This document discusses various access control models and concepts. It begins by defining access control as the prevention of unauthorized use of resources, controlling who can access a resource, under what conditions, and what they are allowed to do. It then covers different access control models and concepts in detail including access control matrices, access control lists, capabilities, role-based access control (RBAC), mandatory access control (MAC), and separation of duty constraints. RBAC is described as defining roles and associated permissions rather than assigning permissions directly to users. Hierarchical and static/dynamic separation of duty extensions to the core RBAC model are also summarized.
Access control regulates operations on protected data and resources. It aims to control what subjects can do to prevent damage. Access control is provided by operating systems and database management systems. It uses reference monitors to grant or deny access requests from subjects for objects based on access control policies and permissions. Access control mechanisms implement the access control function using permissions or subject/object attributes to make access decisions.
Least privilege, access control, operating system security (G Prachi)
The document discusses principles of least privilege and access control concepts in operating system security. It defines security goals of confidentiality, integrity and availability known as the CIA triad. The principle of least privilege aims to limit a process's privileges to only those necessary for its execution. Access control concepts include discretionary access control where owners control access, and mandatory access control defined by security labels. A reference monitor provides complete mediation, is tamperproof, and verifiable to securely enforce access policies.
Authorization is the process of giving someone permission to do or have something.
Table of Content
Introduction Authorization
Common Attacker Testing Authentication
Strategies For Strong Authentication
Access Control
This document discusses protection in operating systems. It covers the goals of protection which include ensuring objects are only accessed by allowed processes. Principles of protection include least privilege and need-to-know. Protection domains and access matrices are used to specify allowed access. Implementation options for access matrices include access lists, capability lists, and lock-key systems. Role-based access control and revocation of access rights are also covered. Capability-based systems like Hydra and Cambridge CAP are described. Finally, language-based protection specifies policies through programming languages.
The document discusses security mechanisms in Linux operating systems. It covers access control modules, including audit, access control, and role-based access control modules. It also discusses security models like DAC, MAC, RBAC and how they integrate with the operating system's security tag library and audit log. The principles of least privilege, separation of duties and simplicity are important to the design.
The document discusses access control, including definitions, principles, policies, requirements, and basic elements. It covers discretionary access control models, protection domains, UNIX file access control using inodes, traditional UNIX controls like setuid and sticky bits, and newer access control lists in UNIX.
This document discusses various concepts related to protection in operating systems. It covers the goals of protection which include preventing unauthorized access and enforcing access policies. The principle of least privilege is introduced which dictates that users and programs be given only necessary privileges. Access control and its basic terminology like objects, access rights and access control policies are defined. Implementation techniques for access control like access matrix, access control lists, capability lists and language-based approaches are described at a high level. The document provides an overview of key protection concepts in operating systems.
This chapter discusses protection in computer systems. It covers the goals of ensuring only authorized access to resources, the principle of least privilege, using access matrices to define access rights across protection domains, and different methods of implementing and revoking access controls, such as capability-based systems and language-based protections. Protection domains group objects and access rights, while access matrices specify the operations each domain can perform on different objects. Various operating systems implement domains and matrices in different ways to enforce access restrictions.
This chapter discusses protection in computer systems. It covers the goals of ensuring only authorized access to resources, the principle of least privilege, using access matrices to define access rights across protection domains, and different methods of implementing and revoking access controls, such as capability-based systems and language-based protections. Protection domains group objects and access rights, while access matrices specify the operations each domain can perform on different objects. Various operating systems implement domains and matrices in different ways, such as rings in Multics or roles in Solaris.
Access control permits or denies access to resources based on authentication and authorization. Authentication verifies the identity of users and systems, while authorization determines the resources a user can access based on discretionary access control using access control lists, mandatory access control using security labels, or role-based access control assigning roles and permissions.
IRJET- A Review On - Controlchain: Access Control using Blockchain (IRJET Journal)
This document summarizes several access control models that could be used for the Internet of Things (IoT), including Mandatory Access Control (MAC), Discretionary Access Control (DAC), Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), Organization-Based Access Control (OrBAC), and OAuth. It discusses the key components, advantages, and limitations of each model. Specifically, it notes that MAC and DAC focus on confidentiality but lack flexibility, RBAC is well-suited for independent domains but not cross-domains, ABAC provides more flexible access based on user, resource, and environment attributes defined in XACML policies, and OrBAC extends this to incorporate organizational
Access control is a collection of methods that enforce confidentiality and integrity by controlling access to resources. It allows only authorized users to access permitted objects like files, devices, or network connections. There are different models of access control, including discretionary access control (DAC) where owners set access rules, mandatory access control (MAC) where rules are based on security labels, and role-based access control (RBAC) where rules are based on user roles. Effective access control requires policies, least privilege, auditing, and technical controls like access control lists that implement the rules.
This document provides an overview of cache security concepts including authentication, authorization, and auditing. It outlines an academy agenda to cover these topics through introductions, demonstrations, and exercises using a sample web application. Authentication methods like passwords, LDAP, and SSO are described. Authorization is explained in terms of resources, permissions, roles, and application-level controls. The document demonstrates viewing audit logs and granular security in the system management portal. Exercises guide setting authentication types, controlling database access through roles and permissions, and viewing audit records.
1. The document discusses access control models and concepts, including the reference monitor model, subjects and objects, access rights, and access control structures like access control matrices, capabilities, and access control lists.
2. Role-based access control (RBAC) is introduced as a model that uses roles as an intermediate access control layer between subjects and objects. Roles are defined by assigning permissions to perform certain procedures on particular types of objects.
3. Other access control concepts covered include security labels and partial orderings to compare sensitivity levels associated with subjects and objects. Lattices provide a mathematical structure to determine the least privileged label for a subject to access multiple objects.
This document discusses network security and firewalls. It describes how firewalls provide perimeter defense and control access between interconnected networks. Several types of firewalls are mentioned, including packet filtering firewalls, stateful firewalls, application-level gateways, and proxies. The document also briefly discusses access control models, multilevel security models like Bell-LaPadula, and security evaluation standards such as Common Criteria.
Database security and security in networks (G Prachi)
The document discusses database security and network security, including security requirements for databases like reliability, integrity and access control, threats in networks like firewalls and intrusion detection systems, and issues around sensitive data in databases like inference where sensitive data can be deduced from aggregate queries and statistical databases. It also covers security models for databases including discretionary access control using views, roles and privileges and mandatory access control using security labels.
The document discusses access control and authorization in distributed systems. It introduces role-based access control (RBAC) as a promising approach. RBAC separates the administration of principals and roles from the specification of authorization policy in terms of roles. This allows authorization policy to be expressed independently of changes to principal membership. RBAC also facilitates inter-domain authorization by allowing roles to span domains. The document presents an example RBAC implementation using the OASIS framework that specifies role activation and authorization policies using rules. It also discusses engineering role certificates and maintaining credential state to support RBAC in a distributed environment.
The document discusses access control and authorization in distributed systems. It introduces role-based access control (RBAC) as a promising approach. RBAC separates the administration of principals and roles from the specification of authorization policy in terms of roles. This allows authorization policy to be expressed independently of changes to principal membership. RBAC also facilitates inter-domain authorization by allowing roles to span domains. The document presents an example RBAC implementation using the OASIS framework that specifies role activation and authorization policies using rules. It describes how roles can be activated and how certificates tied to roles can be used to enforce authorization across distributed services.
SELinux is a method for mandatory access control (MAC) on Linux systems. MAC provides an additional layer of security beyond traditional discretionary access control (DAC) by labeling both subjects like users and objects like files. SELinux policies define which labeled subjects can access which labeled objects. In practice, both DAC and MAC are used together, so even if a SELinux policy allows access, the user still needs the correct file permissions via DAC. When running SELinux, commands like ps -Z and ls -Z can show the security labels on processes and files.
This document summarizes a presentation on Dataverse permissions and security. It discusses key concepts like environment access, data ownership, security roles for row-level access, business units, teams and users, column-level security profiles, record sharing and access teams, and hierarchical/positional security. The presentation provides examples and explanations of how to configure these different Dataverse security features.
Access Control: Principles and Practice (Nabeel Yoosuf)
Slides prepared based on the paper Access Control: Principles and Practice by Ravi S. Sandhu and Pierangela Samarati, IEEE Communications Magazine, 1994
Databases store logically interrelated data representing real-world aspects. They require security measures to protect data confidentiality, integrity, and availability from threats. Common threats include privilege abuse, injection attacks, and unmanaged sensitive data. Database security uses prevention techniques like access control and detection techniques like auditing. Access control policies include discretionary access control based on authorization rules, mandatory access control, and role-based access control. Views and stored procedures also help implement access control by restricting data access.
Security and LDAP integration in InduSoft Web Studio (AVEVA)
With cybersecurity threat vectors increasing and attacks on industrial control systems on the rise, it’s more important than ever to take proper safety precautions when developing HMI or SCADA applications. In this webinar, we’ll go over how your application can be integrated with LDAP, and some best practices for developing more secure SCADA/HMI systems.
The document discusses Apache Sentry, an authorization module for the Hadoop ecosystem. It provides fine-grained, role-based authorization and multi-tenant administration capabilities. Sentry concepts include bindings, policies, roles, and users/groups. Privileges can be granted on specific objects like databases and tables. Sentry integrates with Hive through minor changes and existing hooks. This allows read-only access to Hive data for remote clients.
Implementing role based access control on Web Application (sample case) (Deny Prasetia)
This document discusses implementing role-based access control (RBAC) on a web application. It begins by defining access control and RBAC. It then examines different approaches to access control, including level-based, user-based, role-based, and responsibility-based. For the project, it recommends a role-based or responsibility-based approach using tables to define users, roles, tasks, and permissions to allow restricting access based on a user's role(s). It also discusses designing this as a draft and considering requirements to control data updates based on user roles.
This document provides definitions and terminology related to computer security architecture and models. It defines key terms like access control, authentication, authorization, confidentiality, integrity, and availability. It also summarizes several influential security models like Bell-LaPadula, Biba, Clark-Wilson, and discusses certification and accreditation procedures. The document also briefly outlines the IPSEC standard and some general network and host security concepts.
Why Mobile App Regression Testing is Critical for Sustained Success_ A Detail... (kalichargn70th171)
A dynamic process unfolds in the intricate realm of software development, dedicated to crafting and sustaining products that effortlessly address user needs. Amidst vital stages like market analysis and requirement assessments, the heart of software development lies in the meticulous creation and upkeep of source code. Code alterations are inherent, challenging code quality, particularly under stringent deadlines.
Similar to Week No 13 Access Control Part 1.pptx (20)
Overall, launching a streaming platform in minutes might not be entirely realistic, but these services can significantly speed up the process compared to building from scratch. Carefully consider your needs and budget when choosing the best option for you.
Atelier - Innover avec l’IA Générative et les graphes de connaissancesNeo4j
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Allez au-delà du battage médiatique autour de l’IA et découvrez des techniques pratiques pour utiliser l’IA de manière responsable à travers les données de votre organisation. Explorez comment utiliser les graphes de connaissances pour augmenter la précision, la transparence et la capacité d’explication dans les systèmes d’IA générative. Vous partirez avec une expérience pratique combinant les relations entre les données et les LLM pour apporter du contexte spécifique à votre domaine et améliorer votre raisonnement.
Amenez votre ordinateur portable et nous vous guiderons sur la mise en place de votre propre pile d’IA générative, en vous fournissant des exemples pratiques et codés pour démarrer en quelques minutes.
Zoom is a comprehensive platform designed to connect individuals and teams efficiently. With its user-friendly interface and powerful features, Zoom has become a go-to solution for virtual communication and collaboration. It offers a range of tools, including virtual meetings, team chat, VoIP phone systems, online whiteboards, and AI companions, to streamline workflows and enhance productivity.
SOCRadar's Aviation Industry Q1 Incident Report is out now!
The aviation industry has always been a prime target for cybercriminals due to its critical infrastructure and high stakes. In the first quarter of 2024, the sector faced an alarming surge in cybersecurity threats, revealing its vulnerabilities and the relentless sophistication of cyber attackers.
SOCRadar’s Aviation Industry, Quarterly Incident Report, provides an in-depth analysis of these threats, detected and examined through our extensive monitoring of hacker forums, Telegram channels, and dark web platforms.
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...Crescat
Crescat is industry-trusted event management software, built by event professionals for event professionals. Founded in 2017, we have three key products tailored for the live event industry.
Crescat Event for concert promoters and event agencies. Crescat Venue for music venues, conference centers, wedding venues, concert halls and more. And Crescat Festival for festivals, conferences and complex events.
With a wide range of popular features such as event scheduling, shift management, volunteer and crew coordination, artist booking and much more, Crescat is designed for customisation and ease-of-use.
Over 125,000 events have been planned in Crescat and with hundreds of customers of all shapes and sizes, from boutique event agencies through to international concert promoters, Crescat is rigged for success. What's more, we highly value feedback from our users and we are constantly improving our software with updates, new features and improvements.
If you plan events, run a venue or produce festivals and you're looking for ways to make your life easier, then we have a solution for you. Try our software for free or schedule a no-obligation demo with one of our product specialists today at crescat.io
Quarkus Hidden and Forbidden ExtensionsMax Andersen
Quarkus has a vast extension ecosystem and is known for its subsonic and subatomic feature set. Some of these features are not as well known, and some extensions are less talked about, but that does not make them less interesting - quite the opposite.
Come join this talk to see some tips and tricks for using Quarkus and some of the lesser known features, extensions and development techniques.
2. Compromise recording
• This principle states that sometimes it is more desirable to record the details of an intrusion than to adopt more sophisticated measures to prevent it.
– Internet-connected surveillance cameras are a typical example of an effective compromise record system that can be deployed to protect a building in lieu of reinforcing doors and windows.
– The servers in an office network may maintain logs for all accesses to files, all emails sent and received, and all web browsing sessions.
3. Topic: 2. Access Control
• Users and groups
• Authentication
• Passwords
• File protection
• Access control lists
• Which users can read/write which files?
• Are my files really safe?
• What does it mean to be root?
• What do we really want to control?
12/12/2022 Introduction 3
4. Cont.
Access control: prevention of the unauthorized use of a resource; that is, this service controls
- who can have access to a resource
- under what conditions access can occur
- and what those accessing are allowed to do
5. Access Control Matrices
• A table that defines permissions.
– Each row of this table is associated with a subject, which is a user, group, or system that can perform actions.
– Each column of the table is associated with an object, which is a file, directory, document, device, resource, or any other entity for which we want to define access rights.
– Each cell of the table is then filled with the access rights for the associated combination of subject and object.
– Access rights can include actions such as reading, writing, copying, executing and deleting.
– An empty cell means that no access rights are granted.
6. Example Access Control Matrix
• Adv:
– Fast and easy determination of access control rights
– Provides a simple visual way to view access rights
• Disadv:
– What happens when the matrix grows?
– With n subjects and m objects there are n·m cells
– A server may have 1,000 subjects (users) and 1,000,000 objects (files and folders)
7. Access Control Lists
• It defines, for each object, o, a list, L, called o’s access control list, which enumerates (computes) all the subjects that have access rights for o and, for each such subject, s, gives the access rights that s has for object o.
Example access control lists, one per object:
/etc/passwd -> root: r,w; mike: r; roberto: r; backup: r
/usr/bin/ -> root: r,w,x; mike: r,x; roberto: r,x; backup: r,x
/u/roberto/ -> root: r,w,x; roberto: r,w,x; backup: r,x
/admin/ -> root: r,w,x; backup: r,x
8. Cont.
• Advantage:
– Smaller than an access control matrix
• The size of the ACLs is proportional to the number of nonempty cells in the ACM
– The ACL of an object is stored as metadata with that object
• The system only needs to consult the ACL of that object
• Disadvantage:
– Does not provide an efficient way to see the access control rights of a given subject
• Each object’s list must be accessed
9. Capabilities
• Takes a subject-centered approach to access control.
• It defines, for each subject s, the list of the objects for which s has nonempty access control rights, together with the specific rights.
Example capability lists, one per subject:
root -> /etc/passwd: r,w,x; /usr/bin: r,w,x; /u/roberto: r,w,x; /admin/: r,w,x
roberto -> /usr/passwd: r; /usr/bin: r; /u/roberto: r,w,x
mike -> /usr/passwd: r; /usr/bin: r,x
backup -> /etc/passwd: r,x; /usr/bin: r,x; /u/roberto: r,x; /admin/: r,x
10. Cont.
• Same advantage in space over the access control matrix as the access control list
• Easy for an admin to quickly determine the access rights for a given subject
• When s requests o, the system needs to read only the capabilities of s
• The only way to determine the access rights for an object o is to search all the capabilities
11. Role-based Access Control
• Define roles and then specify access control rights for these roles, rather than for subjects directly.
[Figure: diagram of roles: Department Member, Administrative Personnel, Accountant, Secretary, Administrative Manager, Faculty, Lab Technician, Lab Manager, Student, Undergraduate Student, Graduate Student, Department Chair, Technical Personnel, Backup Agent, System Administrator, Undergraduate TA, Graduate TA]
12. Mandatory Access Control (MAC)
[Figure labels: Unclassified, Confidential, Secret, Top Secret; can-flow; dominance]
• Labeling mechanism is used
• Military security
• Requires a strict classification of subjects and objects in security levels
• Drawback of being too rigid
• Applicable only to very few environments
• Prevents any illegal flow of information through the enforcement of multilevel security
Adopted from: Role-Based Access Control by Prof. Ravi Sandhu
13. Compartments and Sensitivity Levels
[Figure labels: Unclassified, Restricted, Confidential, Secret, Top Secret; Compartment 1, Compartment 2, Compartment 3]
• Information access is limited by the need-to-know
• Compartment: Each piece of classified information may be associated with one or more projects called compartments
14. Classification & Clearance
• <rank; compartments>
– class of a piece of information
• Clearance: an indication that a person is trusted to access information up to a certain level of sensitivity
• <rank; compartments>
– clearance of a subject
15. Dominance Relation
• We say that s dominates o (or o is dominated by s) if o <= s
• For a subject s and an object o, o <= s if and only if
– rank(o) <= rank(s) and
– compartments(o) is a subset of compartments(s)
• A subject can read an object if the subject dominates the object.
16. Example
• Information classified as <secret; {Sweden}>
• Which of the following subject clearances can read the above information?
– <top secret; {Sweden}>
– <secret; {Sweden, crypto}>
– <top secret; {crypto}>
– <confidential; {Sweden}>
– <secret; {France}>
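The dominance check from the two slides above, worked through for these five clearances. This is an added example, not part of the original slides; the label parser and the function names are assumptions made for illustration, and the rank order is the one listed on the "Compartments and Sensitivity Levels" slide.

```python
import re

# Sensitivity levels named on the slides, lowest to highest.
RANKS = ["unclassified", "restricted", "confidential", "secret", "top secret"]
LABEL_RE = re.compile(r"^<\s*([^;]+?)\s*;\s*\{([^}]*)\}\s*>$")


def parse_label(text):
    """Parse '<rank; {c1, c2}>' into (rank index, frozenset of compartments)."""
    match = LABEL_RE.match(text.strip())
    if not match:
        raise ValueError(f"malformed label: {text!r}")
    rank = match.group(1).lower()
    if rank not in RANKS:
        raise ValueError(f"unknown rank: {rank!r}")
    compartments = frozenset(
        c.strip().lower() for c in match.group(2).split(",") if c.strip()
    )
    return RANKS.index(rank), compartments


def dominates(subject_label, object_label):
    """True if o <= s: rank(o) <= rank(s) and compartments(o) is a subset."""
    s_rank, s_comps = parse_label(subject_label)
    o_rank, o_comps = parse_label(object_label)
    return o_rank <= s_rank and o_comps <= s_comps


def comparable(label_a, label_b):
    """Dominance is only a partial order: some label pairs are unrelated."""
    return dominates(label_a, label_b) or dominates(label_b, label_a)


def readers(object_label, clearances):
    """Return the clearances that are allowed to read the object."""
    return [c for c in clearances if dominates(c, object_label)]


# The classification and candidate clearances from the Example slide.
DOCUMENT = "<secret; {Sweden}>"
CLEARANCES = [
    "<top secret; {Sweden}>",
    "<secret; {Sweden, crypto}>",
    "<top secret; {crypto}>",
    "<confidential; {Sweden}>",
    "<secret; {France}>",
]

if __name__ == "__main__":
    allowed = readers(DOCUMENT, CLEARANCES)
    for clearance in CLEARANCES:
        verdict = "read" if clearance in allowed else "deny"
        print(f"{clearance:30} {verdict}")
```

A higher rank alone is not enough: the top secret clearance without the Sweden compartment is denied, and its label is not comparable with the document's in either direction.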
19. Role-Based Access Control
[Figure labels: USERS, ROLES, PERMISSIONS, User-Role Assignment, Permission-Role Assignment, Sessions, Role Hierarchies]
• Users are human beings or other active agents
• The business function the user performs is the role
• A user can be a member of many roles
• Each role can have many users as members
• A user can invoke multiple sessions
• In each session a user can invoke any subset of roles that the user is a member of
• A permission can be assigned to many roles
• Each role can have many permissions
‐ read, write, append, execute
[Figure labels: Health-Care Provider, Physician, Primary-Care Physician, Specialist Physician]
Adopted from: Role-Based Access Control by Prof. Ravi Sandhu
23. Constraints - RBAC
• provide a means of adapting RBAC to the specifics of administrative and security policies of an organization
• a defined relationship among roles or a condition related to roles
mutually exclusive roles
• a user can only be assigned to one role in the set (during a session or statically)
• any permission can be granted to only one role in the set
cardinality
• setting a maximum number with respect to roles
prerequisite roles
• dictates that a user can only be assigned to a particular role if it is already assigned to some other specified role
24. RBAC System
administrative functions
• provide the capability to create, delete, and maintain RBAC elements and relations
supporting system functions
• provide functions for session management and for making access control decisions
review functions
• provide the capability to perform query operations on RBAC elements and relations
25. NIST RBAC Basic Definitions
• object
– any system resource subject to access control, such as a file, printer, terminal, database record
• operation
– an executable image of a program, which upon invocation executes some function for the user
• permission
– an approval to perform an operation on one or more RBAC protected objects
27. Core RBAC
administrative functions
• add and delete users from the set of users
• add and delete roles from the set of roles
• create and delete instances of user-to-role assignment
• create and delete instances of permission-to-role assignment
supporting system functions
• create a user session with a default set of active roles
• add an active role to a session
• delete a role from a session
• check if the session subject has permission to perform a requested operation on an object
review functions
• enable an administrator to view but not modify all the elements of the model and their relations
28. Hierarchical RBAC
general role hierarchies
• allow an arbitrary partial ordering of the role hierarchy
• supports multiple inheritance, in which a role may inherit permissions from multiple subordinate roles and more than one role can inherit from the same subordinate role
limited role hierarchies
• impose restrictions resulting in a simpler tree structure
• role may have one or more immediate ascendants but is restricted to a single immediate descendant
29. Static Separation of Duty
• enables the definition of a set of mutually exclusive roles,
– if a user is assigned to one role in the set, the user may not be assigned to any other role in the set
• can place a cardinality constraint on a set of roles
– defined as a pair (role set, n) where no user is assigned to n or more roles from the role set
• includes administrative functions for creating and deleting role sets and adding and deleting role members
• includes review functions for viewing the properties of existing SSD sets
30. Dynamic Separation of Duty
• limit the permissions available to a user
– places constraints on the roles that can be activated within or across a user’s sessions
• define constraints as a pair (role set, n) with the property that no user session may activate n or more roles from the role set
– where n is a natural number n ≤ 2
• enables the administrator to specify certain capabilities for a user at different time spans
• includes administrative and review functions for defining and viewing DSD relations
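A small reference monitor that ties together the core, hierarchical, SSD and DSD slides above. This is an added example, not code from the slides or from the NIST standard; the class and method names and the clinic policy are constructed for illustration, both constraints use n = 2, and checking constraints against inherited roles is a choice made in this example.

```python
class RBACError(Exception):
    """Raised when an assignment or activation breaks a constraint."""


class RBAC:
    def __init__(self):
        self.perms = {}      # role -> {(operation, object)}
        self.inherits = {}   # role -> roles whose permissions it inherits
        self.assigned = {}   # user -> roles assigned to the user
        self.sessions = {}   # session id -> (user, active roles)
        self.ssd, self.dsd = [], []   # [(role set, n)]: static / dynamic SoD

    def add_role(self, role, perms=(), inherits=()):
        self.perms[role] = set(perms)
        self.inherits[role] = set(inherits)

    def closure(self, roles):
        """The given roles plus every role they inherit from, transitively."""
        seen, stack = set(), list(roles)
        while stack:
            role = stack.pop()
            if role not in seen:
                seen.add(role)
                stack.extend(self.inherits[role])
        return seen

    def _check(self, constraints, roles, kind):
        # Inherited roles count too, so a senior role cannot bypass a constraint.
        effective = self.closure(roles)
        for role_set, n in constraints:
            if len(role_set & effective) >= n:
                raise RBACError(f"{kind} violation on {sorted(role_set)}")

    def assign(self, user, role):
        proposed = self.assigned.get(user, set()) | {role}
        self._check(self.ssd, proposed, "SSD")
        self.assigned[user] = proposed

    def create_session(self, sid, user):
        self.sessions[sid] = (user, set())

    def activate(self, sid, role):
        user, active = self.sessions[sid]
        if role not in self.closure(self.assigned.get(user, set())):
            raise RBACError(f"{user} is not authorized for {role}")
        self._check(self.dsd, active | {role}, "DSD")
        active.add(role)

    def check_access(self, sid, operation, obj):
        _, active = self.sessions[sid]
        return any((operation, obj) in self.perms[r] for r in self.closure(active))


def build_clinic():
    """Constructed policy; role names follow the slides, permissions are made up."""
    rbac = RBAC()
    rbac.add_role("health_care_provider", {("read", "patient_record")})
    rbac.add_role("physician", {("write", "prescription")}, {"health_care_provider"})
    rbac.add_role("primary_care_physician", {("write", "referral")}, {"physician"})
    rbac.add_role("specialist_physician", {("write", "report")}, {"physician"})
    rbac.add_role("technician", {("write", "lab_result")}, {"health_care_provider"})
    rbac.ssd.append((frozenset({"physician", "technician"}), 2))
    rbac.dsd.append((frozenset({"primary_care_physician", "specialist_physician"}), 2))
    return rbac
```

With this policy a user may hold both physician specialisations but can activate only one per session, and assigning `technician` to a primary-care physician is refused because that role already inherits `physician`.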
31. Task Based Access Control
P – Permission
S – Subject
O – Object
A – Actions
U – Usage and Validity Counts
AS – Authorization step
• Active Security Model
• Dynamic authorization gives flexibility
• No roles involved
• Constraints for this model are still under study
• Each authorization step consumes a permission, and the usage count is incremented
• When the usage count reaches its limit, the associated permission is deactivated
Adopted from Source: Task based authorization controls by R.S.Sandhu and R.K.Thomas
Classical subject-object access control P S x O x A
TBAC view of access control P S x O x A x U x AS
TBAC extensions
32. TBAC with Constraints
[Figure labels: Users: Alice, Bob; Tasks: Check Patient, Do Physical Exam; Workflow, Non-Workflow]
[Figure: Out Patient Workflow: Start, Do Physical Exam (T1), Check Patient (T2), Perform Lab Test (T3), View Lab Results (T4), Write Prescription (T5), Refer another specialist (T6), End; Non-Workflow: View Current Patient List]
34. Constraints
Task constraints – Least Privilege
• Users are not given more permission than is necessary to perform their duties
• Achieved through task instances
[Figure labels: Constraints; User, Tasks, Permissions, Instance; task instance: Alice, Check Patient, Josh]
• Access permissions start when the instance is initiated
• Access permissions end when the instance is completed or revoked
• Fine Grained Access Control
[Figure: task instance status: Initiated, Active, Completed, Revoked]
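A sketch of a task instance that combines the usage counts from the Task Based Access Control slide with the instance life cycle described above. This is an added example, not code from the slides or from the TBAC paper; the class, the per-permission limits, the object names and the rule that the first granted step moves an instance from Initiated to Active are assumptions made for illustration.

```python
INITIATED, ACTIVE, COMPLETED, REVOKED = "initiated", "active", "completed", "revoked"


class TaskInstance:
    """One task instance, e.g. (Alice, Check Patient, Josh)."""

    def __init__(self, user, task, target, limits):
        self.user, self.task, self.target = user, task, target
        self.limits = dict(limits)            # (action, object) -> max uses
        self.used = {perm: 0 for perm in self.limits}
        self.status = INITIATED
        self.log = []                         # audit trail of every step

    def authorize(self, user, action, obj):
        """One authorization step: consume a permission use if allowed."""
        perm = (action, obj)
        if self.status not in (INITIATED, ACTIVE):
            verdict = "deny: instance " + self.status
        elif user != self.user:
            verdict = "deny: not the instance owner"
        elif perm not in self.limits:
            verdict = "deny: permission not part of this task"
        elif self.used[perm] >= self.limits[perm]:
            verdict = "deny: usage count exhausted"
        else:
            self.used[perm] += 1
            self.status = ACTIVE
            verdict = "allow"
        self.log.append((user, action, obj, verdict))
        return verdict == "allow"

    def _close(self, new_status):
        if self.status in (COMPLETED, REVOKED):
            raise ValueError("instance already " + self.status)
        self.status = new_status

    def complete(self):
        self._close(COMPLETED)

    def revoke(self):
        self._close(REVOKED)


def run_check_patient():
    """Constructed scenario based on the slides' Alice / Check Patient / Josh."""
    inst = TaskInstance("alice", "check_patient", "josh",
                        {("read", "chart:josh"): 2, ("write", "notes:josh"): 1})
    results = [
        inst.authorize("alice", "read", "chart:josh"),    # first of two uses
        inst.authorize("bob", "read", "chart:josh"),      # other user
        inst.authorize("alice", "read", "chart:mary"),    # outside the task
        inst.authorize("alice", "read", "chart:josh"),    # second of two uses
        inst.authorize("alice", "read", "chart:josh"),    # limit reached
        inst.authorize("alice", "write", "notes:josh"),   # single allowed write
    ]
    inst.complete()
    results.append(inst.authorize("alice", "write", "notes:josh"))  # after completion
    return results, inst
```

Every decision, including each denial, lands in `inst.log`, which gives the audit trail the summary slide lists alongside authentication and authorization.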
35. Static and Dynamic Separation of Duty
• No single individual can execute all tasks within the workflow
[Figure: workflow: Start, Do Physical Exam (T1), Check Patient (T2), Perform Lab Test (T3), View Lab Results (T4), Write Prescription (T5), End; roles shown: Nurse, Physician, Technician, Physician; Task Instance 1: Alice, Check Patient, Josh]
• Protects against fraudulent activities of users
• Static SOD - the definition of tasks as workflow or non-workflow governs the administration or design-time associations between users and permissions.
• Dynamic SOD - permissions or task instances are granted at run-time.
36. Delegation of Tasks
• The initially assigned user is not available to complete the task
• A supervisor can delegate the task to another junior user in the same hierarchy
• Access rights are revoked once the task is completed
[Figure labels: Senior Physician (Jan), Physician (Alice), Physician (Bob); task instances: Alice, Check Patient, Josh; Bob, Check Patient, Josh]
• Jan can delegate the task to Bob
37. Spatial and Temporal Constraints
• Accessed from anywhere and at anytime
– User’s location and time is taken into consideration for granting access to a task
[Figure labels: Family Practice Physician, Nurse; Location Constraint (Reno Office); Time Constraint (8 - 5); Tasks]
38. Passive and Active Access Control
[Figure: Workflow: Start, Do Physical Exam (T1), Check Patient (T2), Perform Lab Test (T3), View Lab Results (T4), Write Prescription (T5), Refer another specialist (T6), End; other labels: Physician, Write Prescription, View Current Patient List, File 1, File 2, Read, Write, Passive Access, Active Access]
39. Classification of Tasks
Passive Access Control: Private (non-inheritable), Supervision (inheritable)
Active Access Control: Workflow (non-inheritable), Approval (inheritable)
[Figure: Class Private and Class Supervision. Workflow: Start, Do Physical Exam (T1), Check Patient (T2), Perform Lab Test (T3), View Lab Results (T4), Write Prescription (T5), Refer another specialist (T6), End; other labels: View Current Patient List, Family Practice Physician (Alice), Senior Physician (Jan), Diagnosis Details]
40. Classification of Tasks
[Figure: Class Workflow and Class Approval. Workflow: Start, Do Physical Exam (T1), Check Patient (T2), Perform Lab Test (T3), View Lab Results (T4), Write Prescription (T5), Refer another specialist (T6), End; other labels: Check Patient, Family Practice Physician (Alice), Senior Physician (Jan), Physician (Alice), Physician (Bob), Senior Physician (Jan), Same Hierarchy]
41. Functions and Roles for Banking Example
(a) Functions and Official Positions
45. Summary
• access control
– prevent unauthorized users from gaining access to resources
– prevent legitimate users from accessing resources in an unauthorized manner
– enable legitimate users to access resources
– subjects, objects, access rights
– authentication, authorization, audit
• discretionary access controls (DAC)
– controls access based on identity
• mandatory access control (MAC)
– controls access based on security labels
• role-based access control (RBAC)
– controls access based on roles