Access Controls Henry Parks SSAC 2012 Presentation Outline Purpose of Access Controls Access Control Models –Mandatory –Nondiscretionary/Discretionary

Access Controls
Henry Parks
SSAC 2012

Presentation Outline

• Purpose of Access Controls
• Access Control Models
  – Mandatory
  – Nondiscretionary/Discretionary
  – Role Based
• Access Control Operation Factors
  – Access Control Lists
  – Access Control Matrix
  – Identification and Authentication
• Real Time Access Controls
  – Routers
  – Firewalls
  – OS

Purpose of Access Controls

• Access Controls
  – Determine whether a user is admitted to a trusted area

• Access Control Common Terms
  – Subject: entity that requires access to a system resource
  – Object: system resource to which access must be controlled
  – Permissions: list specifying access rights

• Access Control Components
  – System Access
  – Network Access & Architecture
  – Encryption and protocols
  – Auditing

Access Control Models
Mandatory Access Control

• Characteristics
  – Extremely secure system
  – Sensitivity labels are assigned to both objects and subjects
  – All data is assigned a security level that reflects its relative sensitivity, confidentiality, and protection value.
  – Only administrators, not data owners, make changes to a resource's security label.

• Levels of Authorization
  – Subjects can read from a lower classification than the one they are granted
  – Subjects can write to a higher classification
  – Subjects are given read/write access to objects only of the same classification
  – Only the administrator is allowed to access rights
  – Enforced by a centralized organizational policy
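The levels-of-authorization rules on this slide, as an added Python example (not part of the original presentation): a central policy decides every request from the subject's and object's labels alone, and only an administrator can relabel an object. The level names, `alice`, `root` and the object names are constructed for illustration.

```python
from enum import IntEnum

class Level(IntEnum):
    # Constructed sensitivity levels; a higher value is more sensitive.
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

class MacPolicy:
    """Central policy holding the labels of every subject and object."""

    def __init__(self, admins):
        self.admins = set(admins)
        self.subjects = {}   # subject name -> Level (clearance)
        self.objects = {}    # object name -> Level (classification)

    def allowed(self, subject, obj, op):
        """Decide from the two labels alone; data owners have no say."""
        s, o = self.subjects[subject], self.objects[obj]
        if op == "read":        # same level or any lower classification
            return o <= s
        if op == "write":       # same level or any higher classification
            return o >= s
        if op == "readwrite":   # only objects of the same classification
            return o == s
        raise ValueError(f"unknown operation: {op}")

    def relabel(self, actor, obj, level):
        """Only an administrator may change an object's security label."""
        if actor not in self.admins:
            raise PermissionError(f"{actor} may not relabel {obj}")
        self.objects[obj] = level

def demo():
    policy = MacPolicy(admins={"root"})
    policy.subjects["alice"] = Level.SECRET
    policy.objects.update({"memo": Level.UNCLASSIFIED, "plan": Level.SECRET,
                           "codes": Level.TOP_SECRET})
    ops = ("read", "write", "readwrite")
    return {(obj, op): policy.allowed("alice", obj, op)
            for obj in policy.objects for op in ops}

if __name__ == "__main__":
    for (obj, op), ok in demo().items():
        print(f"alice {op:9} {obj:5} -> {'allow' if ok else 'deny'}")
```

The denied write from SECRET to the UNCLASSIFIED `memo` is the case that keeps labelled data from flowing to a less sensitive object.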

Access Control Models
Discretionary Access Control

Characteristics
  – Widely acceptable in commercial environments
  – Identifies the subjects that are allowed or denied access to a securable object
  – An object's owner has discretion over who accesses that object

Levels of Authorization
• File and data ownership
  – Every object in the system has an owner.
• Access Rights and Permissions
  – Controls that an owner can assign to other subjects for specific resources

Access Control Models
Nondiscretionary Access Control

Characteristics
  – Managed by a central authority
  – Can be role-based or task-based
  – An object's owner has discretion over who accesses that object

Levels of Authorization
• Role-Based Controls
  – Linked to the role the subject performs
• Task-Based Controls
  – Linked to a particular assignment or responsibility

Access Control Operation Factors
Access Control Lists

Defined
• List of access control entries (ACE)
• Consist of user access lists, matrices, and capability tables
• Capability table: Specifies which subjects and objects users or groups can access
• Access control matrix: Includes a combination of tables and lists
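How the structures on this slide relate, as an added Python example (not part of the original presentation): one access control matrix is stored, an ACL is read off as the column for an object, and a capability table as the row for a subject. The grant check follows the owner-discretion rule from the Discretionary Access Control slide; the subjects, file names and rights are constructed.

```python
from collections import defaultdict

class AccessMatrix:
    """Access control matrix: rights[subject][object] is a set of rights."""

    def __init__(self):
        self.rights = defaultdict(lambda: defaultdict(set))
        self.owner = {}  # object -> owning subject

    def create(self, owner, obj):
        """Every object has an owner, who starts with full rights."""
        self.owner[obj] = owner
        self.rights[owner][obj] |= {"read", "write"}

    def grant(self, actor, subject, obj, right):
        """Discretionary grant: only the object's owner may extend access."""
        if self.owner.get(obj) != actor:
            raise PermissionError(f"{actor} does not own {obj}")
        self.rights[subject][obj].add(right)

    def check(self, subject, obj, right):
        return right in self.rights.get(subject, {}).get(obj, set())

    def acl(self, obj):
        """Column view: the access control entries attached to one object."""
        return {s: sorted(row[obj]) for s, row in self.rights.items()
                if row.get(obj)}

    def capabilities(self, subject):
        """Row view: every object one subject can reach, with its rights."""
        return {o: sorted(r) for o, r in self.rights.get(subject, {}).items()
                if r}

def demo():
    m = AccessMatrix()
    m.create("alice", "payroll.xls")
    m.create("bob", "notes.txt")
    m.grant("alice", "bob", "payroll.xls", "read")   # owner's discretion
    try:
        m.grant("bob", "carol", "payroll.xls", "write")  # bob is not the owner
        refused = False
    except PermissionError:
        refused = True
    return m, refused

if __name__ == "__main__":
    m, refused = demo()
    print("ACL for payroll.xls:", m.acl("payroll.xls"))
    print("Capabilities of bob:", m.capabilities("bob"))
    print("Non-owner grant refused:", refused)
```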

Access Control Operation Factors
Identification and Authentication

Multifactor Authentication
  – Implementing multiple forms of authentication to validate an identity
  – Used for systems requiring strong authentication

• Forms of Authentication
  – What a subject knows:
  – What a subject has:
  – What a subject is:
  – What a subject produces:

Real Time Access Controls
Routers

Cisco Router

Real Time Access Controls
Operating System

Microsoft Active Directory

Real Time Access Controls
Firewall

Cisco PIX Firewall

Conclusion

• Purpose of Access Controls
• Access Control Models
• Access Control Operation Factors
• Real Time Access Controls

The End

QUESTIONS?
