Chapter 2  Access Control Methodologies
Lecturer: Pei-yih Ting

Overview
- Basic Principles
- Controls
- Access Control Designs
- Access Control Administration
- Accountability
- Access Control Models
- Identification and Authentication Methods
- Single Sign-On Systems
- File and Data Ownership
- Attacks

Basics of Access Control
- Access control is a collection of methods and components
- Supports confidentiality (protects information from unauthorized disclosure)
- Supports integrity (protects information from unauthorized modification)
- Goal: to allow only authorized subjects to access permitted objects

Access Control Basics (cont'd)
- Subject
  - The entity that requests access to a resource
  - Active
- Object
  - The resource a subject attempts to access
  - Passive
- How do we partition subjects / objects for efficient management?
Access Control Basics (cont'd)
- Least secure philosophy (permissive policy)
  - Any object access not prohibited is granted by default
  - Ineffective maintenance leads to authorization creep
- Least privilege philosophy (prohibitive policy)
  - A subject is granted the permissions needed to accomplish required tasks and nothing more

Controls
- Mechanisms put into place to allow or disallow object access
- Any potential barrier to unauthorized access
  - Locks, guards, passwords ...
- Controls are organized into different categories
- Common categories
  - Administrative (enforce security rules through policies, e.g. procedures, usage monitoring, security training)
  - Logical/Technical (implement object access restrictions, e.g. identification / authentication / segregated network)
  - Physical (limit physical access to hardware)

Access Control Techniques
- Choose techniques that fit the organization's needs
- Considerations include
  - Level of security required
  - Environmental impact of security measures
  - User convenience
- Techniques differ in
  - The way objects and subjects are identified
  - How decisions are made to approve or deny access

Access Control Designs
- Access control designs define rules for users accessing files or devices
- Three common access control designs
  - Mandatory access control (MAC)
  - Discretionary access control (DAC)
  - Non-discretionary access control
Mandatory Access Control
- A unified (mandatory) way to assign a security label to each subject and object in a system
- Matches the label of the subject to the label of the object to determine when access should be granted
- A common implementation is rule-based access control
- Often requires a subject to have a need to know in addition to the proper security clearance
  - Need to know indicates that a subject requires access to the object to complete a particular task
- Example rule: subject's security clearance ≥ object's security label (the clearance must dominate the label; an equal level is sufficient, a lower one is not)

MAC (cont'd)
- Common military data classifications (lowest to highest)
  - Unclassified
  - Sensitive but Unclassified (SBU)
  - Confidential
  - Secret
  - Top Secret
- Common commercial data classifications
  - Public
  - Sensitive
  - Private
  - Confidential

Discretionary Access Control
- Access to an object is defined by the object owner
- Uses the identity of the subject to decide whether to grant an access request
- Most common design in commercial operating systems
- Generally less secure than mandatory control
- Generally easier to implement and more flexible
- Includes
  - Identity-based access control: e.g. UNIX file permissions
  - Access control lists (ACLs): e.g. Windows NT allows groups of objects / subjects to be controlled together

Non-discretionary Access Control
- Uses a subject's role or a task assigned to the subject to grant or deny object access
- Also called role-based or task-based access control
- Works well in environments with high turnover of subjects, since access is not tied directly to the subject
- Lattice-based control is a variation of non-discretionary control
  - The relationship between subject and object has a set of access boundaries that define rules and conditions for access
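The following is an added example (not part of the lecture) that puts the DAC and non-discretionary designs from the two slides above side by side. The file names, users and the "payroll_clerk" role are invented. In the DAC half, an object's owner hand-edits its ACL; in the RBAC half, permissions hang off a role and people are only mapped to roles, which is why the turnover case costs two edits instead of one per object. Both evaluators are default-deny, i.e. the least-privilege philosophy rather than the permissive one.

```python
"""DAC vs. non-discretionary (role-based) access control, side by side.

Added example for the DAC and Non-discretionary slides; it is not from
the lecture. Object names, users and roles are made up.
"""
from dataclasses import dataclass, field


@dataclass
class DacObject:
    name: str
    owner: str
    # subject identity -> operations the owner has granted
    acl: dict[str, set[str]] = field(default_factory=dict)

    def grant(self, actor: str, subject: str, ops: set[str]) -> None:
        # Only the owner may change the ACL: that is what makes it discretionary.
        if actor != self.owner:
            raise PermissionError(f"{actor} does not own {self.name}")
        self.acl.setdefault(subject, set()).update(ops)

    def revoke_all(self, actor: str, subject: str) -> None:
        if actor != self.owner:
            raise PermissionError(f"{actor} does not own {self.name}")
        self.acl.pop(subject, None)

    def allowed(self, subject: str, op: str) -> bool:
        if subject == self.owner:
            return True                              # owner has full discretion
        return op in self.acl.get(subject, set())    # anything not granted is denied


class Rbac:
    """Role-based policy: (object, op) permissions attach to roles, not people."""

    def __init__(self) -> None:
        self.role_perms: dict[str, set[tuple[str, str]]] = {}
        self.user_roles: dict[str, set[str]] = {}

    def permit(self, role: str, obj: str, op: str) -> None:
        self.role_perms.setdefault(role, set()).add((obj, op))

    def assign(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def remove_user(self, user: str) -> None:
        self.user_roles.pop(user, None)              # one edit, whatever the object count

    def allowed(self, user: str, obj: str, op: str) -> bool:
        return any((obj, op) in self.role_perms.get(r, set())
                   for r in self.user_roles.get(user, ()))


def turnover_demo() -> dict[str, bool]:
    """Bob leaves the payroll team and Carol replaces him; compare the work."""
    results = {}

    # --- DAC: alice owns two files and grants access on each one by hand ---
    files = [DacObject("payroll.xlsx", "alice"), DacObject("bonuses.xlsx", "alice")]
    for f in files:
        f.grant("alice", "bob", {"read"})
    results["dac_bob_reads_payroll"] = files[0].allowed("bob", "read")
    results["dac_bob_writes_payroll"] = files[0].allowed("bob", "write")  # never granted
    # Turnover under DAC: the owner must visit every object Bob was listed on.
    for f in files:
        f.revoke_all("alice", "bob")
        f.grant("alice", "carol", {"read"})
    results["dac_bob_after_leaving"] = files[0].allowed("bob", "read")
    results["dac_carol_reads_bonuses"] = files[1].allowed("carol", "read")
    # A non-owner cannot widen access for herself.
    try:
        files[0].grant("carol", "carol", {"write"})
        results["dac_nonowner_grant_blocked"] = False
    except PermissionError:
        results["dac_nonowner_grant_blocked"] = True

    # --- RBAC: the same rights expressed through a role ---
    rbac = Rbac()
    for obj in ("payroll.xlsx", "bonuses.xlsx"):
        rbac.permit("payroll_clerk", obj, "read")
    rbac.assign("bob", "payroll_clerk")
    results["rbac_bob_reads_payroll"] = rbac.allowed("bob", "payroll.xlsx", "read")
    # Turnover under RBAC: two subject-to-role edits, zero object-policy edits.
    rbac.remove_user("bob")
    rbac.assign("carol", "payroll_clerk")
    results["rbac_bob_after_leaving"] = rbac.allowed("bob", "payroll.xlsx", "read")
    results["rbac_carol_reads_bonuses"] = rbac.allowed("carol", "bonuses.xlsx", "read")
    results["rbac_carol_writes_bonuses"] = rbac.allowed("carol", "bonuses.xlsx", "write")
    return results


if __name__ == "__main__":
    for k, v in turnover_demo().items():
        print(f"{k:32} {v}")
```

Run it and note the asymmetry: under DAC the revocation had to be repeated once per object and would be missed on any file the owner forgot, which is exactly how authorization creep starts; under RBAC removing the user from the role mapping revokes everything at once.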
Access Control Administration
- Can be implemented as centralized, decentralized, or hybrid
- Centralized access control administration
  - All requests go through a central authority
  - Administration is relatively simple
  - Single point of failure, sometimes a performance bottleneck
  - Common packages include Remote Authentication Dial-In User Service (RADIUS), Challenge Handshake Authentication Protocol (CHAP), and Terminal Access Controller Access Control System (TACACS). Strictly speaking, CHAP is an authentication protocol run between a client and an access server (often relayed to a RADIUS back end) rather than an administration system in its own right.

Access Control Administration (cont'd)
- Decentralized access control administration
  - Object access is controlled locally rather than centrally
  - More difficult administration
  - Objects may need to be secured at multiple locations
  - More stable and robust
  - Not a single point of failure
  - Usually implemented using security domains
- A security domain is a sphere of trust, including a collection of subjects and objects with defined access rules or permissions

Accountability
- System auditing is used by administrators to monitor
  - Who is using the system
  - What users are doing
- Logs can trace events back to the originating users
- The process of auditing can have a negative effect on system performance
  - Must limit the data collected in logs
  - Clipping levels set thresholds for when to start collecting data (e.g. record failed logins for a user only once they exceed a set count)

Access Control Models
- Provide a conceptual view of security policies
- Map goals and directives to specific system events
- Provide a formal definition and specification of required security controls
- Usually many different models and combinations of models are used in a secure system
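An added example (not from the lecture) of a clipping level as described on the Accountability slide: every failed login is counted, but an audit record is written only once a user's running count reaches the threshold, so the log stays small and the occasional mistyped password never appears in it. The syslog-style lines, host names, addresses and the threshold of 3 are all constructed for the example.

```python
"""Clipping level applied to failed-login audit records.

Added example for the Accountability slide; it is not lecture material.
The log lines below are constructed, and the format, threshold and field
names are assumptions made for the example.
"""
import re
from collections import Counter

# Constructed sample: three accounts, one successful login mixed in.
SAMPLE_LOG = """\
Mar 10 09:01:02 gw sshd[4211]: Failed password for alice from 10.0.0.5 port 51022 ssh2
Mar 10 09:01:09 gw sshd[4213]: Failed password for bob from 10.0.0.9 port 51030 ssh2
Mar 10 09:01:11 gw sshd[4213]: Failed password for bob from 10.0.0.9 port 51030 ssh2
Mar 10 09:01:20 gw sshd[4215]: Failed password for alice from 10.0.0.5 port 51040 ssh2
Mar 10 09:01:25 gw sshd[4218]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Mar 10 09:01:31 gw sshd[4213]: Failed password for bob from 10.0.0.9 port 51030 ssh2
Mar 10 09:01:33 gw sshd[4218]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Mar 10 09:01:40 gw sshd[4220]: Accepted password for alice from 10.0.0.5 port 51044 ssh2
Mar 10 09:01:45 gw sshd[4213]: Failed password for bob from 10.0.0.9 port 51030 ssh2
Mar 10 09:01:52 gw sshd[4218]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
"""

# "invalid user" is optional so unknown account names are tracked too.
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")


def clipped_audit(lines, clipping_level: int):
    """Return (audit_records, failures_per_user).

    Every failure is counted, but an audit record (user, source, count) is
    written only once the user's running count reaches the clipping level.
    Below the threshold the event costs a counter increment and nothing else.
    """
    counts = Counter()
    records = []
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue                       # not a failure; nothing to count
        user, src = m.groups()
        counts[user] += 1
        if counts[user] >= clipping_level:
            records.append((user, src, counts[user]))
    return records, counts


if __name__ == "__main__":
    recs, totals = clipped_audit(SAMPLE_LOG.splitlines(), clipping_level=3)
    print(f"{sum(totals.values())} failures seen, {len(recs)} audit records written")
    for user, src, n in recs:
        print(f"  {user} from {src}: failure #{n}")
```

With the threshold at 3, nine failures produce three records: alice's two typos are suppressed, while bob's run and the guessing against the non-existent "admin" account both cross the line. Setting the threshold to 1 turns clipping off and logs all nine, which is the performance cost the slide warns about.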
State Machine Model
- A collection of defined states and transitions
- A state represents the characteristics of an object at a point in time
- Transitions represent the modifications that can be made to objects to change from one state to another
- Ex. Opened / Closed

State Machine Model (cont'd)
- Modifications change objects from one state to another
- Figure 2.1 Simple state machine: Subject B requests access to a particular Object A; the object moves among States A, B and C along the defined Transitions

Bell-LaPadula Model
- 1970s, by the US military
- Focus on confidentiality
- A state machine model that uses security labels
  - Each object is given a security level and each subject is given a security clearance
  - Levels, highest to lowest: 1. Top Secret  2. Secret  3. Confidential  4. Sensitive but Unclassified  5. Unclassified
- Two basic properties to evaluate access requests
  - Simple security rule: no read up
  - *-property: no write down

Biba Model
- After Bell-LaPadula
- Focuses on integrity controls
- A state machine model that uses integrity labels
  - Each object or subject is given an integrity level
- Two basic properties to evaluate access requests
  - Simple integrity property: no read down
  - *-property: no write up
- Popular with businesses because its main focus is to ensure that unauthorized subjects cannot change objects
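The following added example (not from the lecture) implements the label comparison behind the MAC "clearance dominates label" rule and then the Bell-LaPadula and Biba properties on top of it. Level names follow the military scale on the slides; the compartment names "crypto" and "nuclear" are invented to show need-to-know. The point worth seeing in code is that dominance is a partial order: a Secret/crypto subject and a Secret/nuclear object are at the same level yet neither dominates the other, so both models deny everything between them. The same lattice serves Biba once the levels are read as integrity levels, and its two rules are the mirror image of Bell-LaPadula's.

```python
"""Label dominance with Bell-LaPadula and Biba rules on one lattice.

Added example for the MAC, Bell-LaPadula and Biba slides; not from the
lecture.  Compartment names are invented to illustrate need-to-know.
"""
from dataclasses import dataclass

LEVELS = ["Unclassified", "SBU", "Confidential", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()   # need-to-know categories

    def dominates(self, other: "Label") -> bool:
        # A dominates B iff A's level >= B's level and A's compartments are a
        # superset of B's.  Labels with disjoint compartments are incomparable.
        return (RANK[self.level] >= RANK[other.level]
                and self.compartments >= other.compartments)


# Bell-LaPadula (confidentiality): labels are clearance / classification.
def blp_read(subject: Label, obj: Label) -> bool:
    return subject.dominates(obj)      # simple security property: no read up


def blp_write(subject: Label, obj: Label) -> bool:
    return obj.dominates(subject)      # *-property: no write down


# Biba (integrity): same lattice, levels now mean trustworthiness of the data.
def biba_read(subject: Label, obj: Label) -> bool:
    return obj.dominates(subject)      # simple integrity property: no read down


def biba_write(subject: Label, obj: Label) -> bool:
    return subject.dominates(obj)      # *-integrity property: no write up


def decide(subject: Label, obj: Label) -> dict[str, bool]:
    return {"blp_read": blp_read(subject, obj), "blp_write": blp_write(subject, obj),
            "biba_read": biba_read(subject, obj), "biba_write": biba_write(subject, obj)}


def demo() -> dict[str, dict[str, bool]]:
    secret_crypto = Label("Secret", frozenset({"crypto"}))
    conf_crypto = Label("Confidential", frozenset({"crypto"}))
    secret_nuclear = Label("Secret", frozenset({"nuclear"}))
    return {
        # Higher subject, lower object: BLP lets it read but not write (no
        # leaking downward); Biba lets it write but not read (no tainting
        # from less trusted data).
        "secret_vs_confidential": decide(secret_crypto, conf_crypto),
        # Equal labels: every access allowed under both models.
        "equal_labels": decide(secret_crypto, secret_crypto),
        # Same level, different compartment: incomparable, everything denied.
        "incomparable": decide(secret_crypto, secret_nuclear),
    }


if __name__ == "__main__":
    for case, verdicts in demo().items():
        print(case, verdicts)
```

A subject cleared Top Secret with both compartments dominates every label used above, which is the "clearance ≥ label" rule from the MAC slide with need-to-know folded in.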
Clark-Wilson Model
- Developed after the Biba model
- Restricts all accesses to a small number of tightly controlled access programs
  - Integrity verification procedure (IVP): verifies the integrity of a data item
  - Transformation procedure (TP): makes authorized changes to a data item
- After the subject is properly authenticated and cleared to access the object, all modifications are first validated by the IVP, and then the modification is carried out by the TP
- Works well in commercial applications

Non-interference Model
- Not a state machine model
- Often an addition to other models
- Ensures that changes at one security level do not bleed over into other levels
- Maintains both data integrity and confidentiality

Identification and Authentication Methods
- Access control proceeds in two phases (this is distinct from two-factor authentication, which means using two of the categories on the next slide)
  - Identification: a subject claims to be a specific entity by presenting identifying credentials
  - Authentication: verifies that the subject really is who she claims to be
- Usually an authorization phase follows successful authentication, in which the system evaluates the specific rights or permissions of the subject

Identification and Authentication Methods (cont'd)
- Security practices often require input from multiple categories of authentication techniques
- What you know
  - Password, passphrase, PIN, lock combination
- What you have
  - Smartcard, token device
- What you are: biometrics
  - Fingerprint, palm print, hand geometry, retina / iris pattern, voice pattern, signature, keyboard dynamics
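An added example (not from the lecture) of the Clark-Wilson mechanics on the slide above: a constrained data item, an IVP that checks it, a TP that is the only code allowed to modify it, and a table of (user, TP, data item) triples that says who may run what on which data. The ledger, the "transfer" TP and the user names are invented. As on the slide, the IVP runs before the TP; the example also re-runs it afterwards and discards the TP's result if the data is no longer consistent, which is how a TP earns the label "well-formed".

```python
"""Clark-Wilson style enforcement: access triples, IVP and TP.

Added example for the Clark-Wilson slide; it is not from the lecture.
The ledger, the transfer TP and the user names are invented.
"""
import copy


class Ledger:
    """Constrained data item (CDI): account balances plus the total they must sum to."""

    def __init__(self, balances: dict[str, int]):
        self.balances = dict(balances)
        self.total = sum(balances.values())


def ivp(ledger: Ledger) -> bool:
    """Integrity verification procedure: no negative balance, and money is
    neither created nor destroyed."""
    return (all(v >= 0 for v in ledger.balances.values())
            and sum(ledger.balances.values()) == ledger.total)


def tp_transfer(ledger: Ledger, src: str, dst: str, amount: int) -> None:
    """Transformation procedure: the only code that may move money."""
    ledger.balances[src] -= amount
    ledger.balances[dst] = ledger.balances.get(dst, 0) + amount


TPS = {"transfer": tp_transfer}

# Access triples (user, TP, CDI): who may run which program on which data.
TRIPLES = {("alice", "transfer", "ledger")}


class Enforcer:
    def __init__(self, cdis: dict[str, Ledger]):
        self.cdis = cdis
        self.log: list[str] = []      # append-only audit trail of every attempt

    def run(self, user: str, tp_name: str, cdi_name: str, *args) -> str:
        if (user, tp_name, cdi_name) not in TRIPLES:
            self.log.append(f"DENY {user} {tp_name} {cdi_name} {args}")
            return "denied"
        cdi = self.cdis[cdi_name]
        if not ivp(cdi):                   # validate before touching anything
            self.log.append(f"CORRUPT {cdi_name} before {tp_name}")
            return "cdi-invalid"
        trial = copy.deepcopy(cdi)         # the TP works on a copy until verified
        TPS[tp_name](trial, *args)
        if not ivp(trial):                 # the TP must leave the CDI valid
            self.log.append(f"ROLLBACK {user} {tp_name} {cdi_name} {args}")
            return "rolled-back"
        self.cdis[cdi_name] = trial        # commit the well-formed transformation
        self.log.append(f"OK {user} {tp_name} {cdi_name} {args}")
        return "ok"


def demo() -> dict[str, str]:
    enf = Enforcer({"ledger": Ledger({"acct-1": 100, "acct-2": 50})})
    return {
        # alice holds a triple for transfer on the ledger: committed
        "alice_transfer": enf.run("alice", "transfer", "ledger", "acct-1", "acct-2", 30),
        # bob has no triple, so the TP is never even invoked
        "bob_transfer": enf.run("bob", "transfer", "ledger", "acct-1", "acct-2", 30),
        # authorised user, but the result would overdraw acct-2: IVP fails, rolled back
        "overdraft": enf.run("alice", "transfer", "ledger", "acct-2", "acct-1", 500),
        "balance_acct1": str(enf.cdis["ledger"].balances["acct-1"]),
        "balance_acct2": str(enf.cdis["ledger"].balances["acct-2"]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:16} {v}")
```

The separation is the point: users never get write access to the ledger itself, only the right to invoke a certified TP on it, and the IVP is what lets the system detect a TP that has been miscertified or tampered with.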