Post on 06-Jul-2015
General Issues in Access Control
By: Fadzilawati Binti Kaini (MN131048)
General model of controlling access to objects
[Figure: Subject → Reference Monitor → Object. The arrow from the subject to the reference monitor is labelled "Request for operation"; the arrow from the reference monitor to the object is labelled "Authorized Request".]
The figure presents a simple model of how access control is granted.
• The subject is the entity that requests access to an object.
• The object is the entity or resource being accessed, although the authors emphasize that this is an object in the object-oriented sense of the word.
• The reference monitor is the entity controlling access to the protected object. It grants access and controls the degree of access, as well as possibly managing objects (creation, deletion, etc.).
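The three roles above, worked through as an added example (not code from the slides): a subject never touches an object directly; every operation goes through the reference monitor, which consults an access matrix, denies anything not explicitly granted, manages object creation and deletion, and records each decision. The access-matrix layout, the deny-by-default rule, the audit log and the convention that the creator of an object holds all rights on it are assumptions of this example.

```python
"""Minimal reference monitor in the subject / reference monitor / object model.

Added example, not from the original slides.  The access matrix, the
deny-by-default rule, the audit log and the "creator owns the object"
convention are assumptions made here.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

OPERATIONS = frozenset({"read", "write", "delete"})


@dataclass(frozen=True)
class Subject:
    """The entity that requests access (a user, process or service)."""
    name: str


@dataclass
class Object:
    """The protected resource; reachable only through the monitor."""
    name: str
    data: str = ""


class ReferenceMonitor:
    """Mediates every request, enforces the access matrix, logs decisions."""

    def __init__(self) -> None:
        self.objects: Dict[str, Object] = {}
        # Access matrix: (subject, object) -> permitted operations.
        # A missing entry means "no access", so the default is deny.
        self.acl: Dict[Tuple[str, str], FrozenSet[str]] = {}
        self.audit: List[str] = []

    def _decide(self, subject: Subject, obj_name: str, op: str) -> bool:
        allowed = op in self.acl.get((subject.name, obj_name), frozenset())
        verdict = "ALLOW" if allowed else "DENY"
        self.audit.append(f"{verdict} {subject.name} {op} {obj_name}")
        return allowed

    def grant(self, subject: Subject, obj_name: str, *ops: str) -> None:
        unknown = set(ops) - OPERATIONS
        if unknown:
            raise ValueError(f"unknown operations: {sorted(unknown)}")
        key = (subject.name, obj_name)
        self.acl[key] = self.acl.get(key, frozenset()) | frozenset(ops)

    def revoke(self, subject: Subject, obj_name: str, *ops: str) -> None:
        key = (subject.name, obj_name)
        self.acl[key] = self.acl.get(key, frozenset()) - frozenset(ops)

    def create(self, subject: Subject, obj_name: str, data: str = "") -> Object:
        """Object management by the monitor: the creator gets all rights."""
        if obj_name in self.objects:
            raise FileExistsError(obj_name)
        obj = Object(obj_name, data)
        self.objects[obj_name] = obj
        self.acl[(subject.name, obj_name)] = OPERATIONS
        self.audit.append(f"CREATE {subject.name} {obj_name}")
        return obj

    def request(self, subject: Subject, obj_name: str, op: str,
                payload: str = "") -> Optional[str]:
        """The only path from a subject to an object (complete mediation)."""
        # Decide (and log) first; a missing object is treated like a denial
        # so an unauthorized subject learns nothing about what exists.
        allowed = self._decide(subject, obj_name, op) and obj_name in self.objects
        if not allowed:
            raise PermissionError(f"{subject.name} may not {op} {obj_name}")
        obj = self.objects[obj_name]
        if op == "read":
            return obj.data
        if op == "write":
            obj.data = payload
            return None
        # op == "delete": remove the object and every matrix entry for it, so a
        # later object with the same name does not inherit stale rights.
        del self.objects[obj_name]
        self.acl = {k: v for k, v in self.acl.items() if k[1] != obj_name}
        return None


def demo() -> List[str]:
    """Grant, mediated access and revocation; returns the audit trail."""
    rm = ReferenceMonitor()
    alice, bob = Subject("alice"), Subject("bob")
    rm.create(alice, "payroll.csv", "id,salary\n1,50000")   # constructed data
    rm.grant(bob, "payroll.csv", "read")
    rm.request(bob, "payroll.csv", "read")                   # allowed
    for op in ("write", "read"):
        if op == "read":
            rm.revoke(bob, "payroll.csv", "read")
        try:
            rm.request(bob, "payroll.csv", op, "id,salary\n1,99999")
        except PermissionError:
            pass                                             # denied, logged
    return rm.audit


if __name__ == "__main__":
    print("\n".join(demo()))
```

The point to take from the example is that the object has no method a subject can call; the only entry point is `ReferenceMonitor.request`, which is what makes the monitor's decision authoritative. Revocation takes effect on the next request because the decision is evaluated each time rather than cached.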
The model raises the question “what will we control access to?”: access control has to secure access to both data and functionality.
Example access control issues
• Infiltration/exfiltration of physical property: activities such as bringing removable media in and out of a facility
• Improper termination of an employee’s physical access or access badge
• Unauthorized access to facility: employees entering facilities during unusual hours, or unauthorized employees walking through an open door behind an authorized employee (known as "piggybacking")
• Generally poor physical security: general issues such as insufficient guard oversight or insufficient separation of duties for physical access controls
• Employee used an unauthorized workstation: employees who are able to physically enter another employee’s office/workspace and access their workstation
• Breaking and entering/physical destruction: employees breaking into secure spaces or stealing physical equipment
• Janitorial staff issues: janitorial staff who steal sensitive information or are socially engineered into violating physical security
• Improper disposal or destruction of organization information
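Several of the issues above leave traces in the logs a facility already keeps. As an added example (not from the slides), the checks below run over constructed badge-reader and workstation-logon records and flag three of them: a badge still used after its holder's termination date, entry outside working hours, and a workstation logon by someone with no badge entry that day, which is the indirect signal for piggybacking or for another employee using that workstation. The record formats, the employee directory and the 07:00 to 19:00 working window are assumptions of the example.

```python
"""Checks over constructed physical-access records for issues from the list:
badge use after termination, after-hours entry, and a workstation logon with
no badge entry the same day.  Added example, not from the slides; the record
formats, directory and working window are assumptions."""
from datetime import date, datetime, time
from typing import Dict, List, Optional, Tuple

# Constructed employee directory: badge id -> (user name, termination date).
EMPLOYEES: Dict[str, Tuple[str, Optional[date]]] = {
    "B1001": ("alice", None),
    "B1002": ("bob", date(2015, 6, 30)),   # left on 30 June, badge never revoked
    "B1003": ("carol", None),
}

WORK_START, WORK_END = time(7, 0), time(19, 0)   # assumed working window

# Constructed badge-reader log: "timestamp badge_id door result".
BADGE_LOG = """\
2015-07-06T08:02:11 B1001 main-entrance GRANTED
2015-07-06T08:05:40 B1002 main-entrance GRANTED
2015-07-06T23:41:03 B1003 server-room GRANTED
2015-07-06T09:10:00 B9999 main-entrance DENIED
"""

# Constructed workstation logon log: "timestamp user workstation".
LOGON_LOG = """\
2015-07-06T08:15:22 alice WS-ALICE
2015-07-06T08:20:05 dave WS-DAVE
"""

Issue = Tuple[str, str, str]   # (kind, user, timestamp)


def parse_badge(log: str) -> List[Tuple[datetime, str, str, str]]:
    events = []
    for line in log.splitlines():
        ts, badge, door, result = line.split()
        events.append((datetime.fromisoformat(ts), badge, door, result))
    return events


def parse_logon(log: str) -> List[Tuple[datetime, str, str]]:
    events = []
    for line in log.splitlines():
        ts, user, workstation = line.split()
        events.append((datetime.fromisoformat(ts), user, workstation))
    return events


def find_issues(badge_log: str = BADGE_LOG, logon_log: str = LOGON_LOG) -> List[Issue]:
    issues: List[Issue] = []
    # (day, user) pairs that have at least one granted badge entry.
    entered: set = set()
    for ts, badge, door, result in parse_badge(badge_log):
        if result != "GRANTED":
            continue            # denied attempts are out of scope for these checks
        if badge not in EMPLOYEES:
            issues.append(("unknown-badge-granted", badge, str(ts)))
            continue
        user, terminated = EMPLOYEES[badge]
        entered.add((ts.date(), user))
        if terminated is not None and ts.date() > terminated:
            issues.append(("terminated-badge", user, str(ts)))
        if not (WORK_START <= ts.time() <= WORK_END):
            issues.append(("after-hours", user, str(ts)))
    # A logon inside the building without a badge entry means the person got
    # in some other way, or someone else is sitting at that workstation.
    for ts, user, workstation in parse_logon(logon_log):
        if (ts.date(), user) not in entered:
            issues.append(("logon-without-entry", user, str(ts)))
    return issues


if __name__ == "__main__":
    for kind, who, when in find_issues():
        print(f"{kind:22} {who:8} {when}")
```

Note what the badge log cannot show on its own: a tailgater produces no badge event, so the second person behind an authorized employee is invisible until some later record (here the workstation logon) is correlated with the entry records. The terminated-badge check is only as good as the directory's termination dates, which is why the "improper termination" item on the list is a process failure before it is a detection problem.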