Access control permits or denies access to resources based on authentication and authorization. Authentication verifies the identity of users and systems, while authorization determines the resources a user can access based on discretionary access control using access control lists, mandatory access control using security labels, or role-based access control assigning roles and permissions.
Access Control: Principles and Practice, Nabeel Yoosuf
Slides prepared based on the paper Access Control: Principles and Practice by Ravi S. Sandhu and Pierangela Samarati, IEEE Communications Magazine, 1994
Security+ Guide to Network Security Fundamentals, 3rd Edition, by Mark Ciampa
Knowledge and skills required for Network Administrators and Information Technology professionals to be aware of security vulnerabilities, to implement security measures, to analyze an existing network environment in consideration of known security threats or risks, to defend against attacks or viruses, and to ensure data privacy and integrity. Terminology and procedures for implementation and configuration of security, including access control, authorization, encryption, packet filters, firewalls, and Virtual Private Networks (VPNs).
CNIT 120: Network Security
http://samsclass.info/120/120_S09.shtml#lecture
Policy: http://samsclass.info/policy_use.htm
Many thanks to Sam Bowne for allowing us to publish these presentations.
To support Digital India, we are trying to enforce security on the web and digital information. These slides provide basic as well as advanced knowledge of security models. Models covered in these slides are Chinese Wall, Clark-Wilson, Biba, Harrison-Ruzzo-Ullman, Bell-LaPadula, etc.
Types of Access Control.
Access control is the heart of security
• Protecting what needs to be protected with the available technologies!
• Definitions:
– The ability to allow only authorized users, programs or processes system or resource access
– The granting or denying, according to a particular security model, of certain permissions to access a resource
– An entire set of procedures performed by hardware, software and administrators, to monitor access, identify users requesting access, record access attempts, and grant or deny access based on pre-established rules
Information security involves protecting information from unauthorized access, use, disclosure, disruption, modification, or destruction. It encompasses a range of strategies and practices, including encryption, access control, and network security, aimed at ensuring the confidentiality, integrity, and availability of information. This field is crucial in today's digital age to safeguard sensitive data and systems from cyber threats and attacks.
Complete coverage of CISSP 7th Chapter - Security Operations. I have made sure to cover all topics from three books in this presentation. For corrections, clarifications, please feel free to reach me.
These slides present data and information systems. In any information system, security and integrity are the prime concern: how we can make sure stored data is more secure and generated information is accurate, reliable and consistent.
2. Last time …
• Protection (defence) against harm:
– Prevent it by blocking attack or closing vulnerabilities
– Deter it by making the attack harder (but not impossible!)
– Deflect it by making another target more attractive
– Detect it either as it happens or some time after
– Recover from effects
– Using any combination of the above
• Using countermeasures (controls)
• Methods of defence
– Software controls
– Encryption
– Physical and hardware controls
Computer Security Management
Page 2
4. Access control
• Permit or deny the use of a particular resource by a particular entity
• Two dimensions: authentication and authorisation
• Authentication
– User to system
– System to user
• Authorisation
– Discretionary access control
– Mandatory access control
– Role-based access control
5. User to system authentication
• Something you know
– Password, PIN, challenge-response
• Something you have
– Key, smart card, code book, etc.
• Something you are
– Biometrics: fingerprints, retina scan, etc.
• Somewhere you are
– Secure terminals, subnets, etc.
• Any combination of the above (Two-factor authentication)
6. System to user authentication
• Secure paths
– Mechanism that ensures that the user communicates with the system he intends to communicate with
– Cannot be intercepted by attacker
– Example: Windows ctrl+alt+del
• Browser clues
• Etc.
7. Authorisation
• Discretionary access control
– Based on identity of user
– Sometimes organised in groups
• Mandatory access control
– Based on security clearance of user
• Role-based access control
– Based on user’s function, authority and responsibilities
8. Discretionary access control (DAC)
• Restricting access to objects based on the identity of users and/or groups to which they belong
• Access: read, write, execute, etc.
• Often every object has an owner that controls the permissions to access the object
• Discretionary: a subject with a certain access permission is capable of passing that permission on to other subjects
• Permissions are stored in Access Control Lists (ACLs)
• System first checks the list for an applicable entry in order to decide whether to proceed with the operation
9. Access control lists (ACLs)
• Specifies who is allowed to access the object and what operations are allowed to be performed on the object
• List of users and associated permissions attached to an object
• Usually implemented as a table
• Every user needs to have an entry:
– ACL can grow easily
– Maintaining ACLs can be cumbersome
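The DAC and ACL slides above, as an added Python example that is not part of the original deck: an ACL table attached to one object, with user and group entries, an owner, and a holder passing a permission on. The class `DacObject` and every user, group and file name are constructed for illustration.

```python
# Added illustration: a per-object ACL table with user and group entries.
# DacObject and all user, group and file names are constructed for this example.
class DacObject:
    def __init__(self, name, owner):
        self.name = name
        self.owner = owner
        # ACL table: principal ("user:x" or "group:y") -> set of permitted operations
        self.acl = {f"user:{owner}": {"read", "write", "execute"}}

    def check(self, user, groups, op):
        """Scan the ACL for any applicable entry before allowing the operation."""
        principals = [f"user:{user}"] + [f"group:{g}" for g in groups]
        return any(op in self.acl.get(p, set()) for p in principals)

    def grant(self, grantor, grantor_groups, principal, ops):
        """The owner may grant anything; others may only pass on what they hold."""
        ops = set(ops)
        if grantor != self.owner:
            missing = {op for op in ops if not self.check(grantor, grantor_groups, op)}
            if missing:
                raise PermissionError(f"{grantor} does not hold {sorted(missing)}")
        self.acl.setdefault(principal, set()).update(ops)


def demo():
    report = DacObject("q3-report.txt", owner="alice")
    report.grant("alice", [], "group:finance", {"read"})
    report.grant("alice", [], "user:bob", {"read", "write"})
    # Discretionary: bob passes read on to carol without involving the owner.
    report.grant("bob", [], "user:carol", {"read"})
    return {
        "dave_read_via_group": report.check("dave", ["finance"], "read"),
        "carol_read": report.check("carol", [], "read"),
        "carol_write": report.check("carol", [], "write"),
        "acl_entries": len(report.acl),  # grows with every principal added
    }


if __name__ == "__main__":
    print(demo())
```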
10. Mandatory access control (MAC)
• Assigns security labels (classifications) to system resources
– Examples: RESTRICTED, CLASSIFIED, SECRET, TOP SECRET, …
• Ordered (not necessarily in linear order!)
• Allows access only to entities (people, processes, devices) with appropriate levels of authorisation (clearance)
• Only administrators, not owners, make changes to a resource's security label
• Assigned security level reflects the relative sensitivity, confidentiality, and protection value, of data
11. Bell and La Padula
• Model that focuses on data confidentiality and access to classified information
• Information must not flow from high to low classification:
– No read up: lowly classified entities may not read more highly classified data
– No write down: highly classified entities may not write to more lowly classified files
• Limitations
– Restricted to confidentiality
– Intended for systems with static security levels - no policies for changing access rights
– Sometimes, it is not sufficient to hide only the contents of objects. Their existence may have to be hidden as well, BUT a low subject can detect the existence of high objects when it is denied access
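The two Bell and La Padula rules and the existence-leak limitation above, as an added Python example that is not part of the original deck. It assumes the slide's example labels rank in the order listed, and adds constructed compartments (`NUCLEAR`, `CRYPTO`) to show an ordering that is not linear; `Label`, `read` and the sample store are hypothetical names.

```python
from dataclasses import dataclass

# Assumed ranking of the slide's example labels, lowest to highest.
LEVELS = {"RESTRICTED": 0, "CLASSIFIED": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()  # constructed need-to-know categories

    def dominates(self, other):
        """Partial order: higher-or-equal level AND a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def may_read(subject, obj):
    return subject.dominates(obj)   # no read up


def may_write(subject, obj):
    return obj.dominates(subject)   # no write down


def read(store, subject, name):
    """Naive monitor: 'denied' vs 'not found' reveals that a high object exists."""
    if name not in store:
        return "not found"
    label, data = store[name]
    return data if may_read(subject, label) else "denied"


# Constructed sample subject and objects.
ANALYST = Label("SECRET", frozenset({"NUCLEAR"}))
STORE = {
    "memo": (Label("CLASSIFIED"), "lunch menu"),
    "plan": (Label("TOP SECRET", frozenset({"NUCLEAR"})), "launch plan"),
    "keys": (Label("SECRET", frozenset({"CRYPTO"})), "key schedule"),
}

if __name__ == "__main__":
    for name, (label, _) in STORE.items():
        print(name, may_read(ANALYST, label), may_write(ANALYST, label),
              read(STORE, ANALYST, name))
    print("ghost", read(STORE, ANALYST, "ghost"))
```

The `keys` object is incomparable with the analyst's label, so it can be neither read nor written; a monitor that hides existence would return the same answer for `plan` and `ghost`.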
12. Role-based access control (RBAC)
• Approach to restricting system access to authorised users that reduces the costs
• User has access to an object based on his or her assigned role
– Users change frequently, roles don’t
• Operations on an object are invoked based on permissions
• An object is concerned with the user’s role and not the user
• Roles are
– a collection of users and a collection of permissions
– Arranged in hierarchies
[Figure: users -> (user-role assignment) -> roles -> (role-permission assignment) -> permissions]
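The user-role and role-permission assignments with a role hierarchy, as an added Python example that is not part of the original deck. The policy tables, role names, users and the helper `replace_user` are constructed for illustration.

```python
# Constructed sample policy; role, user and permission names are illustrative.
ROLE_PERMS = {
    "employee": {("timesheet", "submit")},
    "engineer": {("repo", "read"), ("repo", "write")},
    "lead": {("repo", "merge")},
}
# Hierarchy: each role inherits the permissions of the junior roles listed.
ROLE_JUNIORS = {"engineer": {"employee"}, "lead": {"engineer"}}


def effective_roles(assigned):
    """Expand directly assigned roles with everything inherited via the hierarchy."""
    seen, stack = set(), list(assigned)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(ROLE_JUNIORS.get(role, ()))
    return seen


def check(user_roles, user, obj, op):
    """The object is consulted about the user's roles, never the user's identity."""
    roles = effective_roles(user_roles.get(user, ()))
    return any((obj, op) in ROLE_PERMS.get(r, set()) for r in roles)


def replace_user(user_roles, leaver, joiner):
    """Staff turnover touches only the user-role assignment."""
    updated = dict(user_roles)
    updated[joiner] = updated.pop(leaver)
    return updated


USER_ROLES = {"alice": {"lead"}, "bob": {"engineer"}}

if __name__ == "__main__":
    print(check(USER_ROLES, "alice", "timesheet", "submit"))  # inherited
    print(check(USER_ROLES, "bob", "repo", "merge"))
    after = replace_user(USER_ROLES, "bob", "carol")
    print(check(after, "carol", "repo", "write"), check(after, "bob", "repo", "read"))
```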
13. Summary
Today we learned:
• Access control permits or denies the use of a particular resource by a particular entity
• Two dimensions: authentication and authorisation
• Authentication
– User to system
– System to user
• Authorisation
– Discretionary access control
– Mandatory access control
– Role-based access control