Access Road 0.7
Why to simulate access controls



Access control design is hard work, but it is possible to outline some reasonable principles that ensure the quality of a design, such as these:

  • give each person the minimal rights needed to do the job, while providing enough versatility to remain resilient in a crisis,

  • never trust a single piece of software; structure the technical architecture in layers so that a failure in one component is mitigated by the others,

  • the more complex a system is to maintain, the more human errors occur, and the more the system costs.

For instance, removing administrator rights from Windows users is a mitigating factor in 75 percent of Critical Windows 7 vulnerabilities. The same holds for separation of duties among the users at the application level.

Limiting rights is always a critical factor, even for a program. The rights of any program in its execution environment, on a server or on a terminal, have to be managed carefully. By applying the principle of least privilege, the system is more resilient if a given program becomes infected by malware or executes maliciously crafted input data.

Another design principle is to enforce the continuity of the access control context across all the software and computers involved, for each working session of a given principal. Enforcing this context is difficult to achieve in the real world, but it is very important for the most sensitive systems. Without such an architectural property, managing rights, analysing security events, and handling security crises are all much more difficult.

The bad news is that all these well-founded design principles may contradict each other. The situation is even worse once you consider other important criteria, like the level of confidence in each piece of software or the actual skills of the people administering rights. This is why designing the access controls of a large IT system is today more an art than a science, just like designing software.

Simulation should therefore appear as a golden way to improve access controls. Unfortunately, simulating a complex network of access controls requires a powerful tool, which is probably why no such software has appeared until now. One of the goals of a simulator is to bring simplicity to a complex issue. This is possible at three levels:

  • To offer generic tools able to capture the diversity of the questions: is this person authorized to do this on that object? Is it too much? Have I seen all the paths to access that application? Does this application make efficient use of the access control functions of its DBMS or its host operating system? How can the rights of this group be restricted without affecting the rights of that other group? How can the maintainability of this access control scheme be improved, to limit errors by its maintainers? And so on.

  • To split the issue into elementary, generic concepts. In this way the simulator is universal and powerful, and the user can more easily understand the simulation of any software, even though each piece of software still has to be modelled, and it is useful to keep that software's own vocabulary whenever possible.

  • To offer a generic vocabulary describing all the access control relations, like the relations between the access controls in an application and the same functions in its database management system. These relations are rarely well covered in the documentation of either the application or the DBMS.

Let's take another example where a powerful tool brings simplicity to a complex issue. Access Road can find all the access paths between two simulated objects. This means that it describes the authorized paths from a program P to a group G, together with all the programs, called PI, that may be intermediate nodes on the way from P to G. Such a simulation answers a question that is otherwise not so easy to deal with: what are all the programs PI that one can run with the rights of the group G, by way of running the program P?
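The path-finding question above, worked through as an added example (this is not Access Road's own code or data model): a small directed graph in which an edge from one program to another means the first is authorized to run the second, and an edge from a program to a group means that program executes with that group's rights. The node names (P, viewer, report, exporter, archiver, G, G_backup) and the edges are a constructed toy model. A cycle-safe depth-first search enumerates every simple path from P to G, and the set of nodes lying strictly between P and G on those paths is exactly the set of intermediate programs PI the text asks about.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed toy model (not Access Road's data): (source, destination) edges.
# program -> program : the source is authorized to run the destination.
# program -> group   : the source executes with the rights of that group.
EDGES: List[Tuple[str, str]] = [
    ("P", "viewer"),
    ("P", "report"),
    ("viewer", "G"),
    ("viewer", "report"),
    ("report", "exporter"),
    ("report", "archiver"),
    ("exporter", "G"),
    ("exporter", "P"),        # a cycle back to P: must not loop forever
    ("archiver", "G_backup"), # reaches a different group, not G
]


def build_graph(edges: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Adjacency list: node -> list of nodes it may run or execute as."""
    graph: Dict[str, List[str]] = defaultdict(list)
    for src, dst in edges:
        graph[src].append(dst)
    return graph


def find_access_paths(graph: Dict[str, List[str]], start: str, target: str) -> List[List[str]]:
    """Return every simple path (no repeated node) from start to target."""
    paths: List[List[str]] = []

    def dfs(node: str, path: List[str]) -> None:
        if node == target:
            paths.append(list(path))
            return
        for nxt in graph.get(node, []):
            if nxt in path:  # already on the current path: skip the cycle
                continue
            path.append(nxt)
            dfs(nxt, path)
            path.pop()

    dfs(start, [start])
    return paths


def intermediate_programs(paths: List[List[str]]) -> List[str]:
    """The programs PI: every node strictly between P and G on some path."""
    return sorted({node for path in paths for node in path[1:-1]})


if __name__ == "__main__":
    g = build_graph(EDGES)
    found = find_access_paths(g, "P", "G")
    for p in found:
        print(" -> ".join(p))
    print("intermediate programs PI:", intermediate_programs(found))
```

Running the script lists the three routes from P to G (directly through viewer, through report and exporter, and through viewer, report and exporter) and reports viewer, report and exporter as the programs PI; archiver is absent because its only onward edge leads to G_backup, and the edge from exporter back to P is ignored by the cycle check. The same search, run for every (program, group) pair of a model, is the kind of exhaustive answer to "have I seen all the paths?" that the previous list asks for.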

Mastering the varied access controls of a large IT system is today the ability of rare experts. An expert has to go through several steps to deliver a good design:

  • understand well the access controls of each important piece of software,

  • apply a strategy to design the access controls step by step, whatever that strategy is,

  • discover design patterns that he will try to apply to his next work on access controls.

The critical point here is to define powerful design patterns. The aim is to think better and faster, just as with design patterns in software programming.

The beauty of access control simulation is that it shows the quality of a design without having to explain the underlying design patterns. Design patterns are therefore not mandatory. But if the expert wants to use them, the simulation helps to explain thoroughly the effectiveness of a given design pattern and its variants. Furthermore, the simulation helps to adapt a given pattern to several contexts.

Finally, the greatest help a simulation can give is to reveal the design patterns an expert uses while he is not able to formulate them clearly. This is the difference between the knowledge that can be computerized through algorithms and the true human expertise that cannot. Once modelled in simulation software, that human expertise can be amplified and taken further.

All trademarks are property of their respective holders. Copyright ACCBEE – 08 June 2012