Chapter 4 - 01 - Discuss Access Control Principles, Terminologies, and Models - 02_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Exam 212-82 Identification, Authentication, and Authorization Access Control Principles Separation of Duties (SoD) » Involves a breakdown of the authorization process into various steps » Different privileges are assigned at each step to the individual subjects req...

Certified Cybersecurity Technician Exam 212-82 Identification, Authentication, and Authorization Access Control Principles Separation of Duties (SoD) » Involves a breakdown of the authorization process into various steps » Different privileges are assigned at each step to the individual subjects requesting for a resource iQ » This ensures that no single individual has the authorization rights to perform all functions and simultaneously denies access of all the objects to a single individual 4 r Need-to-know » Under the need-to-know access control principle, access is provided only to the information that is required for performing a specific task H 0 Principle of Least Privilege (POLP) » Principle of least privilege extends the need-to-know principle in providing access to a system » POLP believes in providing employees a need-to-know access, i.e., not more, not less; @ » It helps an organization by protecting it from malicious behavior, achieving better system stability, and system security cll ANl Rights Reserved. Reproduction is Strictly Prohibited Access Control Principles The principles of access control describe the access permission levels of users in detail. By enabling the access control process, the security of the processes and resources can be ensured. The process of access control should be based on the following principles: = Separation of Duties (SoD) This involves a breakdown of the authorization process into various steps. Different privileges are assigned at each step to the individual subjects requesting for a resource. This ensures that no single individual has the authorization rights to perform all functions and simultaneously denies access of all the objects to a single individual. This division ensures that a single person is not responsible for a larger process. For example, granting web server administrator rights to only configure a web server without granting administrative rights to other servers. = Need-to-know Under the need-to-know access control principle, access information that is required for performing a specific task. = is provided only to the Principle of Least Privilege (POLP) The principle of least privilege (POLP) extends the need-to-know principle in providing access to a system. In other words, POLP is based on providing employees exactly the need-to-know level of access i.e., not more and not less. It helps an organization by protecting it from malicious behavior as well as improving system stability and system security. Module 04 Page 455 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Identification, Authentication, and Authorization Least privilege provides access permissions to only those users who really need the access and resources. The permissions granted depend on the roles and responsibilities of the user requesting the access. There are two underlying principles involved in the least privilege method: low rights and low risks. On the basis of these principles, a user needs to complete a task using the limited number of resources in a limited amount of time provided to them. This approach reduces the probability of unauthorized access to the system resources. Module 04 Page 456 Certified Cybersecurity Technician Copyright © by EC-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Identification, Authentication, and Authorization Q Access control models are the standards which provide a predefined framework for implementing the necessary level of access control Mandatory Access Control (MAC) ¥ Only the administrator/system owner has the rights to assign privileges ¥ It does not permit the end user to decide who can access the information Discretionary Access Control (DAC) A ¥ End user has complete access to the information they own Role-based Access Control (RBAC) v Permission are assigned based on user roles Rule-based Access Control (RB-RBAC) v Permissions are assigned to a user role dynamically based on a set of rules defined by the administrator Copyright © by EC-C cIL All Rights Reserved. Reproductionis Strictly Prohibited Access Control Models Access control models are the standards implementing the necessary level of access subject can access an object. = which provide a predefined framework for control. Access control models specify how a Mandatory Access Control The mandatory access control (MAC) determines the usage and access policies for the users. A user can access a resource only if they have the access rights to that resource. MAC is applied in the case of data that has been marked as highly confidential. The administrators impose MAC depending on the operating system and the security kernel. It does not permit the end-user to decide who can access the information. The following are the advantages and disadvantages of MAC: o It provides a high level of security since the network defenders determine the access controls. o The MAC policies minimize the chances of errors. o Depending on the MAC, an operating system marks and labels the incoming data, thereby creating an external application control policy. Examples of MAC include Security-Enhanced Linux (SELinux) and Trusted Solaris. = Discretionary Access Control Discretionary access control (DAC) determines the access control taken by any possessor of an object in order to decide the access control of a subject on that object. DAC is Module 04 Page 457 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Identification, Authentication, and Authorization alternatively named as a need-to-know access model. The decision taken by the owner depends on the following measures: o File and data ownership: Determines the access policies of the user o Access rights and permissions: Involves the possessor setting the access privileges to other subjects An owner can provide or deny access to any particular user or a group of users. The attributes of a DAC include the following: o The owner of an object can transfer the ownership to another user. o The access control prevents multiple unauthorized attempts to access an object. o The DAC prevents unauthorized filename, directory path, etc. o The DAC uses access control lists in order to identify and authorize users. Disadvantage: A DAC requires from maintenance permissions for the users. Examples control. = users viewing of the details access like control the file size, list and access of DAC include UNIX, Linux, and Windows access Role-Based Access Control In a role-based access control (RBAC), the access permissions are available based on the access policies determined by the system. The access permissions are beyond the user control which implies that users cannot amend the access policies created by the system. The rules for determining the role-based access controls are as follows: o Role assignment: A certain role is required to be assigned to a user which enables them to perform a transaction. o Role authorization: A user needs to perform a role authorization in order to achieve a particular role. o Transaction authorization: Transaction authorization allows the users to execute only those transactions for which they have been authorized. * Rule-based Access Control (RB-RBAC) Permissions are assigned to a user role dynamically based on a set of rules defined by the administrator. Module 04 Page 458 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Use Quizgecko on...
Browser
Browser