Access Control Two - Integrated Computer Security - Lecture Slides, Slides of Computer Security

These lecture slides give an easy-to-understand introduction to the Integrated Computer Security system. The major points in these lecture slides are: Access Control Two, Top Secret, Mandatory Access Control, Secret, Confidential, Unclassified, Prevent, Military Security, Information Access, Compartments

Typology: Slides

2012/2013

Uploaded on 04/25/2013

bageshri
Lecture 8
Access Control (cont)

Mandatory Access Control (MAC)

[Figure: the security levels Unclassified, Confidential, Secret and Top Secret, with arrows labelled "dominance (≥)" and "can-flow"]

Labeling Mechanism is used

Military Security

Require a strict classification of subjects and objects in security levels

Drawback of being too rigid

Applicable only to very few environments

Prevent any illegal flow of information through the enforcement of multilevel security

Adopted from: Role-Based Access Control by Prof. Ravi Sandhu

Classification & Clearance

• <rank; compartments>

– class of a piece of information

• Clearance: an indication that a person is trusted to access information up to a certain level of sensitivity

• <rank; compartments>

– clearance of a subject

Dominance Relation

• We say that s dominates o (or o is dominated by s) if o <= s

For a subject s and an object o, o <= s if and only if rank(o) <= rank(s) and compartments(o) is a subset of compartments(s)

• A subject can read an object if the subject dominates the object.

Role-Based Access Control (RBAC)

Access Control Matrix

Role-Based Access Control

Scope RBAC Models

Constraints - RBAC

• provide a means of adapting RBAC to the specifics of administrative and security policies of an organization

• a defined relationship among roles or a condition related to roles

mutually exclusive roles

  • a user can only be assigned to one role in the set (during a session or statically)
  • any permission can be granted to only one role in the set

cardinality

  • setting a maximum number with respect to roles

prerequisite roles

  • dictates that a user can only be assigned to a particular role if it is already assigned to some other specified role

RBAC System

administrative functions

  • provide the capability to create, delete, and maintain RBAC elements and relations

supporting system functions

  • provide functions for session management and for making access control decisions

review functions

  • provide the capability to perform query operations on RBAC elements and relations

NIST RBAC Model

Core RBAC

administrative functions

  • add and delete users from the set of users
  • add and delete roles from the set of roles
  • create and delete instances of user-to-role assignment
  • create and delete instances of permission-to-role assignment

supporting system functions

  • create a user session with a default set of active roles
  • add an active role to a session
  • delete a role from a session
  • check if the session subject has permission to perform a request operation on an object

review functions

  • enable an administrator to view but not modify all the elements of the model and their relations

Static Separation of Duty

• enables the definition of a set of mutually exclusive roles

  • if a user is assigned to one role in the set, the user may not be assigned to any other role in the set

• can place a cardinality constraint on a set of roles

  • defined as a pair (role set, n) where no user is assigned to n or more roles from the role set

• includes administrative functions for creating and deleting role sets and adding and deleting role members

• includes review functions for viewing the properties of existing SSD sets

Dynamic Separation of Duty

• limit the permissions available to a user

  • places constraints on the roles that can be activated within or across a user’s sessions

• define constraints as a pair (role set, n) with the property that no user session may activate n or more roles from the role set

  • where n is a natural number n ≤ 2

• enables the administrator to specify certain capabilities for a user at different time spans

• includes administrative and review functions for defining and viewing DSD relations
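
The difference between the two separation-of-duty slides is when the (role set, n) pair is checked: SSD at user-to-role assignment, DSD at role activation inside a session. The following Python sketch is an added example, not code from the lecture or from the NIST model; the class, method names, users and role names are hypothetical, and the DSD check is narrowed to a single session.

```python
class ConstraintViolation(Exception):
    """Raised when an assignment or activation would break an SoD constraint."""

class RBAC:
    def __init__(self):
        self.assigned = {}  # user -> set of roles assigned to the user
        self.sessions = {}  # session id -> (user, set of active roles)
        self.ssd = []       # SSD constraints as (role set, n) pairs
        self.dsd = []       # DSD constraints as (role set, n) pairs

    @staticmethod
    def _check(constraints, roles, kind):
        # Reject if the proposed roles include n or more members of any role set.
        for role_set, n in constraints:
            if len(roles & role_set) >= n:
                raise ConstraintViolation(f"{kind}: {n} or more of {sorted(role_set)}")

    def add_ssd(self, role_set, n):
        self.ssd.append((frozenset(role_set), n))

    def add_dsd(self, role_set, n):
        self.dsd.append((frozenset(role_set), n))

    def assign_role(self, user, role):
        proposed = self.assigned.get(user, set()) | {role}
        self._check(self.ssd, proposed, "SSD")  # enforced at assignment time
        self.assigned[user] = proposed

    def create_session(self, sid, user):
        self.sessions[sid] = (user, set())

    def add_active_role(self, sid, role):
        user, active = self.sessions[sid]
        if role not in self.assigned.get(user, set()):
            raise ConstraintViolation(f"{role} is not assigned to {user}")
        proposed = active | {role}
        self._check(self.dsd, proposed, "DSD")  # enforced at activation time
        self.sessions[sid] = (user, proposed)

    def drop_active_role(self, sid, role):
        user, active = self.sessions[sid]
        self.sessions[sid] = (user, active - {role})

def try_op(op, *args):  # returns "ok" or the violation message
    try:
        op(*args)
        return "ok"
    except ConstraintViolation as exc:
        return str(exc)
```

With a DSD pair such as ({"teller", "auditor"}, 2), a user can hold both roles but must drop one from the session before activating the other; the same pair declared as SSD blocks the second assignment outright.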