Chapter 4 - 01 - Discuss Access Control Principles, Terminologies, and Models - 01_ocred_fax_ocred.pdf

Full Transcript

Certified Cybersecurity Technician
Identification, Authentication, and Authorization
Exam 212-82
Module
Flow
0O
Discuss Access Control Principles,
Terminologies, and Models
! 0,0
020 l
\
WL
o R
Discuss Identity and Access
Management (IAM)
(IAIM)
Copyright ©© byby
EC-{
EC-Council
L All Rights Reserved.
Reserved. Reproduction
Reproduction
is Strictly Prohibited
Prohibited
Discuss Access Control Principles, Terminologies, and Models
The objective of this section is to explain the concept of access control by introducing the
principles of access control, the terminologies used, and the different models that describe how
access control helps in controlling the access of users to specific resources in a network.
Module 04 Page 450
Certified Cybersecurity Technician Copyright © by EG-GCouncil
EG-Gouncil
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician
Exam 212-82
Identification, Authentication, and Authorization
Access
Control
O
Access control is the selective restriction of access to an asset or a system/network resource
O
It protects the information assets by determining who can access what
O
Access control mechanism uses user identification, authentication, and authorization to restrict or grant access to
a specific asset/resource
Grrrraassassssnsannrnninn -
Authorization
Database
Administrator
‘
Authentication
:.
Authentication
Function
|..... aeeenap
5
Access Control
v
iz
Control
emction
Sesscsnansvnnsl »
A
A
System Resources
Copyright
© by
EC
L All Rights Reserved,
Reproduction
is Strictly Prohibited
Access Control
Access control is a method of limiting the access of an organization’s resources for the users. A
crucial aspect of implementing an access control is to maintain the integrity, confidentiality,
and availability of the information.
An access control function uses identification, authentication, and mechanisms to identify,
authenticate, and authorize the user requesting access to a specific resource. The access
permissions determine the approvals or permissions provided to a user for accessing a system
and other resources.
The general steps involved in the access control mechanism are as follows:
=
Step 1: A user provides their credentials/identification while logging into the system.
=
Step 2: The system validates the user with the database on the basis of the provided
credentials/identification such as a password, fingerprint, etc.
=
Step 3: Once the identification is successful, the system provides the user access to use
the system.
=
Step 4: The system then allows the user to perform only those operations or access only
those resources for which the user has been authorized.
Module 04 Page 451
Certified Cybersecurity Technician Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician
Exam 212-82
Identification, Authentication, and Authorization
,‘.
s
gpessssssssssnsnnsssssssssnnd
gpessssssssssnssnsssssssssnad
Authorization
Database
A.H
s.
Administrator
_5
Access Control
j
)
ment'non
Aut'hentition
Function
Function
'
'......:......’:
i..---;---l-".
r
r
,Amss
Contl’ol
|
mntl’ol
Fction
Function
User
:.’"""':’""I’
'--2----..’
9""
SE=s
—
=
=
A
3
‘.‘.....'."
‘.can---a-’w
[
[ENMERR
ip
Authentication
—_—
‘
System Resources
Figure 4.1: Access Control Mechanism
Module 04 Page 452
Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician
Identification, Authentication, and Authorization
Exam 212-82
Access Control Terminologies
This refers to a particular user or process that wants to access a resource
This refers to a specific resource that the user wants to access such as aa file
or a hardware device
It checks the access control rule for specific restrictions
It represents an action taken by a subject on an object.... A)I
Authentication
Reference
Monitor
|
Authorization
Copyright © by EC
cllIL Al
All Rights Reserved. Reproduction
is Strictly Prohibited
Access Control Terminologies
The following terminologies are used to define the access control on specific resources:
Subject
A subject can be defined as a user or a process that attempts to access the objects. The
subjects are those entities that perform certain actions on the system.
Object
An object is an explicit resource on which an access restriction is imposed. The access
controls implemented on the objects further control the actions performed by the user.
Examples of an object are a file or a hardware device.
Reference Monitor
A reference monitor monitors the restrictions imposed on the basis of certain access
control rules. It implements a set of rules on the ability of the subject to perform certain
actions on the object.
Operation
An operation is an action performed by a subject on an object. A user trying to delete a
file is an example of an operation. Here, the user is the subject, the action of deleting
refers to the operation, and the file is the object.
Module 04 Page 453
Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician
Identification, Authentication, and Authorization
m
Access
Request
Exam 212-82
A
R
ce
Monitor
[eeeeeeeninasd
Authentication
focoss
goquest
A
e
Authorization
Figure 4.2: Access Control Terminologies
Module 04 Page 454
Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.