Computer Security Management (ISYS20261) Lecture 12 – Access Control Module Leader: Dr Xiaoqi Ma School of Science and Technology

Posted on 19-May-2015


Page 1: Isys20261 lecture 12

Computer Security Management (ISYS20261)

Lecture 12 – Access Control

Module Leader: Dr Xiaoqi Ma

School of Science and Technology

Page 2: Isys20261 lecture 12

Computer Security Management, Page 2

Last time …

• Protection (defence) against harm:

– Prevent it by blocking the attack or closing the vulnerability

– Deter it by making the attack harder (but not impossible!)

– Deflect it by making another target more attractive

– Detect it either as it happens or some time after

– Recover from effects

– Using any combination of the above

• Using countermeasures (controls)

• Methods of defence

– Software controls

– Encryption

– Physical and hardware controls

Page 3: Isys20261 lecture 12


Today

• Access control

• Authentication

• Authorisation

Page 4: Isys20261 lecture 12


Access control

• Permit or deny the use of a particular resource by a particular entity

• Two dimensions: authentication and authorisation

• Authentication

– User to system

– System to user

• Authorisation

– Discretionary access control

– Mandatory access control

– Role-based access control

Page 5: Isys20261 lecture 12


User to system authentication

• Something you know

– Password, PIN, challenge-response

• Something you have

– Key, smart card, code book, etc.

• Something you are

– Biometrics: fingerprints, retina scan, etc.

• Somewhere you are

– Secure terminals, subnets, etc.

• Any combination of two or more different kinds of factor from the above (two-factor or multi-factor authentication); two secrets of the same kind, e.g. a password plus a PIN, still count as a single factor
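The challenge-response mechanism listed under "something you know" above, as an added worked example in Python (it is not part of the lecture slides). Everything in it is constructed for illustration: the user table, the salt, the passwords and the `Server`/`client_response` names are assumptions, and the single salted SHA-256 used to derive the stored secret stands in for the slow password hash a real deployment would use. The point it shows is that the password itself never crosses the wire, and that a response captured by an eavesdropper cannot be replayed against a later challenge:

```python
import hashlib
import hmac
import secrets
from typing import Dict

# Constructed enrolment data (hypothetical): the server keeps a per-user secret
# derived from the password, never the password itself. A real system would use
# a slow, salted KDF (scrypt/Argon2); one salted SHA-256 keeps the example short.
SALT = b"constructed-example-salt"


def derive_secret(password: str) -> bytes:
    return hashlib.sha256(SALT + password.encode("utf-8")).digest()


USERS: Dict[str, bytes] = {"alice": derive_secret("correct horse battery staple")}


class Server:
    """Issues a fresh random challenge per login attempt and verifies the response."""

    def __init__(self) -> None:
        self.pending: Dict[str, bytes] = {}  # user -> outstanding challenge (nonce)

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending[user] = nonce
        return nonce

    def verify(self, user: str, response: bytes) -> bool:
        # The challenge is consumed on first use, so a captured response
        # cannot be replayed against any later challenge.
        nonce = self.pending.pop(user, None)
        if nonce is None or user not in USERS:
            return False
        expected = hmac.new(USERS[user], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time comparison


def client_response(password: str, nonce: bytes) -> bytes:
    """Client side: proves knowledge of the password without transmitting it."""
    return hmac.new(derive_secret(password), nonce, hashlib.sha256).digest()


def demo() -> Dict[str, bool]:
    srv = Server()
    n1 = srv.challenge("alice")
    r1 = client_response("correct horse battery staple", n1)
    valid = srv.verify("alice", r1)            # genuine login

    srv.challenge("alice")                     # new login attempt, new nonce
    replay = srv.verify("alice", r1)           # eavesdropper replays the old response

    n3 = srv.challenge("alice")
    wrong = srv.verify("alice", client_response("Tr0ub4dor&3", n3))  # wrong password

    unknown = srv.verify("mallory", r1)        # no challenge outstanding for this user
    return {"valid": valid, "replay": replay, "wrong_password": wrong, "unknown_user": unknown}


if __name__ == "__main__":
    print(demo())
```

Note that this on its own is still a single factor: the server learns only that the client knows the password-derived secret. Pairing it with a token or a biometric is what turns it into two-factor authentication in the sense of the slide.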

Page 6: Isys20261 lecture 12


System to user authentication

• Secure (trusted) paths

– Mechanism that ensures the user communicates with the system he or she intends to communicate with

– Cannot be intercepted or imitated by an attacker (e.g. a fake login screen that harvests passwords)

– Example: Windows Ctrl+Alt+Del, the secure attention sequence that only the operating system can handle, so it always brings up the genuine logon dialogue

• Browser clues, e.g. the padlock and certificate details shown for an HTTPS site

• Etc.

Page 7: Isys20261 lecture 12


Authorisation

• Discretionary access control

– Based on the identity of the user

– Sometimes organised in groups

• Mandatory access control

– Based on the security clearance of the user

• Role-based access control

– Based on the user’s function, authority and responsibilities

Page 8: Isys20261 lecture 12


Discretionary access control (DAC)

• Restricting access to objects based on the identity of users and/or groups to which they belong

• Access: read, write, execute, etc.

• Often every object has an owner that controls the permissions to access the object

• Discretionary: a subject that holds an access permission may pass that permission on to other subjects (e.g. the owner of a file can let a colleague read it)

• Permissions are typically stored in Access Control Lists (ACLs) attached to each object

• To decide whether an operation may proceed, the system scans the object's list for an applicable entry

Page 9: Isys20261 lecture 12


Access control lists (ACLs)

• Specifies who is allowed to access the object and what operations are allowed to be performed on the object

• List of users and associated permissions attached to an object

• Usually implemented as a table

• Every user (or group) that needs access must have an entry:

– ACLs can grow easily

– Maintaining ACLs can be cumbersome (e.g. revoking one person's access means editing every object they were granted)
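A minimal DAC/ACL checker, added here as a worked example in Python (not code from the slides) to make the points of the last two slides concrete: permissions live on the object as an ordered list, the first applicable entry decides, and a subject may pass on a permission it holds but not one it lacks. The group directory, object names and the `check`/`grant` functions are all constructed; placing explicit denies at the front of the list is one convention (the one Windows tools follow), not the only possible one:

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

PERMS = {"read", "write", "execute"}

# Constructed directory (hypothetical): which groups each user belongs to.
GROUPS: Dict[str, Set[str]] = {
    "alice": {"staff"},
    "bob": {"staff", "audit"},
    "carol": set(),
}


@dataclass
class ACLEntry:
    principal: str   # "user:<name>" or "group:<name>"
    perms: Set[str]
    allow: bool = True


@dataclass
class Obj:
    name: str
    owner: str
    acl: List[ACLEntry] = field(default_factory=list)


def principals_for(user: str) -> Set[str]:
    return {f"user:{user}"} | {f"group:{g}" for g in GROUPS.get(user, set())}


def check(obj: Obj, user: str, op: str) -> bool:
    """Scan the ACL in order; the first entry that names one of the user's
    principals *and* mentions the operation decides. No such entry: denied."""
    if op not in PERMS:
        raise ValueError(f"unknown operation {op!r}")
    mine = principals_for(user)
    for entry in obj.acl:
        if entry.principal in mine and op in entry.perms:
            return entry.allow
    return False


def grant(obj: Obj, grantor: str, principal: str, perms: Set[str], allow: bool = True) -> None:
    """Discretionary delegation. The owner may add any entry; any other subject
    may only pass on permissions it currently holds, and may not add denies."""
    perms = set(perms)
    if grantor != obj.owner:
        held = {p for p in PERMS if check(obj, grantor, p)}
        if not allow or not perms <= held:
            raise PermissionError(f"{grantor} may not grant {sorted(perms)} on {obj.name}")
    entry = ACLEntry(principal, perms, allow)
    if allow:
        obj.acl.append(entry)
    else:
        obj.acl.insert(0, entry)   # explicit denies go first so they win the scan


def demo() -> Dict[str, object]:
    report = Obj("report.doc", owner="alice")
    grant(report, "alice", "user:alice", {"read", "write"})
    grant(report, "alice", "group:staff", {"read"})
    out: Dict[str, object] = {}
    out["bob_read"] = check(report, "bob", "read")          # allowed via group:staff
    out["bob_write"] = check(report, "bob", "write")        # no applicable entry

    grant(report, "bob", "user:carol", {"read"})            # bob holds read, may pass it on
    out["carol_read"] = check(report, "carol", "read")
    try:
        grant(report, "bob", "user:carol", {"write"})       # bob does not hold write
        out["bob_delegates_write"] = True
    except PermissionError:
        out["bob_delegates_write"] = False

    # Owner adds an explicit deny for the audit group. Bob is in both groups and
    # the deny is now the first applicable entry, so his read is refused.
    grant(report, "alice", "group:audit", {"read"}, allow=False)
    out["bob_read_after_deny"] = check(report, "bob", "read")
    out["alice_read_after_deny"] = check(report, "alice", "read")
    out["acl_entries"] = len(report.acl)
    return out


if __name__ == "__main__":
    print(demo())
```

The "ACLs grow" problem from the slide is visible in `demo`: four entries for one file and three users, and revoking carol's access later means finding her entry on every object she was ever granted.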

Page 10: Isys20261 lecture 12


Mandatory access control (MAC)

• Assigns security labels (classifications) to system resources

– Examples: RESTRICTED, CONFIDENTIAL, SECRET, TOP SECRET, …

• Labels are ordered, but not necessarily in a linear order: once compartments (need-to-know categories) are added, two labels can be incomparable, so the labels form a lattice

• Allows access only to entities (people, processes, devices) with an appropriate level of authorisation (clearance)

• Only administrators, not owners, make changes to a resource's security label

• The assigned security level reflects the relative sensitivity, confidentiality and protection value of the data

Page 11: Isys20261 lecture 12


Bell and La Padula

• Model that focuses on data confidentiality and access to classified information

• Information must not flow from a higher to a lower classification:

– No read up (simple security property): a subject may not read an object whose classification is above its clearance

– No write down (*-property): a subject may not write to an object whose classification is below its clearance (writing upwards is allowed, so a low subject can "blindly" deposit data in a high file)

• Limitations

– Restricted to confidentiality; it says nothing about integrity

– Intended for systems with static security levels (tranquility); no policies for changing access rights

– Sometimes it is not sufficient to hide only the contents of objects; their existence may have to be hidden as well. BUT a low subject can detect the existence of a high object when it is denied access to it rather than being told that it does not exist
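A worked example of the MAC labels and the Bell-LaPadula rules from the last two slides, added here in Python (it is not from the lecture). Labels are (level, compartments) pairs so that the partial order and the incomparable-labels case are visible; `can_read` implements the simple security property, `can_write` the *-property, and `open_file` shows the existence leak listed as a limitation, next to the usual mitigation of returning the same error for "forbidden" and "does not exist". All labels, file names and subject names are constructed:

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet


class Level(IntEnum):
    RESTRICTED = 1
    CONFIDENTIAL = 2
    SECRET = 3
    TOP_SECRET = 4


@dataclass(frozen=True)
class Label:
    level: Level
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """a dominates b iff a's level is at least b's and a holds every compartment
        b has. Labels with disjoint compartments are incomparable, which is why the
        order is a lattice rather than a single line of levels."""
        return self.level >= other.level and self.compartments >= other.compartments


# Constructed (hypothetical) labels. Only an administrator would change OBJECTS.
OBJECTS: Dict[str, Label] = {
    "budget.xls": Label(Level.CONFIDENTIAL),
    "ops-plan.doc": Label(Level.SECRET, frozenset({"NATO"})),
    "agent-list.txt": Label(Level.TOP_SECRET, frozenset({"HUMINT"})),
}
SUBJECTS: Dict[str, Label] = {
    "clerk": Label(Level.CONFIDENTIAL),
    "planner": Label(Level.SECRET, frozenset({"NATO"})),
    "analyst": Label(Level.SECRET, frozenset({"HUMINT"})),
}


def can_read(subject: str, obj: str) -> bool:
    # Simple security property ("no read up"): clearance must dominate classification.
    return SUBJECTS[subject].dominates(OBJECTS[obj])


def can_write(subject: str, obj: str) -> bool:
    # *-property ("no write down"): classification must dominate clearance.
    return OBJECTS[obj].dominates(SUBJECTS[subject])


def comparable(a: Label, b: Label) -> bool:
    return a.dominates(b) or b.dominates(a)


def open_file(subject: str, name: str, hide_existence: bool = False) -> str:
    """Result code a subject sees. With hide_existence=False the answer for a
    high object differs from the answer for a missing file, which leaks that
    the high object exists even though its contents stay hidden."""
    if name not in OBJECTS:
        return "ENOENT"
    if can_read(subject, name):
        return "OK"
    return "ENOENT" if hide_existence else "EACCES"


def demo() -> Dict[str, object]:
    return {
        "clerk_reads_budget": can_read("clerk", "budget.xls"),           # same level: allowed
        "clerk_reads_ops_plan": can_read("clerk", "ops-plan.doc"),       # read up: refused
        "planner_reads_ops_plan": can_read("planner", "ops-plan.doc"),   # allowed
        "analyst_reads_ops_plan": can_read("analyst", "ops-plan.doc"),   # same level, wrong compartment: refused
        "planner_writes_budget": can_write("planner", "budget.xls"),     # write down: refused
        "clerk_writes_ops_plan": can_write("clerk", "ops-plan.doc"),     # blind write up: allowed
        "planner_analyst_comparable": comparable(SUBJECTS["planner"], SUBJECTS["analyst"]),
        "leaky": open_file("clerk", "agent-list.txt"),                   # "EACCES" reveals the file exists
        "hidden": open_file("clerk", "agent-list.txt", hide_existence=True),
        "missing": open_file("clerk", "nonexistent.txt"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things worth noticing when running it: the planner and the analyst hold the same level yet neither can read the other's file, and `can_write` happily lets the clerk write into the SECRET plan, which is the confidentiality-only limitation from the slide in action.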

Page 12: Isys20261 lecture 12


Role-based access control (RBAC)

• Approach to restricting system access to authorised users that reduces administration cost

• A user has access to an object based on his or her assigned role(s)

– Users change frequently, roles don’t: when someone joins or leaves, only the user-role assignment changes

• Operations on an object are invoked based on permissions

• An object is concerned with the user’s role, not with the individual user

• Roles are

– A collection of users and a collection of permissions

– Arranged in hierarchies (a senior role inherits the permissions of the junior roles beneath it)

[Diagram: users → (user-role assignment) → roles → (role-permission assignment) → permissions]
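The RBAC structure drawn on the slide (users, roles and permissions joined by the two assignment relations, plus a role hierarchy), as an added Python example that is not part of the lecture. Role names, the hierarchy and the permission sets are constructed; `ROLE_PARENTS` maps each role to the junior roles it inherits from, and `validate_hierarchy` rejects the dangling or cyclic hierarchies that a naive inheritance walk would otherwise loop on. The demo also shows the "users change, roles don't" point: replacing an engineer touches only the user-role assignment:

```python
from collections import deque
from typing import Dict, List, Set, Tuple

Permission = Tuple[str, str]   # (object, operation)

# Constructed (hypothetical) role model. A senior role inherits every
# permission of the junior roles listed for it, transitively.
ROLE_PARENTS: Dict[str, List[str]] = {
    "employee": [],
    "engineer": ["employee"],
    "auditor": ["employee"],
    "team_lead": ["engineer"],
}
ROLE_PERMS: Dict[str, Set[Permission]] = {
    "employee": {("timesheet", "submit")},
    "engineer": {("repo", "push")},
    "auditor": {("audit_log", "read")},
    "team_lead": {("repo", "merge"), ("timesheet", "approve")},
}
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"team_lead"},
    "bob": {"engineer"},
    "carol": {"auditor"},
}


def effective_roles(role: str) -> Set[str]:
    """The role itself plus every junior role reachable through the hierarchy."""
    seen: Set[str] = set()
    queue = deque([role])
    while queue:
        r = queue.popleft()
        if r in seen:
            continue
        seen.add(r)
        queue.extend(ROLE_PARENTS.get(r, []))
    return seen


def validate_hierarchy() -> None:
    """Reject unknown or cyclic inheritance before the model is used."""
    for role, juniors in ROLE_PARENTS.items():
        for j in juniors:
            if j not in ROLE_PARENTS:
                raise ValueError(f"role {role!r} inherits from unknown role {j!r}")
            if role in effective_roles(j):
                raise ValueError(f"inheritance cycle through role {role!r}")


def permissions(user: str) -> Set[Permission]:
    perms: Set[Permission] = set()
    for role in USER_ROLES.get(user, set()):
        for r in effective_roles(role):
            perms |= ROLE_PERMS.get(r, set())
    return perms


def authorised(user: str, obj: str, op: str) -> bool:
    return (obj, op) in permissions(user)


def assign_role(user: str, role: str) -> None:
    if role not in ROLE_PARENTS:
        raise ValueError(f"unknown role {role!r}")
    USER_ROLES.setdefault(user, set()).add(role)


def revoke_role(user: str, role: str) -> None:
    USER_ROLES.get(user, set()).discard(role)


def demo() -> Dict[str, object]:
    validate_hierarchy()
    out: Dict[str, object] = {}
    out["alice_merge"] = authorised("alice", "repo", "merge")
    out["alice_submit"] = authorised("alice", "timesheet", "submit")   # inherited: team_lead -> engineer -> employee
    out["bob_push"] = authorised("bob", "repo", "push")
    out["bob_merge"] = authorised("bob", "repo", "merge")
    out["carol_push"] = authorised("carol", "repo", "push")

    # Staff change: bob leaves, dave takes over. Only the user-role assignment
    # moves; no object, role or permission set is edited.
    revoke_role("bob", "engineer")
    assign_role("dave", "engineer")
    out["bob_push_after"] = authorised("bob", "repo", "push")
    out["dave_push"] = authorised("dave", "repo", "push")
    out["team_lead_roles"] = sorted(effective_roles("team_lead"))
    return out


if __name__ == "__main__":
    print(demo())
```

Compare this with the ACL example: the same staff change under DAC would mean editing the entry for bob on every object he could reach, whereas here it is two operations on the user-role table.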

Page 13: Isys20261 lecture 12


Summary

Today we learned:

• Access control permits or denies the use of a particular resource by a particular entity

• Two dimensions: authentication and authorisation

• Authentication

– User to system

– System to user

• Authorisation

– Discretionary access control

– Mandatory access control

– Role-based access control