Your company decides to start the business of selling toys online and shipping globally. The E-Commerce system that supports the new business will be developed in-house. In a requirement workshop, a participant proposed that discounted products in promotion campaigns shall be purchased by those customers who meet the criteria specified by marketing staff, e.g. customer’s identity, gender, role, city, income, login time, device type, etc. The development team considers the authorization rules of purchase are too complicated. As a security professional, which of the following will you best recommend to address the requirement?
A. Lattice-based access control
B. Role-based access control
C. Attribute-based access control
D. Rule-based access control
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Attribute-based access control.
Discretionary vs Nondiscretionary Access Control
In the discretionary access control model, access to objects is authorized by has the owner or delegated to the data custodian, while in the nondiscretionary access control model, access to objects is managed centrally by the security administrator. In general, any model that isn’t a discretionary model is a nondiscretionary model.
Lattice-based access control (LBAC)
LBAC is also known as label-based access control. Bell-LaPadula Model, Biba Model, and Brewer and Nash Model are Lattice-based.
Subjects under lattice-based access controls are assigned positions in a lattice. These positions fall between defined security labels or classifications. Subjects can access only those objects that fall into the range between the least upper bound (the nearest security label or classification higher than their lattice position) and the highest lower bound (the nearest security label or classification lower than their lattice position) of the labels or classifications for their lattice position.
Thus, a subject that falls between the private and sensitive labels in a commercial scheme that reads bottom up as public, sensitive, private, proprietary, and confidential can access only public and sensitive data but not private, proprietary, or confidential data.
Stewart, James M.; Chapple, Mike; Gibson, Darril. CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide. Wiley.
Role-based access control (RBAC)
RBAC is nondiscretionary. In the role-based access control, the authorization decision is based on the subject’s role.
Attribute-based access control (ABAC)
In the attribute-based access control, the authorization decision can be based on the rules with attributes of Object, Subject, Action, and Context.
Rule-based access control (RuBAC)
In rule-based access control, the authorization rules are subject-agnostic. That is, the rules are applied globally or to all subjects.
“Thus, a subject that falls between the private and sensitive labels in a commercial scheme that reads bottom up as public, sensitive, private, proprietary, and confidential can access only public and sensitive data but not private, proprietary, or confidential data. ”
.
From the definition of lattice-based access control, I think the subject in this example can only access private (least upper bound) and sensitive (highest lower bound). Can you clear it for me?
Thanks!
The statement “Thus, a subject that falls between the private and sensitive labels” is vague because the subject’s label is either private or sensitive; there is nowhere in between. It’s not like a math expression, e.g., 0 < x < 1. I suppose the author's statement assumed "sensitive <= subject's label < private"