Four Access Methods and Their Weaknesses
Here are four access methods along with their weaknesses:
Discretionary Access Control (DAC)
DAC allows the owner of a resource to determine who can access it and what permissions they have. Permissions can be explicitly granted or revoked by the owner.
Its primary weakness is the "Trojan horse" problem, where a malicious program, operating with the permissions of an authorized user, can grant unauthorized access to other users or programs. This model also lacks centralized control, making large-scale system management difficult.
For example, a user creates a document and can grant another user read or write access to it.
Source: Guide to Computer Network Security, authored by Joseph Migga Kizza.
Mandatory Access Control (MAC)
MAC enforces a security policy based on predefined security labels (e.g., classification levels like "Confidential" or "Secret") assigned to subjects and objects. Access is granted only if the subject's clearance level meets or exceeds the object's classification.
MAC is very rigid and complex to administer and configure, especially in systems with a large number of subjects and objects. It requires extensive upfront classification of all data and users, which can be impractical in dynamic environments.
For example, in a highly secure system, a user with a "Confidential" clearance cannot access a document marked "Top Secret."
Source: Guide to Computer Network Security, authored by Joseph Migga Kizza.
Role-Based Access Control (RBAC)
RBAC assigns permissions to roles, and users are then assigned to one or more roles. Users inherit the permissions associated with their assigned roles, simplifying user management as access decisions are based on the user's function within an organization.
Defining and managing an optimal set of roles can be challenging. In complex organizations, poor design can lead to "role explosion," where an excessive number of roles exists, making the system difficult to manage and potentially introducing vulnerabilities.
For instance, all employees in a "Human Resources" role might automatically receive access to employee records, while those in a "Finance" role get access to financial reports.
Source: An Introduction to Role-based Access Control. NIST/ITL Bulletin, December, 1995.
Access Control Lists (ACLs)
ACLs are lists associated with objects (e.g., files, directories) that specify which subjects (e.g., users, groups) have what permissions (e.g., read, write, execute) to that object.
ACLs can be difficult to manage and scale in large systems, as permissions must be set on each individual object, leading to potential inconsistencies and errors. Managing changes, such as revoking access for a user across many files, can be cumbersome.
For example, a file's ACL might grant "User A" read and write access, "Group B" only read access, and deny access to "Everyone else."
Source: Guide to Computer Network Security, authored by Joseph Migga Kizza.
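As an added illustration (not part of the answer above), here is a small decision engine that encodes the four models' access rules in Python. The classification order, the two roles and the ACL entries are constructed from the answer's own examples; the deny-wins ACL semantics and the lattice levels are assumptions for the demo.

```python
from dataclasses import dataclass

# Constructed classification lattice (labels from the answer; ordering assumed).
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


def mac_can_read(clearance: str, label: str) -> bool:
    """MAC: a subject may read an object only if its clearance dominates the label."""
    return LEVELS[clearance] >= LEVELS[label]


# RBAC: permissions attach to roles; users inherit them through role membership.
ROLE_PERMS = {
    "Human Resources": {"employee_records:read"},
    "Finance": {"financial_reports:read"},
}


def rbac_permissions(roles) -> set:
    """Union of the permissions of every role the user holds."""
    return set().union(*(ROLE_PERMS.get(r, set()) for r in roles))


@dataclass
class AclEntry:
    principal: str   # a user or a group name
    rights: set      # e.g. {"read", "write"}
    allow: bool = True


def acl_allows(acl, user, groups, right) -> bool:
    """ACL: an explicit deny beats any allow; a subject not listed at all is denied."""
    principals = {user, *groups}
    hits = [e for e in acl if e.principal in principals and right in e.rights]
    if any(not e.allow for e in hits):
        return False
    return any(e.allow for e in hits)


def dac_grant(acl, owner, acting_as, grantee, rights):
    """DAC: the owner (or any code running with the owner's identity) may extend the ACL."""
    if acting_as != owner:
        raise PermissionError("only the owner may change this object's ACL")
    acl.append(AclEntry(grantee, set(rights)))


def check_access(acl, user, groups, right, clearance, label) -> bool:
    """Combined check: an owner-granted ACL entry cannot override the MAC label rule."""
    return acl_allows(acl, user, groups, right) and mac_can_read(clearance, label)
```

Running `check_access` after a `dac_grant` shows the point the answer makes about DAC: the owner's grant succeeds, but a grantee whose clearance is below the object's label is still refused by the label check.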