Chapter 4 - 01 - Discuss Access Control Principles, Terminologies, and Models - 02_ocred_fax_ocred.pdf

Full Transcript

Certified Cybersecurity Technician
Exam 212-82
Identification, Authentication, and Authorization
Access Control Principles
Separation of Duties (SoD)
»
Involves a breakdown of the authorization process into various steps
»
Different privileges are assigned at each step to the individual subjects requesting for a resource
i Q%
»
This ensures that no single individual has the authorization rights to perform all functions and simultaneously
denies access of all the objects to a single individual
4.
r
f
Need-to-know
»
Under the need-to-know access control principle, access is provided only to the information that is required
for performing a specific task
H
E
0
Principle of Least Privilege (POLP)
»
Principle of least privilege extends the need-to-know principle in providing access to a system
»
POLP believes in providing employees a need-to-know access, i.e., not more, not less;
@
g
»
It helps an organization by protecting it from malicious behavior, achieving better system stability, and system security
cllL Al
ANl Rights Reserved.
Reserved. Reproduction
Reproduction
is Strictly Prohibited
Access Control Principles
The principles of access control describe the access permission levels of users in detail. By
enabling the access control process, the security of the processes and resources can be
ensured. The process of access control should be based on the following principles:
=
Separation of Duties (SoD)
This involves a breakdown of the authorization process into various steps. Different
privileges are assigned at each step to the individual subjects requesting for a resource.
This ensures that no single individual has the authorization rights to perform all
functions and simultaneously denies access of all the objects to a single individual. This
division ensures that a single person is not responsible for a larger process. For example,
granting web server administrator rights to only configure a web server without
granting administrative rights to other servers.
=
Need-to-know
Under the need-to-know access control principle, access
information that is required for performing a specific task.
=
is provided
only
to the
Principle of Least Privilege (POLP)
The principle of least privilege (POLP) extends the need-to-know principle in providing
access to a system. In other words, POLP is based on providing employees exactly the
need-to-know level of access i.e., not more and not less. It helps an organization by
protecting it from malicious behavior as well as improving system stability and system
security.
Module 04 Page 455
Certified Cybersecurity Technician Copyright © by EG-Council
EG-Gouncil
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician
Exam 212-82
Identification, Authentication, and Authorization
Least privilege provides access permissions to only those users who really need the
access and resources. The permissions granted depend on the roles and responsibilities
of the user requesting the access. There are two underlying principles involved in the
least privilege method: low rights and low risks. On the basis of these principles, a user
needs to complete a task using the limited number of resources in a limited amount of
time provided to them. This approach reduces the probability of unauthorized access to
the system resources.
Module 04 Page 456
Certified Cybersecurity Technician Copyright © by EC-Gouncil
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician
Exam 212-82
Identification, Authentication, and Authorization
Q
Access control models are the standards which provide a predefined framework
for implementing the necessary level of access control
Mandatory Access Control (MAC)
¥"¥ Only the administrator/system owner has the rights to assign privileges
¥
It does not permit the end user to decide who can access the information
Discretionary Access Control (DAC)
A
v¥
End user has complete access to the information they own
Role-based Access Control (RBAC)
v
Permission are assigned based on user roles
Rule-based Access Control (RB-RBAC)
v
Permissions are assigned to a user role dynamically based on aa set of rules defined
by the administrator
Copyright © by EC-C
cIL1L All Rights
Rights Reserved. Reproductionis Strictly Prohibited
Access Control Models
Access control models are the standards
implementing the necessary level of access
subject can access an object.
=
which provide a predefined framework for
control. Access control models specify how a
Mandatory Access Control
The mandatory access control (MAC) determines the usage and access policies for the
users. A user can access a resource only if they have the access rights to that resource.
MAC is applied in the case of data that has been marked as highly confidential. The
administrators impose MAC depending on the operating system and the security kernel.
It does not permit the end-user to decide who can access the information.
The following are the advantages and disadvantages of MAC:
o
It provides a high level of security since the network defenders determine the access
controls.
o
The MAC policies minimize the chances of errors.
o
Depending on the MAC, an operating system marks and labels the incoming data,
thereby creating an external application control policy.
Examples of MAC include Security-Enhanced Linux (SELinux) and Trusted Solaris.
=
Discretionary Access Control
Discretionary access control (DAC) determines the access control taken by any possessor
of an object in order to decide the access control of a subject on that object. DAC is
Module 04 Page 457
Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician
Exam 212-82
Identification, Authentication, and Authorization
alternatively named as a need-to-know access model. The decision taken by the owner
depends on the following measures:
o
File and data ownership: Determines the access policies of the user
o
Access rights and permissions: Involves the possessor setting the access privileges
to other subjects
An owner can provide or deny access to any particular user or a group of users. The
attributes of a DAC include the following:
o
The owner of an object can transfer the ownership to another user.
o
The access control prevents multiple unauthorized attempts to access an object.
o
The DAC prevents unauthorized
filename, directory path, etc.
o
The DAC uses access control lists in order to identify and authorize users.
Disadvantage:
A DAC
requires
from
maintenance
permissions for the users. Examples
control.
=
users
viewing
of the
details
access
like
control
the
file size,
list and
access
of DAC include UNIX, Linux, and Windows
access
Role-Based Access Control
In a role-based access control (RBAC), the access permissions are available based on the
access policies determined by the system. The access permissions are beyond the user
control which implies that users cannot amend the access policies created by the
system. The rules for determining the role-based access controls are as follows:
o
Role assignment: A certain role is required to be assigned to a user which enables
them to perform a transaction.
o
Role authorization: A user needs to perform a role authorization in order to achieve
a particular role.
o
Transaction
authorization:
Transaction
authorization
allows the
users to execute
only those transactions for which they have been authorized.
*
Rule-based Access Control (RB-RBAC)
Permissions are assigned to a user role dynamically based on a set of rules defined by
the administrator.
Module 04 Page 458
Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.