Published by Bertha Parks. Modified over 8 years ago.
22 Feb 2012

What is Access Control?
Access control is the heart of security.
Definitions:
* The ability to allow only authorized users, programs or processes access to a system or resource
* The granting or denying, according to a particular security model, of certain permissions to access a resource
* An entire set of procedures performed by hardware, software and administrators to monitor access, identify users requesting access, record access attempts, and grant or deny access based on pre-established rules

What does AC hope to protect?
* Data - Unauthorized viewing, modification or copying
* System - Unauthorized use, modification or denial of service
It should be noted that nearly every network operating system (NT, Unix, Vines, NetWare) is based on a secure physical infrastructure.

How can AC be implemented?
* Hardware
* Software
* Application
* Protocol (Kerberos, IPSec)
* Physical
* Logical (policies)

Access Control Models
Access control models are created to enforce the rules and objectives of an established security policy and to dictate how subjects can access objects. There are three models that will be covered in this section: discretionary access control (DAC), mandatory access control (MAC), and role-based access control (RBAC).

Discretionary access control (DAC)
A discretionary access control (DAC) model allows the owners of objects (resources) to control who accesses them and what operations can be performed on the objects. For example, if Dan creates a share on his system containing documents and WAV files, he can control and dictate who can access this share and the items within it. This is typically done through access control lists (ACLs), where permission is granted on a need-to-know basis.

DAC systems are used in environments that do not require the structure and higher level of protection that mandatory access control (MAC) models provide and enforce. Operating systems must be built differently depending upon whether they are going to provide DAC or MAC functionality. For example, Windows-based platforms provide a DAC access structure instead of MAC. Specially developed operating systems, usually created for government agencies and the military, provide a MAC access structure and the controls and mechanisms necessary to enforce this level of control.

Some characteristics of DAC systems are the following:
* Access is based entirely on the identity of the user or the role that user plays within the company.
* Data owners determine who can access their resources.
* No security labels are used.
* Usually implemented through access control lists (ACLs).
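
The owner-controlled ACL described above, as an added example that is not part of the original slides. The class name, the operation names ("read", "write", "grant") and the users alice and bob are assumptions made for illustration; Dan and his share come from the slide.

```python
class SharedObject:
    """A resource whose owner decides who may do what (DAC)."""

    def __init__(self, name, owner):
        self.name = name
        self.owner = owner
        # ACL: identity -> permitted operations. The owner starts with full control.
        self.acl = {owner: {"read", "write", "grant"}}

    def grant(self, actor, user, operations):
        # Only an identity holding "grant" (initially just the owner) may edit the ACL.
        if "grant" not in self.acl.get(actor, set()):
            raise PermissionError(f"{actor} may not change the ACL of {self.name}")
        self.acl.setdefault(user, set()).update(operations)

    def revoke(self, actor, user):
        if "grant" not in self.acl.get(actor, set()):
            raise PermissionError(f"{actor} may not change the ACL of {self.name}")
        if user != self.owner:
            self.acl.pop(user, None)

    def is_allowed(self, user, operation):
        # Identity-based lookup with default deny; no security labels involved.
        return operation in self.acl.get(user, set())


def demo():
    share = SharedObject("dan_share", owner="dan")  # constructed sample data
    share.grant("dan", "alice", {"read"})
    results = {
        "alice_read": share.is_allowed("alice", "read"),
        "alice_write": share.is_allowed("alice", "write"),
        "bob_read": share.is_allowed("bob", "read"),
    }
    try:
        share.grant("alice", "bob", {"read"})  # alice is not the owner
        results["alice_can_grant"] = True
    except PermissionError:
        results["alice_can_grant"] = False
    share.revoke("dan", "alice")
    results["alice_read_after_revoke"] = share.is_allowed("alice", "read")
    return results


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check}: {'grant' if allowed else 'deny'}")
```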

Mandatory access control (MAC)
Mandatory access control (MAC) models do not leave access decisions up to the data owner; instead, systems compare the subjects’ clearances and need-to-know to the objects’ classification to either grant or disallow access. Every object has a security label assigned to it, which includes classification information (top secret, secret, etc.). In order to access an object, the subject’s clearance level must be equal to or greater than the object’s classification.

For example, if Dave has a “top secret” clearance, and an object has a “secret” classification, Dave’s clearance dominates the object’s classification. But Dave cannot access all top-secret information within his military branch; his access is also based on his need-to-know. The second piece of a security label is referred to as categories, as shown in Figure 2-5. Categories outline the groups that a subject must have a need-to-know of before access to the object can be granted. If Dave has a need-to-know for one of these categories, and his clearance is equal to or dominates the object’s classification, he can access it.

Security labels contain the resource’s classification and need-to-know categories.

Security labels are the core decision-making component in MAC environments; they are assigned by system administrators or security officers and should be changed only in a well-defined manner so the security policy is supported and enforced. Systems that implement MAC models are used in highly secured environments, such as military or government organizations.
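
The label comparison described above (clearance against classification, then need-to-know categories), as an added example that is not part of the original slides. The four-level ordering, the category names and the sample labels are assumptions; the `require_all` option goes beyond the slides and shows the stricter lattice rule in which the subject must hold every category on the object.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    # Assumed ordering; the slides name only "secret" and "top secret".
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    level: Level
    categories: frozenset = frozenset()  # need-to-know groups


def mac_allows(subject: Label, obj: Label, require_all: bool = False) -> bool:
    """Compare the subject's label with the object's label; owners have no say."""
    if subject.level < obj.level:
        return False  # clearance does not dominate the classification
    if not obj.categories:
        return True  # object carries no need-to-know restriction
    shared = subject.categories & obj.categories
    if require_all:
        # Stricter lattice rule (beyond the slides): every category is required.
        return shared == obj.categories
    return bool(shared)  # the slides' rule: need-to-know for one category


# Constructed labels for illustration.
DAVE = Label(Level.TOP_SECRET, frozenset({"LOGISTICS"}))
SUPPLY_PLAN = Label(Level.SECRET, frozenset({"LOGISTICS", "OPERATIONS"}))
AGENT_LIST = Label(Level.TOP_SECRET, frozenset({"INTELLIGENCE"}))
CLERK = Label(Level.CONFIDENTIAL, frozenset({"LOGISTICS"}))


def decisions():
    return {
        "dave_supply_plan": mac_allows(DAVE, SUPPLY_PLAN),
        "dave_supply_plan_strict": mac_allows(DAVE, SUPPLY_PLAN, require_all=True),
        "dave_agent_list": mac_allows(DAVE, AGENT_LIST),
        "clerk_supply_plan": mac_allows(CLERK, SUPPLY_PLAN),
    }


if __name__ == "__main__":
    for name, allowed in decisions().items():
        print(f"{name}: {'grant' if allowed else 'deny'}")
```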

Role-based access control (RBAC)
Role-based access control (RBAC) models, also called nondiscretionary models, make access decisions based on the rights and permissions assigned to a role or group, not an individual user. Administrators create roles, or groups, which act as containers for users. The administrators assign access rights and permissions to the role instead of directly to the user. The user that is placed into a role or group inherits the permissions and access rights from the role, thus is implicitly assigned access rights.

This kind of model is effective in large companies that have high turnover rates because it allows the administrator to simply place new employees into roles instead of creating new permissions for each and every person who joins the company. Roles usually map to specific roles outlined in the company’s organization chart. For example, if a company has an accounting department, the administrator can create an accounting group with access rights to the resources anyone within the department would need. Users can be assigned to one or more roles and each role can have limited or many access rights and permissions assigned to it. The upper and lower bounds of access are referred to as a lattice of access rights, which is illustrated in Figure 2-6.
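
Roles as containers for users, as an added example that is not part of the original slides. The class, the "auditor" role, the resource names and the users are assumptions for illustration; the accounting role follows the slide's example.

```python
class RoleStore:
    """Permissions attach to roles; users only ever receive roles."""

    def __init__(self):
        self.role_permissions = {}  # role -> set of (resource, action)
        self.user_roles = {}        # user -> set of role names

    def define_role(self, role, permissions):
        self.role_permissions[role] = set(permissions)

    def assign(self, user, role):
        if role not in self.role_permissions:
            raise KeyError(f"unknown role: {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def remove_user(self, user):
        # Offboarding is one operation: there are no per-user permissions to find.
        self.user_roles.pop(user, None)

    def is_allowed(self, user, resource, action):
        # Access is inherited: the union of the permissions of the user's roles.
        return any(
            (resource, action) in self.role_permissions[role]
            for role in self.user_roles.get(user, ())
        )


def demo():
    store = RoleStore()  # constructed sample data below
    store.define_role("accounting", {("ledger", "read"), ("ledger", "write")})
    store.define_role("auditor", {("ledger", "read"), ("audit_log", "read")})
    store.assign("new_hire", "accounting")
    store.assign("senior", "accounting")
    store.assign("senior", "auditor")
    results = {
        "new_hire_ledger_write": store.is_allowed("new_hire", "ledger", "write"),
        "new_hire_audit_log": store.is_allowed("new_hire", "audit_log", "read"),
        "senior_audit_log": store.is_allowed("senior", "audit_log", "read"),
    }
    # Tightening the role changes access for every member at once.
    store.define_role("accounting", {("ledger", "read")})
    results["new_hire_write_after_change"] = store.is_allowed("new_hire", "ledger", "write")
    store.remove_user("senior")
    results["senior_after_leaving"] = store.is_allowed("senior", "ledger", "read")
    return results


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check}: {'grant' if allowed else 'deny'}")
```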