The Role Based Access Control


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Please click this link to view samples of our professional work written by our professional essay writers. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

The primary goal of the military is to provide Britain with protection from external threats. In order to achieve this goal, the Department of Defense (DoD) has to deploy systems that protect it not only from external threats, but also from internal ones. This has been necessitated by the tendency of terror organizations and individuals with ill intent to sabotage security systems internally. As such, it has become crucial for the military to authenticate the identity of every individual accessing its premises and systems (National Science and Technology Council Subcommittee on Biometrics, 2006). Whereas this has been happening through security tools such as access cards, passwords, and tokens, these tools have proven to be ineffective as they can be forgotten, duplicated, shared, or stolen (Weicheng Shen, 1999). There is, therefore, need for a system that cannot be easily compromised. The use of human features, or biometrics, comes in handy in the identification of individuals while keeping their privacy intact. These features may be physical or biological and may include characteristics such as skin color, height, eye color and weight. These features are unique to individuals and readily available, making them ideal for the development of dependable authentication systems. If used together with traditional systems such as password protection and fingerprint technology, the result will be a secure, complex, very efficient and hard to manipulate system.

Role Based Access Control

DoD could develop access control systems based on the roles individuals play. This control algorithm allows users access to premises and equipment that are relevant to their activities in the military. The system, therefore, limits the accessibility of information and critical equipment to people who are authorized to interact with them (Ferraiolo, Kuhn, & Chandramouli, 2007). DoD could decide to develop a system, costs notwithstanding. A lot of resources would be deployed in the project, as long as it guarantees that the role based access control will be possible. Since it would be hard to develop systems that cater for individual staff, DoD can come up with an authentication system based on the roles people play. Staff can be categorized into groups, depending on their ranks and responsibilities in the military, and offered access rights relative to their statuses (Murrell, 2001). This would provide officers within the same ranks similar access rights while still providing exceptions for exceptional cases.

Enterprise RBAC (ERBAC)

DoD spends public funds as it endeavors to provide security to the country. Just like any other public institution, it is necessary for the department to account for its expenses. It is, therefore, necessary for DoD to make sure all its activities make business sense. Enterprise Role Based Access Control seeks to ensure that as DoD invests in role based access control measures, the results of using the system are not only financially measurable, but also provide an acceptable return on investment.

Depending on the severity of the case at hand, DoD is at liberty to choose the role based access control methodology it wants to deploy. In sensitive matters of national or international security, DoD could develop authentication systems without considering costs and returns on investment (Ballad, Ballad, & Banks, 2010). However, this ought to be done with caution as it is important for DoD to appear to use public resources appropriately and in the best interest of the citizens of the United Kingdom.

Alternative solutions

Discretionary Access Control

This access control mechanism restricts access based on subject identity. A subject with access to the resource can share access rights to any other person that joins the group (Jordan, 1987). Access rights can therefore be shared at the discretion of users who already have rights to access the system. When a user leaves the group, any other member who has access rights to the system can delete their profile. In this context, DoD could use this mechanism to provide access to its non-critical systems to its personnel.

Mandatory Access Control (MAC)

This access control mechanism limits the possibility of a user to carry out some actions on the system. Users are allocated security attributes; a user cannot access or modify processes which his or her security attributes do not approve. This makes MAC similar to RBAC; the difference comes in the scope of operation. RBAC operates at the role level, whereas MAC operates at the individual level. This approach could be very instrumental to DoD as it would allow the department to determine security clearance levels for all system users individually, thereby ensuring that users have access to information that is relevant to them.
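The three models described above (RBAC with per-user exceptions, DAC, and MAC), side by side as an added example that is not part of the original essay. Every role, resource and clearance level is constructed for illustration, MAC is modeled as a per-individual clearance as the essay describes it, and the `decide` layering of RBAC with MAC is an assumption of this example.

```python
from dataclasses import dataclass, field

# Constructed sample policy: every role, resource and level is hypothetical.
ROLE_PERMS = {
    "logistics_officer": {("supply_db", "read"), ("supply_db", "write")},
    "analyst": {("intel_reports", "read")},
}
LEVELS = {"unclassified": 0, "secret": 1, "top_secret": 2}
RESOURCE_LABEL = {"supply_db": "unclassified", "intel_reports": "secret"}

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    clearance: str = "unclassified"           # MAC attribute, set per individual
    extra: set = field(default_factory=set)   # per-user grants (exceptions)
    denied: set = field(default_factory=set)  # per-user denials (exceptions)

def rbac_allows(user, resource, action):
    """RBAC: rights come from roles; per-user exceptions take precedence."""
    req = (resource, action)
    if req in user.denied:
        return False
    return req in user.extra or any(
        req in ROLE_PERMS.get(role, set()) for role in user.roles)

def mac_allows(user, resource):
    """MAC: the individual's clearance must meet the resource's label."""
    return LEVELS[user.clearance] >= LEVELS[RESOURCE_LABEL[resource]]

def decide(user, resource, action):
    """Assumed layering: the role grants the action, the clearance gates the data."""
    return rbac_allows(user, resource, action) and mac_allows(user, resource)

class DacResource:
    """DAC: any subject already on the access list may add or remove others."""
    def __init__(self, owner):
        self.acl = {owner}

    def grant(self, granter, grantee):
        if granter not in self.acl:
            raise PermissionError(f"{granter} holds no rights to share")
        self.acl.add(grantee)

    def revoke(self, revoker, target):
        if revoker not in self.acl:
            raise PermissionError(f"{revoker} holds no rights to revoke")
        self.acl.discard(target)
```

Two analysts with the same role get the same RBAC answer but different final decisions once their individual clearances differ, which is the scope difference the essay draws between the two models.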

Hand biometrics has been in use for the longest period among the methods used in biometrics. It includes such characteristics as palm print, palm vein, fingerprint, and hand geometry (Jain, Ross, & Nandakumar, 2011). Whereas the other hand biometrics use features in the external section of the hand, palm vein biometrics utilizes the internal alignment and arrangement of veins in the palm, which are unique even among twins (Biometric Newsportal). Palm print biometrics recognizes prints made on the surface of the palm.

Just like other biometric authentication techniques, palm biometrics has its strengths and weaknesses:

Strengths of Palm biometrics

Palm veins and prints are part of the body and do not change significantly as a person grows.

Patterns formed by palms are unique to individuals; hence, eliminating the possibility of having two people with similar prints (Chirillo & Blaul, 2003).

Palm veins are hidden inside the human body; hence, it is not easy to manipulate them (Kenneth Wong).

The palm is large and therefore provides a large surface area from which to capture distinctive features, making it better than fingerprint reading.

Weaknesses of Palm biometrics

The success of the system depends on the quality of pictures taken. Powerful equipment takes quality images with distinct features while faulty equipment fails to identify critical features. This can compromise the reliability of the system.

Palm print scanners are bulky and expensive, limiting their use to localized positions.

Palm biometrics provides a large surface area, enabling the detection of more distinctive characteristics than fingerprints, which in turn means that palm biometrics could be used to identify people in place of fingerprint technology.

Apart from biometric authentication, DoD could employ the following techniques to protect the integrity of its systems and premises:

Password protection

DoD could develop a system that creates user profiles for all its officers. The officers access the system using passwords that only they would know. The system should be able to distinguish the access rights of all users, and allow them access to areas that are relevant to them only.

Advantages:

Passwords are easy to generate and manage

Disadvantages:

Passwords can easily be shared, stolen, or intercepted by hackers; hence, making it possible for more than one individual to access the system using similar login information (Wolak, 1998).

Using the Intranet

DoD could opt to deploy its system within its local intranet and deploy security protocols and firewalls to ensure that it cannot be accessed from outside the intranet. This would ensure that any access from outside its premises is blocked (Jang, 2010).

Advantages

It minimizes the number of external threats hence reducing unauthorized access (Goodrich & Tamassia, 2010).

It does not require a lot of maintenance

Disadvantages

The protocols cannot protect the system from attack within the intranet; hence, necessitating the deployment of other security measures to protect the system from local attacks (Bertino & Takahashi, 2010).

The protocols can be expensive to install

Tokens

These are physical items that can be used to authenticate their owners (McGraw, 2006). DoD could opt to develop special physical keys or proximity cards to regulate user access. Users would have to produce these at strategic points to be given authority to use or access military information, equipment, or premises (Ferguson, Schneier, & Kohno, 2010).

Advantages

Tokens are easy and cheap to produce

Disadvantages

Their physical nature makes them easy to steal

They can easily and cheaply be reproduced

They require other security systems like passwords and biometrics in order to function effectively (Gibson, 2010).

At the end-user (PC) level, the most optimal authentication would be achieved through a marriage of tokens and passwords. The PC should have a card slot where the user inserts his or her proximity card. The system will then identify the user on the card and prompt him or her to enter his or her username and password (Solomon, 2010). The system will compare the username and password the user enters with those in the system without alerting the user of the information contained in the card. The system will authorize access only when the information the user submits is valid (Hardwood, Goncalves, & Pemble, 2010). Communication amongst PCs should also be conducted over a secure shell (SSH), and cryptographic keys deployed to ensure that the system not only authenticates users, but also validates messages shared and encrypts data in transit (Mallow) (Anderson, 2008).
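One way to implement the card-plus-password check described above, as an added example that is not part of the original essay. The class name, card serials and the choice of PBKDF2 for password storage are assumptions of this example.

```python
import hashlib
import hmac
import os

def _derive(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so stored credentials are not reusable if leaked.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class CardPasswordAuthenticator:
    """Hypothetical two-factor check: proximity card plus username/password."""

    def __init__(self):
        self.card_owner = {}   # card serial -> username bound to that card
        self.credentials = {}  # username -> (salt, derived password hash)
        # Dummy record so unknown cards cost the same work as known ones.
        self._dummy = (os.urandom(16), os.urandom(32))

    def enroll(self, card_id: str, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.card_owner[card_id] = username
        self.credentials[username] = (salt, _derive(password, salt))

    def login(self, card_id: str, username: str, password: str) -> bool:
        owner = self.card_owner.get(card_id)
        salt, stored = self.credentials.get(owner, self._dummy)
        # Always derive and compare, whichever factor is wrong, and return
        # only True/False: the caller never learns whose card was presented.
        password_ok = hmac.compare_digest(_derive(password, salt), stored)
        username_ok = owner is not None and hmac.compare_digest(
            username.encode(), owner.encode())
        return password_ok and username_ok
```

A stolen card fails without the owner's password, and stolen credentials fail when presented with any other card, because the typed username must match the identity bound to the card.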

A combination of these security measures would be necessary at the DoD to ensure that not only authorized users access the system, but also that their activities are authenticated and data transmitted in secure ways. This will help guarantee both authenticity and privacy of information and data at the DoD.


