Authorization – SSCP Access Controls Guide
What is Authorization?
Authorization is the process of determining what actions, resources, or services a subject (user, device, or process) is permitted to access after their identity has been verified through authentication. It answers the question: "What are you allowed to do?"
Authorization is the second critical step in the access control process, which follows the sequence: Identification → Authentication → Authorization → Accountability.
Why is Authorization Important?
Authorization is a cornerstone of information security for several key reasons:
• Principle of Least Privilege: Authorization ensures that users are granted only the minimum level of access necessary to perform their job functions. This limits the potential damage from both accidental and malicious actions.
• Data Protection: Proper authorization mechanisms prevent unauthorized users from accessing sensitive or classified information, maintaining confidentiality and integrity.
• Regulatory Compliance: Many regulations (HIPAA, PCI-DSS, SOX, GDPR) require organizations to implement and enforce proper authorization controls to protect data.
• Risk Reduction: By restricting access based on well-defined policies, organizations minimize the attack surface and reduce the risk of insider threats, data breaches, and privilege escalation.
• Accountability: Authorization policies define what a subject can do, making it possible to detect and audit unauthorized activities when they occur.
How Authorization Works
Once a subject has been authenticated, the system references an authorization policy or database to determine what the subject is permitted to do. Here are the core mechanisms and models:
1. Access Control Models:
• Discretionary Access Control (DAC): The resource owner decides who can access the resource. Access is granted at the owner's discretion. Common in Windows and UNIX file systems using Access Control Lists (ACLs).
• Mandatory Access Control (MAC): Access decisions are based on security labels (classifications and clearances) enforced by the system, not the resource owner. Used in military and government environments. Subjects cannot change access permissions on objects.
• Role-Based Access Control (RBAC): Access is assigned based on roles within an organization. Users are assigned to roles, and roles are granted permissions. This simplifies administration, especially in large organizations.
• Rule-Based Access Control: Access is determined by a set of rules defined by the system administrator. Firewalls often use rule-based access control (e.g., allow or deny traffic based on IP address, port, or protocol).
• Attribute-Based Access Control (ABAC): Access decisions are made based on attributes of the subject, object, environment, and action. This is a flexible, policy-driven model that can evaluate multiple attributes simultaneously.
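The five models above differ mainly in who or what makes the decision. As an added example (not code from the SSCP guide), the Python below writes each model as a small decision function over constructed sample data: an owner-managed ACL for DAC, a label-dominance check with compartments standing in for need-to-know for MAC, role and user tables for RBAC, an ordered first-match rule set for rule-based control, and an attribute predicate for ABAC. Every function falls through to deny, so implicit deny is built in.

```python
# Added example (not from the SSCP guide): each access control model as a small
# decision function. All subjects, labels, roles and rules are constructed
# sample data; every function denies unless a rule explicitly grants.
import ipaddress
from dataclasses import dataclass, field


# --- DAC: the object's owner decides, by editing an ACL on the object ---
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)  # subject -> set of operations

    def grant(self, by: str, subject: str, op: str) -> bool:
        """Only the owner may change the ACL; anyone else's grant is rejected."""
        if by != self.owner:
            return False
        self.acl.setdefault(subject, set()).add(op)
        return True


def dac_allows(obj: DacObject, subject: str, op: str) -> bool:
    # Assumption of this example: the owner has full control of their own object.
    return subject == obj.owner or op in obj.acl.get(subject, set())


# --- MAC: the system compares labels; neither owner nor subject can change them ---
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


def mac_allows(clearance: str, need_to_know: set, classification: str,
               compartments: set) -> bool:
    """Read is permitted only if the clearance dominates the classification AND
    the subject holds every compartment on the object (need-to-know)."""
    return (LEVELS[clearance] >= LEVELS[classification]
            and compartments <= need_to_know)


# --- RBAC: permissions hang off roles; users are assigned to roles ---
ROLE_PERMS = {"clerk": {"invoice:read"},
              "manager": {"invoice:read", "invoice:approve"}}
USER_ROLES = {"alice": {"clerk"}, "bob": {"manager"}}


def rbac_allows(user: str, perm: str) -> bool:
    return any(perm in ROLE_PERMS.get(role, set())
               for role in USER_ROLES.get(user, set()))


# --- Rule-based: an ordered administrator-defined rule set, first match wins ---
RULES = [  # (action, source network, destination port or None for any port)
    ("allow", "10.0.0.0/8", 443),
    ("deny", "0.0.0.0/0", None),
]


def rule_allows(src_ip: str, dst_port: int) -> bool:
    ip = ipaddress.ip_address(src_ip)
    for action, cidr, port in RULES:
        if ip in ipaddress.ip_network(cidr) and port in (None, dst_port):
            return action == "allow"
    return False  # implicit deny when no rule matches


# --- ABAC: a policy over attributes of subject, object, environment and action ---
def abac_allows(subject: dict, obj: dict, env: dict, action: str) -> bool:
    """Constructed policy: staff may read records of their own department
    during business hours (08:00-17:59); everything else is denied."""
    return (action == "read"
            and subject.get("department") == obj.get("department")
            and 8 <= env.get("hour", -1) < 18)
```

Note the MAC case with a subject whose clearance is high enough but who lacks the object's compartment: the check still fails, which is the need-to-know rule the guide describes under Key Authorization Concepts.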
2. Key Authorization Concepts:
• Access Control Lists (ACLs): Lists attached to objects that specify which subjects can access them and what operations they can perform.
• Capability Tables: Lists associated with subjects that define which objects they can access and the operations they can perform on those objects.
• Security Labels: Used in MAC environments to classify data and assign clearance levels to subjects.
• Need-to-Know: Even if a subject has the appropriate clearance level, they must also have a legitimate need to access specific information.
• Separation of Duties (SoD): Ensures that no single individual has enough access to complete a critical task alone, reducing fraud and error risk.
• Implicit Deny: If no rule or policy explicitly grants access, the default action is to deny access. This is a fundamental principle of secure authorization.
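ACLs and capability tables are two views of the same access matrix, one indexed by object and one by subject. The added example below (not from the guide) derives both views from one constructed matrix and shows the implicit-deny lookup on each, then adds a separation-of-duties check that flags an account whose combined roles cover both halves of a critical task. Role names, permissions and the conflict sets are constructed for the example.

```python
# Added example (not from the guide): one access matrix presented as per-object
# ACLs and as per-subject capability tables, plus a separation-of-duties check.
# The matrix, roles and conflict sets are constructed sample data.
from collections import defaultdict

# (subject, object) -> operations. Both views below are derived from this matrix.
MATRIX = {
    ("alice", "payroll.xlsx"): {"read", "write"},
    ("bob", "payroll.xlsx"): {"read"},
    ("bob", "budget.docx"): {"read", "write"},
}


def acl_view(matrix: dict) -> dict:
    """Object-focused: object -> {subject -> ops}. Answers 'who can touch this file?'"""
    acls = defaultdict(dict)
    for (subject, obj), ops in matrix.items():
        acls[obj][subject] = set(ops)
    return dict(acls)


def capability_view(matrix: dict) -> dict:
    """Subject-focused: subject -> {object -> ops}. Answers 'what can this user
    reach?' (handy when all of a leaver's access must be revoked at once)."""
    caps = defaultdict(dict)
    for (subject, obj), ops in matrix.items():
        caps[subject][obj] = set(ops)
    return dict(caps)


def check_acl(acls: dict, obj: str, subject: str, op: str) -> bool:
    return op in acls.get(obj, {}).get(subject, set())  # implicit deny


def check_capability(caps: dict, subject: str, obj: str, op: str) -> bool:
    return op in caps.get(subject, {}).get(obj, set())  # implicit deny


# --- Separation of duties: no one account may hold both halves of a critical task ---
ROLE_PERMS = {
    "ap_clerk": {"vendor:create", "payment:submit"},
    "ap_manager": {"payment:approve", "report:read"},
}
# Constructed toxic combinations: holding every permission in a set is a violation.
SOD_CONFLICTS = [
    frozenset({"vendor:create", "payment:approve"}),
    frozenset({"payment:submit", "payment:approve"}),
]


def effective_permissions(roles: set, role_perms: dict) -> set:
    return set().union(*(role_perms.get(r, set()) for r in roles))


def sod_violations(roles: set, role_perms: dict = ROLE_PERMS,
                   conflicts: list = SOD_CONFLICTS) -> list:
    """Return every conflict set fully covered by the account's effective permissions."""
    held = effective_permissions(roles, role_perms)
    return [c for c in conflicts if c <= held]
```

In practice the SoD check belongs at role-assignment time (reject the assignment that would complete a toxic pair) as well as in periodic access reviews.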
3. Authorization in Practice:
• Operating Systems: File permissions (read, write, execute) assigned to users and groups.
• Databases: Grants and privileges assigned to database users or roles (SELECT, INSERT, UPDATE, DELETE).
• Network Devices: ACLs on routers and firewalls controlling traffic flow.
• Applications: Application-level permissions controlling feature access and data visibility.
• Cloud Environments: Identity and Access Management (IAM) policies controlling access to cloud resources.
4. The Relationship Between Authentication and Authorization:
It is critical to understand that authentication must occur before authorization. Authentication verifies who you are; authorization determines what you can do. A system cannot make proper authorization decisions if the identity of the subject has not been confirmed.
Common Authorization Vulnerabilities:
• Privilege Escalation: A user gains access beyond what they are authorized for, either by obtaining higher privileges than their own, typically by exploiting a vulnerability (vertical escalation), or by using another user's privileges or resources at the same level (horizontal escalation).
• Excessive Permissions: Users granted more access than needed, violating the principle of least privilege.
• Broken Access Control: Application flaws that allow users to bypass authorization checks.
• Privilege Creep: Over time, users accumulate permissions from role changes that are never revoked. Regular access reviews help mitigate this.
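Two of these weaknesses can be shown in a few lines. The added example below (not from the guide) contrasts a record lookup that authenticates the caller but never checks object ownership with its fixed form, the pattern behind horizontal escalation through broken access control, and then runs a small access review that reports permissions an account still holds that none of its current roles justify, which is how privilege creep is found and revoked. Invoices, accounts and roles are constructed sample data.

```python
# Added example (not from the guide): a missing object-level authorization check
# beside its fix, and an access review that flags privilege creep. Invoices,
# accounts and roles are constructed sample data.

# Constructed records: each invoice belongs to exactly one user.
INVOICES = {
    101: {"owner": "alice", "total": 120.0},
    102: {"owner": "bob", "total": 75.0},
}


class Forbidden(Exception):
    """Raised when the caller is authenticated but not authorized."""


def get_invoice_vulnerable(current_user: str, invoice_id: int) -> dict:
    # Broken access control: the caller's identity is known (authenticated) but
    # never compared with the record, so any signed-in user can read any invoice.
    return INVOICES[invoice_id]


def get_invoice_fixed(current_user: str, invoice_id: int) -> dict:
    invoice = INVOICES.get(invoice_id)
    # Authorization decision per object. 'Missing' and 'not yours' get the same
    # answer so the response does not reveal which ids exist.
    if invoice is None or invoice["owner"] != current_user:
        raise Forbidden(f"{current_user} may not read invoice {invoice_id}")
    return invoice


def can_read_invoice(current_user: str, invoice_id: int) -> bool:
    """Boolean wrapper around the fixed lookup, for callers that only need yes/no."""
    try:
        get_invoice_fixed(current_user, invoice_id)
        return True
    except Forbidden:
        return False


# --- Access review: granted permissions vs. what the current roles justify ---
ROLE_PERMS = {
    "clerk": {"invoice:read"},
    "manager": {"invoice:read", "invoice:approve"},
}
# Constructed directory snapshot. alice moved from manager to clerk, but the
# approve permission granted in her old role was never revoked (privilege creep).
ACCOUNTS = {
    "alice": {"roles": {"clerk"}, "granted": {"invoice:read", "invoice:approve"}},
    "bob": {"roles": {"manager"}, "granted": {"invoice:read", "invoice:approve"}},
    "carol": {"roles": {"clerk"}, "granted": {"invoice:read"}},
}


def access_review(accounts: dict, role_perms: dict) -> dict:
    """Return user -> permissions held that no current role grants (revoke candidates)."""
    findings = {}
    for user, acct in accounts.items():
        baseline = set().union(*(role_perms.get(r, set()) for r in acct["roles"]))
        surplus = acct["granted"] - baseline
        if surplus:
            findings[user] = surplus
    return findings
```

The review compares each account against the baseline its roles define; anything outside that baseline is excessive permission by the guide's definition and should be revoked or justified, which is what the periodic access reviews mentioned above are for.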
Exam Tips: Answering Questions on Authorization
• Know the sequence: Always remember that authorization comes after authentication. If a question describes a scenario where access is being granted or denied based on a verified identity, it is referring to authorization.
• Differentiate access control models: The SSCP exam frequently tests your ability to distinguish between DAC, MAC, RBAC, rule-based, and ABAC. Focus on understanding who makes the access decision in each model (owner, system, or policy).
• MAC vs. DAC: If the question mentions security labels, classifications, or clearances, think MAC. If the question mentions the resource owner granting access, think DAC.
• Default to implicit deny: When a question asks what should happen when no access rule matches, the correct answer is almost always deny access.
• Least privilege is always relevant: If you see a question about granting access, look for the answer that limits permissions to the minimum necessary.
• Watch for privilege creep scenarios: Questions may describe employees changing roles. The correct answer typically involves reviewing and revoking old permissions.
• Need-to-know extends MAC: Even with proper clearance, a subject must have a need-to-know. Questions that test this concept may present scenarios where someone has the right clearance but should still be denied access because there is no business justification.
• RBAC simplifies management: If the scenario involves large organizations or simplifying access administration, RBAC is usually the best answer.
• Understand capability tables vs. ACLs: ACLs are object-focused (attached to the resource), while capability tables are subject-focused (attached to the user). Questions may test this distinction.
• Separation of Duties: If the question describes a scenario where a single person should not be able to complete an entire sensitive transaction, the answer relates to separation of duties as an authorization control.
• Read carefully for keywords: Words like "permitted," "allowed," "granted access," and "rights" all signal that the question is about authorization specifically, not authentication or identification.
• Think about the principle, not just the technology: Exam questions often test conceptual understanding. Focus on why a particular authorization control exists, not just how it is implemented technically.