Information Security

Protection Model
Access Control Model
 Protection Models
• In information security, protection models refer to the various
methods and techniques used to protect systems and data from
unauthorized access, use, disclosure, disruption, modification, or
destruction.

• Here are some common protection models:

Protection Models cont…
1. Access Control Model
2. Confidentiality Model
3. Integrity Model
4. Availability Model
5. Defense in Depth Model
6. Least Privilege Model

7. Principle of Least Astonishment (POLA) Model

Protection Models cont… Access Control Model
• The Access Control Model is a security model that governs how users are
granted access to system resources and data.

• It determines the mechanisms and rules for authentication, authorization,

and accounting (AAA) in order to enforce proper access controls.

• The goal of the Access Control Model is to ensure that only authorized
individuals or processes are allowed to access specific resources or
perform certain actions within a system.
Protection Models cont… Access Control Model
• There are several types of Access Control Models, including:

1. Mandatory Access Control (MAC)

2. Discretionary Access Control (DAC)

3. Role-Based Access Control (RBAC)

4. Attribute-Based Access Control (ABAC)

5. Rule-Based Access Control (RBAC)

 Protection Models cont…
Access Control Model: Mandatory Access Control (MAC)
• This model assigns security labels (e.g., security classifications or
levels) to both users and system resources.

• Access decisions are based on the labels and predefined access rules,
which are typically enforced by the operating system or security
software.
 Protection Models cont…
Access Control Model: Mandatory Access Control (MAC)
 Protection Models cont…
Access Control Model: Discretionary Access Control (DAC)

• In this model, access control decisions are left to the discretion of the
resource owner.

• Each resource has an associated Access Control List (ACL) that

specifies the permissions granted to individual users or groups.
 Protection Models cont…
Access Control Model: Discretionary Access Control (DAC)
 Protection Models cont…
Access Control Model: Discretionary Access Control (DAC)
 Protection Models cont…
Access Control Model: Role-Based Access Control (RBAC)
• RBAC is based on the concept of roles.
• Users are assigned specific roles, and permissions are assigned to
these roles rather than to individual users.

• This simplifies administration and enables more efficient

management of access controls.
 Protection Models cont…
Access Control Model: Role-Based Access Control (RBAC)
 Protection Models cont…
Access Control Model: Role-Based Access Control (RBAC)
 Protection Models cont…
Access Control Model: Attribute-Based Access Control (ABAC)

• ABAC takes into account various attributes or characteristics of

users, resources, and the environment to make access control
decisions.

• Attributes such as user roles, time of access, location, and data

classification can be considered when determining access
permissions.
 Protection Models cont…
Access Control Model: Attribute-Based Access Control (ABAC)
 Protection Models cont…
Access Control Model: Rule-Based Access Control (RBAC)
• RBAC uses a set of predefined rules to determine access permissions.
• These rules are based on conditions or criteria specified in policies
and are evaluated to determine whether access should be granted or
denied.
Protection Models cont… Access Control Model
• Each Access Control Model has its own advantages and is suitable for
different security requirements and environments.

• Organizations may choose to implement one or a combination of

these models based on their specific needs and risk tolerance.