Database InfoSec: Access Control (W4)

Have you ever had to verify that you were an employee when entering the front doors of your job, like a key card, code word, or signing in? If not, why not? Does your employer not hold important information within its facility or database? These questions should lead you to think about access control, which is responsible for control of rules determined by security policies for all direct accesses to the system.

ten7dMwLm2_1424546

There are many types of access control such as MAC and DAC. MAC (Mandatory Access Control) is a system which allows controlled settings to be set by the administrator. “It is not possible under MAC enforcement for users to change the access control of a resource” (Techotopia, 2016). As a result, MAC is considered to be the strictest level of control by most organizations. Discretionary access control (DAC) allows each worker to control access their individual data. DAC is normally the standard access control device for most PC operating systems. An example of DAC would be “User A may provide read-only access on one of her files to User B, read and write access on the same file to User C and full control to any user belonging to Group 1” (Techotopia, 2016).

MAC and DAC are great examples of access control, but I think the most important is RBAC when securing a database. RBAC (Role-Based Access Control) grants access according to the user’s role (job title). The use of RBAC is rapidly increasing, and I believe it should be a default security measure for databases. Role-based access control should typically depend on three aspects: roleindividuality and locality. For example, when an IT firm engages a new person – Sandifer. His position is data analysis (role). During his probationary period, you do not want him to access the database for data without the proper supervision (individuality), and finally you do not want him to access your system elsewhere than in your working location in Texas (locality). I believe “this approach offers very suitable abstraction for expression of security policies of large companies and seems to be promising alternative to the traditional MAC and DAC models” (Cvrček, n.d.).

Schema of secure database management system

References

Cvrček, D. (n.d.). Access Control in Database Management Systems. Retrieved from Faculty of Information Technology: http://www.fit.vutbr.cz/~cvrcek/confers98/datasem/datasem.html.cz

Techotopia. (2016, October 27). Mandatory, Discretionary, Role and Rule Based Access Control. Retrieved from Techotopia: http://www.techotopia.com/index.php/Mandatory,_Discretionary,_Role_and_Rule_Based_Access_Control

 

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s