Week 11
Access Control
“The prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner”
central element of computer security; assumes the system has users and groups that:
◦ authenticate to system
◦ assigned access rights to certain resources on system
Access Control
Access control is a process to determine “Who does what to what,” based on a policy.
It is controlling access of who gets in and out of the system and who uses what resources, when, and in what amounts.
Access control is restricting access to a system or system resources based on something other than the identity of the user
Kizza - Guide to Computer Network Security
Access Control and Authorization
Access Control Principles
Access Control Policies
Discretionary access control (DAC)
◦ Individual user may, at his own discretion, determine who is authorized to access the objects he creates
● Example: Unix files
Mandatory access control (MAC)
◦ Creator of an object does not necessarily have the ability to determine who has authorized access to it
◦ Policy typically governed by a central authority
◦ Policy on an object depends on what object or information was used to create it
DAC vs. MAC
reliable input
fine and coarse specifications
least privilege
separation of duty
open and closed policies
policy combinations, conflict resolution
administrative policies
Access Control Requirements
subject - entity that can access objects
◦ a process representing user/application
◦ often have 3 classes: owner, group, world
object - access controlled resource
◦ e.g. files, directories, records, programs etc
◦ number/type depend on environment
access right - way in which subject accesses an object
◦ e.g. read, write, execute, delete, create, search
Access Control Elements
often provided using an access matrix
◦ lists subjects in one dimension (rows)
◦ lists objects in the other dimension (columns)
◦ each entry specifies access rights of the specified subject to that object
access matrix is often sparse
can decompose by either row or column
Discretionary Access Control
Access Control Structures
Access Control Matrix
All the information needed for access control administration can be put into a matrix with rows representing the subjects or groups of subjects and columns representing the objects.
The access that the subject or a group of subjects is permitted to the object is shown in the body of the matrix.
One feature of the access control matrix is its sparseness. Because the matrix is so sparse, storage becomes an issue, and it is better to store the matrix as a list.
Access Matrix
Fig. (a)
Access Control Lists
In access control lists (ACLs), the groups with access rights to an object are stored in association with the object. If you look at the access matrix in Fig. (a), each object has a list of access rights associated with it: each object is associated with all the access rights in its column. For example, the ACL for access matrix (a) is shown in Fig. (b).
ACLs are well suited to operating systems, which manage access to objects.
Access Control List
Access Control Capability
A capability specifies that “the subject may do operation O on object X.”
Unlike ACLs, where access rights are stored by the columns of the access control matrix, capability-based storage is based on the rows. This means that every subject is given a capability, a forgery-proof token that specifies the subject’s access rights.
From access matrix (a), we can construct the capability list shown in Fig. (c).
Capability Lists
Access Control Model
ACLs vs. capabilities
Given a subject, what objects can it access? (capabilities)
Given an object, which subjects can access it? (ACLs)
◦ The second question is asked more often than the first
For incident response, capabilities may be preferable
◦ “What else did this subject access?”
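As an added example (not from the slides), one sparse access matrix stored both ways: column-wise as ACLs and row-wise as capability lists, together with the query that each representation makes cheap. The matrix contents and the subject/object names are constructed for illustration.

```python
# Added example: one access matrix decomposed into ACLs (by column) and
# capability lists (by row), plus the question each representation answers cheaply.
from collections import defaultdict

# Constructed sample matrix in the spirit of Fig. (a): subject -> object -> rights.
ACCESS_MATRIX = {
    "alice": {"file1": {"read", "write"}, "file2": {"read"}},
    "bob":   {"file2": {"read", "write", "execute"}},
    "carol": {"file1": {"read"}, "prog": {"execute"}},
}

def to_acls(matrix):
    """Decompose by column: each object keeps the subjects that may access it."""
    acls = defaultdict(dict)
    for subject, row in matrix.items():
        for obj, rights in row.items():
            acls[obj][subject] = set(rights)
    return dict(acls)

def to_capabilities(matrix):
    """Decompose by row: each subject holds tickets for the objects it may access."""
    return {subject: {obj: set(rights) for obj, rights in row.items()}
            for subject, row in matrix.items()}

def is_allowed(acls, subject, obj, right):
    """Reference-monitor check against the object's ACL; the default is deny."""
    return right in acls.get(obj, {}).get(subject, set())

def who_can_access(acls, obj):
    """'Given an object, which subjects can access it?' -- one ACL lookup."""
    return sorted(acls.get(obj, {}))

def what_can_access(caps, subject):
    """'Given a subject, what objects can it access?' -- one capability lookup
    (with ACLs alone this needs a scan of every object's list)."""
    return sorted(caps.get(subject, {}))

def sparsity(matrix):
    """Fraction of empty cells: the reason the matrix is stored as lists."""
    objects = {obj for row in matrix.values() for obj in row}
    cells = len(matrix) * len(objects)
    filled = sum(len(row) for row in matrix.values())
    return 1 - filled / cells
```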
set of objects with associated access rights
in access matrix view, each row defines a protection domain
◦ but not necessarily just a user
◦ may be a limited subset of user’s rights
◦ applied to a more restricted process
may be static or dynamic
Protection Domains
“Locks and keys”
Combines ACLs and capabilities
◦ “Lock” associated with each object
◦ “Key” associated with each subject authorized to access this object
◦ When a subject tries to access an object, its set of keys is checked; if it has a key corresponding to the object’s lock, access is allowed
Important distinction
ACLs and capabilities are “static”
◦ Require manual intervention to change
Locks and keys are “dynamic”
◦ May change on their own in response to changes in the system (based on constraints)
Example
Cryptographic key used to encrypt a file
◦ A file cannot be “read” unless the subject has the encryption key
◦ Can also enforce that requests from n users are required in order to read data (and-access), or that any of n users are able to read data (or-access)
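As an added example (not from the slides), the “locks and keys” idea realised with cryptography: the object’s lock commits to a file key K and the file is stored encrypted under K; or-access gives each authorised subject a copy of K, while and-access splits K into n XOR shares so that all n subjects must present their share together. The stream construction is illustrative only.

```python
# Added example: cryptographic locks and keys with or-access and and-access.
import hashlib
import secrets

def xor_all(parts):
    """XOR a list of equal-length byte strings together."""
    acc = bytes(len(parts[0]))
    for part in parts:
        acc = bytes(a ^ b for a, b in zip(acc, part))
    return acc

def keystream_xor(key, data):
    """Illustrative stream cipher: SHA-256 in counter mode. Not a production cipher."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)

def lock_file(plaintext):
    """Return the file key K and the locked object (lock, ciphertext)."""
    key = secrets.token_bytes(32)
    lock = hashlib.sha256(key).digest()   # the lock commits to K without revealing it
    return key, (lock, keystream_xor(key, plaintext))

def split_key(key, n):
    """n-of-n XOR secret sharing: K = s1 ^ ... ^ sn; fewer than n shares reveal nothing."""
    shares = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    shares.append(xor_all([key] + shares))
    return shares

def open_file(locked, presented):
    """Access check: the presented key or shares must reconstruct K, else deny (None)."""
    lock, ciphertext = locked
    candidate = xor_all(presented)
    if hashlib.sha256(candidate).digest() != lock:
        return None
    return keystream_xor(candidate, ciphertext)
```

Or-access is `open_file(locked, [key])` by any holder of a copy of K; and-access is `open_file(locked, shares)` with every share present, and any subset is denied.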
Role-Based Access Control
The changing size and technology of computer and communication networks are creating complex and challenging problems in the security management of these large networked systems.
The changing technology and large numbers of users joining the networks are making the administration of systems extremely costly and prone to error when it is based solely on access control lists for each user on the system individually.
System security in role-based access control (RBAC) is based on roles assigned to each user in an organization. For example, one can take on a role as a chief executive officer, a chief information officer, or chief security officer.
A user may be assigned one or more roles, and each role is assigned one or more privileges that are permitted to users in that role. Access decisions are then based on the roles individual users have as part of an organization.
The process of defining roles is based on a thorough analysis of how an organization operates and includes input from a wide spectrum of users in the organization.
Access rights are grouped by role name, and the use of resources is restricted to individuals authorized to assume the associated role.
Users are granted membership into roles based on their competencies and responsibilities in the organization.
The types of operations that a user is permitted to perform in the role he or she assumes are based on that user's role. User roles are constantly changing as the user changes responsibilities and functions in the organization, and these roles can be revoked.
Role associations can be established when new operations are instituted, and old operations can be deleted as organizational functions change and evolve.
RBAC is also based on the concept of least privilege that requires identifying the user's job functions, determining the minimum set of privileges required to perform that function, and restricting the user to a domain with those privileges and nothing more.
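As an added example (not from the slides), a minimal hierarchical RBAC model in the NIST style (users are assigned roles, roles carry permissions, senior roles inherit junior ones), populated for a hypothetical bank; all role, user and object names are made up. Session activation of only the roles needed is how least privilege is enforced here.

```python
# Added example: users -> roles -> permissions with role hierarchy, revocation,
# and per-session role activation (least privilege). Bank data is constructed.
class RBAC:
    def __init__(self):
        self.role_perms = {}   # role -> set of (operation, object)
        self.inherits = {}     # role -> junior roles whose permissions it inherits
        self.user_roles = {}   # user -> roles assigned (membership)

    def add_role(self, role, perms, inherits=()):
        self.role_perms[role] = set(perms)
        self.inherits[role] = set(inherits)

    def assign(self, user, role):
        if role not in self.role_perms:
            raise KeyError("unknown role: " + role)
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user, role):
        """Roles change with responsibilities; revocation takes effect at once."""
        self.user_roles.get(user, set()).discard(role)

    def _closure(self, roles):
        """All roles reachable down the hierarchy from the given roles."""
        seen, stack = set(), list(roles)
        while stack:
            role = stack.pop()
            if role not in seen:
                seen.add(role)
                stack.extend(self.inherits.get(role, ()))
        return seen

    def permitted(self, user, operation, obj, active=None):
        """Access decision. 'active' limits the session to the roles actually
        needed (least privilege); None means every assigned role is active."""
        roles = self._closure(self.user_roles.get(user, set()))
        if active is not None:
            roles = self._closure(roles & set(active))
        return any((operation, obj) in self.role_perms[r] for r in roles)

def build_bank():
    """Hypothetical bank: teller and loan officer are junior to branch manager."""
    bank = RBAC()
    bank.add_role("teller", {("read", "account"), ("deposit", "account"),
                             ("withdraw", "account")})
    bank.add_role("loan_officer", {("read", "account"), ("approve", "loan")})
    bank.add_role("branch_manager", {("override", "limit")},
                  inherits=["teller", "loan_officer"])
    bank.assign("tina", "teller")
    bank.assign("mike", "branch_manager")
    return bank
```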
NIST RBAC Model
RBAC For a Bank
introduced access control principles
◦ subjects, objects, access rights
discretionary access controls
◦ access matrix, access control lists (ACLs), capability tickets
◦ UNIX traditional and ACL mechanisms
role-based access control
Summary
Most slides from:
Computer Security: Principles and Practice, First Edition, by William Stallings and Lawrie Brown
Lecture slides by Lawrie Brown
Chapter 4 – Access Control
http://www.cgisecurity.com/owasp/html/ch08.html
Book: Guide to Computer Network Security, Second Edition, Joseph Migga Kizza, chapter 9