3. AUTHORIZATION
• Allows us to specify where the party should be allowed or
denied access
• Implemented through the use of access controls
• Allowing access means keeping in mind the PRINCIPLE
OF LEAST PRIVILEGE
4. PRINCIPLE OF LEAST PRIVILEGE
• Dictates that we should only allow the bare minimum of
access to a party – this might be a person, user account,
or process – to allow it to perform the functionality
needed of it.
• Example :
• Employee in Sales Dept. should not need access to data
internal to a human resource system in order to do their
job
5. ACCESS CONTROL
• The selective restriction of access to a place or other
resource
• BASIC TASKS
• Allow access
• Deny access
• Limit access
• Revoke access
6. ACCESS CONTROL
• ALLOW ACCESS
• Giving a particular party, or parties, access to a given resource
• DENY ACCESS
• Preventing access by a given party to the resource in question
7. ACCESS CONTROL
• LIMIT ACCESS
• Allowing some access to a resource but only up to a certain point
• REVOKE ACCESS
• Taking away access to a resource
8. ACCESS CONTROL METHODS OF
IMPLEMENTATION
• Access Control List ( ACL )
• Capability-Based Security
9. ACCESS CONTROL METHODS USED FOR
IMPLEMENTATION
• Access Control List ( ACL )
• Used to control access in the file systems on which operating
systems run and to control the flow of traffic in the networks to
which a system is attached.
• Typically built specifically for a certain resource, containing
identifiers of the parties allowed to access the resource and what
each party is allowed to do in relation to it.
• Alice: Allow
• Bob: Deny
10. FILE SYSTEM ACL
• Normally seen in file systems in operating systems to
provide access to some files and folders.
• PERMISSIONS
• Read
• Write
• Execute
• ACCESS PERMISSION GIVEN TO
• User
• Group
• Others
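An added example (not part of the original slides) of how a Unix-style file system ACL evaluates the read/write/execute bits for user, group and others. The function names, UIDs, GIDs and modes are constructed for illustration, and the superuser bypass is left out.

```python
import stat

# Requests are expressed as the "others" bits; the caller's class decides
# which three-bit group of the mode they are compared against.
READ, WRITE, EXECUTE = stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH

def select_class(file_uid, file_gid, uid, gids):
    """Pick exactly one permission class for the caller: user, group or others."""
    if uid == file_uid:
        return "user"
    if file_gid in gids:
        return "group"
    return "others"

def is_allowed(mode, file_uid, file_gid, uid, gids, wanted):
    """Return True only if every requested bit is set in the caller's class.

    Classes are not cumulative: an owner whose user bits lack a permission
    is denied even when the group or others bits would grant it.
    """
    cls = select_class(file_uid, file_gid, uid, gids)
    shift = {"user": 6, "group": 3, "others": 0}[cls]
    granted = (mode >> shift) & 0o7
    return (granted & wanted) == wanted

def describe(mode):
    """Render the nine permission bits the way `ls -l` does, e.g. rw-r-----."""
    return stat.filemode(mode)[1:]

if __name__ == "__main__":
    # Constructed sample: a sales report owned by uid 1000, group 50, mode 640.
    mode, owner, group = 0o640, 1000, 50
    callers = {"alice": (1000, {50}), "bob": (1001, {50}), "carol": (1002, {60})}
    print(describe(mode))
    for name, (uid, gids) in callers.items():
        for label, bit in (("read", READ), ("write", WRITE)):
            ok = is_allowed(mode, owner, group, uid, gids, bit)
            print(f"{name:5} {label:5} {'allow' if ok else 'deny'}")
    # Edge case: mode 044 denies the owner a read that group members are allowed.
    print(is_allowed(0o044, owner, group, 1000, {50}, READ))
```

Carol, who is neither the owner nor in the file's group, falls into "others" and is denied everything under mode 640, which is the least-privilege default for this file.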
12. NETWORK ACL
• IP address
• MAC address
• Ports
• FTP uses ports 20 and 21 to transfer files
• Internet Message Access Protocol (IMAP) uses port 143 for
managing email
13. CAPABILITY-BASED SECURITY
• Oriented around the use of a token that controls
access
• Based entirely on the possession of the token and not
who possesses it
14. ACCESS CONTROL MODELS
• Discretionary Access Control
• Mandatory Access Control
• Role-Based Access Control
• Attribute-Based Access Control
• Multi-level Access Control
15. DISCRETIONARY ACCESS CONTROL
• Model of access control based on access determined by
the owner of the resource.
• The owner can decide who does and does not have
access and what access they are allowed to have
16. MANDATORY ACCESS CONTROL
• Model of access control in which the owner of the resource
does not get to decide who gets to access it; instead,
access is decided by a group or individual who has the
authority to set access on resources.
• Example :
• Government organizations where access to a resource is dictated
by the sensitivity label applied to it (secret, top secret etc)
17. ROLE-BASED ACCESS CONTROL
• Model of access control where access is set by an
authority responsible for doing so, and access is
provided on the basis of the role held by the individual
being granted access.
18. ATTRIBUTE-BASED ACCESS CONTROL
• Model of access control based on attributes of a person,
a resource or the environment
• SUBJECT ATTRIBUTE
• Attributes that a person possesses
• Example :
• “You must be this tall to ride”
• Captcha – Completely Automated Public Turing Test to Tell Humans
and Computers Apart
19. ATTRIBUTE-BASED ACCESS CONTROL
• Model of access control based on attributes of a person,
a resource or the environment
• RESOURCE ATTRIBUTE
• Attributes that are related to a particular resource like OS or
application
• Example
• Software running on a particular OS
• Web site that works on a certain browser
20. ATTRIBUTE-BASED ACCESS CONTROL
• Model of access control based on attributes of a person,
a resource or the environment
• ENVIRONMENT ATTRIBUTE
• Attributes used to enable access controls that operate based on
environmental conditions
• Example
• Time attribute
21. MULTI-LEVEL ACCESS CONTROL
• Model of access control that uses two or more methods
to improve security of a resource
• Bell-LaPadula Model
• Biba Model
• Brewer and Nash
22. PHYSICAL ACCESS CONTROL
• Concerned with controlling the access of individuals and
vehicles
• Access of individuals such as in and out of a building or
facility.
• TAILGATING occurs when we authenticate to the
physical control measure such as a badge and then
another person follows directly behind us without
authenticating themselves.
23. PHYSICAL ACCESS CONTROL
• For vehicles, simple barriers, one-way spike strips,
fences, rising barriers, automated gates or doors