05.access Control

Uploaded by

tr11gapen

Jin Hong

5. Access Control


https://en.wikipedia.org/wiki/Saltzer_and_Schroeder%27s_design_principles
                Objects
subjects    A    B    C    D
alice       0    0    1    0
bob         1    1    0    1
charlie     0    0    1    0
dave        1    1    0    1

                Objects
subjects    A    B    C    D
alice       r    r/w  r    -
bob         r    r    -    r/w
charlie     -    -    w    -
dave        r/w - w

user group other

Owner group name


<Top Secret, {Nuclear,Biowar}>

<Top Secret, Nuclear> <Top Secret, Biowar>

<Top Secret>

<Secret, Nuclear> <Secret, Biowar>

<Secret>

<Confidential>
Never Trust. Always verify.
Control Plane

Industry Proponents

Overall Effect

Applicability/Scope

Differentiation

Common Components
Modern Approach to Access

Organization Policy
Security Policy
Integrated Threat Intelligence Engine(s)
Continuous Risk Evaluation

Firewall: Source: IP Address/Port; Destination: IP Address/Port
Intrusion Detection/Prevention: Signatures; Analytics
Forward/Reverse Proxy: Allow List; Authentication
Intranet Resources

Actions:
• Allow
• Block

Conditional access risk: High / Medium / Low
User: Role, Group, Device, Config, Location, Last Sign-in
Device: Health/Integrity, Client, Config, Last seen

Actions:
• Allow
• Allow Restricted
• Require MFA
• Block
• Force Remediation

Office resource (Sensitivity: Medium)

User:
  Role: Sales Account Representative
  Group: London Users
  Device: Windows
  Config: Corp Proxy
  Location: London, UK
  Last Sign-in: 5 hrs ago

Device:
  Health: Device compromised
  Client: Browser
  Config: Anonymous
  Last seen: Asia

Conditional access risk: High / Medium / Low
Actions: Block access; Force threat remediation

Malicious activity detected on device
Anonymous IP
Unfamiliar sign-in location for this user