Access Control: Policies, Models, and Role-Based Access in Information Security, Slides of Computer Security

An introduction to access control in information security. It discusses the concept of access control, protected resources, subjects, access modes, and access control requirements. The document also covers different access control models, including discretionary access control (dac), mandatory access control (mac), and role-based access control (rbac). Examples of access control policies and their implementation, as well as the advantages and disadvantages of each model.

Typology: Slides

2012/2013

Uploaded on 04/22/2013

satheesh
satheesh 🇮🇳

4.5

(11)

85 documents

1 / 23

Toggle sidebar

This page cannot be seen from the preview

Don't miss anything!

bg1
Introduction to Information
Security
Access Control
Docsity.com
pf3
pf4
pf5
pf8
pf9
pfa
pfd
pfe
pff
pf12
pf13
pf14
pf15
pf16
pf17

Partial preview of the text

Download Access Control: Policies, Models, and Role-Based Access in Information Security and more Slides Computer Security in PDF only on Docsity!

Introduction to Information

Security

Access Control

Access Control Example

  • Access Control Policy for son Edward - Allowed access: - House - Disallowed access: - Automobile

Access Control Example

 Access Control policy

  • Allowed access:  House:
  • Disallowed access:  Automobile

Problem! Unauthorized access

Access Control Example

 Access Control Policy for son Edward

  • Allowed access:  House  Kitchen
  • Disallowed access:  Automobile  Car key

Access Control

  • Protected resources : system resources for which protection is desirable - Memory, file, directory, hardware resource, software resources, external devices, etc.
  • Subjects : active entities requesting accesses to resources - User, owner, program, etc.
  • Access mode : type of access
    • Read, write, execute

Access Control Requirement

  • Cannot be bypassed
  • Enforce least-privilege and need-to-know

restrictions

  • Enforce organizational policy

Access Control

 Access control components:

  • Access control policy : specifies the authorized accesses of a system
  • Access control mechanism : implements and enforces the policy

 Separation of components allows to:

  • Define access requirements independently from implementation
  • Compare different policies
  • Implement mechanisms that can enforce a wide range of policies

Closed v.s. Open Systems

Closed system Open System

Access requ. Access requ.

Exists Rule? Exists Rule?

Access permitted

Access denied

Access denied

Access permitted

Allowed accesses

Disallowed accesses yes no (^) no yes

(minimum privilege) (maximum privilege)

Discretionary Access Control

  • Access control is based on
    • User’s identity and
    • Access control rules
  • Most common administration: owner based
    • Users can protect what they own
    • Owner may grant access to others
    • Owner may define the type of access given to others

Access Matrix Model

Read Write Own

Read

Read Write Own

OBJECTS AND SUBJECTS

S U B J E C T S

Joe

Sam

File 1 File 2

DAC and Trojan Horse

Employee

Black’s Employee

Brown: read, write

Brown Black, Brown: read, write

Black

Word Processor

TH Inserts Trojan Horse Into shared program

Uses shared program Reads Employee

Copies Employee To Black’s Employee

DAC Overview

  • Advantages:
    • Intuitive
    • Easy to implement
  • Disadvantages:
    • Inherent vulnerability (look TH example)
    • Maintenance of ACL or Capability lists
    • Maintenance of Grant/Revoke
    • Limited power of negative authorization

CSCE 201 - Farkas 19

Motivation

 Express organizational policies

  • Separation of duties
  • Delegation of authority

 Flexible: easy to modify to meet new security requirements

 Supports

  • Least-privilege
  • Separation of duties
  • Data abstraction

CSCE 201 - Farkas 20

Roles

 User group: collection of user with possibly different permissions

 Role: mediator between collection of users and collection of permissions

 RBAC independent from DAC and MAC (they may coexist)

 RBAC is policy neutral: configuration of RBAC determines the policy to be enforced