AUTHORIZATION AND
ACCESS CONTROL
DATA SECURITY
Identification
Authentication
Authorization
AUTHORIZATION
• Allows us to specify where a party should be allowed or
denied access
• Implemented through the use of access controls
• Allowing access means keeping in mind the PRINCIPLE
OF LEAST PRIVILEGE
PRINCIPLE OF LEAST PRIVILEGE
• Dictates that we should only allow the bare minimum of
access to a party – this might be a person, user account,
or process – to allow it to perform the functionality
needed of it.
• Example :
• Employee in Sales Dept. should not need access to data
internal to a human resource system in order to do their
job
ACCESS CONTROL
• The selective restriction of access to a place or other
resource
• BASIC TASKS
• Allow access
• Deny access
• Limit access
• Revoke access
ACCESS CONTROL
• ALLOW ACCESS
• Giving a particular party, or parties, access to a given resource
• DENY ACCESS
• Preventing access by a given party to the resource in question
ACCESS CONTROL
• LIMIT ACCESS
• Allowing some access to a resource but only up to a certain point
• REVOKE ACCESS
• Taking away access to a resource
ACCESS CONTROL METHODS OF
IMPLEMENTATION
• Access Control List ( ACL )
• Capability-Based Security
ACCESS CONTROL METHODS USED FOR
IMPLEMENTATION
• Access Control List ( ACL )
• Used to control access in the file systems on which operating
systems run and to control the flow of traffic in the networks to
which a system is attached.
• Typically built for a specific resource, containing
identifiers of the parties allowed to access the resource and what
each party is allowed to do in relation to it.
• Alice: Allow
• Bob: Deny
FILE SYSTEM ACL
• Normally seen in file systems in operating systems to
provide access to some files and folders.
• PERMISSIONS
• Read
• Write
• Execute
• ACCESS PERMISSION GIVEN TO
• User
• Group
• Others
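The slide's read/write/execute bits for user, group and others can be evaluated as in the following added example (not part of the original slides). It assumes POSIX-style mode bits, uses constructed uid/gid values, and does not model the superuser bypass or extended ACLs; the function names are hypothetical.

```python
import stat

# Bit masks for each permission class; exactly one class applies per request.
CLASS_BITS = {
    "user":   {"r": stat.S_IRUSR, "w": stat.S_IWUSR, "x": stat.S_IXUSR},
    "group":  {"r": stat.S_IRGRP, "w": stat.S_IWGRP, "x": stat.S_IXGRP},
    "others": {"r": stat.S_IROTH, "w": stat.S_IWOTH, "x": stat.S_IXOTH},
}

def permission_class(file_uid, file_gid, uid, gids):
    """Owner match wins, then group membership, otherwise 'others'."""
    if uid == file_uid:
        return "user"
    if file_gid in gids:
        return "group"
    return "others"

def is_allowed(mode, file_uid, file_gid, uid, gids, want):
    """True if every permission in `want` (e.g. "rw") is set for the caller's class.
    The superuser bypass and extended ACLs are deliberately not modelled."""
    bits = CLASS_BITS[permission_class(file_uid, file_gid, uid, gids)]
    return all(mode & bits[p] for p in want)

def least_privilege_findings(mode):
    """Report permissions granted to 'others', the broadest class, for review."""
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("writable by others")
    if mode & stat.S_IROTH:
        findings.append("readable by others")
    return findings

if __name__ == "__main__":
    # Constructed sample: file owned by uid 1000, group 50, mode rw-r-----
    mode = stat.S_IFREG | 0o640
    print(stat.filemode(mode))
    print(is_allowed(mode, 1000, 50, 1001, {50}, "r"))   # group member reads
    print(is_allowed(mode, 1000, 50, 1001, {50}, "w"))   # but cannot write
    print(is_allowed(0o046, 1000, 50, 1000, {50}, "r"))  # owner class has no bits
```

Only one class is consulted per request, so an owner whose own bits are cleared is denied even when "others" would be allowed.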
NETWORK ACL
• IP address
• MAC address
• Ports
• FTP uses ports 20 and 21 to transfer files
• Internet Message Access Protocol (IMAP) uses port 143 for
managing email
CAPABILITY-BASED SECURITY
• Oriented around the use of a token that controls
access
• Based entirely on the possession of the token and not
on who possesses it
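The difference between the two implementation methods, as an added example that is not part of the original slides: the ACL check looks up an identity, while the capability check never asks who is presenting the token. The resource name, the token layout (fields joined with "|") and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed ACL for one resource: party -> allowed actions (empty set = deny).
ACL = {"payroll.xlsx": {"alice": {"read", "write"}, "bob": set()}}

def acl_check(party, resource, action):
    """Identity-based: look the party up in the resource's list; default deny."""
    return action in ACL.get(resource, {}).get(party, set())

SERVER_KEY = secrets.token_bytes(32)   # known only to the issuer
REVOKED = set()                        # token ids that no longer grant access

def _tag(body):
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()

def issue_capability(resource, action):
    """Mint an unforgeable token for one (resource, action) pair.
    Assumes neither field contains the '|' separator."""
    body = f"{secrets.token_hex(8)}|{resource}|{action}"
    return f"{body}|{_tag(body)}"

def capability_check(token, resource, action):
    """Possession-based: there is no party argument, only the token is examined."""
    try:
        token_id, t_res, t_act, tag = token.split("|")
    except ValueError:
        return False
    expected = _tag(f"{token_id}|{t_res}|{t_act}")
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return False                   # forged or altered token
    if token_id in REVOKED:
        return False                   # revoke access: token no longer honoured
    return (t_res, t_act) == (resource, action)

def revoke(token):
    REVOKED.add(token.split("|")[0])

if __name__ == "__main__":
    print(acl_check("bob", "payroll.xlsx", "read"))      # denied by identity
    tok = issue_capability("payroll.xlsx", "read")
    print(capability_check(tok, "payroll.xlsx", "read")) # granted to any holder
    revoke(tok)
    print(capability_check(tok, "payroll.xlsx", "read")) # denied after revocation
```

Because the holder's identity is never consulted, a capability has to be protected in storage and transit like a key, and the issuer needs a way to revoke it.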
ACCESS CONTROL MODELS
• Discretionary Access Control
• Mandatory Access Control
• Role-Based Access Control
• Attribute-Based Access Control
• Multi-level Access Control
DISCRETIONARY ACCESS CONTROL
• Model of access control based on access determined by
the owner of the resource.
• The owner can decide who does and does not have
access and what access they are allowed to have
MANDATORY ACCESS CONTROL
• Model of access control in which the owner of the resource
does not get to decide who gets to access it; instead,
access is decided by a group or individual who has the
authority to set access on resources.
• Example :
• Government organizations where access to a resource is dictated
by the sensitivity label applied to it (secret, top secret, etc.)
ROLE-BASED ACCESS CONTROL
• Model of access control in which access is set by an
authority responsible for doing so, and access is
granted on the basis of the role held by the individual
being granted access.
ATTRIBUTE-BASED ACCESS CONTROL
• Model of access control based on attributes of a person,
a resource or the environment
• SUBJECT ATTRIBUTE
• Attributes that a person possesses
• Example :
• “You must be this tall to ride”
• CAPTCHA – Completely Automated Public Turing Test to Tell Humans
and Computers Apart
• RESOURCE ATTRIBUTE
• Attributes that are related to a particular resource, like an OS or
application
• Example
• Software running on a particular OS
• Web site that works on a certain browser
• ENVIRONMENT ATTRIBUTE
• Attributes used to enable access controls that operate based on
environmental conditions
• Example
• Time attribute
MULTI-LEVEL ACCESS CONTROL
• Model of access control that uses two or more methods
to improve security of a resource
• Bell-LaPadula Model
• Biba Model
• Brewer and Nash
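Combining several of the models above into one decision, as the multi-level slide describes, could look like the following added example (not part of the original slides). It layers a sensitivity-label check, a role check and a time-of-day environment attribute; it is not an implementation of Bell-LaPadula, Biba or Brewer and Nash, and the label ordering, roles, resources and working hours are all assumptions.

```python
from dataclasses import dataclass
from datetime import time

# Assumed ordering of sensitivity labels, lowest to highest.
LEVELS = {"unclassified": 0, "secret": 1, "top secret": 2}

# Assumed role -> permitted (resource, action) pairs, set by an authority.
ROLE_PERMS = {
    "hr_clerk":   {("hr_records", "read")},
    "hr_manager": {("hr_records", "read"), ("hr_records", "write")},
    "sales_rep":  {("crm", "read"), ("crm", "write")},
}

@dataclass
class Subject:
    name: str
    role: str
    clearance: str

def decide(subject, resource, action, label, now, hours=(time(8), time(18))):
    """Return (allowed, reason). Every layer must pass; the first failure wins."""
    # Mandatory layer: the label on the resource, not its owner, decides.
    if LEVELS[subject.clearance] < LEVELS[label]:
        return False, "mac: clearance below label"
    # Role-based layer: the role must carry this exact permission (default deny).
    if (resource, action) not in ROLE_PERMS.get(subject.role, set()):
        return False, "rbac: role lacks permission"
    # Environment attribute: access only inside the permitted time window.
    if not (hours[0] <= now < hours[1]):
        return False, "abac: outside permitted hours"
    return True, "allowed"

if __name__ == "__main__":
    # Constructed subjects for illustration.
    clerk = Subject("dana", "hr_clerk", "secret")
    sales = Subject("eli", "sales_rep", "secret")
    print(decide(clerk, "hr_records", "read", "secret", time(10, 0)))
    print(decide(clerk, "hr_records", "write", "secret", time(10, 0)))
    print(decide(sales, "hr_records", "read", "secret", time(10, 0)))
    print(decide(clerk, "hr_records", "read", "top secret", time(10, 0)))
    print(decide(clerk, "hr_records", "read", "secret", time(22, 0)))
```

The sales representative is refused HR data by the role layer alone, which is the least-privilege example from the earlier slide expressed as policy.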
PHYSICAL ACCESS CONTROL
• Concerned with controlling the access of individuals and
vehicles
• Access of individuals such as in and out of a building or
facility.
• TAILGATING occurs when we authenticate to the
physical control measure such as a badge and then
another person follows directly behind us without
authenticating themselves.
PHYSICAL ACCESS CONTROL
• For vehicles, simple barriers, one-way spike strips,
fences, rising barriers, automated gates or doors
