2. CONTENTS
• Introduction
• Access Control Challenges
• Access Control Principles
• Access Control Practices
• Security Principles
• Identification, Authentication & Authorization
• Access Control Categories
• Access Control Types
• Access Control Threats
• Access Control Technologies - Single Sign-On
• Access Control Models
• Access Control Techniques
• Access Control Administration
• Access Control Monitoring (IDS/IPS)
• Access Control Assurance
3. Introduction
• Access controls: security features that control how users & systems communicate & interact with other systems & resources.
• Access: the flow of information between a subject & a resource.
• A subject: an active entity that requests access to a resource or the data within a resource (e.g. a user, program, process, etc.).
• A resource: an entity that contains the information (e.g. a computer, database, file, program, printer, etc.).
• Access controls give the organization the ability to control, restrict, monitor, & protect resource availability, integrity, & confidentiality.
4. Access Control Challenges
• Diverse identity data must be kept on different types of users: credentials, personal data, contact information, work-related data, digital certificates, cognitive passwords, etc.
• The corporate environment is continually changing: business environment needs, resource access needs, employee roles, actual employees, etc.
• Various types of users need different levels of access: internal users, contractors, outsiders, partners, etc.
• Resources have different classification levels: confidential, internal use only, private, public, etc.
5. Access Control Principles
1. Separation of Duties: separating any conflicting areas of responsibility so as to reduce opportunities for unauthorized or unintentional modification or misuse of organizational assets &/or information.
2. Need to know: based on the concept that individuals should be given access only to the information that they absolutely require in order to perform their job duties.
3. Principle of Least Privilege: states that if nothing has been specifically configured for an individual or the groups he/she belongs to, the user should not be able to access that resource, i.e. default no access.
6. Access Control Practices
1. Disable unneeded system features, services, & ports.
2. Deny access to systems by undefined users or anonymous accounts.
3. Suspend inactive accounts after 30 to 60 days.
4. Enforce the need-to-know & least-privilege practices.
5. Enforce strict access criteria.
6. Remove obsolete user accounts as soon as the user leaves the company.
7. Suspend or delay access capability after a specific number of unsuccessful logon attempts.
8. Limit & monitor the usage of administrator & other powerful accounts.
7. Access Control Practices (continued)
9. Replace default password settings on accounts.
10. Limit & monitor global access rules.
11. Ensure that logon IDs are nondescriptive of job function.
12. Remove redundant resource rules from accounts & group memberships.
13. Remove redundant user IDs, accounts, & role-based accounts from resource access lists.
14. Enforce password rotation.
15. Enforce password requirements (length, contents, lifetime, distribution, storage, & transmission).
16. Audit system & user events & actions & review reports periodically.
17. Protect audit logs.
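Several of the practices above (3, 6, 7, 9 and 11) can be checked mechanically against an account directory. The script below is an added example, not code from the slides; the lockout threshold, the job-function word list and the sample accounts are constructed assumptions (the slides give no concrete numbers).

```python
from datetime import datetime, timedelta

INACTIVITY_DAYS = 60        # practice 3: suspend inactive accounts after 30 to 60 days
MAX_FAILED_LOGONS = 5       # practice 7: threshold is an assumption; the slide gives no number
DESCRIPTIVE_WORDS = ("admin", "payroll", "dba")   # practice 11: assumed job-function words

def evaluate_account(acct: dict, now: datetime) -> list:
    """Return the practices the account violates as (practice number, action) pairs."""
    findings = []
    if acct.get("left_company"):
        findings.append((6, "remove obsolete account"))
    if acct.get("failed_logons", 0) >= MAX_FAILED_LOGONS:
        findings.append((7, "lock account after repeated unsuccessful logons"))
    if now - acct["last_logon"] > timedelta(days=INACTIVITY_DAYS):
        findings.append((3, "suspend inactive account"))
    if acct.get("default_password"):
        findings.append((9, "replace default password"))
    if any(w in acct["logon_id"].lower() for w in DESCRIPTIVE_WORDS):
        findings.append((11, "logon ID reveals job function"))
    return findings

def review_accounts(accounts: list, now: datetime) -> dict:
    """Map each logon ID with at least one finding to its list of findings."""
    return {a["logon_id"]: f for a in accounts if (f := evaluate_account(a, now))}

# Constructed sample directory (hypothetical accounts, not real data)
NOW = datetime(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    {"logon_id": "u10231", "last_logon": NOW - timedelta(days=3), "failed_logons": 0},
    {"logon_id": "u10232", "last_logon": NOW - timedelta(days=95), "failed_logons": 1},
    {"logon_id": "u10233", "last_logon": NOW - timedelta(days=1), "failed_logons": 7},
    {"logon_id": "payroll_admin", "last_logon": NOW - timedelta(days=10), "default_password": True},
    {"logon_id": "u10235", "last_logon": NOW - timedelta(days=200), "left_company": True},
]

if __name__ == "__main__":
    for logon_id, findings in review_accounts(SAMPLE_ACCOUNTS, NOW).items():
        print(logon_id, findings)
```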
9. Identification, Authentication & Authorization
Identification describes a method of ensuring that a subject is the entity it claims to be (e.g. a username or an account number).
Authentication is the method of proving the subject's identity (e.g. a password, passphrase, or PIN).
Authorization is the method of controlling the access of objects by the subject (e.g. a user cannot delete a particular file after logging into the system).
Note: There must be a three-step process of Identification, Authentication, & Authorization in order for a subject to access an object.
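The three-step process as a small login-and-permission check, written as an added example (not code from the slides). The account store, user names, passwords and the "file:read"/"file:delete" permission names are constructed for illustration; the point is that each step is a separate decision and that an unknown user and a wrong password yield the same answer in the same time.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000

def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so a leaked store does not directly reveal passwords
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def make_account(password: str, permissions) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt), "perms": set(permissions)}

# Constructed sample accounts (hypothetical users); permission names are assumptions
ACCOUNTS = {
    "alice": make_account("correct horse battery staple", {"file:read", "file:delete"}),
    "bob": make_account("bob-password-1", {"file:read"}),
}
_DUMMY = make_account("", ())   # hashed against for unknown users so timing matches real ones

def identify(username: str):
    """Step 1 - Identification: map the claimed identifier to an account, or None."""
    return ACCOUNTS.get(username)

def authenticate(account, password: str) -> bool:
    """Step 2 - Authentication: prove the claim; constant-time compare, no early exit."""
    target = account if account is not None else _DUMMY
    ok = hmac.compare_digest(target["hash"], _hash(password, target["salt"]))
    return ok and account is not None

def authorize(account: dict, action: str) -> bool:
    """Step 3 - Authorization: default no access unless the permission is present."""
    return action in account["perms"]

def access(username: str, password: str, action: str) -> str:
    account = identify(username)
    if not authenticate(account, password):
        return "denied: authentication failed"   # same answer for unknown user and wrong password
    if not authorize(account, action):
        return "denied: not authorized"
    return "allowed"

if __name__ == "__main__":
    print(access("alice", "correct horse battery staple", "file:delete"))   # allowed
    print(access("bob", "bob-password-1", "file:delete"))                    # denied: not authorized
```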
10. Identification Component Requirements
When issuing identification values to users or subjects, ensure that:
1. Each value should be unique, for user accountability;
2. A standard naming scheme should be followed;
3. The values should be non-descriptive of the user's position or task;
4. The values should not be shared between the users.
13. Identity Management
• Identity Management is a broad term that encompasses the use of different products to identify, authenticate, & authorize users through automated means.
• The identity is established as:
  • a name (or number) is associated to the subject or object; &
  • the identity is re-established: a new or additional name (or number) is connected to the subject or object.
• The identity is described as:
  • one or more attributes which are applicable to this particular subject or object may be assigned to the identity; &
  • the identity is newly described: one or more attributes which are applicable to this particular subject or object may be changed.
18. Access Control Types
1. Preventative: avoid undesirable events from occurring.
2. Detective: identify undesirable events that have occurred.
3. Corrective: correct undesirable events that have occurred.
4. Deterrent: discourage security violations.
5. Recovery: restore resources & capabilities.
6. Compensative: provide alternatives to other controls.
19. Access Control Threats
• Denial of Service (DoS/DDoS)
• Buffer Overflows
• Malicious Software
• Password Crackers
• Spoofing/Masquerading
• Emanations
• Shoulder Surfing
• Object Reuse
• Data Remanence
• Backdoor/Trapdoor
• Dictionary Attacks
• Brute-force Attacks
• Social Engineering
20. Access Control Technologies - Single Sign-On
Introduction
• SSO is a technology that allows a user to enter credentials one time & be able to access all resources in primary & secondary network domains.
Advantages
• Reduces the amount of time users spend authenticating to resources.
• Enables the administrator to streamline user accounts & better control access rights.
• Improves security by reducing the probability that users will write down their passwords.
• Reduces the administrator's time in managing the access permissions.
Limitations
• Every platform, application & resource needs to accept the same type of credentials, in the same format, & interpret their meaning in the same way.
Disadvantages
• Once an individual is in, he is in, thus giving a bigger scope to an attacker.
21. Access Control Models
▪ Framework that dictates how subjects access objects.
▪ Uses access control technologies & security mechanisms to enforce the rules & objectives of the model.
1. Discretionary
➢ Based on the discretion (wish) of the owner.
➢ A system that uses DAC enables the owner of the resource to specify which subjects can access specific resources.
➢ Examples: Unix, Linux, & Windows access control is based on DAC.
2. Mandatory
➢ This model is very structured & strict & is based on a security label (also known as a sensitivity label) attached to all objects.
➢ The subjects are given security clearance by classifying the subjects (as secret, top-secret, confidential, etc.) & the objects are also classified similarly.
➢ Examples: SELinux (by the NSA), Trusted Solaris.
3. Role-based
➢ RBAC is based on user roles & uses a centrally administered set of controls to determine how subjects & objects interact.
➢ The RBAC approach simplifies access control administration.
➢ It is the best system for a company that has high employee turnover.
➢ Note: RBAC can generally be used in combination with MAC & DAC systems.

Model   Access Control Owner   Sec Policy enforced by
DAC     Data Owners            Access-control list
MAC     Operating Systems      Security Labels
RBAC    Administrator          Roles/Functional Position
23. Access Control Techniques
Rule-Based Access Control
• Uses specific rules that indicate what can & cannot happen between a subject & an object.
• E.g.: routers & firewalls use rules to filter incoming & outgoing packets.
Constrained User Interface
• Constrained user interfaces restrict users' access ability by not allowing them to request certain functions or information, or to have access to specific system resources.
• 3 major types of restricted interfaces: menus & shells, database views, physically constrained interfaces.
Access Control Matrix
• An access control matrix is a table of subjects & objects indicating what actions individual subjects can take upon individual objects.
Content-Dependent Access Control
• Access to the objects is based on the content within the object.
• Example: database views, e-mail filtering, etc.
Context-Dependent Access Control
• The access decisions are based on the context of a collection of information rather than on the sensitivity of the data.
• Example: a firewall makes a context-based access decision when it collects state information on a packet before allowing it into the network.
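An access control matrix implemented in code, as an added example (not from the slides), also serving the RBAC model and the "default no access" principle above: a column of the matrix is the access-control list a DAC system stores with an object, a row is a subject's capability list, roles are extra rows that users inherit, and any missing cell is a denial. Users, roles, objects and actions are constructed sample data.

```python
from collections import defaultdict

class AccessControlMatrix:
    """Subjects x objects table of permitted actions. Missing cells mean no access."""

    def __init__(self):
        self._cells = {}                 # (subject, object) -> set of actions
        self._roles = defaultdict(set)   # user -> roles (RBAC layer on top of the matrix)

    def grant(self, subject, obj, *actions):
        self._cells.setdefault((subject, obj), set()).update(actions)

    def assign_role(self, user, role):
        self._roles[user].add(role)

    def is_allowed(self, user, obj, action) -> bool:
        """Default no access: only an explicit cell for the user or one of its roles permits."""
        subjects = (user, *sorted(self._roles.get(user, ())))
        return any(action in self._cells.get((s, obj), ()) for s in subjects)

    def acl(self, obj) -> dict:
        """Column view: the access-control list stored with the object (what DAC systems keep)."""
        return {s: sorted(a) for (s, o), a in self._cells.items() if o == obj}

    def capabilities(self, subject) -> dict:
        """Row view: the capability list of a subject or role."""
        return {o: sorted(a) for (s, o), a in self._cells.items() if s == subject}

def build_sample() -> AccessControlMatrix:
    """Constructed sample: hypothetical users, roles and objects."""
    m = AccessControlMatrix()
    m.grant("payroll_clerk", "payroll.db", "read")                  # role row
    m.grant("payroll_manager", "payroll.db", "read", "write")       # role row
    m.grant("alice", "alice_notes.txt", "read", "write", "delete")  # owner, DAC style
    m.grant("bob", "alice_notes.txt", "read")                       # owner granted bob read only
    m.assign_role("alice", "payroll_manager")
    m.assign_role("bob", "payroll_clerk")
    return m

if __name__ == "__main__":
    m = build_sample()
    print(m.is_allowed("bob", "payroll.db", "write"))   # False: clerk role has read only
    print(m.acl("alice_notes.txt"))
```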
24. Access Control Administration
Centralized Access Control
• Here one entity (a department or an individual) is responsible for overseeing access to all corporate resources.
• This type of administration provides a consistent and uniform method of controlling the users' access rights.
• Example: RADIUS, TACACS, and Diameter.
Decentralized Access Control
• Gives control of access to the people closer to the resources.
• There is a possibility of certain controls overlapping, in which case actions may not be properly proscribed or restricted.
• This type of administration does not provide methods for consistent control, as a centralized method would.
25. Access Control Monitoring (IDS/IPS)
Method of keeping track of who attempts to access specific network resources.
Intrusion Detection System (IDS)
• Process of detecting unauthorized use of, or attack upon, a computer, network, or telecommunication infrastructure.
• Designed to aid in mitigating the damage that can be caused by hacking or breaking into sensitive computer and network systems.
Intrusion Prevention System (IPS)
• Examines network traffic flows to detect & prevent vulnerability exploits.
• IPS is a preventative & proactive technology, whereas an IDS is a detective & after-the-fact technology.
26. Access Control Assurance
Accountability is the method of tracking and logging the subject's actions on the objects.
Auditing is an activity where the users'/subjects' actions on the objects are monitored in order to verify that the sensitivity policies are enforced & can be used as an investigation tool.
Advantages of Auditing
❖ To track unauthorized activities performed by individuals.
❖ Detect intrusion.
❖ Reconstruct events & system conditions.
❖ Provide legal resource material & produce problem reports.