
Access Control FIN

Access control is a critical aspect of computer security that prevents unauthorized use of resources by managing user access rights. It involves mechanisms that dictate how users and systems interact, specifying what actions they can perform on various resources. Different models like Discretionary, Mandatory, and Role-Based Access Control are employed to implement these controls at administrative, physical, and technical levels.

Uploaded by

Sameer Javed

Presented by

Engr. Farooq Iqba

Access Control 1
Access Control

• "The prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner"
• central element of computer security
• assume have users and groups
– authenticate to system
– assigned access rights to certain resources on system

Access Control

• Access control is the collection of mechanisms that permits managers of a system to exercise a directing or restraining influence over the behavior, use, and content of a system
• It permits management to specify what users can do, which resources they can access, and what operations they can perform on a system

Access Control Components

• Access Controls: The security features that control how users and systems communicate and interact with one another
• Access: The flow of information between subject and object
• Subject: An active entity that requests access to an object or the data in an object
• Object: A passive entity that contains information

Access Control Principles

Access Control Policies

Access Control Requirements

• reliable input: a mechanism to authenticate
• fine and coarse specifications: regulate access at varying levels (e.g., an attribute or entire DB)
• least privilege: min authorization to do its work
• separation of duty: divide steps among different individuals
• open and closed policies: accesses specifically authorized or all accesses except those prohibited
• administrative policies: who can add, delete, modify rules

Access Control Elements

• subject - entity that can access objects
– a process representing user/application
– often have 3 classes: owner, group, world
• object - access controlled resource
– e.g. files, directories, records, programs etc.
– number/type depend on environment
• access right - way in which subject accesses an object
– e.g. read, write, execute, delete, create, search

Discretionary Access Control

– A system that uses discretionary access control allows the owner of the resource to specify which subjects can access which resources
– Access control is at the discretion of the owner

Mandatory Access Control

• Access control is based on a security labeling system
– Users have security clearances and resources have security labels that contain data classifications
• Used in environments where information classification and confidentiality are very important (e.g., the military)

Role-Based Access Control

• Role Based Access Control (RBAC) uses a centrally administered set of controls to determine how subjects and objects interact
• Best system for an organization that has high turnover
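The three models above, applied to the same subject, object and access right, as an added Python example that is not part of the original slides. All names, the classification levels and the role table are constructed; the MAC read rule (clearance must be at least the label) is a common simplification assumed here, since the slides say only that clearances and labels exist.

```python
from dataclasses import dataclass, field

# Constructed classification levels, ordered low to high (assumption).
LEVELS = {"public": 0, "confidential": 1, "secret": 2}

@dataclass
class Subject:
    name: str
    clearance: str = "public"                   # consulted by MAC
    roles: set = field(default_factory=set)     # consulted by RBAC

@dataclass
class Obj:
    name: str
    owner: str
    label: str = "public"                       # MAC security label
    acl: dict = field(default_factory=dict)     # DAC: subject name -> rights

def dac_grant(requester, obj, grantee, right):
    """DAC: only the owner may change who can access the object."""
    if requester.name != obj.owner:
        raise PermissionError(f"{requester.name} does not own {obj.name}")
    obj.acl.setdefault(grantee.name, set()).add(right)

def dac_allows(subject, obj, right):
    return subject.name == obj.owner or right in obj.acl.get(subject.name, set())

def mac_allows_read(subject, obj):
    """MAC: the system compares clearance to label; no owner override."""
    return LEVELS[subject.clearance] >= LEVELS[obj.label]

# RBAC: one centrally administered table maps roles to (object, right) pairs.
ROLE_PERMS = {"payroll_clerk": {("payroll.db", "read"), ("payroll.db", "write")},
              "auditor": {("payroll.db", "read")}}

def rbac_allows(subject, obj, right):
    return any((obj.name, right) in ROLE_PERMS.get(r, set()) for r in subject.roles)

def demo():
    alice = Subject("alice", clearance="secret", roles={"payroll_clerk"})
    bob = Subject("bob", clearance="public", roles={"auditor"})
    payroll = Obj("payroll.db", owner="alice", label="confidential")
    dac_grant(alice, payroll, bob, "read")       # owner's discretion
    results = {"dac_bob_read": dac_allows(bob, payroll, "read"),
               "mac_bob_read": mac_allows_read(bob, payroll),
               "rbac_bob_write": rbac_allows(bob, payroll, "write")}
    # Turnover: bob takes over payroll; only his role set changes.
    bob.roles = {"payroll_clerk"}
    results["rbac_bob_write_after_move"] = rbac_allows(bob, payroll, "write")
    return results
```

Calling `demo()` shows the same read request allowed under DAC (the owner granted it) and refused under MAC (the label outranks the clearance), and shows that a staffing change under RBAC touches only the subject's role set.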

Access Control Implementation

• Access controls can be implemented at various layers of an organization, network, and individual systems
• Three broad categories:
– Administrative (e.g., separation of duties, rotation of duties)
– Physical (e.g., network segregation, physical access)
– Technical (aka logical, e.g., auditing, network access)
