Access Control

Topic 3, with other topic also covered

Introduction
• Users first must be identified as authorized user, such as by logging in
with user name and password to laptop computer
• Because laptop connects to corporate network that contains critical
data, important also to restrict user access to only software,
hardware, and other resources for which user has been approved
• These two acts—authenticating only approved users and controlling
their access to resources—are important foundations in information
security
ACCESS CONTROL?-Access control is a security technique that
regulates who or what can view or use resources in a computing environment. It is a fundamental
concept in security that minimizes risk to the business or organization.

• Access Control - Granting Or Denying Approval To Use Specific Resources;

It Is Controlling Access

• Physical Access Control - Fencing, Hardware Door

• Locks, And Mantraps That Limit Contact With Devices

• Technical Access Control - Technology Restrictions That Limit Users On

Computers From Accessing Data
Access Control Principles
 Access Control Terminology
• Identification - presenting credentials (example: delivery driver
presenting employee badge)
• Authentication - checking credentials (example: examining the
delivery driver’s badge)
• Authorization - granting permission to take action
• (Example: allowing delivery driver to pick up package)
 Access Control Models/Policies
• Access control model - hardware and software
predefined framework that custodian can use for
controlling access
• Access control models used by custodians for access
control are neither created nor installed by custodians or
users; instead, these models are already part of software
and hardware.
• Access control models
• DAC - least restrictive model
• MAC - opposite of dac and is most restrictive
access control model
• UAC user/admin level model that notifies or requires
authentication prior to granting access
• Discretionary Access Control (DAC) - least restrictive model
• Every object has owner, who has total control over that object
• Owners can create and access their objects freely
• Owner can give permissions to other subjects over these objects
• DAC used on operating systems like unix and microsoft windows
• DAC has two significant weaknesses:
• Dac relies on decisions by end-user to set proper level of security; incorrect permissions might be granted to subject or permissions might be
given to unauthorized subject
• Subject’s permissions will be “inherited” by any programs that subject executes; attackers often take advantage of this inheritance because end-
users
• Mandatory Access Control (MAC) - Opposite of DAC and is most restrictive access
control model
• MAC assigns users’ access controls strictly
• According to custodian’s desires and user has no freedom to set any controls
• Two key elements to mac:
• Labels - every entity is an object (laptops, files, projects, and so on) and assigned classification label
(confidential, secret, and top secret) while subjects assigned privilege label (a clearance)
• Levels - hierarchy based on labels is also used, both for objects and subjects (top secret higher level
than secret)
Mandatory Access Control (MAC): MAJOR
IMPLEMENTATIONS
• LATTICE MODEL - Subjects and objects are assigned
• “Rung” on lattice and multiple lattices can be placed beside each other
• BELL-LAPADULA - Similar to lattice model but subjects may not create
new object or perform specific functions on lower level objects
• BIBA INTEGRITY MODEL - Goes beyond BLP model and adds
protecting data integrity and confidentiality
• MANDATORY INTEGRITY CONTROL (MIC) - Based on BIBA
model, mic ensures data integrity by controlling access to securable objects
Windows User Account Control
• ROLE BASED ACCESS CONTROL (RBAC) - Considered more “real-
world” access control than other models because access based on
user’s job function within organization
• Instead of setting permissions for each user or group assigns permissions
to particular roles in organization and then assigns users to those roles
• Objects are set to be a certain type, to which subjects with that particular
role have access
• Subjects may have multiple roles assigned to them
• RULE BASED ACCESS CONTROL (RBAC) - Dynamically
assign roles to subjects based on set of rules defined by custodian
• Each resource object contains set of access properties
based on rules
• When user attempts to access that resource, system checks rules
contained in object to determine if access is permissible
Best practices for Access Control
• A FEW BEST PRACTICES:
• Separation of duties - not to give one person total control
• Job rotation - individuals periodically moved between job responsibilities
• Least privilege - limiting access to information based on what is needed to
perform a job function
• Implicit deny - if condition is not explicitly met, access request is rejected
• Mandatory vacations - limits fraud, because perpetrator must be present daily to
hide fraudulent actions
Implementing Access Control
• NOW THAT WE HAVE DISCUSSED THE MODELS THAT CAN BE IMPLEMENTED IT IS
TIME TO EXAMINE THE TECHNOLOGIES USED TO IMPLEMENT ACCESS CONTROL:
• ACCESS CONTROL LISTS
• GROUP POLICY
• ACCOUNT RESTRICTIONS
• ACCESS CONTROL LIST (ACL) - SET OF PERMISSIONS
ATTACHED TO AN OBJECT
• Group policy - microsoft windows feature that provides centralized management and
configuration of computers and remote users using active directory (ad)

• Usually used in enterprise environments

• Settings stored in group policy objects (gpos)

• Local group policy has fewer options than a group policy and used to configure settings for
systems not part of ad
• Time of day restrictions
• Time of day restrictions - limits the time of day a user may log onto a system
• Time blocks for permitted access are chosen
• Can be set on individual systems
•Account expiration RESTRICTIONS
• Orphaned accounts - accounts that remain active after employee has left organization
• Dormant accounts – accounts not Accessed for lengthy period of time Both can be security risks
• Account expiration - process of setting a user’s account to expire
Account expiration can be explicit (account expires on a set date) or based on specific number of
days of inactivity