Computer Security Management
(ISYS20261)
Lecture 12 – Access Control




 Module Leader: Dr Xiaoqi Ma
 School of Science and Technology
Last time …

• Protection (defence) against harm:
  – Prevent it by blocking attack or closing vulnerabilities
  – Deter it by making the attack harder (but not impossible!)
  – Deflect it by making another target more attractive
  – Detect it either as it happens or some time after
  – Recover from effects
  – Using any combination of the above

• Using countermeasures (controls)
• Methods of defence
  – Software controls
  – Encryption
  – Physical and hardware controls



Today

• Access control
• Authentication
• Authorisation




Access control

• Permit or deny the use of a particular resource by a particular entity
• Two dimensions: authentication and authorisation
• Authentication
  – User to system
  – System to user

• Authorisation
  – Discretionary access control
  – Mandatory access control
  – Role-based access control




User to system authentication

• Something you know
  – Password, PIN, challenge-response

• Something you have
  – Key, smart card, code book, etc.

• Something you are
  – Biometrics: fingerprints, retina scan, etc.

• Somewhere you are
  – Secure terminals, subnets, etc.

• Any combination of the above (Two-factor authentication)




System to user authentication

• Secure paths
  – Mechanism that ensures that the user communicates with the system he intends to
    communicate with
  – Cannot be intercepted by attacker
  – Example: Windows ctrl+alt+del

• Browser clues
• Etc.




Authorisation

• Discretionary access control
  – Based on identity of user
  – Sometimes organised in groups

• Mandatory access control
  – Based on security clearance of user

• Role-based access control
  – Based on user’s function, authority and responsibilities




Discretionary access control (DAC)

• Restricting access to objects based on the identity of users and/or
  groups to which they belong
• Access: read, write, execute, etc.
• Often every object has an owner that controls the permissions to
  access the object
• Discretionary: a subject with a certain access permission is capable
  of passing that permission on to other subjects
• Permissions are stored in Access Control Lists (ACLs)
• System first checks the list for an applicable entry in order to decide
  whether to proceed with the operation



Access control lists (ACLs)

• Specifies who is allowed to access the object and what operations
  are allowed to be performed on the object
• List of users and associated permissions attached to an object
• Usually implemented as a table
• Every user needs to have an entry:
  – ACL can grow easily
  – Maintaining ACLs can be cumbersome
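
The DAC and ACL slides above, as an added example that is not part of the original lecture: a per-object ACL table with a default-deny check, a permission being passed on without the owner's involvement, and the row count that has to be maintained. The user names, file names and the "grant" permission are constructed for illustration.

```python
class AccessDenied(Exception):
    """Raised when no applicable ACL entry permits the operation."""


class DacObject:
    """An object with an owner and an ACL (table: user -> set of permissions)."""

    def __init__(self, name, owner):
        self.name = name
        self.owner = owner
        # The owner controls the permissions, so it starts with all of them.
        self.acl = {owner: {"read", "write", "grant"}}

    def check(self, user, perm):
        # Look for an applicable entry; no entry means deny.
        return perm in self.acl.get(user, set())

    def grant(self, grantor, grantee, perm):
        # Discretionary: a subject holding a permission (plus "grant")
        # can pass that permission on without asking anyone else.
        if not (self.check(grantor, "grant") and self.check(grantor, perm)):
            raise AccessDenied(f"{grantor} may not grant {perm} on {self.name}")
        self.acl.setdefault(grantee, set()).add(perm)

    def revoke(self, grantor, grantee, perm):
        # In this sketch only the owner can take a permission away.
        if grantor != self.owner:
            raise AccessDenied(f"{grantor} does not own {self.name}")
        self.acl.get(grantee, set()).discard(perm)


def acl_entries(objects):
    """Total number of (object, user) rows that have to be maintained."""
    return sum(len(o.acl) for o in objects)


def demo():
    report = DacObject("report.txt", owner="alice")
    report.grant("alice", "bob", "read")
    report.grant("alice", "bob", "grant")
    # bob passes read access on; alice was never consulted about carol.
    report.grant("bob", "carol", "read")
    results = {
        "carol_read": report.check("carol", "read"),
        "carol_write": report.check("carol", "write"),
        "dave_read": report.check("dave", "read"),  # no entry, so denied
    }
    # bob holds "grant" but not "write", so he cannot hand out write access.
    try:
        report.grant("bob", "carol", "write")
        results["bob_grants_write"] = True
    except AccessDenied:
        results["bob_grants_write"] = False
    # Growth: every user needs an entry on every object they may touch.
    users = [f"user{i}" for i in range(50)]
    objects = [DacObject(f"file{j}", owner="alice") for j in range(20)]
    for obj in objects:
        for u in users:
            obj.grant("alice", u, "read")
    results["rows"] = acl_entries(objects)  # 20 objects * (50 users + owner)
    return results


if __name__ == "__main__":
    print(demo())
```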




Mandatory access control (MAC)

• Assigns security labels (classifications) to system resources
  – Examples: RESTRICTED, CLASSIFIED, SECRET, TOP SECRET, …

• Ordered (not necessarily in linear order!)
• Allows access only to entities (people, processes, devices) with
  appropriate levels of authorisation (clearance)
• Only administrators, not owners, make changes to a resource's
  security label
• Assigned security level reflects the relative sensitivity,
  confidentiality, and protection value, of data




Bell and La Padula

• Model that focuses on data confidentiality and access to classified
  information
• Information must not flow from high to low classification:
  – No read up: lowly classified entities may not read more highly classified data
  – No write down: highly classified entities may not write to more lowly classified
    files

• Limitations
  – Restricted to confidentiality
  – Intended for systems with static security levels - no policies for changing access
    rights
  – Sometimes, it is not sufficient to hide only the contents of objects. Their
    existence may have to be hidden as well, BUT a low subject can detect the
    existence of high objects when it is denied access
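
The two Bell and La Padula rules, and the MAC slide's remark that labels need not be linearly ordered, as an added example that is not part of the original lecture. It assumes the slide's four example labels are ordered lowest to highest as listed; the CRYPTO and NUCLEAR compartments and the sample subjects and objects are constructed. The example goes slightly beyond the slide by checking, over every label combination, that no permitted read followed by a permitted write moves data downwards.

```python
from dataclasses import dataclass
from itertools import product

# Assumed ordering of the slide's example labels, lowest to highest.
LEVELS = ["RESTRICTED", "CLASSIFIED", "SECRET", "TOP SECRET"]


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        # Partial order: higher-or-equal level AND a superset of compartments.
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and self.compartments >= other.compartments)


def can_read(subject, obj):
    # No read up: the subject's clearance must dominate the object's label.
    return subject.dominates(obj)


def can_write(subject, obj):
    # No write down: the object's label must dominate the subject's clearance.
    return obj.dominates(subject)


def comparable(a, b):
    # Two labels are comparable if one dominates the other.
    return a.dominates(b) or b.dominates(a)


def downward_flows(labels):
    """Every (subject, src, dst) where a permitted read followed by a permitted
    write would copy data to a label that does not dominate the source."""
    return [(s, src, dst) for s, src, dst in product(labels, repeat=3)
            if can_read(s, src) and can_write(s, dst) and not dst.dominates(src)]


# Constructed sample labels; CRYPTO and NUCLEAR are hypothetical compartments.
ANALYST = Label("SECRET", frozenset({"CRYPTO"}))
MEMO = Label("CLASSIFIED")
KEYS = Label("TOP SECRET", frozenset({"CRYPTO"}))
PLANS = Label("SECRET", frozenset({"NUCLEAR"}))

# All 16 combinations of level and compartment set, for the exhaustive check.
ALL_LABELS = [Label(lv, frozenset(c)) for lv in LEVELS
              for c in ([], ["CRYPTO"], ["NUCLEAR"], ["CRYPTO", "NUCLEAR"])]

if __name__ == "__main__":
    for name, obj in [("MEMO", MEMO), ("KEYS", KEYS), ("PLANS", PLANS)]:
        print(name, "read:", can_read(ANALYST, obj), "write:", can_write(ANALYST, obj))
    print("downward flows found:", len(downward_flows(ALL_LABELS)))
```

PLANS and ANALYST share a level but neither label dominates the other, so the analyst can neither read nor write that object; this is the non-linear ordering in practice.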



Role-based access control (RBAC)

• Approach to restricting system access to authorised users that
  reduces the costs
• User has access to an object based on his or her assigned role
  – Users change frequently, roles don’t

• Operations on an object are invoked based on permissions
• An object is concerned with the user’s role and not the user
• Roles are
  – a collection of users and a collection of permissions
  – Arranged in hierarchies
  [Figure: users -> (user-role assignment) -> Roles -> (role-permission assignment) -> Permissions]
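
The two assignment relations and the role hierarchy from this slide, as an added example that is not part of the original lecture. The role names, users and permissions are constructed; the point is that a staff change edits only the user-role assignment while the role-permission assignment stays as it was.

```python
class Rbac:
    def __init__(self):
        self.user_roles = {}   # user-role assignment: user -> set of roles
        self.role_perms = {}   # role-permission assignment: role -> {(operation, object)}
        self.juniors = {}      # hierarchy: senior role -> roles whose permissions it inherits

    def add_role(self, role, perms=(), inherits=()):
        self.role_perms[role] = set(perms)
        self.juniors[role] = set(inherits)

    def assign(self, user, role):
        if role not in self.role_perms:
            raise KeyError(f"unknown role: {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def deassign(self, user, role):
        self.user_roles.get(user, set()).discard(role)

    def effective_roles(self, user):
        # Walk the hierarchy downwards; 'seen' also guards against cycles.
        seen, stack = set(), list(self.user_roles.get(user, ()))
        while stack:
            role = stack.pop()
            if role not in seen:
                seen.add(role)
                stack.extend(self.juniors.get(role, ()))
        return seen

    def check(self, user, operation, obj):
        # The decision looks only at roles, never at the user's identity.
        return any((operation, obj) in self.role_perms.get(r, ())
                   for r in self.effective_roles(user))


def build_policy():
    # Constructed sample policy.
    rbac = Rbac()
    rbac.add_role("clerk", perms={("read", "invoices"), ("create", "invoices")})
    rbac.add_role("manager", perms={("approve", "invoices")}, inherits={"clerk"})
    rbac.add_role("auditor", perms={("read", "invoices"), ("read", "audit_log")})
    rbac.assign("ann", "manager")
    rbac.assign("raj", "clerk")
    return rbac


def staff_change(rbac):
    """raj is promoted and a new hire takes his old job: three user-role
    edits, while the role-permission table is left untouched.
    Returns True if the role-permission assignment is unchanged."""
    before = {r: set(p) for r, p in rbac.role_perms.items()}
    rbac.deassign("raj", "clerk")
    rbac.assign("raj", "manager")
    rbac.assign("new_hire", "clerk")
    return before == rbac.role_perms


if __name__ == "__main__":
    policy = build_policy()
    print("ann may create invoices:", policy.check("ann", "create", "invoices"))
    print("raj may approve invoices:", policy.check("raj", "approve", "invoices"))
    print("role-permission table unchanged:", staff_change(policy))
    print("raj may approve invoices now:", policy.check("raj", "approve", "invoices"))
```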


Summary

Today we learned:
• Access control permits or denies the use of a particular resource by
  a particular entity
• Two dimensions: authentication and authorisation
• Authentication
  – User to system
  – System to user

• Authorisation
  – Discretionary access control
  – Mandatory access control
  – Role-based access control



