Intro To Access Controls
Presentation on Introduction to Access Controls by Sundar during the OWASP Bangalore Chapter meeting on 14 Dec 2008

    Presentation Transcript

    • Overview of Access Controls, by Sundar N
    • Access
      • A specific interaction between a subject and an object that results in information flowing from one to the other.
      [Slide diagram: example subject-to-object interactions, labelled R, FW, R, X, Mail]
      • The Trusted Computer System Evaluation Criteria (TCSEC) is DoD standard 5200.28-STD (the "Orange Book").
      • It defined requirements for manufacturers and a metric for rating the degree of security a system provides.
        • MAC (Mandatory access control): defined for multilevel security; generally used for military applications.
        • DAC (Discretionary access control): defined for single-level access; generally deployed for non-military applications.
    • MAC
      • Mandatory access control
      • Is defined in the organization's security policy and enforced by the system on the admin's behalf; neither the user nor the data owner can override it.
      • Uses a hierarchy of security levels (multilevel security).
      • Generally used for confidential or classified information.
      • Read and write access are decided separately, by comparing the user's security level with the level of the information.
      • It is a fine-grained, tightly managed form of control.
      • Access is centrally administered.
    • DAC
      • Discretionary access control
      • The information owner decides which users may access the data and what type of access they get.
      • It is more of a hands-off approach for the administrator.
      • Depends mostly on the discretion of the information owner.
      • Access rights can be passed on from one individual to another (delegation).
    • Models
      • RBAC (Role based access control)
      • It is non-discretionary: users cannot pass their access on to others.
      • Permissions are defined per role, and roles are assigned according to:
        • Duties
        • Responsibilities
        • Qualifications
      • Has the flexibility of DAC without the rigid policies of MAC.
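    The difference between DAC and RBAC on the slides above is who is allowed to hand out rights. The following Python reference monitor, an added example that is not part of the presentation, makes that concrete: under DAC the owner of an object grants rights and a grantee can delegate them further (but never more than it holds), while under RBAC only the administrator's role tables decide, and a user-initiated grant is always refused. All users, objects and permissions here are constructed for the demo.

```python
"""DAC versus RBAC decision logic.

Example code added to illustrate the slides; it is not the presentation's
own material. Users, objects and permissions are constructed for the demo.
"""
from dataclasses import dataclass, field


@dataclass
class DacObject:
    """An object under discretionary control: an ACL maps each user to the
    operations the owner (or a delegate) granted."""
    name: str
    owner: str
    acl: dict = field(default_factory=dict)


class DacMonitor:
    """DAC: the information owner decides, and rights can be passed on."""

    def __init__(self):
        self.objects = {}

    def create(self, name, owner):
        # The owner starts with full rights, including the right to grant.
        self.objects[name] = DacObject(name, owner, {owner: {"read", "write", "grant"}})

    def grant(self, grantor, name, grantee, ops):
        """Pass rights on. Only a holder of 'grant' may delegate, and it may
        only hand out operations it holds itself (no privilege amplification)."""
        held = self.objects[name].acl.get(grantor, set())
        if "grant" not in held or not set(ops) <= held:
            return False
        self.objects[name].acl.setdefault(grantee, set()).update(ops)
        return True

    def check(self, user, name, op):
        return op in self.objects[name].acl.get(user, set())


class RbacMonitor:
    """RBAC: permissions attach to roles and roles attach to users; neither
    mapping can be changed by an ordinary user (non-discretionary)."""

    def __init__(self, role_perms, user_roles):
        self.role_perms = role_perms   # role -> {(object, operation)}
        self.user_roles = user_roles   # user -> {role}

    def check(self, user, name, op):
        return any((name, op) in self.role_perms.get(r, set())
                   for r in self.user_roles.get(user, set()))

    def grant(self, grantor, name, grantee, ops):
        # Users never hold a 'grant' right: only the administrator edits roles.
        return False


def demo():
    """Run both monitors on the same constructed scenario and return the decisions."""
    dac = DacMonitor()
    dac.create("payroll.xls", owner="alice")
    dac.grant("alice", "payroll.xls", "bob", {"read", "grant"})
    # bob delegates his read right to carol: allowed under DAC ...
    bob_delegates = dac.grant("bob", "payroll.xls", "carol", {"read"})
    # ... but he cannot hand out 'write', which he never held.
    bob_escalates = dac.grant("bob", "payroll.xls", "carol", {"write"})

    rbac = RbacMonitor(
        role_perms={"hr_clerk": {("payroll.xls", "read")},
                    "hr_manager": {("payroll.xls", "read"), ("payroll.xls", "write")}},
        user_roles={"alice": {"hr_manager"}, "bob": {"hr_clerk"}},
    )
    bob_delegates_rbac = rbac.grant("bob", "payroll.xls", "carol", {"read"})

    return {
        "dac_bob_read": dac.check("bob", "payroll.xls", "read"),
        "dac_bob_delegates": bob_delegates,
        "dac_bob_escalates": bob_escalates,
        "dac_carol_read": dac.check("carol", "payroll.xls", "read"),
        "dac_carol_write": dac.check("carol", "payroll.xls", "write"),
        "rbac_bob_read": rbac.check("bob", "payroll.xls", "read"),
        "rbac_bob_write": rbac.check("bob", "payroll.xls", "write"),
        "rbac_bob_delegates": bob_delegates_rbac,
        "rbac_carol_read": rbac.check("carol", "payroll.xls", "read"),
    }


if __name__ == "__main__":
    for decision, outcome in demo().items():
        print(f"{decision}: {outcome}")
```

    The `set(ops) <= held` check in `DacMonitor.grant` is the part real DAC systems most often get wrong: delegation must be bounded by what the grantor actually holds, otherwise a read-only user can mint write access for a friend.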
    • Access control administration methods
      • Centralized: a single authority (the admin) grants and revokes all access, and subjects reach the object through it.
      [Slide diagram: subjects S1 and S2 reach object X through Admin]
      • Decentralized: access decisions are made locally, close to the data, with no single administrator in the path.
      [Slide diagram: subjects S1 and S2 reach object X directly]
    • Security models
      • Bell-LaPadula (1973)
      • Biba (1977)
      • Clark-Wilson (1987)
    • Bell-LaPadula
      • Maintains confidentiality.
      • Simple security property: a subject may not read an object above its own level (no read up).
      • *-property: a subject may not write to an object below its own level (no write down), so information is never downgraded.
      [Slide diagram: security levels TS > S > C > P]
    • Biba
      • Maintains the integrity of the information.
      • Applies the same kind of rules as Bell-LaPadula, but to integrity levels and in the opposite direction: no read down and no write up.
      • Information of lower integrity can never flow into information of higher integrity.
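    The Bell-LaPadula and Biba rules above are easiest to see side by side as lattice comparisons. The Python below is an added example, not part of the presentation: the confidentiality levels follow the slide (TS > S > C > P), while the integrity levels, subjects and requests are constructed. It also shows a caveat the slides do not mention: Bell-LaPadula by itself allows a low-cleared subject to blindly write into a Top Secret object, so a system that cares about integrity as well as confidentiality has to enforce both lattices on every request.

```python
"""Bell-LaPadula and Biba lattice checks.

Example code added to illustrate the two models; not the presentation's own
material. Confidentiality levels come from the slide (TS > S > C > P); the
integrity levels and all subjects/objects are constructed for the demo.
"""

# Confidentiality lattice from the slide, highest first.
CONF = {"TS": 3, "S": 2, "C": 1, "P": 0}
# Integrity lattice (constructed): how trustworthy a subject or datum is.
INTEG = {"high": 2, "medium": 1, "low": 0}


def blp_allowed(subj_clearance, obj_class, op):
    """Bell-LaPadula (confidentiality).
    read : simple security property, no read up   (subject >= object)
    write: *-property,                no write down (subject <= object)"""
    s, o = CONF[subj_clearance], CONF[obj_class]
    if op == "read":
        return s >= o
    if op == "write":
        return s <= o
    raise ValueError(f"unknown operation {op!r}")


def biba_allowed(subj_integ, obj_integ, op):
    """Biba (integrity) is the dual of Bell-LaPadula.
    read : simple integrity, no read down (subject <= object)
    write: *-integrity,      no write up  (subject >= object)"""
    s, o = INTEG[subj_integ], INTEG[obj_integ]
    if op == "read":
        return s <= o
    if op == "write":
        return s >= o
    raise ValueError(f"unknown operation {op!r}")


def allowed(subject, obj, op):
    """A system enforcing both models: a request must pass both lattices.
    subject and obj are dicts carrying a 'conf' and an 'integ' label."""
    return (blp_allowed(subject["conf"], obj["conf"], op)
            and biba_allowed(subject["integ"], obj["integ"], op))


def downgrade_attempt():
    """A Secret-cleared process reads a Secret file, then tries to copy what it
    read into a Confidential file. The read is fine; the *-property blocks the
    write, so the data cannot be downgraded. Returns (read_ok, write_ok)."""
    proc = {"conf": "S", "integ": "medium"}
    secret_doc = {"conf": "S", "integ": "medium"}
    conf_doc = {"conf": "C", "integ": "medium"}
    return allowed(proc, secret_doc, "read"), allowed(proc, conf_doc, "write")


def tamper_attempt():
    """A low-integrity process (one that handled untrusted input) tries to
    overwrite a high-integrity config file. Both are public, so Bell-LaPadula
    alone would allow it; Biba's no-write-up stops it. Returns (read_ok, write_ok)."""
    proc = {"conf": "P", "integ": "low"}
    config = {"conf": "P", "integ": "high"}
    return allowed(proc, config, "read"), allowed(proc, config, "write")


def blind_write_up():
    """Caveat: a Confidential subject may write into a Top Secret object under
    Bell-LaPadula (it just cannot read it back). Returns (read_ok, write_ok)."""
    proc = {"conf": "C", "integ": "medium"}
    ts_doc = {"conf": "TS", "integ": "medium"}
    return allowed(proc, ts_doc, "read"), allowed(proc, ts_doc, "write")


if __name__ == "__main__":
    print("downgrade attempt (read, write):", downgrade_attempt())
    print("tamper attempt    (read, write):", tamper_attempt())
    print("blind write up    (read, write):", blind_write_up())
```

    Real multilevel systems such as SELinux's MLS policy use exactly these comparisons, with the extra wrinkle that a level is a (sensitivity, categories) pair and "higher" means dominance in the lattice rather than a simple integer order.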
    • Clark-Wilson
      • Introduces an intermediary between the subject and the object: subjects never touch the data directly, only through certified transformation procedures.
      • Limits each subject's capabilities by binding users to the procedures and data items they may use (supporting separation of duty).
      • Uses well-formed transactions that move data only from one valid state to another, preventing arbitrary manipulation.
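    The "middle man" of the Clark-Wilson slide is a monitor that is the only path to the constrained data items, runs only certified transformation procedures, checks an access triple for the user, and keeps an integrity verification procedure true across every transaction. The Python below is an added example, not part of the presentation; the ledger, users, procedures and integrity rule are all constructed, and the E1/E2/C4 labels refer to the model's enforcement and certification rules.

```python
"""Clark-Wilson style monitor: constrained data items (CDIs) are reachable
only through certified transformation procedures (TPs), each run is checked
against an access triple, and the integrity verification procedure (IVP) must
hold before a change is committed.

Example code added to illustrate the slide; not the presentation's own
material. The ledger, users and procedures are constructed for the demo.
"""
import copy


class ClarkWilsonMonitor:
    def __init__(self, cdis, ivp):
        self._cdis = cdis        # constrained data items; only TPs may touch them
        self._ivp = ivp          # integrity verification procedure
        self._tps = {}           # certified TPs: name -> function
        self._triples = set()    # (user, tp_name, cdi_name) access triples
        self.audit = []          # C4: every TP run is recorded (append only)

    def certify_tp(self, name, func):
        self._tps[name] = func

    def authorize(self, user, tp_name, cdi_name):
        self._triples.add((user, tp_name, cdi_name))

    def run(self, user, tp_name, cdi_names, *args):
        """The only way to change CDIs.
        E1: only a certified TP may run.
        E2: the user needs a triple for every CDI the TP will touch.
        The TP works on a copy and commits only if the IVP still holds."""
        if tp_name not in self._tps:
            self.audit.append((user, tp_name, "rejected: uncertified TP"))
            return False
        if any((user, tp_name, c) not in self._triples for c in cdi_names):
            self.audit.append((user, tp_name, "rejected: no access triple"))
            return False
        working = copy.deepcopy(self._cdis)
        self._tps[tp_name](working, *cdi_names, *args)
        if not self._ivp(working):
            self.audit.append((user, tp_name, "rolled back: IVP failed"))
            return False
        self._cdis = working
        self.audit.append((user, tp_name, "committed"))
        return True

    def snapshot(self):
        return dict(self._cdis)


# A constructed ledger: balances stay non-negative and the total stays 150.
def ledger_ivp(cdis):
    return all(v >= 0 for v in cdis.values()) and sum(cdis.values()) == 150


def transfer(cdis, src, dst, amount):
    """Well-formed transaction: debit and credit happen together, never one alone."""
    cdis[src] -= amount
    cdis[dst] += amount


def demo():
    """Returns (ok, overdraw, no_triple, uncertified, final_balances)."""
    cw = ClarkWilsonMonitor({"acct_a": 100, "acct_b": 50}, ledger_ivp)
    cw.certify_tp("transfer", transfer)
    for cdi in ("acct_a", "acct_b"):
        cw.authorize("teller", "transfer", cdi)
    cw.authorize("auditor", "transfer", "acct_a")   # deliberately incomplete triple

    ok = cw.run("teller", "transfer", ("acct_a", "acct_b"), 30)
    overdraw = cw.run("teller", "transfer", ("acct_a", "acct_b"), 500)   # IVP fails, rolled back
    no_triple = cw.run("auditor", "transfer", ("acct_a", "acct_b"), 10)  # E2 blocks
    uncertified = cw.run("teller", "set_balance", ("acct_a",), 0)        # E1 blocks
    return ok, overdraw, no_triple, uncertified, cw.snapshot()


if __name__ == "__main__":
    *decisions, balances = demo()
    print("decisions:", decisions)
    print("balances: ", balances)
```

    Running the TP on a deep copy and swapping it in only after the IVP passes is what turns `transfer` into a well-formed transaction: a half-applied debit can never be observed, whether the failure is a bad amount or a bug in the TP itself.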
    • Authentication Methods
      • Username/Passwords
      • Tokens (HW/SW)
      • Biometrics (Retina/fingerprints/voice)
    • Access Attacks
      • Protocol analysis (sniffing credentials or sessions off the wire)
      • DoS attacks (Smurf / SYN flood / DDoS)
      • Spoofing
    • Appendix
      • Preventive access control
      • Deterrent access control
      • Detective access control
      • Corrective access control
      • Recovery access control
      • Compensating access control
      • Directive access control
      • Administrative access controls
      • Logical/technical access controls
      • Physical access controls