONTROL SOFTWARE RISKS AND PITFALLS

Implementing an access control software product usually is not difficult, but the process is facilitated when someone who specializes in implementing such a product is involved. This can help an organization avoid the pitfalls that sometimes impede even the simplest installation. Commonly encountered risks and pitfalls in implementing an access control software product are discussed in the following sections.

Undue Complexity. Unless carefully thought out and implemented properly, the system in which the access control software product is used may become overly complex. The software can then become difficult to maintain, use an unnecessary amount of resources, and degrade system performance.

Excessive Customization. Customization initially may meet all of the user requirements for the product. As with all other types of software products, however, excessive customization is difficult to maintain and sometimes impossible to upgrade and introduces additional procedures that may minimize the effectiveness of some of the product’s basic features.

Security Policy. As stated earlier, only access control software products with an NCSC rating of class B2 or higher require the existence of a formal and documented security policy. Access control software is often implemented without the creation of a formal security policy, a clear definition of information protection objectives, or the implementation of classification policies to ensure that critical or sensitive organizational information is accessed only on a need-to-know basis.

Responsibility Acceptance. To be effective, the provisions (e.g., the use of an access control software product) that have been instituted for maintaining security and controlling access to information must be taken seriously by all employees of the organization. Adherence to these requirements must be supported not only by the users of the affected computing systems but by the organization’s senior executives. Management should use the appraisal and reward system as a means of continually reinforcing the importance of security to the organization.

Partial Implementation. For an access control software product to receive an NCSC evaluation designation higher than class C2, its implementation and use must be mandatory. Most access control software products currently on the market are discretionary products. Accordingly, they may be implemented on a partial basis. Partial implementation of such a product leaves unprotected information resources vulnerable. As a result, the overall environment is less than totally secure. In turn, this reduces the effectiveness of the security that has been established for those information resources that are protected. Partial implementation of an access control software product usually results from a lack of an adequate organizational concern for and commitment to data security. Making the implementation of such a product mandatory rather than discretionary is a management consideration, not a technical issue.

Despite the risks and pitfalls, using an access control software product, regardless of the degree to which it is implemented, is better than no protection at all. From an information systems security point of view, it is impossible to go too far in the use of such a product.

WHAT ACCESS CONTROL SOFTWARE DOES NOT PROVIDE

Most access control software products lack four desirable management features, discussed in the following sections.

Reporting. Most of these products provide only minimum levels of reporting of such actions as access attempts and security violations. Some of these products do provide a more comprehensive reporting package, at an additional cost. Generally, it is necessary to acquire the additional reporting capabilities offered by the access control software manufacturer or to develop a reporting software package tailored to the organization’s particular requirements. Once the reporting requirements have been identified, it is essential to ensure that all of the required information is being logged and maintained (e.g., in an IBM mainframe environment, this means specifying the particular SMF records to be maintained as well as any additional information that must be collected).

Record Cleanup. Some access control software products provide reasonable record maintenance. Others do not completely remove all associated records when a particular user or resource record is deleted. For example, in some products, when a user or group is removed, not all of the access lists are updated to reflect this removal. It is possible to reestablish that user, with all previous access capabilities intact. In addition, it may be possible to inadvertently use an already deleted user ID with a new user and grant this user access to data sets and resources for which the new user is not authorized. Complete and proper record maintenance, as well as procedures to ensure that user identifications are not reused, is an important consideration in the selection and implementation of access control software.
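The record cleanup failure described above can be reproduced with a small model of a security rule base. This is an added example, not code from the article or from any access control product; the class, the user ID JSMITH, and the resource PAYROLL.MASTER are constructed for illustration.

```python
class RuleBase:
    """Toy security rule base: user records plus per-resource access lists."""

    def __init__(self):
        self.users = {}       # user ID -> person it was issued to
        self.acl = {}         # resource -> {user ID: access level}
        self.retired = set()  # IDs that were deleted and must not be reissued

    def add_user(self, user_id, person):
        if user_id in self.users:
            raise ValueError(f"{user_id} is already defined")
        if user_id in self.retired:
            raise ValueError(f"{user_id} was issued before and cannot be reused")
        self.users[user_id] = person

    def permit(self, resource, user_id, level):
        if user_id not in self.users:
            raise KeyError(f"{user_id} is not a defined user")
        self.acl.setdefault(resource, {})[user_id] = level

    def access(self, resource, user_id):
        """Access level the ID holds on the resource, or None."""
        if user_id not in self.users:
            return None
        return self.acl.get(resource, {}).get(user_id)

    def delete_user_incomplete(self, user_id):
        """The defect: only the user record goes; access lists keep the ID."""
        del self.users[user_id]

    def delete_user_complete(self, user_id):
        """Remove the user record, purge every access list, retire the ID."""
        del self.users[user_id]
        for entries in self.acl.values():
            entries.pop(user_id, None)
        self.retired.add(user_id)

    def orphaned_entries(self):
        """Audit check: access-list entries that name an undefined user ID."""
        return sorted(
            (resource, uid)
            for resource, entries in self.acl.items()
            for uid in entries
            if uid not in self.users
        )


def compare_cleanup():
    """Run the same delete-and-reissue sequence against both deletion paths."""
    results = {}
    for mode in ("incomplete", "complete"):
        db = RuleBase()
        db.add_user("JSMITH", "J. Smith, payroll clerk")        # constructed
        db.permit("PAYROLL.MASTER", "JSMITH", "UPDATE")
        getattr(db, f"delete_user_{mode}")("JSMITH")
        orphans = db.orphaned_entries()
        try:
            db.add_user("JSMITH", "J. Smithers, receptionist")  # ID reissued
            inherited = db.access("PAYROLL.MASTER", "JSMITH")
        except ValueError:
            inherited = "reuse refused"
        results[mode] = {"orphans": orphans, "new_holder_access": inherited}
    return results


if __name__ == "__main__":
    for mode, outcome in compare_cleanup().items():
        print(mode, outcome)
```

Running `orphaned_entries()` as a periodic audit catches the residue even in a product whose own delete function cannot be changed.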

Product Maintenance. When an access control software product is initially installed, many organizations create a model of the relevant information security requirements. As a part of this process, individual profiles are developed that match particular tasks to particular users. Often, positional or generic IDs are used to define the users. The problem, however, is that organizations change: people are promoted, transferred, or terminated, and job responsibilities are continually modified. Maintenance procedures must therefore be implemented to ensure that the models are kept up to date. Otherwise, the information security benefits that were gained when the access control software product was initially installed are diminished or even lost.

Logical Separation. Generally, the access profiles and the user capabilities defined when an access control software product is initially implemented are based on an appropriate segregation of duties. Over time, however, through inadequate record maintenance and other control failures, the logical separation of duties may be compromised. Furthermore, as indicated in Exhibit 3, granting access on the basis of positional IDs, which are not narrowly defined, could result in an individual’s being granted inappropriate access to data or resources. Exhibit 3 identifies a user who was granted access to data in 1988 and since then has not accessed the data. Continuing to grant such access violates the principle of information access on the basis of the need to know and, accordingly, weakens the security intended for these information resources.

THE BENEFITS OF ACCESS CONTROL SOFTWARE

Access control software can provide many benefits, including the following:
  • A framework for control over information access.
  • A methodology for managing access to information resources.
  • The information, and in some cases the capabilities, for providing timely reports and preventing erroneous or intentional destruction or corruption of data.
  • The creation of interactive violation reports for immediate follow-up on the incident.
  • Vendor, consultant, and third-party user support.

Installation of an access control software product provides a basic framework within which information security can be provided. The organization, however, must identify its security needs to ensure that they are addressed appropriately. This involves ensuring that the framework is used effectively to build a security model and to implement adequate security and control techniques.

ARE MOST COMPUTER FACILITIES SECURE?

In most cases, an organization’s computer facilities are not secure. Far too few access control software products are being used. For instance, major savings and loan organizations, trust companies, and credit unions, which handle billions of dollars each year, often are left exposed to compromise of their data through the lack of access control software.


Exhibit 3. Access Granted to Inactive Users

GROUP=B80J AUTH=CREATE CONNECT-OWNER=MOSADM CONNECT-DATE=88.114
CONNECTS=4,488 UACC=NONE LAST-CONNECT=89.168/08:05:04
CONNECT ATTRIBUTES=NONE
REVOKE DATE=NONE RESUME DATE=NONE

GROUP=MOADPRCH AUTH=USE CONNECT-OWNER=MOADPRCH CONNECT-DATE=89.273
CONNECTS=473 UACC=NONE LAST-CONNECT=90.104/08:11:18
CONNECT ATTRIBUTES=NONE
REVOKE DATE=NONE RESUME DATE=NONE

GROUP=MOADACQU AUTH=CREATE CONNECT-OWNER=MOADPRCH CONNECT-DATE=88.205
CONNECTS=00 UACC=NONE LAST-CONNECT=UNKNOWN
CONNECT ATTRIBUTES=NONE
REVOKE DATE=NONE RESUME DATE=NONE

CONNECTS=00 UACC=NONE LAST-CONNECT=UNKNOWN
CONNECT ATTRIBUTES=NONE
REVOKE DATE=NONE RESUME DATE=NONE
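A need-to-know review of the kind the Logical Separation section calls for, run over a listing laid out like Exhibit 3. This is an added example, not part of the original article or of any vendor's tooling; the group and owner names are constructed, and the yy.ddd values are assumed to be a 1900s year followed by the day of the year, which matches the article's reading of 88.205 as a 1988 grant.

```python
import re
from datetime import date, timedelta

# Constructed listing in the layout of Exhibit 3; names are made up.
SAMPLE_LISTING = """\
GROUP=LEDGER AUTH=CREATE CONNECT-OWNER=SECADM CONNECT-DATE=88.114
CONNECTS=4,488 UACC=NONE LAST-CONNECT=89.168/08:05:04
CONNECT ATTRIBUTES=NONE
REVOKE DATE=NONE RESUME DATE=NONE
GROUP=PAYROLL AUTH=USE CONNECT-OWNER=SECADM CONNECT-DATE=89.273
CONNECTS=473 UACC=NONE LAST-CONNECT=90.104/08:11:18
CONNECT ATTRIBUTES=NONE
REVOKE DATE=NONE RESUME DATE=NONE
GROUP=PURCHASE AUTH = CREATE CONNECT-OWNER=SECADM CONNECT-DATE=88.205
CONNECTS=00 UACC=NONE LAST-CONNECT= UNKNOWN
CONNECT ATTRIBUTES=NONE
REVOKE DATE=NONE RESUME DATE=NONE
"""

# Fields needed for the review; stray spaces around "=" are tolerated.
FIELD = re.compile(
    r"(?<![\w-])(GROUP|AUTH|CONNECT-OWNER|CONNECT-DATE|CONNECTS|LAST-CONNECT)"
    r"\s*=\s*(\S+)"
)


def parse_julian(value):
    """Convert 'yy.ddd' or 'yy.ddd/hh:mm:ss' to a date; None for NONE/UNKNOWN.

    Assumption: yy is a 1900s year and ddd is the day of the year.
    """
    m = re.match(r"(\d{2})\.(\d{3})", value)
    if not m:
        return None
    year, day = 1900 + int(m.group(1)), int(m.group(2))
    return date(year, 1, 1) + timedelta(days=day - 1)


def parse_connections(listing):
    """Split the listing into one dict per GROUP= record."""
    records = []
    for key, value in FIELD.findall(listing):
        if key == "GROUP":
            records.append({})
        if records:  # ignore fields that appear before the first GROUP=
            records[-1][key] = value
    return records


def review(listing, as_of, max_idle_days=180):
    """Return (group, finding) pairs for connections that fail the review."""
    findings = []
    for rec in parse_connections(listing):
        granted = parse_julian(rec.get("CONNECT-DATE", ""))
        last = parse_julian(rec.get("LAST-CONNECT", ""))
        uses = int(rec.get("CONNECTS", "0").replace(",", ""))
        if last is None or uses == 0:
            # Granted but never exercised: the case Exhibit 3 illustrates.
            age = (as_of - granted).days if granted else None
            findings.append((rec["GROUP"], f"NEVER_USED granted {age} days ago"))
        elif (as_of - last).days > max_idle_days:
            idle = (as_of - last).days
            findings.append((rec["GROUP"], f"STALE idle {idle} days"))
    return findings


if __name__ == "__main__":
    for group, finding in review(SAMPLE_LISTING, as_of=date(1990, 6, 30)):
        print(group, finding)
```

The 180-day idle threshold is an arbitrary default chosen for the example; the article does not prescribe one.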

Some access control software products are being used that are not implemented fully. This partial implementation leaves both information users and information resources exposed to manipulation. It also reduces the degree of protection that exists over already-controlled resources on that system.

ACHIEVING SUCCESS

Management of access control software needs to be more effective than it is. The organization’s senior executives must create a security-conscious environment, that is, one in which both information users and MIS personnel recognize the importance of security. The access control software and the procedures related to its use must be managed effectively. Situations in which access control software is discretionary or may be easily bypassed should not be tolerated.

Access control software that is integral to a computer’s operating system is available only in a few systems. Senior management and users as well as security, quality assurance, and MIS personnel must pressure manufacturers to develop better access control software products. It is essential to convey this message to the vendors: security must be an integral part of the systems architecture.

Robert Parker, MBA, FCA, CISA, is a partner in the Victoria, British Columbia, consulting practice of Deloitte & Touche. He has spent the last 20 years involved with security, control, and management issues of computer technology and information systems. Parker was the international president of the EDP Auditors Association in 1986-87 and is a frequent speaker at conferences and seminars.
