Principle 5 - Identity Access Control
Detail
[To Do]
Access Control Policy
Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) are employed by organisations to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, domains) in the information system. In addition to enforcing authorised access at the information-system level, access enforcement mechanisms are employed at the application level, when necessary, to provide increased information security for the organisation.
A design decision on the level of identity assurance required for access to processes or data, together with the access control policy to be applied, must be made and used consistently throughout a solution.
Acceptable and Recognised Access Control Policies
- Mandatory Access Control (MAC)
- Role-Based Access Control (RBAC)
- Discretionary Access Control (DAC)
Separation of duties
Solutions and services should be designed in a manner that minimises the extent of damage that could be caused by a single person or resource. Functionality relating to security critical operations should be compartmentalised into two or more separate conditions, fulfilled by multiple distinct user roles and governed by business rules, all of which must be satisfied before the operation completes.
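The following is an added example, not part of the original page, that illustrates both the access control policy section above (a role-based policy enforced at the application level) and separation of duties for a security critical operation. The roles, actions and the "payment" workflow are constructed placeholders. The point it demonstrates is that the two-person rule is enforced on the identity of the acting user, so an account that happens to hold both the requester and approver roles still cannot complete the operation alone:

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed RBAC policy: role -> set of permitted actions.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "clerk": {"payment:create"},
    "approver": {"payment:approve"},
    "auditor": {"payment:read"},
}

# Decision log, so every allow/deny is recorded for later review.
DECISION_LOG: List[str] = []


class PolicyError(Exception):
    """Raised when the access control policy denies an action."""


@dataclass
class Subject:
    user_id: str
    roles: Set[str]


@dataclass
class PaymentRequest:
    request_id: str
    requested_by: str
    amount: int
    approved_by: Optional[str] = None
    state: str = "pending"


def is_permitted(subject: Subject, action: str) -> bool:
    """Role-based check: allow if any of the subject's roles grants the action."""
    allowed = any(action in ROLE_PERMISSIONS.get(r, set()) for r in subject.roles)
    DECISION_LOG.append(f"{'ALLOW' if allowed else 'DENY'} {subject.user_id} {action}")
    return allowed


def create_payment(subject: Subject, request_id: str, amount: int) -> PaymentRequest:
    """First condition of the two-person operation: a clerk raises the request."""
    if not is_permitted(subject, "payment:create"):
        raise PolicyError(f"{subject.user_id} may not create payments")
    return PaymentRequest(request_id=request_id, requested_by=subject.user_id, amount=amount)


def approve_payment(subject: Subject, req: PaymentRequest) -> PaymentRequest:
    """Second condition: a different person holding the approver role signs off.

    The role check alone is not enough; the identity check is what enforces
    separation of duties when one account holds more than one role.
    """
    if req.state != "pending":
        raise PolicyError(f"request {req.request_id} is already {req.state}")
    if not is_permitted(subject, "payment:approve"):
        raise PolicyError(f"{subject.user_id} may not approve payments")
    if subject.user_id == req.requested_by:
        DECISION_LOG.append(f"DENY {subject.user_id} payment:approve (self-approval)")
        raise PolicyError("separation of duties: requester cannot approve own request")
    req.approved_by = subject.user_id
    req.state = "approved"
    return req


if __name__ == "__main__":
    alice = Subject("alice", {"clerk"})
    bob = Subject("bob", {"approver"})
    carol = Subject("carol", {"clerk", "approver"})  # holds both roles

    r1 = approve_payment(bob, create_payment(alice, "r1", 500))
    print(r1.state, "by", r1.approved_by)
    try:
        approve_payment(carol, create_payment(carol, "r2", 50))
    except PolicyError as e:
        print("blocked:", e)
    print("\n".join(DECISION_LOG))
```

The role table answers the "does the solution use an identified access control policy" question, while the identity comparison in `approve_payment` is the control that answers "can an individual account perform an elevated role" on its own; the decision log gives the evidence trail a reviewer would ask for.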
Decision Evaluation Criteria:
- Are all security critical business processes identified and threat assessed?
- Does the solution use an identified access control policy to determine permissions against set processes?
- Does the solution allow for an individual account to perform an elevated or privileged role?
- Does the solution utilise a process of requesting and approval for privileged processes?
Basis
- NIST 32 - Authenticate users and processes to ensure access control decisions both within and across domains
- CSSLP - Enforce separation of duties