Document Details

Uploaded by CarefreeRhenium7563

Baylor University

Tags

access control information security it infrastructure security

Summary

This document outlines the fundamentals of access controls in information systems. It covers concepts, technologies, and models for regulating access to resources. It discusses different aspects, including formal models of access control and threats, as well as offering an overview of centralized and decentralized access control.

Full Transcript

CHAPTER 6
Access Controls

Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com

Learning Objective(s) and Key Concepts

Learning Objective(s)
• Explain the role of access controls in an IT infrastructure.

Key Concepts
• Access control concepts and technologies
• Identification, authentication, and authorization
• Formal models of access control
• Threats to access controls and control violations
• Centralized and decentralized access controls

Defining Access Control
• The process of protecting a resource so that it is used only by those allowed to use it
• Prevents unauthorized use
• Mitigations put in place to protect a resource from a threat

Four-Part Access Control

Access Control Component | Description
Identification | Who is asking to access the asset?
Authentication | Can their identities be verified?
Authorization | What, exactly, can the requestor access? And what can they do?
Accountability | How are actions traced to an individual to ensure the person who makes data or system changes can be identified?

Policy Definition and Policy Enforcement Phases
• Policy definition phase
  • Who has access and what systems or resources can they use?
  • Tied to the authorization phase
• Policy enforcement phase
  • Grants or rejects requests for access based on the authorizations defined in the first phase
  • Tied to identification, authentication, and accountability phases

Two Types of Access Controls
• Physical
  • Controls entry into buildings, parking lots, and protected areas
• Logical
  • Controls access to a computer system or network

Physical Access Control
• Example: Smart cards
  • Programmed with ID number
  • Used at parking lots, elevators, office doors
  • Shared office buildings may require an additional after-hours card
  • Cards control access to physical resources

Logical Access Control
• Deciding which users can get into a system
• Monitoring what each user does on that system
• Restraining or influencing a user’s behavior on that system

The Security Kernel
• Enforces access control for computer systems
• Central point of access control
• Implements the reference monitor concept
• Mediates all access requests
• Permits access only when appropriate rules or conditions are met

Enforcing Access Control

Access Control Policies
Four central components of access control:
• Users
  • People who use the system or processes (subjects)
• Resources
  • Protected objects in the system
• Actions
  • Activities that authorized users can perform on resources
• Relationships
  • Optional conditions that exist between users and resources

Authorization Policies
• Authorization
  • The process of deciding who has access to which resources
  • In most organizations, authorization is based on job roles, background screening, and government requirements
• Conditions or policies are decided by:
  • Individual users (user is assigned privileges; most detailed and difficult to maintain)
  • Group membership policy
  • Authority-level policy

Methods and Guidelines for Identification
• Methods
  • Username
  • Smart card
  • Biometrics
• Guidelines
  • Nonrepudiation
  • Accounting

Processes and Requirements for Authentication
• Knowledge
  • Something you know
• Ownership
  • Something you have
• Characteristics
  • Something unique to you (something you are)
• Action/performance
  • Something you do/how you do it
• Behavior
  • Some observable trait or behavior that is unique to you
• Location
  • Somewhere you are
• Relationship
  • A trusted individual with whom you have a relationship/someone you know

Authentication by Knowledge
• Password
  • Weak passwords easily cracked by brute-force or dictionary attack
  • Password best practices
  • Password account policies
• Passphrase
  • Stronger than a password
• Account lockout policies
• Audit logon events

Authentication by Ownership
• Synchronous token
  • Calculates a number at both the authentication server and the device
  • Time-based synchronization system
  • Event-based synchronization system
  • Continuous authentication
• Asynchronous token
  • Uses challenge-response technology
  • Key-fob sized device
  • Token software installed on a validated mobile device
  • USB token
  • Smart card

Asynchronous Token Challenge–Response

Authentication by Characteristics/Biometrics
• Static (physiological) measures
  • What you are
  • Examples: Fingerprint patterns, iris granularity, retina blood vessels
• Dynamic (behavioral) measures
  • What you do
  • Examples: Voice inflections, keyboard strokes, signature motions

Concerns Surrounding Biometrics
• Reaction time
• Acceptability
• Accuracy

Types of Biometrics
• Fingerprint
• Palm print
• Hand geometry
• Vein analysis
• Retina scan
• Iris scan
• Facial recognition
• Voice pattern
• Keystroke dynamics
• Signature dynamics
• Gait analysis

Advantages and Disadvantages of Biometrics
• Advantages
  • Person must be physically present to authenticate
  • There is nothing to remember
  • Biometrics are difficult to fake
  • Lost IDs or forgotten passwords are not problems
• Disadvantages
  • Physical characteristics might change
  • Physically disabled users might have difficulties
  • Not all techniques are equally effective
  • Response time may be too slow
  • Required devices can be expensive
  • Privacy issues

Authentication by Location and Action
• Location
  • Strong indicator of authenticity
  • Additional information to suggest granting or denying access to a resource
• Action
  • Stores the patterns or nuances of how you do something
  • Record typing patterns

Single Sign-On (SSO)
• Sign on to a computer or network once and then be allowed into all computers and systems where authorized
• Reduces human error
• Difficult to put in place

Advantages and Disadvantages of SSO
• Advantages
  • Logon process is efficient
  • Users are generally willing to use stronger passwords
  • Provides continuous, clear reauthentication
  • Provides failed logon attempt thresholds and lockouts
  • Provides centralized administration
• Disadvantages
  • Compromised passwords grant access to an intruder
  • Static passwords provide very limited security
  • Difficulty adding SSO to unique computers or legacy systems
  • Scripts can expose data and do not provide two-factor authentication
  • Authentication server can become a single point of failure

SSO Processes
• Kerberos
• Secure European System for Applications in a Multi-vendor Environment (SESAME)
• Lightweight Directory Access Protocol (LDAP)

Policies and Procedures for Accountability
• Log files
• Monitoring and reviews
• Data retention
• Media disposal
• Compliance requirements

Formal Models of Access Control
• Discretionary access control (DAC)
• Mandatory access control (MAC)
• Nondiscretionary access control
• Rule-based access control

DAC
• Operating systems-based DAC policy considerations
  • Access control method
  • New user registration
  • Periodic review
• Application-based DAC
  • Denies access based on context or content through the application by presenting only options that are authorized for the current user
• Permission levels
  • User based
  • Job-based, group-based, or role-based access control (RBAC)
  • Project based
  • Task based

MAC
• Determine level of restriction by sensitivity of resource (classification label)
• Individuals then formally authorized (i.e., obtain clearance) to access sensitive information
• System and owner make the decision to allow access
• Temporal isolation/time-of-day restrictions
• MAC is stronger than DAC

Nondiscretionary Access Control
• Access rules are closely managed by security administrator, not system owner or ordinary users
• Sensitive files are write-protected for integrity and readable only by authorized users
• More secure than DAC
• Ensures that system security is enforced and tamperproof

Rule-Based Access Control

Access Control Lists (1 of 2)
• Linux and macOS
  • Permissions
    • Read, write, execute
  • Applied to
    • File owners, groups, global users

Access Control Lists (2 of 2)
• Windows
  • Share permissions
    • Full, change, read, deny
  • Security permissions
    • Full, modify, list folder contents, read-execute, read, write, special, deny

An Access Control List

Role-Based Access Control

Content-Dependent Access Control

Constrained User Interface
• Methods of constraining users
  • Menus
  • Database views
  • Physically constrained user interfaces
  • Encryption

Other Access Control Models
• Bell–LaPadula model
• Biba integrity model
• Clark–Wilson integrity model
• Brewer–Nash integrity model

Brewer–Nash Integrity Model

Effects of Breaches in Access Control
• Disclosure of private information
• Corruption of data
• Loss of business intelligence
• Danger to facilities, staff, and systems
• Damage to equipment
• Failure of systems and business processes

Threats to Access Controls
• Gaining physical access
• Eavesdropping by observation
• Bypassing security
• Exploiting hardware and software
• Reusing or discarding media
• Electronic eavesdropping
• Intercepting communication
• Accessing networks
• Exploiting applications

Effects of Access Control Violations
• Loss of customer confidence
• Loss of business opportunities
• New legislation and regulations imposed on the organization
• Bad publicity
• More oversight
• Financial penalties

Credential and Permissions Management
• Systems that provide the ability to collect, manage, and use the information associated with access control
• Microsoft offers Group Policy and Group Policy Objects (GPOs) to help administrators manage access controls

Centralized and Decentralized Access Controls
• Centralized authentication, authorization, and accounting (AAA) servers
  • RADIUS: Most popular; two configuration files
  • TACACS+: Internet Engineering Task Force (IETF) standard; one configuration file
  • DIAMETER: Base protocol and extensions; uses User Datagram Protocol (UDP) in peer-to-peer (P2P) mode rather than client/server mode
  • SAML: Open standard based on XML for exchanging both authentication and authorization data

P2P Mode and Client/Server Mode

Decentralized Access Control
• Handles access control decisions and administration locally; access control is in hands of the people closest to the system users
• Common decentralized access control protocols:
  • Password Authentication Protocol (PAP)
  • Challenge-Handshake Authentication Protocol (CHAP)
  • Mobile device authentication, Initiative for Open Authentication (OATH)
  • HMAC-based one-time password (HOTP)
  • Time-based one-time password (TOTP)
• Identity and access management (IAM) and Privileged Access Management (PAM) can work together to provide controlled access to an organization’s services, resources, and data

Privacy
• Communicate expectations for privacy in acceptable use policies (AUPs) and logon banners
• Monitoring in the workplace includes:
  • Opening mail or email
  • Using automated software to check email
  • Monitoring keystrokes and time spent at the keyboard
  • Checking logs of websites visited
  • Getting information from credit-reference agencies
  • Collecting information through point-of-sale (PoS) terminals
  • Recording activities on closed-circuit television (CCTV)

Cloud Computing

Category | Description
Private | All components are managed for a single organization; may be managed by the organization or by a third-party provider
Community | Components are shared by several organizations and managed by one of the participating organizations or by a third party
Public | Available for public use and managed by third-party providers
Hybrid | Contains components of more than one type of cloud, including private, community, and public clouds

Cloud Service Provider (CSP)
• Common cloud services
  • Infrastructure as a Service (IaaS)
  • Platform as a Service (PaaS)
  • Software as a Service (SaaS)

Advantages and Disadvantages of Cloud Computing
• Advantages
  • No need to maintain a data center
  • No need to maintain a disaster recovery site
  • Outsourced responsibility for performance and connectivity
  • On-demand provisioning
• Disadvantages
  • More difficult to keep private data secure
  • Greater danger of private data leakage
  • Greater demand for constant network access
  • Greater need for clients to trust outside vendors

Summary
• Access control concepts and technologies
• Identification, authentication, and authorization
• Formal models of access control
• Threats to access controls and control violations
• Centralized and decentralized access controls
