Overview of Access controls Sundar N suntracks@gmail.com

Access A specific interaction between a subject and object resulting information flow from one to another . R FW R X Mail

A specific interaction between a subject and object resulting information flow from one to another .

Trusted computer security evaluation criteria (TCSEC) is a DOD standard 5200.28 It defined a standard for manufacturers and set a metrics for degree of measurement for security. MAC (Mandatory access control): defined for multilevel security access generally used for military applications. DAC (Discretionary access control): defined for single level access generally deployed for non military applications.

Trusted computer security evaluation criteria (TCSEC) is a DOD standard 5200.28

It defined a standard for manufacturers and set a metrics for degree of measurement for security.

MAC (Mandatory access control): defined for multilevel security access generally used for military applications.

DAC (Discretionary access control): defined for single level access generally deployed for non military applications.

MAC Mandatory access control Is defined in the security policy of an organization and enforced by an admin Has a multilevel security level access in terms of hierarchy Generally used for confidential or classified information. Define the appropriate Read and write access separately to the information depending on the levels of security for each user. It is more of a micromanagement It is a centrally administered access.

Mandatory access control

Is defined in the security policy of an organization and enforced by an admin

Has a multilevel security level access in terms of hierarchy

Generally used for confidential or classified information.

Define the appropriate Read and write access separately to the information depending on the levels of security for each user.

It is more of a micromanagement

It is a centrally administered access.

DAC Discretionary access control Information owner defines the access to data and type of access to it for the users. It is more of a hands off approach Mostly depends on the discretion of the information owner. Access can be passed on from one individual to another

Discretionary access control

Information owner defines the access to data and type of access to it for the users.

It is more of a hands off approach

Mostly depends on the discretion of the information owner.

Access can be passed on from one individual to another

Models RBAC (Role based access controls) It is non discretionary Defined as per role Duties Responsibilities Qualifications Has flexibility of DAC but not as hard policies as MAC

RBAC (Role based access controls)

It is non discretionary

Defined as per role

Duties

Responsibilities

Qualifications

Has flexibility of DAC but not as hard policies as MAC

Access control administration methods Centralized X Admin S1 S2

Centralized

Access control administration methods Decentralized X S1 S2

Decentralized

Security models BELL LAPADULA (1970) BIBA (1977) Clark Wilson (1987)

BELL LAPADULA (1970)

BIBA (1977)

Clark Wilson (1987)

BELL LAPADULA Maintain the property of the confidentiality Maintain the simple security rule. Do not downgrade the security levels. TS S C P

Maintain the property of the confidentiality

Maintain the simple security rule.

Do not downgrade the security levels.

BIBA Maintain the integrity of the information Follow the rules against each of the security on the information levels. Maintain the property of the information

Maintain the integrity of the information

Follow the rules against each of the security on the information levels.

Maintain the property of the information

Clark Wilson Introduction of a middle man in the transaction from subject to the object Limit the capabilities for the subject Have well formed transactions to prevent manipulations .

Introduction of a middle man in the transaction from subject to the object

Limit the capabilities for the subject

Have well formed transactions to prevent manipulations .

Authentication Methods Username/Passwords Tokens (HW/SW) Biometrics (Retina/fingerprints/voice)

Username/Passwords

Tokens (HW/SW)

Biometrics (Retina/fingerprints/voice)

Access Attacks Protocol Analysis Dos attacks (Smurf/Syn Flood/DDos) Spoofing

Protocol Analysis

Dos attacks (Smurf/Syn Flood/DDos)

Spoofing

Appendix Preventive access control Deterrent access control Detective access control Corrective access control Recovery access control Compensation access control Directive access control Administrative access controls Logical/technical access controls Physical access controls

Preventive access control

Deterrent access control

Detective access control

Corrective access control

Recovery access control

Compensation access control

Directive access control

Administrative access controls

Logical/technical access controls

Physical access controls