Access Control - Lect 1 - Introduction

Access control is a critical aspect of information security that restricts access to resources to prevent unauthorized modifications or disclosures. It involves identification, authentication, authorization, and accountability, utilizing various models and techniques such as Discretionary Access Control (DAC) and Role-Based Access Control (RBAC). Additionally, access control monitoring and awareness of potential threats like dictionary attacks and identity theft are essential for maintaining security.

Uploaded by aditi.pandey

UNIT 1

ACCESS CONTROL - INTRODUCTION

ACCESS CONTROL

• Important aspect of information security: controlling how resources are accessed so that they can be protected from unauthorized modification or disclosure.
• It is a selective restriction of access to resources.
• Controls can be physical, technical or administrative in nature.
• Remember how access control and concurrent access are maintained in a database system.
• Access control concepts are now moving from host-centric to network-centric, and from basic read/write to higher-level operations.
Terminologies

Subject
• Active entity that requires access to an object.
• It can be a running process or a program in execution.

Object
• Passive entity that contains information.
• E.g. a file, a record in a database, a network printer, etc.

Access
• Flow of information between subject and object.

Reference monitor
• Checks the access control rules for a specific access.

User
• Human being or some programmable agent.
• User information is encapsulated in an account, referred to as a profile, which contains attributes describing name, serial number, etc.
• Users are unique in the underlying namespace.
Access control can be implemented at different levels:
✓ Application level
✓ Middleware (DB)
✓ OS
✓ Hardware

At the hardware level:
• Policy: protect the OS from applications; protect one application from others; prevent one application hogging the system.
• Mechanisms (used by the operating system): paging unit, privilege rings, interrupts.

Policy and mechanisms:
• Only authorized users should be able to use the system (user authentication).
• One user's files should be protected from other users (access control).
• A process should be protected from others (paging).
• Fair allocation of resources without starvation (scheduling / deadlock prevention).

Most operating systems use DAC; SELinux uses MAC.


Access control involves

Identification
• Describes the method of ensuring a subject is the entity it claims to be.
• User name, account number, etc.

Authentication
• Authenticates the identification and requires a second piece of information such as a password, key, PIN, etc.

Authorization
• The security system looks up the privileges and rights the entity has, using some access control technique, and authorizes the subject.

Accountability
• After authorization the subject is accountable for the actions it takes.
• It is done by uniquely identifying the subject and recording its actions.
IDENTIFICATION AND AUTHENTICATION

What?
• Establishing a user's identity.

How?
• Users are assigned identities from the naming space of the authentication system.
• The user produces a secret to the computing system, which verifies it by:
  • Authentication by ownership (what he has?): tokens like a credit card or smart card.
  • Authentication by knowledge (what he knows?): PIN, password.
  • Authentication by characteristics (what he is?): fingerprint, face recognition.

Multiple-factor authentication
• Uses more than one factor (from the above) for authentication.
  • ATM: card (token) and PIN (secret information).
• Using one factor multiple times:
  • Password and OTP (secret information).
  • Profile password and transaction password.
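The two-factor check described above (something the user knows plus something the user has), as an added example that is not code from the slides. The account store, the hypothetical `login()` and `hotp()` helpers and the token seed are constructed for the demo; the seed is the RFC 4226 reference seed, and the one-time code is computed with HOTP exactly as that RFC specifies.

```python
"""Two-factor login check: something the user knows (a password) plus
something the user has (a one-time code from a token). Added example, not
code from the slides; account data, helper names and the seed are
constructed for the demo."""
import hashlib
import hmac
import os

# Constructed demo seed: the RFC 4226 reference seed. In a real deployment it
# lives inside the user's hardware or phone token and in the server's store.
HOTP_SEED = b"12345678901234567890"
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2: each dictionary guess costs PBKDF2_ROUNDS of SHA-256,
    which is what slows an offline dictionary attack on a leaked store."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a `digits`-digit decimal code."""
    mac = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Account:
    """One user profile: name, salted password hash, token seed, counter."""
    def __init__(self, name: str, password: str, seed: bytes):
        self.name = name
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        self.seed = seed
        self.counter = 0  # next token counter the server expects


# Constructed user store with a single account.
USERS = {"alice": Account("alice", "correct horse battery staple", HOTP_SEED)}


def login(name: str, password: str, otp: str, look_ahead: int = 3) -> bool:
    """Return True only when BOTH factors verify.

    Both factors are always evaluated so the answer does not reveal which one
    failed; comparisons are constant-time; an accepted code advances the
    counter so the same code can never be replayed; a small look-ahead window
    tolerates a token that was pressed a few times without logging in."""
    acct = USERS.get(name)
    if acct is None:
        hash_password(password, b"\0" * 16)  # keep timing uniform for unknown users
        return False
    pw_ok = hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash)
    matched = None
    for c in range(acct.counter, acct.counter + look_ahead):
        if hmac.compare_digest(hotp(acct.seed, c), otp):
            matched = c
            break
    if pw_ok and matched is not None:
        acct.counter = matched + 1  # consume the code
        return True
    return False
```

The replay check is the part worth noticing: a code that was already accepted is rejected on the second attempt even with the correct password, and a correct code presented with a wrong password does not advance the counter, so it cannot be used to burn through a legitimate user's window.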
AUTHORIZATION

Authorization
• By authentication the individual proves to the system that he is who he claims to be. Now the system must establish whether the user is authorized to access a particular resource.

Access criteria
• Can be enforced by roles, groups, location, time and transaction types.

Access control models
• Framework that dictates how subjects access objects.
• Discretionary Access Control (DAC)
• Mandatory Access Control (MAC)
• Role-Based Access Control (RBAC)

Access control techniques
• Access control matrix
• Access control list
• Capability table
• Rule-based access
• Content-based access
• Context-based access
• Restricted interface
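The matrix, ACL and capability techniques listed above are three views of one structure, and the reference monitor from the terminology slide is what consults it. The following added example (not the slides' code) builds a sparse access control matrix, derives an ACL as one column and a capability list as one row, adds a DAC grant that only an owner may perform, layers RBAC on top, and logs every decision for accountability. Subjects, objects, roles and the function names are constructed for the demo.

```python
"""A reference monitor over an access control matrix, showing the same rights
as ACLs (one per object) and capability lists (one per subject), a DAC grant
by an owner, and RBAC granting rights via roles. Added example, not the
slides' code; subjects, objects, roles and function names are constructed."""

# Access control matrix in sparse form: (subject, object) -> set of rights.
# A missing cell means no rights at all (default deny).
MATRIX = {
    ("alice", "payroll.db"): {"own", "read", "write"},
    ("bob",   "payroll.db"): {"read"},
    ("bob",   "printer1"):   {"print"},
    ("audit", "payroll.db"): {"read"},
}

# RBAC: subjects hold rights only through the roles they are assigned.
ROLE_PERMS = {
    "payroll_clerk": {("payroll.db", "read"), ("payroll.db", "write")},
    "auditor":       {("payroll.db", "read")},
}
USER_ROLES = {"carol": {"auditor"}, "dave": set()}

AUDIT_LOG = []  # every decision is recorded: this is the accountability hook


def acl(matrix, obj):
    """One column of the matrix: which subjects may do what to `obj`."""
    return {s: set(r) for (s, o), r in matrix.items() if o == obj}


def capabilities(matrix, subject):
    """One row of the matrix: what `subject` may do to which objects."""
    return {o: set(r) for (s, o), r in matrix.items() if s == subject}


def rbac_allows(user, obj, right):
    """True if any role held by `user` carries (obj, right)."""
    roles = USER_ROLES.get(user, set())
    return any((obj, right) in ROLE_PERMS.get(role, set()) for role in roles)


def dac_grant(granter, grantee, obj, right):
    """Discretionary control: only a subject holding 'own' on the object may
    hand a right to another subject. Returns False if the granter may not."""
    if "own" not in MATRIX.get((granter, obj), set()):
        return False
    MATRIX.setdefault((grantee, obj), set()).add(right)
    return True


def reference_monitor(subject, obj, right):
    """Mediate every access: allow only if the matrix cell or a role grants
    the right, and log the decision against the uniquely identified subject."""
    allowed = right in MATRIX.get((subject, obj), set()) or rbac_allows(subject, obj, right)
    AUDIT_LOG.append((subject, obj, right, "ALLOW" if allowed else "DENY"))
    return allowed
```

Note that `acl()` and `capabilities()` return copies, so nothing can change the matrix except through `dac_grant()`, and that the monitor logs denials as well as allows: a burst of DENY records for one subject is exactly what the monitoring slide later asks you to watch for.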
ACCOUNTABILITY

Accountability
• After authorization the subject is accountable for the actions it takes.
• It is done by uniquely identifying the subject and recording its actions.

Auditing
• Analyzing the security events for potential breaches.

Techniques
• SIEM
• Log management
• Keystroke monitoring
TRUST

[Figure: "Trust paradigm in computing" (image: https://pbs.twimg.com/media/DECbOiNVwAASwk8?format=jpg&name=4096x4096); labels recoverable from the slide: Proof, Possession]

Trust and Assurance
• Trusting an entity means having prior knowledge of that entity's expected behavior.
• Level of assurance is the level of confidence in confirming the expected behavior.

Proof of Possession (POP)
• While performing the authentication, the entity presents information that only that entity is able to provide. By verifying it, trust in the entity is established.

Identity trust establishment mechanisms are:
• A third-party approach like Kerberos.
• Public key infrastructure.
• Web-of-Trust model:
  • If entity A trusts entity B, it also trusts entities presented to it by B.
  • Modeled as a directed graph.
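The Web-of-Trust rule just stated, carried out on an actual directed graph as an added example (not the slides' code). The trust edges, the entity names and the hypothetical `trusted()` / `trust_set()` helpers are constructed for the demo; it goes slightly beyond the slide by adding a hop limit, since in practice unbounded transitive trust lets one careless introducer vouch for everyone.

```python
"""Web-of-trust as a directed graph: A trusts B and also trusts whoever B
introduces, up to a hop limit. Added example, not the slides' code; the
graph and the helper names are constructed for the demo."""
from collections import deque

# Constructed trust edges: TRUSTS["a"] == {"b"} means a directly trusts b.
# Edges are directed: alice -> bob does not give bob -> alice.
TRUSTS = {
    "alice":   {"bob"},
    "bob":     {"carol", "dave"},
    "carol":   {"erin"},
    "dave":    set(),
    "erin":    {"alice"},
    "mallory": {"alice"},   # mallory trusts alice; nobody has vouched for mallory
}


def trusted(graph, truster, target, max_hops=None):
    """Return the shortest introduction chain from `truster` to `target`, or
    None if no chain exists within `max_hops` introductions (breadth-first
    search, so the first chain found is the shortest)."""
    if truster == target:
        return [truster]
    queue = deque([(truster, [truster])])
    seen = {truster}
    while queue:
        node, path = queue.popleft()
        if max_hops is not None and len(path) - 1 >= max_hops:
            continue  # this chain has used up its hop budget
        for nxt in graph.get(node, ()):
            if nxt in seen:
                continue
            new_path = path + [nxt]
            if nxt == target:
                return new_path
            seen.add(nxt)
            queue.append((nxt, new_path))
    return None


def trust_set(graph, truster, max_hops=None):
    """Every entity `truster` ends up trusting transitively (excluding itself)."""
    return {t for t in graph if t != truster and trusted(graph, truster, t, max_hops)}
```

The returned chain is the evidence a verifier would want to inspect: it names every introducer whose judgement the decision rests on, and the hop limit bounds how far one bad introduction can propagate.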
Access control monitoring
• Keeping track of who attempts access to specific resources.
• Uses:
  • Intrusion Detection System (IDS)
  • Intrusion Prevention System (IPS)

Threats to Access Control
• Dictionary attacks
• Brute force attacks
• Phishing & pharming
• Identity theft (masquerading)
  • An entity assumes another entity's identity without consent.
• Delegation
  • Two entities are present and each is aware of the other's presence (with the consent of the other).
  • E.g. Kerberos delegation
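Monitoring and the dictionary / brute-force threats above meet in the audit trail: the accountability records are where repeated failed attempts become visible. The following added example (not the slides' code) runs two detection rules over constructed authentication log lines: many failures against one account in a short window, and one source failing against many different accounts in a short window (the brute-force variant usually called password spraying). The log format, the sample lines and the `detect_*` helper names are constructed for the demo.

```python
"""Detection over authentication audit records: flag accounts hit by many
failures in a short window (dictionary / brute force) and sources that fail
against many accounts in a short window. Added example, not the slides'
code; the log format, sample lines and helper names are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit lines: "<iso-time> auth <OK|FAIL> user=<name> src=<ip>"
SAMPLE_LOG = """\
2024-05-01T09:00:01 auth FAIL user=alice src=10.0.0.5
2024-05-01T09:00:03 auth FAIL user=alice src=10.0.0.5
2024-05-01T09:00:05 auth FAIL user=alice src=10.0.0.5
2024-05-01T09:00:07 auth FAIL user=alice src=10.0.0.5
2024-05-01T09:00:09 auth FAIL user=alice src=10.0.0.5
2024-05-01T09:00:11 auth OK   user=alice src=10.0.0.5
2024-05-01T09:30:00 auth FAIL user=bob   src=192.0.2.9
2024-05-01T09:30:01 auth FAIL user=carol src=192.0.2.9
2024-05-01T09:30:02 auth FAIL user=dave  src=192.0.2.9
2024-05-01T09:30:03 auth FAIL user=erin  src=192.0.2.9
2024-05-01T11:00:00 auth FAIL user=bob   src=10.0.0.7
2024-05-01T12:00:00 auth OK   user=bob   src=10.0.0.7
"""

LINE = re.compile(r"^(\S+) auth (OK|FAIL)\s+user=(\S+)\s+src=(\S+)$")


def parse(log):
    """Return [(timestamp, result, user, src)], skipping malformed lines."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # a line we cannot parse is not evidence of anything
        ts, result, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), result, user, src))
    return events


def detect_brute_force(log, threshold=5, window=timedelta(minutes=1)):
    """Many failures against ONE account inside `window`, from any source.
    Returns {user: timestamp of the first failure in the burst}."""
    alerts = {}
    recent = defaultdict(list)  # user -> timestamps of recent failures
    for ts, result, user, _src in sorted(parse(log)):
        if result != "FAIL":
            continue
        times = recent[user]
        times.append(ts)
        while ts - times[0] > window:   # slide the window forward
            times.pop(0)
        if len(times) >= threshold and user not in alerts:
            alerts[user] = times[0]
    return alerts


def detect_multi_account_guessing(log, threshold=4, window=timedelta(minutes=1)):
    """ONE source failing against many DISTINCT accounts inside `window`.
    A per-account rule never fires on this pattern, which is the point.
    Returns {src: timestamp at which the rule first fired}."""
    alerts = {}
    recent = defaultdict(list)  # src -> [(timestamp, user)] of recent failures
    for ts, result, user, src in sorted(parse(log)):
        if result != "FAIL":
            continue
        kept = [(t, u) for t, u in recent[src] if ts - t <= window]
        kept.append((ts, user))
        recent[src] = kept
        if len({u for _, u in kept}) >= threshold and src not in alerts:
            alerts[src] = ts
    return alerts
```

Bob's two failures in the sample are hours apart and so never reach the threshold, which is why the rules are written over a sliding window rather than a lifetime count; tune `threshold` and `window` to the lockout and rate-limit policy of the system that produced the log.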
