Access Control: Nazmi Rusman Akmal
Definition
Access: The flow of information between subject and object
Subject: An active entity that requests access to an object
Object: A passive entity that contains information
Access control: A way of limiting access
Three factors
Identification: establishing identity
Authorization: the function of specifying access rights
Authentication: the act of confirming the truth of a claimed identity; methods include passwords, biometric scans, physical keys, electronic keys and devices
Access control list (ACL)
A list of permissions attached to an object. The ACL specifies which users or system processes are granted access.
For instance, if a file has an ACL that contains the entry (Alice, delete), Alice is permitted to delete that file. When a subject requests an operation on the object, the operating system first checks the ACL for an applicable entry to decide whether the requested operation is authorized.
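To make that check concrete, here is a small ACL model added as an example (it is not code from the original slides): each object carries a list of (subject, operation) entries, the system consults that list before carrying out an operation, and any request without an applicable entry is denied. The file names, subjects and the audit-log format are constructed for the example.

```python
from typing import Dict, List, Tuple

Entry = Tuple[str, str]            # (subject, operation), e.g. ("Alice", "delete")
AclTable = Dict[str, List[Entry]]  # object name -> the ACL attached to it

# Constructed sample data (not from the slides): ACLs attached to two file objects.
# Subjects may be users or system processes, as the slide notes.
ACLS: AclTable = {
    "report.txt": [("Alice", "read"), ("Alice", "delete"), ("Bob", "read")],
    "config.ini": [("backup-daemon", "read")],
}


def is_authorized(acls: AclTable, subject: str, operation: str, obj: str) -> bool:
    """Look up the object's ACL for an entry matching (subject, operation).

    Default deny: an unknown object, or a subject with no applicable entry,
    yields False, so nothing is authorized by accident.
    """
    return (subject, operation) in acls.get(obj, [])


def request(acls: AclTable, subject: str, operation: str, obj: str,
            audit_log: List[str]) -> bool:
    """Mediate one access request: check the ACL first, then record the decision.

    Denied requests are logged as well; a run of DENY lines for one subject is
    the kind of signal that monitoring and clipping levels are meant to catch.
    """
    allowed = is_authorized(acls, subject, operation, obj)
    verdict = "GRANT" if allowed else "DENY"
    audit_log.append(f"{verdict} subject={subject} op={operation} object={obj}")
    return allowed


def revoke(acls: AclTable, subject: str, operation: str, obj: str) -> None:
    """Remove one entry; later requests for that (subject, operation) are denied."""
    acls[obj] = [e for e in acls.get(obj, []) if e != (subject, operation)]


if __name__ == "__main__":
    log: List[str] = []
    print(request(ACLS, "Alice", "delete", "report.txt", log))  # True
    print(request(ACLS, "Bob", "delete", "report.txt", log))    # False
    revoke(ACLS, "Alice", "delete", "report.txt")
    print(request(ACLS, "Alice", "delete", "report.txt", log))  # False
    print("\n".join(log))
```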
Problems in controlling access to assets
Different levels of users with different levels of access
Resources may be classified differently
Diverse identity data
Corporate environments keep changing
Threats to access control
Insiders: countermeasures include good policies and procedures, separation of duties, job rotation
Dictionary attacks: countermeasures include strong password policies, strong authentication, intrusion detection and prevention
Brute force attacks: countermeasures include penetration testing, providing only the minimum necessary information, monitoring, intrusion detection, clipping levels
Spoofing at logon: countermeasures include a guaranteed trusted path, security awareness of phishing scams, SSL connection
Issues
Weak access control mechanisms in the cloud lead to major data breaches.
Example: a massive data breach took place on the servers of the Utah Department of Technology Services (DTS). A hacker group from Eastern Europe succeeded in accessing the servers. A configuration error occurred while entering the password into the system, and the hacker got access to the system administrator's password.