Access Control Flashcards
What is access control?
A security mechanism that ensures all accesses and actions operate within the security policy.
What are the 2 parts to Access Control?
- Authentication: Are the principals/subjects who they claim to be?
- Authorization: What should the principals/subjects be allowed to do?
What are the 4 Access Control Subjects?
- Users
- Groups:
- Roles, collection of privileges
- Processes:
How do you formalize access control policies?
Access Control Models are used.
What are the 3 main types of Access Control Models?
- Discretionary Access Control (DAC)
- Mandatory Access Control (MAC)
- Role-Based Access Control (RBAC)
What is DAC?
DISCRETIONARY ACCESS CONTROL
- Restrict access to objects based on the identity of the subjects and a set of explicit access rules
- Objects have owners and the owners have the ability to grant/revoke access rights for others
The simplest way of implementing DAC is using an Access Control Matrix (ACM). An ACM is easy to define and verify, but it does not scale well.
Easy solution? Split the ACM into columns or rows. If by column, then we have an Access Control List (ACL).
What is MAC?
Mandatory Access Control (MAC)
• Centralized access control by means of system-wide policy.
• Access control rights are fixed by administrators.
• A group or a set of people are provided access based on the clearance given to a specific level of access depending on the classification of information/data.
What is RBAC?
Role-Based Access Control: Permission associated with roles and users assigned to appropriate roles.
• A user can execute an operation only if there is a role assigned to the subject.
• All user activities are carried out through operations.
What are the problems with RBAC?
Problem 1: Role Explosion
Problem 2: Simple RBAC has limited expressiveness
Problem 3: Separation of duty policies
What are security policies?
A level description of the Principals, Assets, and Security Properties that must hold in the system.
• It defines what it means to be "Secure" for a system/organization/user.
• It includes a set of requirements and a set of rules to obey.
What is the Bell-LaPadula Model (BLP)?
Need to Know! Tranquillity - Covert Channels
A form of Mandatory Access Control (MAC) is Multi-level Security.
• Based on classification of subjects AND objects.
• Originated in World War II; the classifications used are Top-Secret, Secret, Confidential (For Official Use Only, or Sensitive), Unclassified.
Limitations
It only covers READ and WRITE (not EXECUTE)
Too STRICT, a user at a higher-level cannot even send commands
What are Integrity Policies?
Integrity policies focus on integrity rather than confidentiality
A higher integrity level means more confidence that:
- A program will be executed correctly
- Data is accurate, reliable and not contaminated
What is the Biba Model?
NO READ DOWN (or, READ UP ONLY)
NO WRITE UP (or, WRITE DOWN ONLY)
Limitations of BLP Model:
Too STRICT, consider a USB stick
No support for confidentiality
What are the three levels of abstraction with the Ethical Wall Policy?
- Objects - such as files. Objects contain information about only one company.
- Company groups - collect all objects concerning a company.
- Conflict classes - cluster the groups of objects for competing companies
What is the Ethical Wall Policy?
This is not an integrity policy, but an access control confidentiality policy.
The permissions change dynamically. The access rights that any subject enjoys depend on the history of past accesses.
Example: if you access a file from GM, you will subsequently be blocked from accessing any files from Ford or Chrysler. You are free to access files from companies in any other conflict class.