Richman Investments has decided to expand their business. We have been given their new growth projections of 10,000 employees in 20 countries, with 5,000 located within the U.S. Richman has also established eight branch offices located throughout the U.S. and has designated Phoenix, AZ being the main headquarters. With this scenario, I intend to design a remote access control policy for all systems, applications and data access within Richman Investments.
With so many different modes of Access Control to choose from it is my assessment that by choosing only one model would not be appropriate for Richman Investments. My recommendation would be a combination of multiple Access Control Models that overlap to provide maximum coverage and overall security. Here are my suggestions for access controls.
Role Based Access Control or RBAC, this will work well with the Non-Discretionary Access Control model, which will be detailed in the next paragraph. RBAC is defined as setting permissions or granting access to a group of people with the same job roles or responsibilities . With many different locations along with many different users it is important to identify the different users and different workstations within this network.
Every effort should be dedicated towards preventing user to access information they should not have access to. Non-Discretionary Access Control is defined as controls that are monitored by a security administrator. While RBAC identifies those with permissions, it is a security administrator that should further identify the level of access to each Role that is created. The security administrator should also designate certain users or workstations access to the information available within the network.
Rule Based Access Control can also be linked to the first two models detailed in the paper (RBAC and Non-Discretionary), and is similar to RBAC. Rule Based Access Control is a set of rules to determine which users have access to what data. Within each Role Based Access Control security can be further refined by applying Rules. These rules will be defined by the security administrator as part of the Non-Discretionary Access Control model.
Constrained User Interface incorporates similar concepts of two other access control models that have been detailed, Role Base and Rule Base. Constrained User Interface is defined as a user’s ability to get into certain resources based on the user’s rights and privileges. These rights and privileges are restricted and constrained on the asset they are attempting to access. While this requires many levels of protection it provides limitations on the request access to the resources available within the organization.
Another example of a access control model that can be applied in this situation is known as the Clark and Wilson Integrity Model. This model provides improvements from the Biba Integrity Model of access control. Developed by David Clark and David Wilson, the mode concentrates on what happens when a user tries to do things they are not permitted to do, which was one flaw of the Biba Integrity Model . The other flaw that was addressed was the model also reviews internal integrity threats .
There are 3 key elements of the Clark and Wilson integrity model; the first it stops unauthorized users from making changes within the system. The second, it stops authorized users from making improper changes, and the third, it maintains consistency both internally and externally . Within the Clark and Wilson model a user’s access is controlled by permissions, specifically to execute programs with authorized users having access to programs that allow changes.
While some of these models are similar they work best when working with each other. By providing multiple models of access controls within the network it will provide a more robust coverage of access control. It would not be beneficial to utilize only one access control model as there can be flaws and vulnerabilities for a single access control mode. REFERENCES:
Kim, D., & Solomon, M. G. (2012). Fundamentals of Information Systems SecuritY. Sudbury: Jones & Bartlett Learning.