Compromises and complexities associated with removal of MIS from the logical access authorization loop

ACM-SE 28. Pub Date: 1990-04-01. DOI: 10.1145/98949.99031
Harlan D. Webre

Abstract

Logical access to computer-housed assets involves the allowance or denial of access requests to entities such as files, database tables, and programs. Although specific control objectives may vary from site to site in the commercial sector, some basic access control objectives can be identified which are nearly universal. These objectives are based strongly upon the notions of asset ownership and authorization. Control of access to computer-housed assets typically follows the same authorization path as the delegation of control of other types of assets, that is, from the board of directors down to some appropriate, workable level. In many installations, however, the responsibility for granting and revoking access to these entities has traditionally fallen upon the MIS Data Security Officer. This means that either 1) the Security Officer must gain authorization from the proper authority each time an access rule is changed, or 2) the Security Officer is the authority for all assets in his or her domain. Neither one of these is a healthy situation. After development of some general access control objectives and an explanation of why the MIS Data Security Officer bears the mantle of authority, this paper examines the possibility of placing the mechanics of logical access authorization in the hands of the true authority within the appropriate business function. There are two primary obstacles to achieving this end. One is the sheer magnitude of the number of assets under consideration. In an environment in which applications are built and delivered to automate business activities, a single application can contain a very large number of assets. The other obstacle is that of identification of assets. Often the naming conventions developed and used by the MIS staff have a great deal of meaning to those who are familiar with the workings of the application, but will mean little or nothing to someone outside MIS.

This paper proposes a method of overcoming these obstacles, but the proposal carries with it a substantial price tag. Compromises must be made in the way that computer resources are used and applications are delivered, and a level of complexity is introduced to the access control system which will most probably strain the security features available in the target operating system past the limits of their flexibility. The proposal defines an access package, which represents all the operations and atomic accesses necessary to accomplish a particular business activity. The access package can be thought of as an access operation raised to a higher level of abstraction. It allows the asset owner to have a business-oriented understanding of his or her responsibility. However, if a system of access control based on access packages can be engineered, it will require that computer users be limited to executing only those access packages to which they have been given access. This is not an attractive thought as the age of end-user computing arrives. Also, the design of access packages to accomplish each application function will have to become a part of the application development process. The complexities encountered in an attempt to design a specific implementation are explored in this paper. The general control objectives are achieved, as well as a logical access authorization loop limited to end users and asset owners. The latter is based, of course, on the use of access packages. The target computer system is the Digital Equipment Corporation VAX/VMS environment. The access control features within the operating system provide some capabilities for defining access packages, but leave a lot to be desired as well.