Information Security Access Control.

Presentation on theme: "Information Security Access Control."— Presentation transcript:

1 Information Security Access Control

2 Two parts to access control
- Authentication: Who goes there?
  - Determine whether access is allowed
  - Authenticate human to machine
  - Authenticate machine to machine
- Authorization: Are you allowed to do that?
  - Once you have access, what can you do?
  - Enforces limits on actions
- Note: Access control often used as synonym for authorization
7/14/2015

3 How to authenticate a human to a machine?
Can be based on…
- Something you know (for example, a password)
- Something you have (for example, a smartcard)
- Something you are (for example, your fingerprint)

4 Common Methods
Passwords
Lots of things act as passwords!
- PIN
- Social security number
- Mother’s maiden name
- Date of birth
- Name of your pet, etc.

5 Why Password?
Why is “something you know” more popular than “something you have” and “something you are”?
- Cost: passwords are free
- Convenience: easier for SA to reset pwd than to issue user a new thumb

6 Keys vs Password
Crypto keys
- Suppose key is 64 bits
- Then 2^64 keys
- Choose key at random
- Then attacker must try about 2^63 keys
Passwords
- Suppose passwords are 8 characters, and 256 different characters
- Then 256^8 = 2^64 passwords
- Users do not select passwords at random
- Attacker has far less than 2^63 passwords to try (dictionary attack)

7 Good and Bad Password
Bad passwords
- frank
- Fido
- password
- 4444
- Pikachu
- 102560
- AustinStamp
Good Passwords?
- jfIej,43j-EmmL+y
- P0kem0N
- FSa7Yago
- 0nceuP0nAt1m8
- PokeGCTall150

8 Three groups of users: each group advised to select passwords as follows
- Group A: At least 6 chars, 1 non-letter
- Group B: Password based on passphrase
- Group C: 8 random characters
Results
- Group A: About 30% of pwds easy to crack
- Group B: About 10% cracked; passwords easy to remember
- Group C: About 10% cracked; passwords hard to remember

9 Biometrics seen as desirable replacement for passwords
- Cheap and reliable biometrics needed
  - Today, a very active area of research
- Biometrics are used in security today
  - Thumbprint mouse
  - Palm print for secure entry
  - Fingerprint to unlock car door, etc.
- But biometrics not too popular
  - Has not lived up to its promise (yet)

10 Ideal Biometric
- Universal: applies to (almost) everyone
  - In reality, no biometric applies to everyone
- Distinguishing: distinguish with certainty
  - In reality, cannot hope for 100% certainty
- Permanent: physical characteristic being measured never changes
  - In reality, want it to remain valid for a long time
- Collectable: easy to collect required data
  - Depends on whether subjects are cooperative
- Safe, easy to use, etc., etc.

11 Biometric Modes
- Identification: Who goes there?
  - Compare one to many
  - Example: The FBI fingerprint database
- Authentication: Is that really you?
  - Compare one to one
  - Example: Thumbprint mouse
- Identification problem more difficult
  - More “random” matches since more comparisons
- We are interested in authentication

12 2-Factor Authentication
Requires 2 out of 3 of
- Something you know
- Something you have
- Something you are
Examples
- ATM: Card and PIN
- Credit card: Card and signature
- Password generator: Device and PIN
- Smartcard with password/PIN

13 Authorization
- Authentication: Who goes there?
  - Restrictions on who (or what) can access system
- Authorization: Are you allowed to do that?
  - Restrictions on actions of authenticated users
- Authorization is a form of access control
- Authorization enforced by
  - Access Control Lists
  - Capabilities

14 Access Control Matrix
- Subjects (users) index the rows
- Objects (resources) index the columns
[Table: rows are Bob, Alice, Sam and Accounting program; columns are OS, Accounting program, Accounting data, Insurance data and Payroll data; cells hold rights such as rx, r, ---, rw and rwx]
Legend: r = Read, x = Execute, w = Write

15 Access Control Models: Three Main Types
- Discretionary
- Mandatory
- Non-Discretionary (Role Based)

16 Discretionary Access Control (DAC)
A system that uses discretionary access control allows the owner of the resource to specify which subjects can access which resources. Access control is at the discretion of the owner.
All references are from All in One Book (Shon Harris, 2005)
A system that uses discretionary access control (DAC) enables the owner of the resource to specify which subjects can access specific resources. This model is called discretionary because the control of access is based on the discretion of the owner. (162) Data owners decide who has access to resources and ACLs are used to enforce the security policy. (166) DAC systems grant or deny access based on the identity of the subject. The identity can be a user identity or group membership. (163) The most common implementation of DAC is through ACLs, which are dictated and set by the owners and enforced by the operating system. (162) This does not lend itself to a centrally controlled environment and can make a user’s ability to access information dynamic versus the more static role of mandatory access control. (162) When you look at the properties of a file or directory and you see the choices that allow you to control which users can have access to this resource and to what degree, you are witnessing an instance of ACLs enforcing a DAC model. (162) DACs can be applied to both the directory tree structure and the files it contains. (162)

17 Mandatory Access Control (MAC)
Access control is based on a security labeling system. Users have security clearances and resources have security labels that contain data classifications. This model is used in environments where information classification and confidentiality is very important (e.g., the military).
All references are from All in One Book (Shon Harris, 2005)
In a mandatory access control (MAC) model, users and data owners do not have as much freedom to determine who can access files. (163) Operating systems enforce the system’s security policy through the use of security labels. (166) In MAC implementations, the system makes access decisions by comparing the subject’s clearance and need-to-know level to that of the security label. (165) This type of model is used in environments where information classification and confidentiality is of utmost importance, such as a military installation. (163) The operating system makes the final decision and can override the user’s wishes. (163) MAC uses a security label system. Users have clearances and resources have security labels that contain data classifications. MAC compares these two attributes to determine access control capabilities. (218) Users are given a security clearance and data is classified the same way. Users have access to data classified equal and lesser than their own status. (163) Security labels are attached to all objects; thus, every file, directory, and device has its own security label with its classification information. (163) The terms “security labels” and “sensitivity labels” can be used interchangeably. (163) When a MAC model is being used, every subject and object must have a sensitivity label. (164) The sensitivity label contains a classification and different categories. (164) The classification indicates the sensitivity label, and the categories enforce need-to-know rules. (164) Classifications are hierarchical, categories are not. (164)
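The label comparison described in the notes above, as an added example that is not part of the original slides. The level names, their ordering and the sample labels are constructed for illustration.

```python
from dataclasses import dataclass

# Hierarchical classifications, lowest to highest (assumed sample ordering).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

@dataclass(frozen=True)
class Label:
    """Sensitivity label: one classification plus a set of categories."""
    classification: str
    categories: frozenset = frozenset()

    def dominates(self, other):
        # Level must be equal or higher AND every category must be held.
        return (LEVELS[self.classification] >= LEVELS[other.classification]
                and self.categories >= other.categories)

def can_read(clearance, object_label):
    # The system decides from the two labels; the data owner has no say.
    return clearance.dominates(object_label)

def explain(clearance, object_label):
    """Return the reasons a read is refused, or ['granted']."""
    reasons = []
    if LEVELS[clearance.classification] < LEVELS[object_label.classification]:
        reasons.append("clearance below classification")
    missing = object_label.categories - clearance.categories
    if missing:
        reasons.append("no need-to-know for " + ", ".join(sorted(missing)))
    return reasons or ["granted"]

# Constructed sample subjects and objects.
ANALYST = Label("secret", frozenset({"payroll"}))
GENERAL = Label("top secret")  # highest level, but no categories
PAY_FILE = Label("confidential", frozenset({"payroll"}))
CLAIMS_FILE = Label("secret", frozenset({"insurance"}))
PLANS_FILE = Label("top secret")
```

A higher classification alone does not grant access: `GENERAL` cannot read `PAY_FILE` because categories are not hierarchical.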

18 Non-Discretionary (Role Based) Access Control Models
Role Based Access Control (RBAC) uses a centrally administered set of controls to determine how subjects and objects interact. Is the best system for an organization that has high turnover.
All references are from All in One Book (Shon Harris, 2005)
A role-based access control (RBAC) model, also called nondiscretionary access control, uses a centrally administered set of controls to determine how subjects and objects interact. (165) This type of model allows access to resources to be based on the role the user holds within the company. (165) It is referred to as nondiscretionary because assigning a user to a role is unavoidably imposed. (165) The RBAC approach simplifies access control administration by allowing permissions to be managed in terms of user job roles. (165) A role is defined in terms of the operations and tasks that the role will need to carry out. (165) Introducing roles also introduces the difference between rights being assigned explicitly and implicitly. If rights and permissions are assigned explicitly, it indicates that they are assigned to a specific individual. (165) If rights are assigned implicitly, it indicates that they are assigned to a role or group and the user inherits those attributes. (165) An RBAC is the best system for a company that has high employee turnover. (165)

19 Access Control Techniques
There are a number of different access controls and technologies available to support the different models.
- Rule Based Access Control
- Constrained User Interfaces
- Access Control Matrix
- Content Dependent Access Control
- Context Dependent Access Control

20 Rule Based Access Control
Uses specific rules that indicate what can and cannot happen between a subject and an object. Not necessarily identity based. Traditionally, rule based access control has been used in MAC systems as an enforcement mechanism.
All references are from All in One Book (Shon Harris, 2005)
Rule based access control uses specific rules that indicate what can and cannot happen between a subject and an object. (167) Before a subject can access an object in a certain circumstance, it must meet a set of predefined rules. (167) Rule based access control is not necessarily identity based: rules apply to all users across the board, no matter what their identity is. (The DAC model is identity based). (167) Traditionally, rule based access control has been used in MAC systems as an enforcement mechanism of the complex rules of access that MAC systems provide; today, rule based access is used in other types of systems and applications as well (e.g., routers and firewalls). (167)

21 Constrained User Interfaces
Restrict user’s access abilities by not allowing them certain types of access or the ability to request certain functions or information.
Three major types
- Menus and Shells: The screen only displays the menu options that the subject is allowed to access
- Database Views: The system only allows the subject to view the database which it is allowed to see
- Physically Constrained Interfaces: The system only provides certain keys on a keypad or certain touch buttons on a screen that the subject is allowed to access
All references are from All in One Book (Shon Harris, 2005)
Constrained user interfaces restrict users’ access abilities by not allowing them to request certain functions or information, or to have access to specific system resources. (168) Limits the user’s environment within the system, thus limiting access to objects. (172) There are three major types of restricted interfaces: (168) Menus and shells: The options that a user is given are the commands that they can execute. (168) A shell is a type of virtual environment within a system; it is the user’s interface to the operating system and works as a command interpreter. (168) Database views: Are mechanisms used to restrict user access to data that is contained in the database. (168) Physically constrained interfaces: Can be implemented by providing only certain keys on a keypad or certain touch buttons on a screen (e.g., ATM machine views). (169)

22 Access Control Matrix
Is a table of subjects and objects indicating what actions individual subjects can take upon individual objects.
Two types
- Capability Table (bound to a subject)
- Access Control List (bound to an object)
All references are from All in One Book (Shon Harris, 2005)
An access control matrix is a table of subjects and objects indicating what actions individual subjects can take upon individual objects. (169) Matrices are data structures that programmers implement as table lookups that will be used and enforced by the operating system. (169) Capability table: Specifies the access rights a certain subject possesses pertaining to certain objects. (169) Bound to a subject and indicates what objects that subject can access. (172) Is different from an ACL because the subject is bound to the capability table, whereas the object is bound to the ACL. (169) The capability corresponds to the subject’s row in the access control matrix. (169) A capability can be in the form of a token, ticket, or key. (169) A capability component is a data structure that contains a unique object identifier and access rights the subject has to that object. (169) See Table 4-1, pg. 169. Access Control List (ACL): Lists of subjects that are authorized to access a specific object and they define what level of authorization is granted. Authorization can be specified to an individual or group. (170) ACLs map values from the access control matrix to the object. (170) Capability = row in matrix; ACL = column in matrix.

23 Access Control Lists (ACLs)
- ACL: store access control matrix by column
- Example: ACL for insurance data is in blue
[Table: access control matrix with rows Bob, Alice, Sam and Accounting program and columns OS, Accounting program, Accounting data, Insurance data and Payroll data; cells hold rights such as rx, r, ---, rw and rwx]

24 Capabilities (or C-Lists)
- Store access control matrix by row
- Example: Capability for Alice is in red
[Table: access control matrix with rows Bob, Alice, Sam and Accounting program and columns OS, Accounting program, Accounting data, Insurance data and Payroll data; cells hold rights such as rx, r, ---, rw and rwx]

25 ACLs vs Capabilities
[Figure: two diagrams, labelled Access Control List and Capability, linking Alice, Bob and Fred to file1, file2 and file3 with rights such as ---, r, w and rw]
- Note that arrows point in opposite directions!
- With ACLs, still need to associate users to files
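The column and row storage from slides 22 to 25, as an added example that is not part of the original presentation. Subject and object names come from the slides; the rights placed in each cell are constructed sample values.

```python
# Constructed sample matrix ("" stands for the "---" cell).
OBJECTS = ["OS", "Accounting program", "Accounting data", "Insurance data", "Payroll data"]
ROWS = {
    "Bob":                ["rx",  "rx",  "r",  "",   ""],
    "Alice":              ["rx",  "rx",  "r",  "rw", "rw"],
    "Sam":                ["rwx", "rwx", "r",  "rw", "rw"],
    "Accounting program": ["rx",  "rx",  "rw", "rw", "rw"],
}
MATRIX = {s: dict(zip(OBJECTS, cells)) for s, cells in ROWS.items()}

def to_acls(matrix):
    """Store the matrix by column: object -> {subject: rights}."""
    acls = {}
    for subject, row in matrix.items():
        for obj, rights in row.items():
            if rights:  # empty cells are not stored
                acls.setdefault(obj, {})[subject] = rights
    return acls

def to_capabilities(matrix):
    """Store the matrix by row: subject -> {object: rights}."""
    return {s: {o: r for o, r in row.items() if r} for s, row in matrix.items()}

def allowed_by_acl(acls, subject, obj, right):
    # Start from the object and look for the subject in its list.
    return right in acls.get(obj, {}).get(subject, "")

def allowed_by_capability(caps, subject, obj, right):
    # Start from the subject and look for the object in its list.
    return right in caps.get(subject, {}).get(obj, "")

def subjects_with(acls, caps, obj, right):
    """'Who can <right> this object?' answered from each store.
    Returns (answer, lists read via ACLs, lists read via capabilities)."""
    answer = sorted(s for s, r in acls.get(obj, {}).items() if right in r)
    scanned = sorted(s for s, c in caps.items() if right in c.get(obj, ""))
    assert answer == scanned  # both stores encode the same matrix
    return answer, 1, len(caps)

def objects_for(acls, caps, subject, right):
    """'What can this subject <right>?' is the mirror image: one capability
    list versus a scan of every ACL."""
    answer = sorted(o for o, r in caps.get(subject, {}).items() if right in r)
    scanned = sorted(o for o, a in acls.items() if right in a.get(subject, ""))
    assert answer == scanned
    return answer, len(acls), 1

ACLS, CAPS = to_acls(MATRIX), to_capabilities(MATRIX)
```

Both stores give the same decision for every cell; they differ in which review question is one lookup and which needs a scan of every list.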

26 Content Dependent Access Control: Access to an object is determined by the content within the object. For example, a manager has access to a payroll database, but it will only allow access to the records that pertain to his/her own employees, not others.
All references are from All in One Book (Shon Harris, 2005)
Content Dependent Access Control (170) With content based access control, access to objects is determined by the content within the object. (170) Bases access decisions on the sensitivity of the data, not solely on subject’s identity. (172) This is often used in databases. E.g., the content of the database fields dictates which users can see specific information within the database tables. (170) Content dependent filtering is used when corporations employ filters that look for specific strings, such as “confidential,” “SSN,” “top secret,” etc. (170) Context based access control differs from content dependent access control in that it makes access decisions based on the context of a collection of information rather than on the sensitivity of the data. (171) Bases access decisions on the state of the situation, not solely on identity or content sensitivity. (172) A system that is using context dependent access control “reviews the situation” and then makes a decision. (171) For example, firewalls make context based decisions when they collect state information on a packet before allowing it into the network. (171) A stateful firewall understands the necessary steps of communication for specific protocols. (171) Stateful: Something that understands the necessary steps of a dialog session. Is an example of context dependent access control. (171)

27 Context Based Access Control: Makes access decision based on the context of a collection of information rather than content within an object. Context-based access control (CBAC) is a feature of firewall software, which intelligently filters TCP and UDP packets based on application layer protocol session information. It can be used for intranets, extranets and internets.
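Content dependent and context dependent decisions side by side, as an added example that is not part of the original slides. The payroll rows, addresses, flag strings and the simplified TCP state names are all constructed for illustration.

```python
# Content dependent: the decision reads a field inside each record.
PAYROLL = [  # constructed sample rows
    {"employee": "emp1", "manager": "mgrA", "salary": 100},
    {"employee": "emp2", "manager": "mgrB", "salary": 120},
    {"employee": "emp3", "manager": "mgrA", "salary": 90},
]

def visible_rows(manager, rows=PAYROLL):
    """A manager sees only the records of his/her own employees."""
    return [r for r in rows if r["manager"] == manager]

# Context dependent: the decision reads session state, not the packet alone.
class StatefulFilter:
    """Simplified TCP tracker: inbound traffic is allowed only as the next
    step of a dialog that an inside host started."""

    def __init__(self):
        # (inside_ip, inside_port, outside_ip, outside_port) -> state
        self.state = {}

    def outbound(self, src, sport, dst, dport, flags):
        key = (src, sport, dst, dport)
        if flags == "SYN":
            self.state[key] = "SYN_SENT"
        elif flags == "ACK" and self.state.get(key) == "SYN_ACK_SEEN":
            self.state[key] = "ESTABLISHED"
        elif flags in ("FIN", "RST"):
            self.state.pop(key, None)
        return True  # this sketch does not restrict outbound traffic

    def inbound(self, src, sport, dst, dport, flags):
        key = (dst, dport, src, sport)
        st = self.state.get(key)
        if st == "SYN_SENT" and flags == "SYN-ACK":
            self.state[key] = "SYN_ACK_SEEN"
            return True
        return st == "ESTABLISHED" and flags in ("ACK", "PSH-ACK")

def demo():
    fw = StatefulFilter()
    inside, outside = ("10.0.0.7", 50000), ("203.0.113.5", 443)
    before = fw.inbound(*outside, *inside, "SYN-ACK")  # no session yet
    fw.outbound(*inside, *outside, "SYN")
    after = fw.inbound(*outside, *inside, "SYN-ACK")   # same packet, step 2
    early = fw.inbound(*outside, *inside, "PSH-ACK")   # handshake unfinished
    fw.outbound(*inside, *outside, "ACK")
    data = fw.inbound(*outside, *inside, "PSH-ACK")    # established dialog
    return before, after, early, data
```

The identical SYN-ACK packet is refused before the outbound SYN and accepted after it, which is the "reviews the situation" behaviour the notes attribute to a stateful firewall.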

