Chapter Two

Access Control Systems and Security

 Contents

Types of Access Control

The process of Accountability

Identification and Authentication Techniques

 1. Types of Access Control
Access control is identifying a person/ a computer doing a specific job,
authenticating them by looking at their identification, then giving that person
only the key to the door or computer that they need access to and nothing more.

In the world of information security, one would look at this as granting an
individual permission to get onto a network via a username and password,
allowing them access to files, computers, or other hardware or software the
person requires, and ensuring they have the right level of permission (i.e., read-
only) to do their job.
 …cont

Access control includes authentication, authorization and audit. It also includes

measures such as physical devices, including biometric scans and metal locks,
hidden paths, digital signatures, encryption, social barriers, and monitoring by
humans and automated systems.

Access control systems provide the essential services of identification and

authentication (I&A), authorization, and accountability where accountability
identifies what a subject (or all subjects associated with a user) did.
 … cont
Access control models:

Access control models are methods which enables one to grant the right level of
permission to an individual so that they can perform their duties based on the rated
permission. Access control models have four flavors:

Mandatory Access Control (MAC),

Discretionary Access Control (DAC), and

Rule-Based Access Control (RBAC or RB-RBAC).

Role-Based Access Control (RBAC),

 … cont
Mandatory Access Control (MAC):

Is a method of limiting access to resources based on the sensitivity of the information
that the resource contains and the authorization of the user to access information with
that level of sensitivity.

MAC criteria are defined by the system administrator, strictly enforced by the
operating system or security kernel, and are unable to be altered by end users.

When a person or device tries to access a specific resource, the OS or security kernel
will check the entity's credentials to determine whether access will be granted.

Classifications include confidential, secret and top secret.

 …cont
Discretionary access control (DAC):

 Unlike Mandatory Access Control (MAC) where access to system resources is

controlled by the operating system (under the control of a system administrator).

Discretionary Access Control (DAC) allows each user to control access to their
own data.

DAC is typically the default access control mechanism for most desktop
operating systems.
 …cont

Instead of a security label in the case of MAC, each resource object on a DAC
based system has an Access Control List (ACL) associated with it.

 An ACL contains a list of users and groups to which the user has permitted
access together with the level of access for each user or group.

For example, User A may provide read-only access on one of her files to User
B, read and write access on the same file to User C and full control to any user
belonging to Group 1.
 … cont

Discretionary Access Control provides a much more flexible environment than

Mandatory Access Control but also increases the risk that data will be made
accessible to users that should not necessarily be given access.

Example is the Unix file mode which represent write, read, and execute in each of
the 3 bits for each of User.
 …cont
Rule-Based Access Control (RBAC or RB-RBAC):

As with MAC, access control cannot be changed by users. All access permissions
are controlled solely by the system administrator.

As with DAC, access properties are stored in Access Control Lists (ACL)
associated with each resource object. When a particular group attempts to access a
resource, the OS checks the rules contained in the ACL for that object.

Rule-based models set rules that apply, regardless of job roles.

Rule-based access controls are preventative – they don’t determine access levels
for employees. Instead, they work to prevent unauthorized access.
 …cont

• This model is set and managed by security administrators, employees cannot

change their permissions or control access.

• Role-based models are proactive – they provide employees with a set of

circumstances in which they can gain authorized access.

• Role-based models apply to employees on a case-by-case basis, determined by

their role. Roles differ from groups in that while users may belong to multiple
groups, a user under RBAC may only be assigned a single role in an organization.

• For instance, the accountant gets the same permissions as all other accountants,
nothing more and nothing less.
 2. The Process of Accountability
As the auditor, you are responsible for checking Resource Access
Control Facility (RACF) that is meeting the installation's needs for
access control and accountability.
The auditor needs to verify that an installation has a way to
maintain accountability.
Accountability means that you can trace activities on the protected
system to a particular person.
People should not share a user ID, RACF allows user IDs to be
shared without losing accountability.
 … cont
 To help you to audit access control and accountability, RACF provides:
• Logging routines that record the information you require
• Audit control functions that enable you to specify the information RACF is to record (or log)
• The RACF SMF data unload utility, which converts SMF records into a format which can be used by a relational database manager
• The RACF report writer, which generates tailored reports based on the information you have directed RACF to log
• The data security monitor (DSMON), which generates reports containing information about the security environment

 To specify the audit control functions, use either the RACF ISPF panels or the RACF commands to direct RACF to log any
events relevant to your installation's data security program. You can:
• Load the records produced by the RACF SMF data unload utility into a relational database manager for analysis.
• Invoke the RACF report writer to print out the data RACF has logged and use the reports to identify possible security violations or weaknesses in
the security mechanism

 The data security monitor (DSMON) generates a set of reports that lets you audit the current status of the data
security environment for an installation.
 You can use the information in the reports to compare the actual system characteristics and resource protection levels
with the installation's requirements. A user must have the AUDITOR attribute or the ROAUDIT attribute to run
DSMON.
 3. Identification and Authentication Techniques

AAA server:
AAA (Authentication, Authorization and Accounting) is a standard-
based framework used to control who is permitted to use network
resources (through authentication), what they are authorized to do
(through authorization), and capture the actions performed while
accessing the network (through accounting).
 …cont
Authentication: Authenticators are based on at least one of the following 4
factors:
• Something you know: password or a personal identification number (PIN).
This assumes that only the owner of the account knows the password or PIN.

• Something you have: smart card or security token. The owner is assumed to
have the smart card needed to unlock the account.
• Something you are: fingerprint, voice, or retina.
• Where you are: inside or outside a company.
 … cont
Authorization-determines what a subject can do, means to grant access to the system.

It is a process by which a server determines if the client has permission to use a resource or
access a file.

The type of it required for authorization may vary; what does it mean ?

Passwords may be required in some cases but not in others. ( E.g., SIMS, ATM card, Credit
card, web page)In some cases, there is no authorization; any user may be use a resource or
access a file simply by asking for it.

Most of the web pages on the Internet require no authentication or authorization

Authentication use a trusted third party, such as a bank, key distribution center (KDC), Authentication
Server (AS) ,Ticket Granting Server (TGS) , etc
 …cont
Authentication-is the process by which you verify that someone is who he claims to be.

• It is a step you announce who you are.

Authentication does not determine what tasks the individual can do or what files
the individual can see.

Authentication merely identifies and verifies who the person or system is.

Generally, Authentication means to confirm your own identity.

Most systems use identification and authentication through user name and
password.
 …cont

 Authentication technology provides access control for systems by checking to

see if a user's credentials match the credentials in a database of authorized
users or in a data authentication server.
Password:
 it is a word, phrase, or string of characters intended to differentiate an
authorized user or process (for the purpose of permitting access) from an
unauthorized user, or put another way, a password is used to prove one’s
identity, or authorize access to a resource.
 …cont
 Most systems use identification and authentication through user name and password. You
should:
• Set password
• Change default password
• Increase password length
• Improve password format
• Avoid obvious passwords
• Use password checkers
• Password ageing should be set
• Limit login attempt
• Inform user
 …cont
Smart cards and memory cards:
 How Smart cards can provide authentication and access control ?
 Smart cards is a physical card that contains a microprocessor and memory.
 The microprocessor can be used to process data, and the memory can be used to store
data.
 It used to control access to a resource. For example, a cardholder can use a PIN code or
biometric data for authentication.
 They also provide a way to securely store data on the card and protect communications
with encryption.
 …cont

Biometrics:
• The term biometrics is derived from the Greek words bio, meaning life,
and metric, meaning to measure.
• Biometrics is the measurement and statistical analysis of people's unique
characteristics.
• The technology is mainly used for identification and access control or for
identifying individuals who are under surveillance.
• The basic premise of biometric authentication is that every person can be
accurately identified by intrinsic physical or behavioral traits.
 …cont
Biometrics are largely used because of two major benefits:
• The convenience of use: Biometrics are always with you and cannot be
lost or forgotten.
• Difficult to steal or impersonate: Biometrics can’t be stolen like a
password or key can.
• Two main types of biometrics: Biometric recognition is the individual's
presentation of his unique biometric parameter and the process of
comparing it with the entire database of available data.
 Physical identification
 Behavioral identification
 …cont

Physical Behavioral
• Face shape • Signature recognition
• The shape and structure of the skull
• Voice recognition
• Retina (rarely used as an identifier)
• The iris of the eye • Gait recognition
• Palm, hand, or finger geometry • Keystroke dynamics
• Fingerprint
• Drawing of veins on the palm or finger
• DNA
• Ear Shape
Thank You!