Premium Essay

Access Control Models

In: Computers and Technology

Submitted By darryl8710
Words 281
Pages 2
Fundamentals of Information System Security
November 18, 2012

Controlling access to resources is one of the most important protection goals for Web-based services in practice. In general, access control requires identification of subjects that intend to use resources. Today, there are several identification mechanisms for subjects, providing different security levels. However, some of them are only suitable to be used in specific environments. In this paper we consider access control to Web-based services that also depends on the strength of identification mechanisms as a context-dependent parameter. Furthermore, we show how to model this context-dependent access control by using role-based concepts.
One can argue that anti-virus software is a content-based access control system - as it allows access only to files that do not contain viruses. Resource attributes may also be viewed as part of its content - though usually they are not regarded as part of it.
For example, each file in an operating system of the Windows™ family has a "Read
Only" attribute. “Write” access to such a file is denied regardless of what the permissions for this file are, if the flag is On. If the attribute is considered to be part of the file, then this would in theory be a content-dependent access control system, but it's not considered as such.
Content Dependent Access Control involves a lot of overhead resulting from the need to scan the resource when access is to be determined (in some implementations it may really slow down the users, even if the security policy doesn't utilize the content - dependent capabilities). High levels of granularity are only achievable with extremely labor-intensive permissions configuration and continuous

Similar Documents

Premium Essay

Access Control Models

...ACCESS CONTROL MODELS An access control model is a framework that dictates how subjects access objects. There are three main types of access control model mandatory access control, discretionary access control and role-based access control. Discretionary (DAC) The creator of a file is the ‘owner’ and can grant ownership to others. Access control is at the discretion of the owner. Most common implementation is through access control lists. Discretionary access control is required for the Orange Book “C” Level. Mandatory (MAC) Much more structured. Is based on security labels and classifications. Access decisions are based on clearance level of the data and clearance level of the user, and, classification of the object. Rules are made by management, configured by the administrators and enforced by the operating system. Mandatory access control is required for the Orange Book “B” Level. Role-Based (RBAC) Continually administered set of controls by role within organization. Access rights assigned to roles – not directly to users. Roles are tighter controlled than groups - a user can only have one role. Can use different types of RBAC Role-based Role within organization. Task-based Specific task assigned to the user. Lattice-based Upper and Lower bounds Access Control Techniques and Technologies Once a company decides on the access control model to use, the technologies and techniques to implement that model need to be determined Role-based Can be used with...

Words: 1719 - Pages: 7

Premium Essay

Unit 3 Discussion 1: Access Control Models

...Discussion 1: Access Control Models Scenario 1: (DAC) Discretionary Access Control. Being that the business is small and not in need of higher security measures, it would be the easiest to maintain and monitor for a small business. Scenario 2: (MAC) Mandatory Access Control. The employees primarily communicate using smartphones; which proves as a possible security risk. MAC is stronger than DAC but, still easily monitored for a small business; which makes this the top choice for Top Ads. Scenario 3: (RBAC) Role Based Access Control. With the company being as large as it is and the employees traveling and/or working from home, the roles set by a Security Administrator would be the most secure and efficient way of providing different levels of clearance to individual users. It would take time to start from nothing but, once the security measures are in place it would be easy to monitor and to manage. Scenario 4: Content-Dependent Access Control. Since everything that the company does depends on the individual material being manufactured the above Access Control type should be apparent. Giving permissions by what is contained in each individual file is more costly but, a lot more secure. It also allows the company to monitor the data sent less as each document is given its own set of roles. Scenario 5: (RBAC) Role Based Access Control. With RBAC in place the security measures would be assigned to each user and monitored by the security administrator(s). Using this Access control method...

Words: 295 - Pages: 2

Premium Essay

Unit 3 Discussion 1: Access Control Models

...that have internet access. Discretionary Access Controls should be used in this scenario because the company is small and not in need of high security environment. This solution is the simplest to maintain and monitor for a small business. 2. Top Ads is a small advertising company consisting of 12 computers that have internet access. All employees communicate using smart phones. Mandatory Access Controls should be used in this scenario because the employees primarily communicate using smart phones, which opens up a security risk. Mandatory Access Controls are a step up stronger than Discretionary Access Controls, but are still relatively simple to monitor for a small business. 3. NetSecIT is a multinational IT services company consisting of 120,000 computers that have internet access and 45,000 servers. All employees communicate using smart phones and e-mail. Many employees work from home and travel extensively. Role Based Access Control should be used in this scenario because this is a large company with employees who travel and work from home. The roles should be controlled by a Security Administrator who could provide different levels of security to individual users. There would be some overhead in startup to get up and running but once in place this should be easy to manage. 4. Backordered Parts is a defense contractor that builds communication parts for the military. All employees communicate using smart phones and e-mail. Content-Dependent Access Controls should be used...

Words: 407 - Pages: 2

Premium Essay

Layered Security in Plant Control Environments

...Layered Security in Plant Control Environments Ken Miller Senior Consultant Ensuren Corporation KEYWORDS Plant Controls, Layered Security, Access Control, Computing Environment, Examination, Detection, Prevention, Encryption, Compartmentalization ABSTRACT Process control vendors are migrating their plant control technologies to more open network and operating environments such as Unix, Linux, Windows, Ethernet, and the Internet Protocol. Migrating plant controls to open network and operating environments exposes all layers of the computing environment to unauthorized access. Layered security can be used to enhance the level of security for any computing environment. Layered security incorporates multiple security technologies in each computing layer to provide resistance to unauthorized intrusion, while reducing the risk of failure from a single technology. Layered security requires acceptance of a model, development of an access control plan, compartmentalization of the network, and implementation of core security products that address examination, detection, prevention, and encryption. Layered security is considered a “best practice” in any computing environment, and should be widely used in critical control environments. INTRODUCTION Plant control environments have traditionally been built on proprietary technology. This proprietary technology provided a reasonable level of security from unauthorized access due to its “closed” nature, and lack of connection...

Words: 2711 - Pages: 11

Premium Essay

Week 5 Nt 2580

... Unit 3: Appropriate Access Controls for Systems, Applications, and Data Access Learning Objective Explain the role of access controls in implementing security policy. Key Concepts The authorization policies applying access control to systems, application, and data The role of identification in granting access to information systems The role of authentication in granting access to information systems The authentication factor types and the need for two- or three-factor authentication The pros and cons of the formal models used for access controls Reading Kim and Solomon, Chapter 5: Access Controls. GROUP ACTIVITY Discuss and complete the following worksheet: ------------------------------------------------- IT2580: Unit 3 Types of Authentication Instructions: In the following table, identify the type of authentication for the given authentication methods. Authentication Method | Authentication Type (Knowledge, Ownership, or Characteristic) | Password | | Smart card | | Fingerprint | | Personal identification number (PIN) | | Token | | Badge | | Signature | | ------------------------------------------------- DISCUSSION ------------------------------------------------- IT2580: Unit 3 Access Controls Discussion: Access controls can be applied in various forms, levels of restriction, and at different places within a computing system. A combination of access controls can provide a system...

Words: 716 - Pages: 3

Premium Essay

Nt2580

...VPN access control model for a large scale company. * This policy will support remote access control for systems, applications, and data access. Remote access Defined Remote access for employees is deployed by using remote access VPN connections across the Internet based on the settings configured for the VPN Server, and the following additional settings. The following diagram shows the VPN server that provides remote access VPN connections. Domain/Network Config: For each employee that is allowed VPN access: * The network access permission on the dial-in properties of the user account is set to Control access through NPS Network Policy. * The user account is added to the VPN_Users group in Active Directory. To define the authentication and encryption settings for remote access VPN clients, the following remote access network policy is created in Network Policy Server (NPS): * Policy name: Remote Access VPN Clients * Conditions: * NAS Port Type is set to Virtual (VPN) * Windows Groups is set to VPN_Users * Calling Station ID is set to 207.209.68.1 * Permission is set to Grant access. NPS policy settings: * On the Constraints tab, under Authentication Methods, for EAP Types select Microsoft: Smart Card or other certificate. Also enable Microsoft Encrypted Authentication version 2 (MS-CHAP v2). * Or SSTP, L2tp/IPsec, PPTP, IKEv2 Access control model/ policy: This model would support Role based access controls and allow mandatory access control to be...

Words: 339 - Pages: 2

Premium Essay

Cryptography Methods

...Unit 3 Discussion 1: Access Control Models 1. Select an access control model that best prevents unauthorized access for each of the five scenarios given in the worksheet 2. Which types of logical access controls should be used in each scenario? Justify your recommendations. Scenario 1. - Discretionary access controls I s a small company consisting of 12 computers only DAC allows each user to control access to their own data and is typically the default access control mechanism for most desktop operating systems. Scenario 2.-Role-based access control Because RBAC is based on a user's job function within the organization to which the computer system belongs. Scenario 3.-Mandatory access controls Because how big is the company MAC takes a hierarchical approach to controlling access to resources. Under a MAC enforced environment access to all resource objects (such as data files) is controlled by settings defined by the system administrator. As such, all access to resource objects is strictly controlled by the operating system based on system administrator configured settings. Mandatory Access Control the operating system checks the user's classification and categories and compares them to the properties of the object's security label. Scenario 4.- Mandatory access control The design of MAC was defined, and is primarily used by the government. Scenario 5.- Mandatory access control Because all access to resource objects is strictly controlled by the operating...

Words: 452 - Pages: 2

Premium Essay

Toward an Abstract Language on Top of Xacml for Web Services Security

...6th International Conference on Internet Technology and Secured Transactions, 11-14 December 2011, Abu Dhabi, United Arab Emirates Toward an Abstract Language on Top of XACML for Web Services Security aDepartment of Computer Science and Mathematics, Lebanese American University, Beirut, Lebanon b Department of Computer Engineering, Khalifa University of Science, Technology & Research, Abu Dhabi, UAE CDepartment of Computer Science, Kuwait University, Kuwait b Azzam Mourada, Hadi Otrok , Hamdi YahyaouiC and Lama Baajoura Abstract-We introduce in this paper an abstract language on top of XACML (eXtensible Access Control Markup Language) for web services security. It is based on the automatic generation of XACML security policies from abstract XACML profile(s). Our proposed approach allows first to specify the XACML profiles, which are then translated using our intended compiler into XACML security policies. The main contributions of our approach are: (1) Describing dynamic security policies using an abstract and user friendly profile language on top of XACML, (2) generating automatically the the XACML policies and (3) separating the business and security concerns of composite web services, and hence developing them separately. Our solution address the problems related to the complexity and difficulty of specifying security policies in XACML and other standard languages. We tested the feasibility of our approach by developing the library system (LB) that...

Words: 2085 - Pages: 9

Premium Essay

Directions for Web and E-Commerce Application Security

...This paper provides directions for web and e-commerce applications security. In particular, access control policies, workflow security, XML security and federated database security issues pertaining to the web and e-commerce applications are discussed. These security measures must be implemented so that they do not inhibit or dissuade the intended e-commerce operation. This paper will discuss pertinent network and computer security issues and will present some of the threats to e-commerce and customer privacy. These threats originate from both hackers as well as the e-commerce site itself. Another threat may originate at ostensibly friendly companies such as DoubleClick, MemberWorks and similar firms that collect customer information and route it to other firms. Much of this transaction information is able to be associated with a specific person making these seemingly friendly actions potential threats to consumer privacy. Many of the issues and countermeasure discussed here come from experiences derived with consulting with clients on how to maintain secure e-commerce facilities. These methods and techniques can be useful in a variety of client and server environments, also serving to alert e-commerce users of potential threats. 1. Introduction For the effective operation of the web and e-commerce applications, security is a key issue. The security threats include access control violations, integrity violations, sabotage, fraud, privacy violations, as well as denial of service...

Words: 3283 - Pages: 14

Premium Essay

Building an Access Control System

...Building an Access Control System Strayer University CIS 210 Systems Analysis and Development 4/28/13 Scope The scope of this project is to install an access control system (ACS) into a college dormitory. This ACS will automatically unlock the dormitory doors via an electronic proximity reader and integrate with an existing security camera system. The cameras are designed to face and rotate to record a person as they use their identification card to unlock the door. To complete this project we will start with the analysis and design stage. The creation of various design documents will be performed during this stage. The next stage will be the development stage. During this stage we will either create a new database or use the school’s existing database. The 3rd stage will be the integration stage. During this stage, the physical installation of the system will occur. The 4th stage will be the testing stage. The final stage will be the maintenance phase. The maintenance phase is on-going. Major Tasks 1. Analysis and Design a) Design Documentation i. With this task, documentation is written up to describe the work that needs to be completed. This documentation is reviewed by all stake holders to ensure that the requirements are have been accurately conveyed and understood. b) Design Models i. With this task, flow charts and/or use case are created to describe the functionality. These...

Words: 508 - Pages: 3

Premium Essay

Comptia a+

...portability and accountability act(HIPAA) * Children’s internet protection (CIPA) * Family educational rights and privacy act (FERPA) 3. Parts of layered security that supports confidentiality * Defining organization wide policies, standard, procedures, and guidelines to protect confidential data. * Adopting a data classification standard that defines how to treat data throughout AT. * Limiting access to systems and application that house confidential data to only those authorized to use it * Using cryptography techniques to hide confidential data to keep it invisible to unauthorized user * Encrypting data that crosses the public internet. * Encrypting data that is stored within databases and storage devices 4. Definition of policy, standard, guide, procedure * Policy: is written statement that the people in charge of an organization have set as a course of action or direction. Come from upper management-apply to whole organize * Standard: detail information for hardware and software, how it use-ensure consistent security controls are used throughout IT system * Procedure: instruction for how to use policies and standards: plan of action, install, test, auditing * Guidelines: suggest course of action for using the policy, standard or procedure. 5. Definition of classification of data * Goal and objective of DCS is to provide a consistent definition for how an organization should handle and secure different types of data:...

Words: 963 - Pages: 4

Premium Essay

Sscp Study Notes

...SSCP Study Notes 1. Access Controls 2. Administration 3. Audit and Monitoring 4. Risk, Response, and Recovery 5. Cryptography 6. Data Communications 7. Malicious Code Modified version of original study guide by Vijayanand Banahatti (SSCP) Table of Content 1.0 ACCESS CONTROLS…………………………………………………………...... 03 2.0 ADMINISTRATION ……………………………………………………………... 07 3.0 AUDIT AND MONITORING…………………………………………………...... 13 4.0 RISK, RESPONSE, AND RECOVERY………………………………………....... 18 5.0 CRYPTOGRAPHY……………………………………………………………....... 21 6.0 DATA COMMUNICATIONS…………………………………………………...... 25 7.0 MALICIOUS CODE……………………………………………………………..... 31 REFERENCES………………………………………………………………………........ 33 1.0 ACCESS CONTROLS Access control objects: Any objects that need controlled access can be considered an access control object. Access control subjects: Any users, programs, and processes that request permission to objects are access control subjects. It is these access control subjects that must be identified, authenticated and authorized. Access control systems: Interface between access control objects and access control subjects. 1.1 Identification, Authentication, Authorization, Accounting 1.1.1 Identification and Authentication Techniques Identification works with authentication, and is defined as a process through which the identity of an object is ascertained. Identification takes place by using some form of authentication. Authentication Types Example Something you know...

Words: 17808 - Pages: 72

Premium Essay

Assign

...computer and information security ■ Identify the basic approaches to computer and information security ■ Distinguish among various methods to implement access controls ■ Describe methods used to verify the identity and authenticity of an individual ■ Describe methods used to conduct social engineering ■ Recognize some of the basic models used to implement security in operating systems 20 P:\010Comp\BaseTech\619-8\ch02.vp Wednesday, November 09, 2011 2:01:20 PM I n Chapter 1, you learned about some of the various threats that we, as security professionals, face on a daily basis. In this chapter, you start exploring the field of computer security. Color profile: Disabled Composite Default screen BaseTech / Principles of Computer Security: CompTIA Security+™ and Beyond / Wm. Arthur Conklin / 619-8 / Chapter 2 ■ Basic Security Terminology The term hacking has been used frequently in the media. A hacker was once considered an individual who understood the technical aspects of computer operating systems and networks. Hackers were individuals you turned to when you had a problem and needed extreme technical expertise. Today, primarily as a result of the media, the term is used more often to refer to individuals who attempt to gain unauthorized access to computer systems or networks. While some would prefer to use the terms cracker and cracking when referring to this nefarious type of...

Words: 16889 - Pages: 68

Premium Essay

Asd Rtg

...Appropriate Access Controls for Systems, Applications, and Data Access Learning Objective  Explain the role of access controls in implementing security policy. Key Concepts  The authorization policies applying access control to systems, application, and data  The role of identification in granting access to information systems  The role of authentication in granting access to information systems  The authentication factor types and the need for two- or three-factor authentication  The pros and cons of the formal models used for access controls Reading  Kim and Solomon, Chapter 5: Access Controls. Keywords Use the following keywords to search for additional materials to support your work:  Biometrics  Content Dependent Access Control  Decentralized Access Control  Discretionary Access Control  Kerberos  Mandatory Access Control  Remote Authentication Dial In User Service (Radius)  Role-Based Access Control  Security Controls  Secure European System for Applications in a Multi-Vendor Environment (SESAME)  Single Sign-on  Terminal Access Controller Access-Control System (TACACS) ------------------------------------------------- Week 3 Discussion * Access Control Models * Unit 3 Access Control Models (lT255.U3.TS2) Lab * Enable Windows Active Directory and User Access Controls Assignment * Remote Access Control Policy Definition ...

Words: 542 - Pages: 3

Free Essay

Smash: Secure Cross-Domain Mashups on Unmodified Browsers

...SMash: Secure Component Model for Cross-Domain Mashups on Unmodified Browsers Frederik De Keukelaere, Sumeer Bhola, Michael Steiner, Suresh Chari, Sachiko Yoshihama {eb41704, sachikoy}@jp.ibm.com, {sbhola, msteiner, schari}@us.ibm.com IBM Tokyo Research Laboratory, Kanagawa, Japan; IBM T.J. Watson Research Center, New York, USA ABSTRACT Mashup applications mix and merge content (data and code) from multiple content providers in a user’s browser, to provide high-value web applications that can rival the user experience provided by desktop applications. Current browser security models were not designed to support such applications and they are therefore implemented with insecure workarounds. In this paper, we present a secure component model, where components are provided by different trust domains, and can interact using a communication abstraction that allows ease of specification of a security policy. We have developed an implementation of this model that works currently in all major browsers, and addresses challenges of communication integrity and frame-phishing. An evaluation of the performance of our implementation shows that this approach is not just feasible but also practical. The technology discussed in this paper allows mutually mistrusting client-side components to communicate safely without any modifications to current browsers, and hence has the potential to achieve immediate and widespread adoption. Categories and Subject Descriptors: D.2.0 [General]: Protection...

Words: 10150 - Pages: 41