data security authorization and access control

AUTHORIZATION AND ACCESS CONTROL

DATA SECURITY

identification

Authentication

Authorization

AUTHORIZATION

• Allows to specify where the party should be allowed or denied access• Implemented through the use of access controls• Allowing access means keeping in mind the

PRINCIPLE OF LEAST PRIVELEGE

PRINCIPLE OF LEAST PRIVILEGE

• Dictates that we should only allow the bare minimum of access to a party – this might be a person, user account, or process – to allow it to perform the functionality needed of it.

• Example :• Employee in Sales Dept. should not need access

to data internal to a human resource system in order to do their job

ACCESS CONTROL

• the selective restriction of access to a place or other resource

• BASIC TASKS• Allow access• Deny access• Limit access• Revoke access

ACCESS CONTROL

• ALLOW ACCESS• Giving a particular party, or parties, access to a given

resource

• DENY ACCESS• Preventing access by a given party to the resource in

question

ACCESS CONTROL

• LIMIT ACCESS• Allowing some access to a resource but only up to a

certain point

• REVOKE ACCESS• Taking away access to a resource

ACCESS CONTROL METHODS OF IMPLEMENTATION

• Access Control List ( ACL )• Capability-Based Security

ACCESS CONTROL METHODS USE FOR IMPLEMENTATION

• Access Control List ( ACL )• Used to control access in the file systems on which

operating systems run and to control the flow of traffic in the networks to which a system is attached.

• typically built specifically to a certain resource containing identifiers of the party allowed to access a resource and what the party is allowed to do in relation to a resource.

Alice AllowBob Deny

FILE SYSTEM ACL

• Normally seen in file systems in operating systems to provide access to some files and folders.

• PERMISSIONS• Read• Write• Execute

• ACCESS PERMISSION GIVEN TO• User• Group• Others

FILE SYSTEM ACL

NETWORK ACL

• IP address• MAC address• Ports• FTP uses port 20 and 21 to transfer file• Internet Message Access Protocol (IMAP) uses port 143 for

managing email

CAPABILITY-BASED SECURITY

• Oriented around the use of a token that controls an access• Based entirely on the possession of the token and

not who possesses it

ACCESS CONTROL MODELS

• Discretionary Access Control• Mandatory Access Control• Role-Based Access Control• Attribute-Based Access Control• Multi-level Access Control

DISCRETIONARY ACCESS CONTROL

• Model of access control based on access determined by the owner of the resource.• The owner can decide who does and does not

have access and what access they are allowed to have

MANDATORY ACCESS CONTROL

• Model of access control which the owner of the resource does not get to decide who gets to access it but instead access is decided by a group or individual who has the authority to set access on resources.• Example :• Government organizations where access to a resource is

dictated by the sensitivity label applied to it (secret, top secret etc)

ROLE-BASED ACCESS CONTROL

• Model of access control where functions of access control is set by an authority responsible for doing so and the basis for providing access is based on the role the individual has to be granted access.

ATTRIBUTE-BASED ACCESS CONTROL

• Model of access control based on attributes of a person, a resource or the environment

• SUBJECT ATTRIBUTE• Attributes that a person possess• Example :• “You must be this tall to ride”• Captcha – Completely Automated Public Turing Test to Tell

Humans and Computers Apart



• RESOURCE ATTRIBUTE• Attributes that is related to a particular resource like OS or

application• Example• Software running on a particular OS• Web site that works on a certain browser



• ENVIRONMENT ATTRIBUTE• Attributes used to enable access controls that operate

based on environmental conditions• Example• Time attribute

MULTI-LEVEL ACCESS CONTROL

• Model of access control that uses two or more methods to improve security of a resource

• Bell-LaPadula Model• Biba Model• Brewer and Nash

PHYSICAL ACCESS CONTROL

• Concerned with controlling the access of individuals and vehicles

• Access of individuals such as in and out of a building or facility.

• TAILGATING occurs when we authenticate to the physical control measure such as a badge and then another person follows directly behind us without authenticating themselves.

PHYSICAL ACCESS CONTROL

• For vehicles, simple barriers, one-way spike strips, fences, rising barriers, automated gates or doors

data security authorization and access control

Technology