Access Control
Defined as a series of mechanisms that specify what users can do, which resources they can access, and what operations they can perform on a system, and that identify users by verifying their login credentials
It also allows managers of a system to direct or restrain the behaviour, use and content of a system
Three Main Access Control Functions
Identification
A method of establishing the subject's identity (ex: usernames, user IDs, etc.)
The method usually should be non-descriptive of the user's position or task
Authentication
A method of proving the claimed identity of an entity that has previously identified itself
Authorization
A process that determines what level of clearance and access the authenticated user has within the system and to the data that they requested to log into or gain access to
Types of Access Control
Discretionary Access Control (DAC)
A system that uses discretionary access control allows the owner of the resource to specify which subjects can access which resources (access control is at the discretion of the owner of the resource)
Mandatory Access Control (MAC)
Access is based on a security labelling system, meaning users have security clearances and resources have security labels that contain data classifications
This model is used in environments where information classification and confidentiality are very important
Non-Discretionary Role-Based Access Control (RBAC)
Uses a centrally administered set of controls to determine how subjects and objects interact
It is the best-known system for an organization that has a high turnover
Access Control Mechanisms
Takes as input security policies and attempted actions, and outputs an accept or reject response on that action
The security policy that goes into an access control mechanism defines what a subject (an entity that's requesting access) is allowed to do, and/or what may be done with an object (ex: data files, software, hardware, devices, etc. that may contain important data)
Role Based Access Control (RBAC)
RBAC uses a centrally administered set of controls to make access control decisions
In a given organization, subjects can have one or more roles, as well as share roles with other subjects, and these roles come with tasks that they must perform
A subject in a given role requires access to certain objects in order to complete their tasks
Therefore, in this access control method, the role or roles that a subject is assigned matters more in access control decisions than their identity
RBAC is ideal for institutions that experience a lot of churn and internal movements since roles can provide a way to reassign authorization to objects very quickly
Content Dependent Access Control (CDAC)
A method of performing access control based on the type of content contained in an object
Access control decisions are content dependent
Context Based Access Control (CBAC)
An access control method based on the context of a subject's request to an object
This method requires more information in order to make a decision (ex: the subject's identity, the object that they're requesting access to, the object's content type, etc.)
Constrained User Interfaces (CUI)
A method of enforcing access control by constraining the user interface used to get access
This can be done by not allowing certain types of access on the interface, or not including the ability to request certain types of access or objects
Three major types of constrained UIs
Menus and shells
Database views
Physically constrained interfaces
Access Control Matrix (ACM)
A method used to represent permissions and privileges within a system through a table of subjects and objects
Every row represents different subjects
Every column represents different objects
Subjects in a system can also be accessed as objects; for this to be represented, any subject that can be accessed by other subjects must also be listed as an object
Each cell specifies the access rights of that row's subject on that column's object (read, write, execute, append and own)
Cons
ACMs can grow very large very quickly (Solution: ACLs)
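An added example (not part of the original notes) of the mechanism and matrix described above: the matrix is the policy, `check` is the accept/reject decision, and `to_acls` stores the same policy per object to show why ACLs address the size problem. All subject and object names are constructed for illustration.

```python
from collections import defaultdict

RIGHTS = {"read", "write", "execute", "append", "own"}

# Constructed policy. Rows are subjects, columns are objects; empty cells are
# simply absent. "backup_svc" is a subject that is also listed as an object.
ACM = {
    "alice": {"payroll.db": {"own", "read", "write"}, "backup_svc": {"execute"}},
    "bob": {"payroll.db": {"read"}, "audit.log": {"append"}},
    "backup_svc": {"payroll.db": {"read"}, "audit.log": {"append"}},
}

def check(acm, subject, right, obj):
    """Mechanism: policy + attempted action -> accept (True) or reject (False)."""
    if right not in RIGHTS:
        raise ValueError(f"unknown right: {right}")
    # Default deny: an unknown subject or an empty cell grants nothing.
    return right in acm.get(subject, {}).get(obj, set())

def to_acls(acm):
    """Store the matrix by column: one ACL per object, empty cells dropped."""
    acls = defaultdict(dict)
    for subject, row in acm.items():
        for obj, rights in row.items():
            if rights:
                acls[obj][subject] = set(rights)
    return dict(acls)

def check_acl(acls, subject, right, obj):
    """Same decision as check(), answered from the object's ACL."""
    return right in acls.get(obj, {}).get(subject, set())

def dense_cells(acm):
    """Cells a full subjects x objects table would need."""
    objects = {obj for row in acm.values() for obj in row}
    return len(acm) * len(objects)

def stored_entries(acls):
    """Entries actually kept once the policy is stored as ACLs."""
    return sum(len(entries) for entries in acls.values())

if __name__ == "__main__":
    acls = to_acls(ACM)
    print("bob write payroll.db:", check(ACM, "bob", "write", "payroll.db"))
    print("alice execute backup_svc:", check_acl(acls, "alice", "execute", "backup_svc"))
    print("dense cells:", dense_cells(ACM), "ACL entries:", stored_entries(acls))
```
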