Uploaded byprimeteacher32
PPTX, PDF26,324 views

Access Controls

This document discusses access controls and various access control models. It defines access control as granting or denying approval to use specific resources. It describes common access control models like discretionary access control (DAC), mandatory access control (MAC), and role-based access control (RBAC). It also discusses access control terminology, technical processes, and best practices for implementing access controls.

Embed presentation

Downloaded 722 times
ACCESS CONTROLS
INTRODUCTION • USERS FIRST MUST BE IDENTIFIED AS AUTHORIZED USER, SUCH AS BY LOGGING IN WITH USER NAME AND PASSWORD TO LAPTOP COMPUTER • BECAUSE LAPTOP CONNECTS TO CORPORATE NETWORK THAT CONTAINS CRITICAL DATA, IMPORTANT ALSO TO RESTRICT USER ACCESS TO ONLY SOFTWARE, HARDWARE, AND OTHER RESOURCES FOR WHICH USER HAS BEEN APPROVED • THESE TWO ACTS—AUTHENTICATING ONLY APPROVED USERS AND CONTROLLING THEIR ACCESS TO RESOURCES—ARE IMPORTANT FOUNDATIONS IN INFORMATION SECURITY
WHAT IS ACCESS CONTROL? • ACCESS CONTROL - GRANTING OR DENYING APPROVAL TO USE SPECIFIC RESOURCES; IT IS CONTROLLING ACCESS • PHYSICAL ACCESS CONTROL - FENCING, HARDWARE DOOR LOCKS, AND MANTRAPS THAT LIMIT CONTACT WITH DEVICES • TECHNICAL ACCESS CONTROL - TECHNOLOGY RESTRICTIONS THAT LIMIT USERS ON COMPUTERS FROM ACCESSING DATA
ACCESS CONTROL TERMINOLOGY • IDENTIFICATION - PRESENTING CREDENTIALS (EXAMPLE: DELIVERY DRIVER PRESENTING EMPLOYEE BADGE) • AUTHENTICATION - CHECKING CREDENTIALS (EXAMPLE: EXAMINING THE DELIVERY DRIVER’S BADGE) • AUTHORIZATION - GRANTING PERMISSION TO TAKE ACTION (EXAMPLE: ALLOWING DELIVERY DRIVER TO PICK UP PACKAGE)
TECHNICAL ACCESS CONTROL PROCESS
ACCESS CONTROL MODELS • ACCESS CONTROL MODEL - HARDWARE AND SOFTWARE PREDEFINED FRAMEWORK THAT CUSTODIAN CAN USE FOR CONTROLLING ACCESS • ACCESS CONTROL MODELS USED BY CUSTODIANS FOR ACCESS CONTROL ARE NEITHER CREATED NOR INSTALLED BY CUSTODIANS OR USERS; INSTEAD, THESE MODELS ARE ALREADY PART OF SOFTWARE AND HARDWARE. • ACCESS CONTROL MODELS • DAC - LEAST RESTRICTIVE MODEL • MAC - OPPOSITE OF DAC AND IS MOST RESTRICTIVE ACCESS CONTROL MODEL • UAC - USER/ADMIN LEVEL MODEL THAT NOTIFIES OR REQUIRES AUTHENTICATION PRIOR TO GRANTING ACCESS
DISCRETIONARY ACCESS CONTROL (DAC) • DISCRETIONARY ACCESS CONTROL (DAC) - LEAST RESTRICTIVE MODEL • EVERY OBJECT HAS OWNER, WHO HAS TOTAL CONTROL OVER THAT OBJECT • OWNERS CAN CREATE AND ACCESS THEIR OBJECTS FREELY • OWNER CAN GIVE PERMISSIONS TO OTHER SUBJECTS OVER THESE OBJECTS • DAC USED ON OPERATING SYSTEMS LIKE UNIX AND MICROSOFT WINDOWS • DAC HAS TWO SIGNIFICANT WEAKNESSES: • DAC RELIES ON DECISIONS BY END-USER TO SET PROPER LEVEL OF SECURITY; INCORRECT PERMISSIONS MIGHT BE GRANTED TO SUBJECT OR PERMISSIONS MIGHT BE GIVEN TO UNAUTHORIZED SUBJECT • SUBJECT’S PERMISSIONS WILL BE “INHERITED” BY ANY PROGRAMS THAT SUBJECT EXECUTES; ATTACKERS OFTEN TAKE ADVANTAGE OF THIS INHERITANCE BECAUSE END-USERS
MANDATORY ACCESS CONTROL (MAC) • MANDATORY ACCESS CONTROL (MAC) - OPPOSITE OF DAC AND IS MOST RESTRICTIVE ACCESS CONTROL MODEL • MAC ASSIGNS USERS’ ACCESS CONTROLS STRICTLY ACCORDING TO CUSTODIAN’S DESIRES AND USER HAS NO FREEDOM TO SET ANY CONTROLS • TWO KEY ELEMENTS TO MAC: • LABELS - EVERY ENTITY IS AN OBJECT (LAPTOPS, FILES, PROJECTS, AND SO ON) AND ASSIGNED CLASSIFICATION LABEL (CONFIDENTIAL, SECRET, AND TOP SECRET) WHILE SUBJECTS ASSIGNED PRIVILEGE LABEL (A CLEARANCE) • LEVELS - HIERARCHY BASED ON LABELS IS ALSO USED, BOTH FOR OBJECTS AND SUBJECTS (TOP SECRET HIGHER LEVEL THAN SECRET)
MANDATORY ACCESS CONTROL (MAC): MAJOR IMPLEMENTATIONS • LATTICE MODEL - SUBJECTS AND OBJECTS ARE ASSIGNED “RUNG” ON LATTICE AND MULTIPLE LATTICES CAN BE PLACED BESIDE EACH OTHER • BELL-LAPADULA - SIMILAR TO LATTICE MODEL BUT SUBJECTS MAY NOT CREATE NEW OBJECT OR PERFORM SPECIFIC FUNCTIONS ON LOWER LEVEL OBJECTS • BIBA INTEGRITY MODEL - GOES BEYOND BLP MODEL AND ADDS PROTECTING DATA INTEGRITY AND CONFIDENTIALITY • MANDATORY INTEGRITY CONTROL (MIC) - BASED ON BIBA MODEL, MIC ENSURES DATA INTEGRITY BY CONTROLLING ACCESS TO SECURABLE OBJECTS
WINDOWS USER ACCOUNT CONTROL (UAC)
ROLE BASED ACCESS CONTROL (RBAC) • ROLE BASED ACCESS CONTROL (RBAC) - CONSIDERED MORE “REAL-WORLD” ACCESS CONTROL THAN OTHER MODELS BECAUSE ACCESS BASED ON USER’S JOB FUNCTION WITHIN ORGANIZATION • INSTEAD OF SETTING PERMISSIONS FOR EACH USER OR GROUP ASSIGNS PERMISSIONS TO PARTICULAR ROLES IN ORGANIZATION AND THEN ASSIGNS USERS TO THOSE ROLES • OBJECTS ARE SET TO BE A CERTAIN TYPE, TO WHICH SUBJECTS WITH THAT PARTICULAR ROLE HAVE ACCESS • SUBJECTS MAY HAVE MULTIPLE ROLES ASSIGNED TO THEM
RULE BASED ACCESS CONTROL (RBAC) • RULE BASED ACCESS CONTROL (RBAC) - DYNAMICALLY ASSIGN ROLES TO SUBJECTS BASED ON SET OF RULES DEFINED BY CUSTODIAN • EACH RESOURCE OBJECT CONTAINS SET OF ACCESS PROPERTIES BASED ON RULES • WHEN USER ATTEMPTS TO ACCESS THAT RESOURCE, SYSTEM CHECKS RULES CONTAINED IN OBJECT TO DETERMINE IF ACCESS IS PERMISSIBLE
ACCESS CONTROL MODELS
BEST PRACTICES FOR ACCESS CONTROL • ESTABLISHING BEST PRACTICES FOR LIMITING ACCESS CAN HELP SECURE SYSTEMS AND DATA • A FEW BEST PRACTICES: • SEPARATION OF DUTIES - NOT TO GIVE ONE PERSON TOTAL CONTROL • JOB ROTATION - INDIVIDUALS PERIODICALLY MOVED BETWEEN JOB RESPONSIBILITIES • LEAST PRIVILEGE - LIMITING ACCESS TO INFORMATION BASED ON WHAT IS NEEDED TO PERFORM A JOB FUNCTION • IMPLICIT DENY - IF CONDITION IS NOT EXPLICITLY MET, ACCESS REQUEST IS REJECTED • MANDATORY VACATIONS - LIMITS FRAUD, BECAUSE PERPETRATOR MUST BE PRESENT DAILY TO HIDE FRAUDULENT ACTIONS
IMPLEMENTING ACCESS CONTROL • NOW THAT WE HAVE DISCUSSED THE MODELS THAT CAN BE IMPLEMENTED IT IS TIME TO EXAMINE THE TECHNOLOGIES USED TO IMPLEMENT ACCESS CONTROL: • ACCESS CONTROL LISTS • GROUP POLICY • ACCOUNT RESTRICTIONS
ACCESS CONTROL LISTS (ACLS) • ACCESS CONTROL LIST (ACL) - SET OF PERMISSIONS ATTACHED TO AN OBJECT • SPECIFIES WHICH SUBJECTS MAY ACCESS THE OBJECT AND WHAT OPERATIONS THEY CAN PERFORM • WHEN SUBJECT REQUESTS TO PERFORM AN OPERATION SYSTEM CHECKS ACL FOR AN APPROVED ENTRY • ACLS USUALLY VIEWED IN RELATION TO OPERATING SYSTEM FILES • EACH ENTRY IN THE ACL TABLE IS CALLED ACCESS CONTROL ENTRY (ACE) • ACE STRUCTURE (WINDOWS) • SECURITY IDENTIFIER FOR THE USER OR GROUP ACCOUNT OR LOGON SESSION • ACCESS MASK THAT SPECIFIES ACCESS RIGHTS CONTROLLED BY ACE • FLAG THAT INDICATES TYPE OF ACE
ACCESS CONTROL LIST (ACLS): LIMITATIONS • ALTHOUGH WIDELY USED, ACLS HAVE LIMITATIONS: • USING ACLS IS NOT EFFICIENT - ACL FOR EACH FILE, PROCESS, OR RESOURCE MUST BE CHECKED EVERY TIME THE RESOURCE IS ACCESSED. • CAN BE DIFFICULT TO MANAGE IN AN ENTERPRISE SETTING WHERE MANY USERS NEED TO HAVE DIFFERENT LEVELS OF ACCESS TO MANY DIFFERENT RESOURCES; SELECTIVELY ADDING, DELETING, AND CHANGING ACLS ON INDIVIDUAL FILES, OR EVEN GROUPS OF FILES, CAN BE TIME-CONSUMING AND OPEN TO ERRORS, PARTICULARLY IF CHANGES MUST BE MADE FREQUENTLY
GROUP POLICIES • GROUP POLICY - MICROSOFT WINDOWS FEATURE THAT PROVIDES CENTRALIZED MANAGEMENT AND CONFIGURATION OF COMPUTERS AND REMOTE USERS USING ACTIVE DIRECTORY (AD) • USUALLY USED IN ENTERPRISE ENVIRONMENTS • SETTINGS STORED IN GROUP POLICY OBJECTS (GPOS) • LOCAL GROUP POLICY HAS FEWER OPTIONS THAN A GROUP POLICY AND USED TO CONFIGURE SETTINGS FOR SYSTEMS NOT PART OF AD
ACCOUNT RESTRICTIONS TIME OF DAY RESTRICTIONS • TIME OF DAY RESTRICTIONS - LIMITS THE TIME OF DAY A USER MAY LOG ONTO A SYSTEM • TIME BLOCKS FOR PERMITTED ACCESS ARE CHOSEN • CAN BE SET ON INDIVIDUAL SYSTEMS ACCOUNT EXPIRATION RESTRICTIONS • ORPHANED ACCOUNTS - ACCOUNTS THAT REMAIN ACTIVE AFTER EMPLOYEE HAS LEFT ORGANIZATION • DORMANT ACCOUNTS – ACCOUNTS NOT ACCESSED FOR LENGTHY PERIOD OF TIME • BOTH CAN BE SECURITY RISKS • ACCOUNT EXPIRATION - PROCESS OF SETTING A USER’S ACCOUNT TO EXPIRE • ACCOUNT EXPIRATION CAN BE EXPLICIT (ACCOUNT EXPIRES ON A SET DATE) OR BASED ON SPECIFIC NUMBER OF DAYS OF INACTIVITY

More Related Content

PDF
Access Control Presentation
byWajahat Rajab
 
PPT
2. access control
by7wounders
 
PDF
An overview of access control
byElimity
 
PPT
Ch07 Access Control Fundamentals
byInformation Technology
 
PPT
Information Security Principles - Access Control
byidingolay
 
PPTX
Introduction to Network Security
byJohn Ely Masculino
 
PPT
Design for security in operating system
byBhagyashree Barde
 
PPTX
Unauthorized access and use
bychrispaul8676
 
Access Control Presentation
byWajahat Rajab
 
2. access control
by7wounders
 
An overview of access control
byElimity
 
Ch07 Access Control Fundamentals
byInformation Technology
 
Information Security Principles - Access Control
byidingolay
 
Introduction to Network Security
byJohn Ely Masculino
 
Design for security in operating system
byBhagyashree Barde
 
Unauthorized access and use
bychrispaul8676
 

What's hot

PPT
Network security
byGichelle Amon
 
PPTX
User authentication
byCAS
 
PDF
Network Security Fundamentals
byRahmat Suhatman
 
PPTX
Types of attacks
byVivek Gandhi
 
PPSX
Security policies
byNishant Pahad
 
PPTX
Firewall ppt
byOECLIB Odisha Electronics Control Library
 
PPTX
Network security
byEstiak Khan
 
PPTX
What is Penetration Testing?
bybtpsec
 
PPT
Introduction to Cyber Security
byStephen Lahanas
 
PPTX
Firewall in Network Security
bylalithambiga kamaraj
 
PPTX
Mobile Device Security
byNemwos
 
PPT
IT Security management and risk assessment
byCAS
 
PPTX
Network defenses
byPrachi Gulihar
 
PPTX
Network security
byMadhumithah Ilango
 
PDF
Authentication techniques
byIGZ Software house
 
PPTX
Cryptography and Information Security
byDr Naim R Kidwai
 
PPT
Security models
byLJ PROJECTS
 
PPTX
Intrusion detection and prevention system
byNikhil Raj
 
PPTX
System security
bysommerville-videos
 
PPTX
Operating System Security
byRamesh Upadhaya
 
Network security
byGichelle Amon
 
User authentication
byCAS
 
Network Security Fundamentals
byRahmat Suhatman
 
Types of attacks
byVivek Gandhi
 
Security policies
byNishant Pahad
 
Firewall ppt
byOECLIB Odisha Electronics Control Library
 
Network security
byEstiak Khan
 
What is Penetration Testing?
bybtpsec
 
Introduction to Cyber Security
byStephen Lahanas
 
Firewall in Network Security
bylalithambiga kamaraj
 
Mobile Device Security
byNemwos
 
IT Security management and risk assessment
byCAS
 
Network defenses
byPrachi Gulihar
 
Network security
byMadhumithah Ilango
 
Authentication techniques
byIGZ Software house
 
Cryptography and Information Security
byDr Naim R Kidwai
 
Security models
byLJ PROJECTS
 
Intrusion detection and prevention system
byNikhil Raj
 
System security
bysommerville-videos
 
Operating System Security
byRamesh Upadhaya
 

Viewers also liked

PPSX
8 Access Control
byAlfred Ouyang
 
PPTX
Chapter 9: Access Control Management
byNada G.Youssef
 
PDF
Access Control Models: Controlling Resource Authorization
byMark Niebergall
 
PPT
Attribute Based Access Control
byChandra Sharma
 
PDF
Attribute based access control
byElimity
 
PPSX
Multiple access control protocol
bymeenamunesh
 
PPTX
Rule-Based Access-Control Evaluation through Model-Transformation
byJordi Cabot
 
PPT
Intro To Access Controls
byHari Pudipeddi
 
8 Access Control
byAlfred Ouyang
 
Chapter 9: Access Control Management
byNada G.Youssef
 
Access Control Models: Controlling Resource Authorization
byMark Niebergall
 
Attribute Based Access Control
byChandra Sharma
 
Attribute based access control
byElimity
 
Multiple access control protocol
bymeenamunesh
 
Rule-Based Access-Control Evaluation through Model-Transformation
byJordi Cabot
 
Intro To Access Controls
byHari Pudipeddi
 

Similar to Access Controls

PPT
4_5949547032388570388.ppt
byMohammedMohammed578197
 
PPT
Access Control
byazida3
 
PPTX
Abac and the evolution of access control
byAkbar Azwir, MM, PMP, PMI-SP, PSM I, CISSP
 
PPTX
009 Authentication and Access Control.pptx
byAssadLeo1
 
PPTX
Week No 13 Access Control Part 1.pptx
byXhamiiiCH
 
PDF
Access Control Fundamentals
bySetiya Nugroho
 
PPTX
Access Control for Database Priciples IS
byerricnocteam
 
PPTX
Lecture-12-ACL_information_Security.pptx
byhomecooking511
 
PPT
lecture7-accesscontroool_ct1405.pptx.ppt
bymaneltighiouart7
 
PPT
Access control mechanism (DAC, MAC and RBAC).ppt
byDAKSHATAPANCHAL2
 
PPTX
Security policy(DAS, MAS, PAS) model [in]
byErAnilKumarGupta1
 
PPT
access control information security professor hossein saiedian fall 2014
bymaneltighiouart7
 
PPTX
484444398-Chapter-11-Access-Control-Fundamentals.pptx
bysomeoneelse1981
 
PPTX
Access Control in internet and computer science.pptx
bymoromoro8
 
PPT
Chapter 5-Security Mechanisms and Techniques.ppt
byLina Shimelis
 
PPT
AccessControl.ppt
byDAKSHATAPANCHAL2
 
PPT
Access control (authorisation) in distributed systems.ppt
byangeldna767
 
PPT
Access control (authorization) in distributed systems.ppt
byDesalegn70
 
PDF
access-control-week-2
byjemtallon
 
PPT
14-accessCtrl.ppt
byCNSHacking
 
4_5949547032388570388.ppt
byMohammedMohammed578197
 
Access Control
byazida3
 
Abac and the evolution of access control
byAkbar Azwir, MM, PMP, PMI-SP, PSM I, CISSP
 
009 Authentication and Access Control.pptx
byAssadLeo1
 
Week No 13 Access Control Part 1.pptx
byXhamiiiCH
 
Access Control Fundamentals
bySetiya Nugroho
 
Access Control for Database Priciples IS
byerricnocteam
 
Lecture-12-ACL_information_Security.pptx
byhomecooking511
 
lecture7-accesscontroool_ct1405.pptx.ppt
bymaneltighiouart7
 
Access control mechanism (DAC, MAC and RBAC).ppt
byDAKSHATAPANCHAL2
 
Security policy(DAS, MAS, PAS) model [in]
byErAnilKumarGupta1
 
access control information security professor hossein saiedian fall 2014
bymaneltighiouart7
 
484444398-Chapter-11-Access-Control-Fundamentals.pptx
bysomeoneelse1981
 
Access Control in internet and computer science.pptx
bymoromoro8
 
Chapter 5-Security Mechanisms and Techniques.ppt
byLina Shimelis
 
AccessControl.ppt
byDAKSHATAPANCHAL2
 
Access control (authorisation) in distributed systems.ppt
byangeldna767
 
Access control (authorization) in distributed systems.ppt
byDesalegn70
 
access-control-week-2
byjemtallon
 
14-accessCtrl.ppt
byCNSHacking
 

More from primeteacher32

PPTX
Windows File Systems
byprimeteacher32
 
PPTX
Input Validation
byprimeteacher32
 
PPTX
Introduction to Repetition Structures
byprimeteacher32
 
PPTX
Variable Scope
byprimeteacher32
 
PPTX
Function Parameters
byprimeteacher32
 
PPT
Hardware vs. Software Presentations
byprimeteacher32
 
PPTX
Variables and User Input
byprimeteacher32
 
PPT
Software Development Life Cycle
byprimeteacher32
 
PPT
Intro to Python with GPIO
byprimeteacher32
 
PPTX
Variables and Statements
byprimeteacher32
 
PPTX
Returning Data
byprimeteacher32
 
PPT
Conditional Loops
byprimeteacher32
 
PPTX
Nested Loops
byprimeteacher32
 
PPTX
Introduction to GUIs with guizero
byprimeteacher32
 
PPTX
Conditionals
byprimeteacher32
 
PPTX
Intro to Functions
byprimeteacher32
 
PPTX
Nesting Conditionals
byprimeteacher32
 
PPTX
Block chain security
byprimeteacher32
 
PPT
Intro to Python
byprimeteacher32
 
PPTX
Raspberry Pi
byprimeteacher32
 
Windows File Systems
byprimeteacher32
 
Input Validation
byprimeteacher32
 
Introduction to Repetition Structures
byprimeteacher32
 
Variable Scope
byprimeteacher32
 
Function Parameters
byprimeteacher32
 
Hardware vs. Software Presentations
byprimeteacher32
 
Variables and User Input
byprimeteacher32
 
Software Development Life Cycle
byprimeteacher32
 
Intro to Python with GPIO
byprimeteacher32
 
Variables and Statements
byprimeteacher32
 
Returning Data
byprimeteacher32
 
Conditional Loops
byprimeteacher32
 
Nested Loops
byprimeteacher32
 
Introduction to GUIs with guizero
byprimeteacher32
 
Conditionals
byprimeteacher32
 
Intro to Functions
byprimeteacher32
 
Nesting Conditionals
byprimeteacher32
 
Block chain security
byprimeteacher32
 
Intro to Python
byprimeteacher32
 
Raspberry Pi
byprimeteacher32
 

Recently uploaded

PDF
reStartEvents January 22nd TS:SCI & Above Employer Directory.pdf
byKen Fuller
 
PDF
AWS Solutions Architect Certification Training Guide – Sterling Next.pdf
byStreling next pvt ltd
 
PDF
Physics_pRAC_2026.pdf .
byasunaimana
 
PDF
Interview Interview Preparation Plan - Group product Manager - Netflix.pdf
byRicardoGuia5
 
PDF
GLOMERULONEPHRITIS in pathology for Bsc nursing 4th semester
byKrutibasSwain
 
PDF
BCG Attorney Search's Top 24 Law Firm Interview Tips
byBCG Attorney Search
 
PDF
Top 10 Home and Online Tutoring Platforms in Karnataka for Teachers.pdf
byDigital Marketing Services India
 
PDF
Ethical hacking in preventing cyber attacks.pdf
byKarthikaTs7
 
PDF
Top 10 Home and Online Tutoring Platforms in Telangana for Teachers.pdf
byDigital Marketing Services India
 
PPTX
Isaac Mentouri A Story of Curiosity, Learning, and Giving Back
byirishlion789
 
PPTX
Individual_Development_Plan_-_Guide_and_Template.pptx
byAUBREYSINGANYAMA1
 
PDF
Lecture 4 AI.pdfgggfggghggffgvvvcgggggdggf
bymohammeedd2000d
 
PPTX
-Thinking-Skills-Decision-Making-Process-PPT.pptx
bySoniaAniruddhTyagi
 
PDF
BCG Attorney Search's The Five Most Important Questions to Ask
byBCG Attorney Search
 
PPTX
The PhD Viva Voice Presentation on Coercive Diplomacy
byBhuwanesworpant2
 
PPTX
CareerOptionsAfterHSCCommerceMumbaiNEP2020pptx.pptx
byABDUL RASHEED MOHAMMED MOGHEES
 
DOCX
To prepare and dispense one packet ORS Powder for One liter water (Pharmacy E...
bykopalsharma85
 
PPTX
9-Breakeaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaven-Point.pptx
bydominicdaltoncaling2
 
PPTX
583395073-Presentation-on-Artificial-intelligence.pptx
byPRAVEENRAI365425
 
DOCX
CIPRA-OUTPUT-Gap-Analysis-template-schools-finally-edited.docx
bySarahJaneBarcelona
 
reStartEvents January 22nd TS:SCI & Above Employer Directory.pdf
byKen Fuller
 
AWS Solutions Architect Certification Training Guide – Sterling Next.pdf
byStreling next pvt ltd
 
Physics_pRAC_2026.pdf .
byasunaimana
 
Interview Interview Preparation Plan - Group product Manager - Netflix.pdf
byRicardoGuia5
 
GLOMERULONEPHRITIS in pathology for Bsc nursing 4th semester
byKrutibasSwain
 
BCG Attorney Search's Top 24 Law Firm Interview Tips
byBCG Attorney Search
 
Top 10 Home and Online Tutoring Platforms in Karnataka for Teachers.pdf
byDigital Marketing Services India
 
Ethical hacking in preventing cyber attacks.pdf
byKarthikaTs7
 
Top 10 Home and Online Tutoring Platforms in Telangana for Teachers.pdf
byDigital Marketing Services India
 
Isaac Mentouri A Story of Curiosity, Learning, and Giving Back
byirishlion789
 
Individual_Development_Plan_-_Guide_and_Template.pptx
byAUBREYSINGANYAMA1
 
Lecture 4 AI.pdfgggfggghggffgvvvcgggggdggf
bymohammeedd2000d
 
-Thinking-Skills-Decision-Making-Process-PPT.pptx
bySoniaAniruddhTyagi
 
BCG Attorney Search's The Five Most Important Questions to Ask
byBCG Attorney Search
 
The PhD Viva Voice Presentation on Coercive Diplomacy
byBhuwanesworpant2
 
CareerOptionsAfterHSCCommerceMumbaiNEP2020pptx.pptx
byABDUL RASHEED MOHAMMED MOGHEES
 
To prepare and dispense one packet ORS Powder for One liter water (Pharmacy E...
bykopalsharma85
 
9-Breakeaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaven-Point.pptx
bydominicdaltoncaling2
 
583395073-Presentation-on-Artificial-intelligence.pptx
byPRAVEENRAI365425
 
CIPRA-OUTPUT-Gap-Analysis-template-schools-finally-edited.docx
bySarahJaneBarcelona
 

Access Controls

  • 1.
  • 2.
    INTRODUCTION • USERS FIRSTMUST BE IDENTIFIED AS AUTHORIZED USER, SUCH AS BY LOGGING IN WITH USER NAME AND PASSWORD TO LAPTOP COMPUTER • BECAUSE LAPTOP CONNECTS TO CORPORATE NETWORK THAT CONTAINS CRITICAL DATA, IMPORTANT ALSO TO RESTRICT USER ACCESS TO ONLY SOFTWARE, HARDWARE, AND OTHER RESOURCES FOR WHICH USER HAS BEEN APPROVED • THESE TWO ACTS—AUTHENTICATING ONLY APPROVED USERS AND CONTROLLING THEIR ACCESS TO RESOURCES—ARE IMPORTANT FOUNDATIONS IN INFORMATION SECURITY
  • 3.
    WHAT IS ACCESSCONTROL? • ACCESS CONTROL - GRANTING OR DENYING APPROVAL TO USE SPECIFIC RESOURCES; IT IS CONTROLLING ACCESS • PHYSICAL ACCESS CONTROL - FENCING, HARDWARE DOOR LOCKS, AND MANTRAPS THAT LIMIT CONTACT WITH DEVICES • TECHNICAL ACCESS CONTROL - TECHNOLOGY RESTRICTIONS THAT LIMIT USERS ON COMPUTERS FROM ACCESSING DATA
  • 4.
    ACCESS CONTROL TERMINOLOGY •IDENTIFICATION - PRESENTING CREDENTIALS (EXAMPLE: DELIVERY DRIVER PRESENTING EMPLOYEE BADGE) • AUTHENTICATION - CHECKING CREDENTIALS (EXAMPLE: EXAMINING THE DELIVERY DRIVER’S BADGE) • AUTHORIZATION - GRANTING PERMISSION TO TAKE ACTION (EXAMPLE: ALLOWING DELIVERY DRIVER TO PICK UP PACKAGE)
  • 5.
  • 6.
    ACCESS CONTROL MODELS •ACCESS CONTROL MODEL - HARDWARE AND SOFTWARE PREDEFINED FRAMEWORK THAT CUSTODIAN CAN USE FOR CONTROLLING ACCESS • ACCESS CONTROL MODELS USED BY CUSTODIANS FOR ACCESS CONTROL ARE NEITHER CREATED NOR INSTALLED BY CUSTODIANS OR USERS; INSTEAD, THESE MODELS ARE ALREADY PART OF SOFTWARE AND HARDWARE. • ACCESS CONTROL MODELS • DAC - LEAST RESTRICTIVE MODEL • MAC - OPPOSITE OF DAC AND IS MOST RESTRICTIVE ACCESS CONTROL MODEL • UAC - USER/ADMIN LEVEL MODEL THAT NOTIFIES OR REQUIRES AUTHENTICATION PRIOR TO GRANTING ACCESS
  • 7.
    DISCRETIONARY ACCESS CONTROL(DAC) • DISCRETIONARY ACCESS CONTROL (DAC) - LEAST RESTRICTIVE MODEL • EVERY OBJECT HAS OWNER, WHO HAS TOTAL CONTROL OVER THAT OBJECT • OWNERS CAN CREATE AND ACCESS THEIR OBJECTS FREELY • OWNER CAN GIVE PERMISSIONS TO OTHER SUBJECTS OVER THESE OBJECTS • DAC USED ON OPERATING SYSTEMS LIKE UNIX AND MICROSOFT WINDOWS • DAC HAS TWO SIGNIFICANT WEAKNESSES: • DAC RELIES ON DECISIONS BY END-USER TO SET PROPER LEVEL OF SECURITY; INCORRECT PERMISSIONS MIGHT BE GRANTED TO SUBJECT OR PERMISSIONS MIGHT BE GIVEN TO UNAUTHORIZED SUBJECT • SUBJECT’S PERMISSIONS WILL BE “INHERITED” BY ANY PROGRAMS THAT SUBJECT EXECUTES; ATTACKERS OFTEN TAKE ADVANTAGE OF THIS INHERITANCE BECAUSE END-USERS
  • 8.
    MANDATORY ACCESS CONTROL(MAC) • MANDATORY ACCESS CONTROL (MAC) - OPPOSITE OF DAC AND IS MOST RESTRICTIVE ACCESS CONTROL MODEL • MAC ASSIGNS USERS’ ACCESS CONTROLS STRICTLY ACCORDING TO CUSTODIAN’S DESIRES AND USER HAS NO FREEDOM TO SET ANY CONTROLS • TWO KEY ELEMENTS TO MAC: • LABELS - EVERY ENTITY IS AN OBJECT (LAPTOPS, FILES, PROJECTS, AND SO ON) AND ASSIGNED CLASSIFICATION LABEL (CONFIDENTIAL, SECRET, AND TOP SECRET) WHILE SUBJECTS ASSIGNED PRIVILEGE LABEL (A CLEARANCE) • LEVELS - HIERARCHY BASED ON LABELS IS ALSO USED, BOTH FOR OBJECTS AND SUBJECTS (TOP SECRET HIGHER LEVEL THAN SECRET)
  • 9.
    MANDATORY ACCESS CONTROL(MAC): MAJOR IMPLEMENTATIONS • LATTICE MODEL - SUBJECTS AND OBJECTS ARE ASSIGNED “RUNG” ON LATTICE AND MULTIPLE LATTICES CAN BE PLACED BESIDE EACH OTHER • BELL-LAPADULA - SIMILAR TO LATTICE MODEL BUT SUBJECTS MAY NOT CREATE NEW OBJECT OR PERFORM SPECIFIC FUNCTIONS ON LOWER LEVEL OBJECTS • BIBA INTEGRITY MODEL - GOES BEYOND BLP MODEL AND ADDS PROTECTING DATA INTEGRITY AND CONFIDENTIALITY • MANDATORY INTEGRITY CONTROL (MIC) - BASED ON BIBA MODEL, MIC ENSURES DATA INTEGRITY BY CONTROLLING ACCESS TO SECURABLE OBJECTS
  • 10.
    WINDOWS USER ACCOUNTCONTROL (UAC)
  • 11.
    ROLE BASED ACCESSCONTROL (RBAC) • ROLE BASED ACCESS CONTROL (RBAC) - CONSIDERED MORE “REAL-WORLD” ACCESS CONTROL THAN OTHER MODELS BECAUSE ACCESS BASED ON USER’S JOB FUNCTION WITHIN ORGANIZATION • INSTEAD OF SETTING PERMISSIONS FOR EACH USER OR GROUP ASSIGNS PERMISSIONS TO PARTICULAR ROLES IN ORGANIZATION AND THEN ASSIGNS USERS TO THOSE ROLES • OBJECTS ARE SET TO BE A CERTAIN TYPE, TO WHICH SUBJECTS WITH THAT PARTICULAR ROLE HAVE ACCESS • SUBJECTS MAY HAVE MULTIPLE ROLES ASSIGNED TO THEM
  • 12.
    RULE BASED ACCESSCONTROL (RBAC) • RULE BASED ACCESS CONTROL (RBAC) - DYNAMICALLY ASSIGN ROLES TO SUBJECTS BASED ON SET OF RULES DEFINED BY CUSTODIAN • EACH RESOURCE OBJECT CONTAINS SET OF ACCESS PROPERTIES BASED ON RULES • WHEN USER ATTEMPTS TO ACCESS THAT RESOURCE, SYSTEM CHECKS RULES CONTAINED IN OBJECT TO DETERMINE IF ACCESS IS PERMISSIBLE
  • 13.
  • 14.
    BEST PRACTICES FORACCESS CONTROL • ESTABLISHING BEST PRACTICES FOR LIMITING ACCESS CAN HELP SECURE SYSTEMS AND DATA • A FEW BEST PRACTICES: • SEPARATION OF DUTIES - NOT TO GIVE ONE PERSON TOTAL CONTROL • JOB ROTATION - INDIVIDUALS PERIODICALLY MOVED BETWEEN JOB RESPONSIBILITIES • LEAST PRIVILEGE - LIMITING ACCESS TO INFORMATION BASED ON WHAT IS NEEDED TO PERFORM A JOB FUNCTION • IMPLICIT DENY - IF CONDITION IS NOT EXPLICITLY MET, ACCESS REQUEST IS REJECTED • MANDATORY VACATIONS - LIMITS FRAUD, BECAUSE PERPETRATOR MUST BE PRESENT DAILY TO HIDE FRAUDULENT ACTIONS
  • 15.
    IMPLEMENTING ACCESS CONTROL •NOW THAT WE HAVE DISCUSSED THE MODELS THAT CAN BE IMPLEMENTED IT IS TIME TO EXAMINE THE TECHNOLOGIES USED TO IMPLEMENT ACCESS CONTROL: • ACCESS CONTROL LISTS • GROUP POLICY • ACCOUNT RESTRICTIONS
  • 16.
    ACCESS CONTROL LISTS(ACLS) • ACCESS CONTROL LIST (ACL) - SET OF PERMISSIONS ATTACHED TO AN OBJECT • SPECIFIES WHICH SUBJECTS MAY ACCESS THE OBJECT AND WHAT OPERATIONS THEY CAN PERFORM • WHEN SUBJECT REQUESTS TO PERFORM AN OPERATION SYSTEM CHECKS ACL FOR AN APPROVED ENTRY • ACLS USUALLY VIEWED IN RELATION TO OPERATING SYSTEM FILES • EACH ENTRY IN THE ACL TABLE IS CALLED ACCESS CONTROL ENTRY (ACE) • ACE STRUCTURE (WINDOWS) • SECURITY IDENTIFIER FOR THE USER OR GROUP ACCOUNT OR LOGON SESSION • ACCESS MASK THAT SPECIFIES ACCESS RIGHTS CONTROLLED BY ACE • FLAG THAT INDICATES TYPE OF ACE
  • 17.
    ACCESS CONTROL LIST(ACLS): LIMITATIONS • ALTHOUGH WIDELY USED, ACLS HAVE LIMITATIONS: • USING ACLS IS NOT EFFICIENT - ACL FOR EACH FILE, PROCESS, OR RESOURCE MUST BE CHECKED EVERY TIME THE RESOURCE IS ACCESSED. • CAN BE DIFFICULT TO MANAGE IN AN ENTERPRISE SETTING WHERE MANY USERS NEED TO HAVE DIFFERENT LEVELS OF ACCESS TO MANY DIFFERENT RESOURCES; SELECTIVELY ADDING, DELETING, AND CHANGING ACLS ON INDIVIDUAL FILES, OR EVEN GROUPS OF FILES, CAN BE TIME-CONSUMING AND OPEN TO ERRORS, PARTICULARLY IF CHANGES MUST BE MADE FREQUENTLY
  • 18.
    GROUP POLICIES • GROUPPOLICY - MICROSOFT WINDOWS FEATURE THAT PROVIDES CENTRALIZED MANAGEMENT AND CONFIGURATION OF COMPUTERS AND REMOTE USERS USING ACTIVE DIRECTORY (AD) • USUALLY USED IN ENTERPRISE ENVIRONMENTS • SETTINGS STORED IN GROUP POLICY OBJECTS (GPOS) • LOCAL GROUP POLICY HAS FEWER OPTIONS THAN A GROUP POLICY AND USED TO CONFIGURE SETTINGS FOR SYSTEMS NOT PART OF AD
  • 19.
    ACCOUNT RESTRICTIONS TIME OFDAY RESTRICTIONS • TIME OF DAY RESTRICTIONS - LIMITS THE TIME OF DAY A USER MAY LOG ONTO A SYSTEM • TIME BLOCKS FOR PERMITTED ACCESS ARE CHOSEN • CAN BE SET ON INDIVIDUAL SYSTEMS ACCOUNT EXPIRATION RESTRICTIONS • ORPHANED ACCOUNTS - ACCOUNTS THAT REMAIN ACTIVE AFTER EMPLOYEE HAS LEFT ORGANIZATION • DORMANT ACCOUNTS – ACCOUNTS NOT ACCESSED FOR LENGTHY PERIOD OF TIME • BOTH CAN BE SECURITY RISKS • ACCOUNT EXPIRATION - PROCESS OF SETTING A USER’S ACCOUNT TO EXPIRE • ACCOUNT EXPIRATION CAN BE EXPLICIT (ACCOUNT EXPIRES ON A SET DATE) OR BASED ON SPECIFIC NUMBER OF DAYS OF INACTIVITY

Editor's Notes

  • #5 Getting into an office space, similar to OOP or visit someone
  • #6 Object - Specific resource (Example: file or hardware device) Subject - User or process functioning on behalf of a user (Example: computer user) Operation - Action taken by the subject over an object (Example: deleting file) Owner Description: Person responsible for the information Duties: Determines the level of security needed for the data and delegates security duties as required Example: Determines that the file SALARY.XLSX can be read only by department managers Custodian Description: Individual to whom day-to-day actions have been assigned by the owner Duties: Periodically reviews security settings and maintains records of access by end-users Example: Sets and reviews security settings on SALARY.XLSX End-user Description: User who accesses information in the course of routine job responsibilities Duties: Follows organization’s security guidelines and does not attempt to circumvent security Example: Opens SALARY.XLSX
  • #8 Group or User enroll
  • #12 BCM Explain difference between this and groups Groups can be depts. But within a group you can have diff roles ie Dept Chairs and Advisors and Lab techs
  • #13 2 sports teams part of the same organization and share stadium resources but only have access to their sport specific equipment
  • #15 Separation of Duties Fraud can result from single user being trusted with complete control of a process Requiring two or more people responsible for functions related to handling money System is not vulnerable to actions of a single person Job Rotation Limits amount of time individuals are in position to manipulate security configurations Helps expose potential avenues for fraud Reduces employee burnout Least Privilege Helps reduce attack surface by eliminating unnecessary privileges Should apply to users and processes on the system Processes should run at minimum security level needed to correctly function Temptation to assign higher levels of privilege is great Challenges of least privilege Legacy applications Explanation: Many older software applications were designed to run only with a high level of privilege. Many of these applications were internally developed and are no longer maintained or are third-party applications that are no longer supported. Redeveloping the application may be seen as too costly. An alternative is to run the application in a virtualized environment. Common administrative tasks Explanation: In some organizations, basic system administration tasks are performed by the user, such as connecting printers or defragmenting a disk. Without a higher level of privilege, users must contact the help desk so that a technician can help with the tasks. Software installation/upgrade Explanation: A software update that is not centrally deployed can require a higher privilege level, which can mean support from the local help desk. This usually results in decreased productivity and increased support costs. Implicit Deny Example: Network router rejects access to all except conditions matching the rule restrictions When creating access control restrictions, recommended that unless condition is specifically met then access should be denied Mandatory Vacations Audit of employee’s activities usually scheduled during vacation for sensitive positions
  • #17 DAC