Isys20261 lecture 12

  1. Computer Security Management (ISYS20261)
     Lecture 12 – Access Control
     Module Leader: Dr Xiaoqi Ma
     School of Science and Technology
  2. Last time …
     • Protection (defence) against harm:
       – Prevent it by blocking attack or closing vulnerabilities
       – Deter it by making the attack harder (but not impossible!)
       – Deflect it by making another target more attractive
       – Detect it either as it happens or some time after
       – Recover from effects
       – Using any combination of the above
     • Using countermeasures (controls)
     • Methods of defence
       – Software controls
       – Encryption
       – Physical and hardware controls
     Computer Security Management, Page 2
  3. Today
     • Access control
     • Authentication
     • Authorisation
  4. Access control
     • Permit or deny the use of a particular resource by a particular entity
     • Two dimensions: authentication and authorisation
     • Authentication
       – User to system
       – System to user
     • Authorisation
       – Discretionary access control
       – Mandatory access control
       – Role-based access control
  5. User to system authentication
     • Something you know
       – Password, PIN, challenge-response
     • Something you have
       – Key, smart card, code book, etc.
     • Something you are
       – Biometrics: fingerprints, retina scan, etc.
     • Somewhere you are
       – Secure terminals, subnets, etc.
     • Any combination of the above (Two-factor authentication)
  6. System to user authentication
     • Secure paths
       – Mechanism that ensures that the user communicates with the system he intends to communicate with
       – Cannot be intercepted by attacker
       – Example: Windows ctrl+alt+del
     • Browser clues
     • Etc.
  7. Authorisation
     • Discretionary access control
       – Based on identity of user
       – Sometimes organised in groups
     • Mandatory access control
       – Based on security clearance of user
     • Role-based access control
       – Based on user’s function, authority and responsibilities
  8. Discretionary access control (DAC)
     • Restricting access to objects based on the identity of users and/or groups to which they belong
     • Access: read, write, execute, etc.
     • Often every object has an owner that controls the permissions to access the object
     • Discretionary: a subject with a certain access permission is capable of passing that permission on to other subjects
     • Permissions are stored in Access Control Lists (ACLs)
     • System first checks the list for an applicable entry in order to decide whether to proceed with the operation
  9. Access control lists (ACLs)
     • Specifies who is allowed to access the object and what operations are allowed to be performed on the object
     • List of users and associated permissions attached to an object
     • Usually implemented as a table
     • Every user needs to have an entry:
       – ACL can grow easily
       – Maintaining ACLs can be cumbersome
  10. Mandatory access control (MAC)
     • Assigns security labels (classifications) to system resources
       – Examples: RESTRICTED, CLASSIFIED, SECRET, TOP SECRET, …
     • Ordered (not necessarily in linear order!)
     • Allows access only to entities (people, processes, devices) with appropriate levels of authorisation (clearance)
     • Only administrators, not owners, make changes to a resource's security label
     • Assigned security level reflects the relative sensitivity, confidentiality, and protection value of data
  11. Bell and La Padula
     • Model that focuses on data confidentiality and access to classified information
     • Information must not flow from high to low classification:
       – No read up: lowly classified entities may not read more highly classified data
       – No write down: highly classified entities may not write to more lowly classified files
     • Limitations
       – Restricted to confidentiality
       – Intended for systems with static security levels: no policies for changing access rights
       – Sometimes, it is not sufficient to hide only the contents of objects. Their existence may have to be hidden as well, BUT a low subject can detect the existence of high objects when it is denied access
  12. Role-based access control (RBAC)
     • Approach to restricting system access to authorised users that reduces the costs
     • User has access to an object based on his or her assigned role
       – Users change frequently, roles don’t
     • Operations on an object are invoked based on permissions
     • An object is concerned with the user’s role and not the user
     • Roles are
       – A collection of users and a collection of permissions
       – Arranged in hierarchies
     [Diagram: users, roles and permissions, linked by user-role assignment and role-permission assignment]
  13. Summary
     Today we learned:
     • Access control permits or denies the use of a particular resource by a particular entity
     • Two dimensions: authentication and authorisation
     • Authentication
       – User to system
       – System to user
     • Authorisation
       – Discretionary access control
       – Mandatory access control
       – Role-based access control
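
The DAC and ACL slides (8 and 9) describe an owner-controlled table that is checked before each operation, and the ability of a permission holder to pass that permission on. The sketch below is an added example, not part of the lecture; the class, function, user and group names are all hypothetical.

```python
from dataclasses import dataclass, field

GROUPS = {"staff": {"bob", "carol"}}  # constructed sample group membership

@dataclass
class DacObject:
    """An object whose owner controls its ACL (hypothetical class)."""
    name: str
    owner: str
    # ACL as a table: principal ("user:alice" / "group:staff") -> operations
    acl: dict = field(default_factory=dict)

def principals_for(user):
    """ACL keys that apply to a user: their own entry plus each group entry."""
    yield f"user:{user}"
    for group, members in GROUPS.items():
        if user in members:
            yield f"group:{group}"

def is_allowed(obj, user, op):
    """Default deny: allowed only if an applicable ACL entry lists the operation."""
    return any(op in obj.acl.get(p, set()) for p in principals_for(user))

def grant(obj, grantor, principal, op):
    """Discretionary grant: the owner may grant any operation; any other
    subject may pass on only an operation it already holds."""
    if grantor != obj.owner and not is_allowed(obj, grantor, op):
        raise PermissionError(f"{grantor} cannot grant {op} on {obj.name}")
    obj.acl.setdefault(principal, set()).add(op)

def demo():
    report = DacObject("report.txt", owner="alice")
    grant(report, "alice", "user:alice", "read")
    grant(report, "alice", "user:alice", "write")
    grant(report, "alice", "group:staff", "read")
    # bob holds read through the staff group and passes it on to dave
    # without the owner being involved: the "discretionary" part of DAC.
    grant(report, "bob", "user:dave", "read")
    return report

if __name__ == "__main__":
    r = demo()
    for user in ("alice", "bob", "dave", "eve"):
        print(user, {op: is_allowed(r, user, op) for op in ("read", "write")})
```

The ACL now carries an entry the owner never created, which is the maintenance problem slide 9 points at and the reason MAC takes label changes away from owners.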
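
The MAC and Bell and La Padula slides (10 and 11) can be made concrete with a small label check. This is an added example, not part of the lecture. It assumes the four levels are listed in ascending order on the slide and adds category sets (an assumption, not on the slides) to show an ordering that is not linear. It also shows the existence leak named under Limitations and one way to close it.

```python
from dataclasses import dataclass

# Assumption: ascending order, as listed on slide 10.
LEVELS = ["RESTRICTED", "CLASSIFIED", "SECRET", "TOP SECRET"]

@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()  # assumed compartments, e.g. {"CRYPTO"}

    def dominates(self, other):
        """True if level is at least as high AND categories are a superset."""
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and self.categories >= other.categories)

def can_read(subject, obj):
    """No read up: the subject's label must dominate the object's."""
    return subject.dominates(obj)

def can_write(subject, obj):
    """No write down: the object's label must dominate the subject's."""
    return obj.dominates(subject)

def lookup(store, subject, name, hide_existence=False):
    """Read decision for a named object. With hide_existence, a denied read
    is reported exactly like a missing object, so a low subject cannot
    learn that a high object exists."""
    if name not in store:
        return "not found"
    if can_read(subject, store[name]):
        return "granted"
    return "not found" if hide_existence else "denied"

# Constructed sample subjects and objects.
CLERK = Label("RESTRICTED")
CRYPTO_ANALYST = Label("SECRET", frozenset({"CRYPTO"}))
NUCLEAR_ANALYST = Label("SECRET", frozenset({"NUCLEAR"}))
STORE = {
    "canteen-menu": Label("RESTRICTED"),
    "key-schedule": Label("SECRET", frozenset({"CRYPTO"})),
}

if __name__ == "__main__":
    print(can_read(CRYPTO_ANALYST, STORE["key-schedule"]))   # same label
    print(can_read(NUCLEAR_ANALYST, STORE["key-schedule"]))  # incomparable labels
    print(can_write(CRYPTO_ANALYST, STORE["canteen-menu"]))  # write down
    print(lookup(STORE, CLERK, "key-schedule"))
    print(lookup(STORE, CLERK, "key-schedule", hide_existence=True))
```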
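
The RBAC slide (12) separates user-role assignment from role-permission assignment and arranges roles in hierarchies. The sketch below is an added example, not part of the lecture; every role, user and permission name is a constructed placeholder.

```python
# Role-permission assignment (constructed sample policy).
ROLE_PERMISSIONS = {
    "employee": {("timesheet", "submit")},
    "clerk": {("invoice", "read")},
    "accountant": {("invoice", "create")},
    "finance_manager": {("invoice", "approve")},
}
# Hierarchy: senior role -> junior roles whose permissions it inherits.
ROLE_PARENTS = {
    "clerk": {"employee"},
    "accountant": {"clerk"},
    "finance_manager": {"accountant"},
}
# User-role assignment: the only table that changes when staff change.
USER_ROLES = {"alice": {"finance_manager"}, "bob": {"clerk"}}

def effective_roles(roles):
    """Expand roles through the hierarchy (iterative walk, safe on cycles)."""
    seen, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(ROLE_PARENTS.get(role, ()))
    return seen

def permissions_of(user):
    """Union of the permissions of every role the user holds or inherits."""
    perms = set()
    for role in effective_roles(USER_ROLES.get(user, ())):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms

def check(user, obj, op):
    """The object consults the user's roles, never the user's identity."""
    return (obj, op) in permissions_of(user)

def reassign(user, new_roles):
    """A staff move touches user-role assignment only."""
    USER_ROLES[user] = set(new_roles)

if __name__ == "__main__":
    print(check("alice", "timesheet", "submit"))  # inherited through three levels
    print(check("bob", "invoice", "create"))      # clerk cannot create
    reassign("bob", {"accountant"})
    print(check("bob", "invoice", "create"))      # same policy, new role
```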
