Intro To Access Controls

Presentation on Introduction to Access Controls by Sundar during the OWASP Bangalore Chapter meeting on 14 Dec 2008

  1. Overview of Access Controls (Sundar N, suntracks@gmail.com)
  2. Access
     • A specific interaction between a subject and an object, resulting in information flow from one to the other.
     • (diagram of subject/object interactions; labels: R, FW, R, X, Mail)
  3. TCSEC
     • Trusted Computer System Evaluation Criteria (TCSEC) is DoD standard 5200.28.
     • It defined a standard for manufacturers and set metrics for measuring the degree of security.
        • MAC (Mandatory access control): defined for multilevel security access, generally used for military applications.
        • DAC (Discretionary access control): defined for single-level access, generally deployed for non-military applications.
  4. MAC
     • Mandatory access control.
     • Is defined in the security policy of an organization and enforced by an administrator.
     • Has multilevel security access arranged as a hierarchy.
     • Generally used for confidential or classified information.
     • Defines read and write access to the information separately, depending on each user's security level.
     • It is more of a micromanagement approach.
     • It is centrally administered access.
  5. DAC
     • Discretionary access control.
     • The information owner defines which users may access the data and what type of access they have.
     • It is more of a hands-off approach.
     • Mostly depends on the discretion of the information owner.
     • Access can be passed on from one individual to another.
  6. Models
     • RBAC (Role-based access control).
     • It is non-discretionary.
     • Access is defined per role, according to:
        • Duties
        • Responsibilities
        • Qualifications
     • Has the flexibility of DAC, but without policies as rigid as MAC.
  7. Access control administration methods
     • Centralized
     • (diagram: X, Admin, S1, S2)
  8. Access control administration methods
     • Decentralized
     • (diagram: X, S1, S2)
  9. Security models
     • Bell-LaPadula (1970)
     • Biba (1977)
     • Clark-Wilson (1987)
  10. Bell-LaPadula
     • Maintains the confidentiality property.
     • Maintains the simple security rule.
     • Does not downgrade security levels.
     • (diagram of security levels: TS, S, C, P)
  11. Biba
     • Maintains the integrity of the information.
     • Applies the rules at each of the security levels of the information.
     • Maintains the integrity property of the information.
  12. Clark-Wilson
     • Introduces an intermediary into the transaction between the subject and the object.
     • Limits the capabilities of the subject.
     • Uses well-formed transactions to prevent manipulation.
  13. Authentication methods
     • Username/password
     • Tokens (hardware/software)
     • Biometrics (retina/fingerprint/voice)
  14. Access attacks
     • Protocol analysis
     • DoS attacks (Smurf/SYN flood/DDoS)
     • Spoofing
  15. Appendix
     • Preventive access control
     • Deterrent access control
     • Detective access control
     • Corrective access control
     • Recovery access control
     • Compensating access control
     • Directive access control
     • Administrative access controls
     • Logical/technical access controls
     • Physical access controls
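The Bell-LaPadula and Biba rules from slides 10 and 11, as an added example that is not part of the original presentation. It assumes the ordering TS > S > C > P for the labels the Bell-LaPadula slide shows, and reuses the same lattice as integrity levels for Biba.

```python
# Added example (not from the slides): reference-monitor checks for the
# Bell-LaPadula and Biba models over the four levels TS, S, C, P.
# Assumption: the slide only lists the labels; the order TS > S > C > P
# and its reuse as Biba integrity levels are assumed here.

LEVELS = {"P": 0, "C": 1, "S": 2, "TS": 3}


def blp_allows(subject: str, obj: str, op: str) -> bool:
    """Bell-LaPadula (confidentiality).

    read : simple security property, no read up  (subject >= object)
    write: *-property, no write down (no downgrade) (subject <= object)
    """
    s, o = LEVELS[subject], LEVELS[obj]
    if op == "read":
        return s >= o
    if op == "write":
        return s <= o
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: str, obj: str, op: str) -> bool:
    """Biba (integrity): the dual of Bell-LaPadula.

    read : no read down  (subject <= object)
    write: no write up   (subject >= object)
    """
    s, o = LEVELS[subject], LEVELS[obj]
    if op == "read":
        return s <= o
    if op == "write":
        return s >= o
    raise ValueError(f"unknown operation {op!r}")


def audit(requests):
    """Run (subject, object, op) requests through both models; return decisions."""
    return [(subj, obj, op, blp_allows(subj, obj, op), biba_allows(subj, obj, op))
            for subj, obj, op in requests]


if __name__ == "__main__":
    # Constructed sample requests: (subject level, object level, operation)
    sample = [("S", "TS", "read"), ("TS", "C", "write"), ("C", "C", "write"), ("P", "TS", "read")]
    for subj, obj, op, blp, biba in audit(sample):
        verdict = lambda ok: "allow" if ok else "deny"
        print(f"{subj:>2} {op:5} {obj:<2}  BLP={verdict(blp):5}  Biba={verdict(biba)}")
```

The same request is often allowed by one model and denied by the other, which is why a system needing both confidentiality and integrity cannot use a single lattice check.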
