Access Control - PowerPoint PPT Presentation

About This Presentation
Title:

Access Control

Description:

Access control is not a standalone component of a security system ... exclusive roles e.g., accountant writes check and manager signs the check) ... – PowerPoint PPT presentation

Slides: 24
Provided by: lakshmisr

Transcript and Presenter's Notes

Title: Access Control


1
Access Control
2
Access Control
  • Access control principles
  • Mandatory Access Control (MAC)
  • Discretionary Access Control (DAC)
  • Role-based Access Control
  • Matrix model

3
Access Control Principles
  • Access control is not a standalone component of
    a security system
  • Access control coexists with other security
    services
  • Access control works closely with audit control
  • Access matrix is a good tool to specify
    permissions
  • Access Control List (ACL) details are placed in
    Access Matrix

4
Access Control Example
5
Access Control Example
6
Access Control
  • Reference: "Access Control: Principles and
    Practice" by R. S. Sandhu and P. Samarati, IEEE
    Communications Magazine, Vol. 32, Sept. 1994,
    40-48.

7
Mandatory Access Control
  • Why is MAC needed?
  • Enhances security of database
  • Gives consistent view of operations
  • General rule is all allowed accesses are provided
    by MAC
  • Access that is not part of MAC is discretionary
  • MAC adds to complexity

8
Mandatory Access Control
  • MAC is used for type enforcement (TE) as is done
    in programming languages
  • MAC protects organizational data
  • MAC deals with database queries, reports and
    statistical studies
  • Data protection for a class is determined by its
    label
  • Relabel privileges follow a set of rules since
    label makes a difference in access

9
Mandatory Access Control
  • Relabels are used for declassification of
    existing objects or for approvability
  • Relabels do not allow changing or observing the
    content
  • Information flow is specified between MAC labels
  • Information flow restrictions are essential for
    maintaining confidentiality

10
Mandatory Access Control
  • Examples
  • Official reports (DAC permission allows DAC copy)
  • Statistical analysis of medical records
    (providers and researchers have different view of
    same data)
  • Accounting records (updated by structured
    programs and accessed by unstructured programs)

11
Discretionary Access Control
  • DACs provide flexibility in allowing access to
    database
  • DACs protect unstructured work in progress
  • DAC objects contain information protected by MAC
  • DAC also includes privileges associated with
    email
  • DAC labels are derived from MAC labels

12
Discretionary Access Control
  • Access decisions in DAC do not take into account
    the user's role or the program's functionality
  • Linux has benefited from DAC

13
Role-based Access Control
  • Reference: "Role-Based Access Control Models" by
    R. S. Sandhu et al., IEEE Computer, Vol. 29, Feb.
    1996, 38-47.
  • Databases are used by multiple users for multiple
    applications
  • Role-based access control (RBAC) is one way to
    handle security for the users and applications

14
Role-based Access Control
  • Role of the user in the organization determines
    the access level for the database
  • DBAs create roles and assign permissions to roles
  • DBAs and others can place users in appropriate
    roles
  • Roles can define specific individuals allowed
    access or extent of access to resources for
    multiple individuals

15
Role-based Access Control
  • SQL3 standard (NIST) recognizes the importance of
    RBAC
  • Oracle 7 is the first commercial system to
    implement RBAC
  • Roles can be mutually exclusive
  • Role-role relations enforce security policies
  • Permissions assigned to roles change less
    frequently than permissions assigned to
    individuals

16
Role-based Access Control
  • RBAC is policy-neutral
  • RBAC supports the following security principles:
    • Least privilege (only the needed permissions are
      assigned to roles)
    • Separation of duties (use of mutually exclusive
      roles, e.g., accountant writes check and manager
      signs the check)
    • Data abstraction (instead of read/write/execute,
      permissions such as credit/debit are established)

17
Role-based Access Control
  • RBAC is independent of MAC and DAC
  • RBAC can support MAC and DAC separately

18
RBAC Example
19
RBAC Example
20
RBAC Example
  • RBAC0 denotes the minimum requirements for an
    RBAC system
  • RBAC1 adds role hierarchies and includes RBAC0
  • RBAC2 adds constraints and includes RBAC0
  • RBAC3 includes RBAC1 and RBAC2 and transitively
    RBAC0
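
Added example (not part of the original slides): a Python sketch of the RBAC0 to RBAC3 layering above, with a role hierarchy (RBAC1) and a mutually-exclusive-roles constraint (RBAC2) that enforces the accountant/manager separation of duties. The role, user and permission names are assumptions made for illustration.

```python
# Added illustration; every role, user and permission name is hypothetical.
class RBAC:
    def __init__(self):
        self.perms = {}         # role -> permissions granted directly (RBAC0)
        self.juniors = {}       # role -> roles it inherits from (RBAC1)
        self.exclusive = set()  # frozenset({a, b}) pairs that may not combine (RBAC2)
        self.members = {}       # user -> roles assigned directly

    def add_role(self, role, perms=(), inherits=()):
        self.perms[role] = set(perms)
        self.juniors[role] = set(inherits)

    def mutually_exclusive(self, a, b):
        self.exclusive.add(frozenset((a, b)))

    def effective_roles(self, roles):
        """Close a set of roles over the hierarchy (senior inherits junior)."""
        seen, stack = set(), list(roles)
        while stack:
            role = stack.pop()
            if role not in seen:
                seen.add(role)
                stack.extend(self.juniors[role])
        return seen

    def assign(self, user, role):
        """Assign a role unless the result violates separation of duties."""
        if role not in self.perms:
            raise KeyError(role)
        # Check the closure, so an exclusive role reached through
        # inheritance is caught as well as a direct assignment.
        proposed = self.effective_roles(self.members.get(user, set()) | {role})
        for pair in self.exclusive:
            if pair <= proposed:
                raise PermissionError(f"{user}: {sorted(pair)} are mutually exclusive")
        self.members.setdefault(user, set()).add(role)

    def check(self, user, perm):
        roles = self.effective_roles(self.members.get(user, set()))
        return any(perm in self.perms[r] for r in roles)

def build_demo():
    rbac = RBAC()
    rbac.add_role("clerk", {"ledger.view"})
    # Data abstraction: permissions are business operations, not read/write.
    rbac.add_role("accountant", {"check.write"}, inherits={"clerk"})
    rbac.add_role("manager", {"check.sign"}, inherits={"clerk"})
    rbac.mutually_exclusive("accountant", "manager")
    rbac.assign("alice", "accountant")
    rbac.assign("bob", "manager")
    return rbac
```
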

21
RBAC Example
22
Matrix Model
  • Matrix model consists of:
    • Objects (data)
    • Subjects (user processes like queries)
    • Rights (permissions for read, etc.)
  • Rows of the matrix are objects and columns are
    subjects and the content of each cell is the
    rights
  • Protection domain consists of a collection of
    access rights

23
Matrix Model
  • Matrix model consists of:
    • Access lists
    • Capability lists
  • Access list identifies people who have access to
    a particular object
  • Capability list identifies each object and its
    operations
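
Added example (not part of the original slides): a Python sketch that stores the matrix with objects as rows and subjects as columns, as described above, then derives the access list for each object and the capability list for each subject and shows that both views give the same decision. The object, subject and right names are constructed sample data.

```python
# Constructed sample matrix: rows are objects, columns are subjects.
SUBJECTS = ["payroll_query", "audit_report", "hr_update"]
MATRIX = {
    "salaries":  [{"read"}, {"read"}, {"read", "write"}],
    "audit_log": [set(), {"read", "append"}, set()],
    "employees": [{"read"}, set(), {"read", "write"}],
}

def access_lists(matrix, subjects):
    """One list per object (a row): the subjects holding rights on it."""
    return {obj: {s: r for s, r in zip(subjects, row) if r}
            for obj, row in matrix.items()}

def capability_lists(matrix, subjects):
    """One list per subject (a column): each object it may use, and how."""
    caps = {s: {} for s in subjects}
    for obj, row in matrix.items():
        for subject, rights in zip(subjects, row):
            if rights:
                caps[subject][obj] = rights
    return caps

def allowed_by_acl(acls, subject, obj, right):
    # The check starts from the object being accessed.
    return right in acls.get(obj, {}).get(subject, set())

def allowed_by_capability(caps, subject, obj, right):
    # The check starts from what the subject presents.
    return right in caps.get(subject, {}).get(obj, set())

def who_can(acls, obj, right):
    """Review of one object: a single lookup in the access-list view."""
    return sorted(s for s, rights in acls.get(obj, {}).items() if right in rights)

def views_agree(matrix, subjects):
    """Both derived views must return the same decision for every cell."""
    acls = access_lists(matrix, subjects)
    caps = capability_lists(matrix, subjects)
    all_rights = set().union(*(r for row in matrix.values() for r in row))
    return all(
        allowed_by_acl(acls, s, o, r) == allowed_by_capability(caps, s, o, r)
        for o in matrix for s in subjects for r in all_rights
    )
```
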