Data security authorization and access control
leo-mark-villar
AUTHORIZATION AND ACCESS CONTROL
DATA SECURITY
Identification
Authentication
Authorization
AUTHORIZATION
• Allows us to specify where a party should be allowed or denied access
• Implemented through the use of access controls
• Allowing access means keeping in mind the PRINCIPLE OF LEAST PRIVILEGE
PRINCIPLE OF LEAST PRIVILEGE
• Dictates that we should only allow the bare minimum of access to a party (this might be a person, user account, or process) to allow it to perform the functionality needed of it.
• Example:
  • An employee in the Sales Dept. should not need access to data internal to a human resource system in order to do their job
ACCESS CONTROL
• The selective restriction of access to a place or other resource
• BASIC TASKS
  • Allow access
  • Deny access
  • Limit access
  • Revoke access
ACCESS CONTROL
• ALLOW ACCESS
  • Giving a particular party, or parties, access to a given resource
• DENY ACCESS
  • Preventing access by a given party to the resource in question
• LIMIT ACCESS
  • Allowing some access to a resource but only up to a certain point
• REVOKE ACCESS
  • Taking away access to a resource
ACCESS CONTROL METHODS OF IMPLEMENTATION
• Access Control List (ACL)
• Capability-Based Security
ACCESS CONTROL METHODS USED FOR IMPLEMENTATION
• Access Control List (ACL)
  • Used to control access in the file systems on which operating systems run and to control the flow of traffic in the networks to which a system is attached.
  • Typically built for a specific resource; contains identifiers of the parties allowed to access the resource and what each party is allowed to do in relation to it.
  • Example:
      Alice   Allow
      Bob     Deny
FILE SYSTEM ACL
• Normally seen in file systems in operating systems to provide access to some files and folders.
• PERMISSIONS
  • Read
  • Write
  • Execute
• ACCESS PERMISSION GIVEN TO
  • User
  • Group
  • Others
NETWORK ACL
• IP address
• MAC address
• Ports
  • FTP uses ports 20 and 21 to transfer files
  • Internet Message Access Protocol (IMAP) uses port 143 for managing email
CAPABILITY-BASED SECURITY
• Oriented around the use of a token that controls access
• Based entirely on the possession of the token and not who possesses it
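The two implementation methods above, side by side, as an added example that is not part of the original slides: an ACL check keyed on the party's identity, and a capability check that looks only at the token presented. The names `acl_check` and `CapabilityIssuer`, the sample resource, and the HMAC-signed token format are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample ACL, attached to one resource: party identifier -> decision
ACL = {"payroll.xlsx": {"alice": "allow", "bob": "deny"}}

def acl_check(resource, party):
    """ACL: decision depends on WHO asks. Unlisted parties are denied."""
    return ACL.get(resource, {}).get(party) == "allow"

class CapabilityIssuer:
    """Capability: decision depends only on the token presented."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # signing key never leaves the issuer
        self._revoked = set()

    def _tag(self, body):
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def issue(self, resource, right):
        # Token names one resource and one right (limit access), plus a MAC
        body = f"{resource}|{right}"
        return f"{body}|{self._tag(body)}"

    def revoke(self, token):
        self._revoked.add(token)              # revoke access

    def check(self, token, resource, right):
        # Note there is no 'party' argument: possession is the whole test
        try:
            res, rgt, tag = token.rsplit("|", 2)
        except ValueError:
            return False                      # malformed token
        expected = self._tag(f"{res}|{rgt}")
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            return False                      # forged or altered token
        if token in self._revoked:
            return False
        return (res, rgt) == (resource, right)
```

Because the capability check never asks who is presenting the token, anyone holding a copy gets the access it names, which is why the sketch includes a revocation list and narrow per-right tokens.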
ACCESS CONTROL MODELS
• Discretionary Access Control
• Mandatory Access Control
• Role-Based Access Control
• Attribute-Based Access Control
• Multi-level Access Control
DISCRETIONARY ACCESS CONTROL
• Model of access control based on access determined by the owner of the resource.
• The owner can decide who does and does not have access and what access they are allowed to have
MANDATORY ACCESS CONTROL
• Model of access control in which the owner of the resource does not get to decide who gets to access it; instead, access is decided by a group or individual who has the authority to set access on resources.
• Example:
  • Government organizations, where access to a resource is dictated by the sensitivity label applied to it (secret, top secret, etc.)
ROLE-BASED ACCESS CONTROL
• Model of access control where access is set by an authority responsible for doing so, and access is granted on the basis of the role the individual has.
ATTRIBUTE-BASED ACCESS CONTROL
• Model of access control based on attributes of a person, a resource or the environment
• SUBJECT ATTRIBUTE
  • Attributes that a person possesses
  • Example:
    • “You must be this tall to ride”
    • Captcha – Completely Automated Public Turing Test to Tell Humans and Computers Apart
• RESOURCE ATTRIBUTE
  • Attributes that are related to a particular resource, like an OS or application
  • Example:
    • Software running on a particular OS
    • Web site that works on a certain browser
• ENVIRONMENT ATTRIBUTE
  • Attributes used to enable access controls that operate based on environmental conditions
  • Example:
    • Time attribute
MULTI-LEVEL ACCESS CONTROL
• Model of access control that uses two or more methods to improve security of a resource
• Bell-LaPadula Model
• Biba Model
• Brewer and Nash
PHYSICAL ACCESS CONTROL
• Concerned with controlling the access of individuals and vehicles
• Access of individuals such as in and out of a building or facility.
• TAILGATING occurs when we authenticate to the physical control measure such as a badge and then another person follows directly behind us without authenticating themselves.
• For vehicles: simple barriers, one-way spike strips, fences, rising barriers, automated gates or doors