Lecture 7 Access Control


CET324 - More on Access Control

Objectives
• Discuss access control concepts and technologies.
• Consider formal models of access control.
• Think about how identity is managed by access control.

Terminologies: Subject, Object, and Access Rights
• Subject
– An entity capable of accessing objects
– Three classes: Owner, Group, World
• Object
– A resource to which access is controlled
– Entity used to contain and/or receive information
• Access right
– Describes the way in which a subject may access an object
– Could include: Read, Write, Execute, Delete, Create, and Search

Parts of Access Control
• Authorisation
– Who is approved for access and what exactly can they use?
• Identification
– How are users identified?
• Authentication
– Can their identities be verified?
• Accountability
– How are actions traced to an individual to ensure that the person who makes changes to data or systems can be identified?

2 Phases
• The 4 parts (Authorisation, Identification, Authentication and Accountability) are split into 2 phases:
1. Policy definition phase
   • Determines who has access and what systems or resources they can use. The authorisation process operates in this phase.
2. Policy enforcement phase
   • Grants or rejects requests for access based on the authorisations defined in the policy definition phase. Identification, authentication and accountability processes operate in this phase.

Two Types of Access Control
• Physical Access Controls
– Control entry to buildings, parts of buildings, protected areas.
• Logical Access Controls
– Control access to computer system or network.

Physical Access Controls

Logical Access Control
• Deciding which users can access a system
– Take an HR example
– HR employees may be the only employees who are allowed
to reach the sensitive information stored on an HR server.
• Monitoring what a user does on that system
– Certain HR employees may be allowed to edit documents
but others only allowed to view them.
• Restraining or influencing the user’s behaviour on that
system
– HR person who tries to get access to an area they are not
authorised for might be denied access to the whole HR
system.

Enforcing Access Control
• Audit log
– Record kept of all transactions and attempted transactions
– Record of accesses
– Useful if the system fails (what was happening / caused the failure)
– Can identify internal misuse
– External breaches – point of information
• Access request comes from the subject for a file object
• Reference monitor intercepts the request, and access is granted (or not) according to rules in the security kernel database
• Security kernel provides a central point of access control and implements the reference monitor concept. It mediates all access requests and permits access only when the appropriate rules or conditions are met.
[Figure: subject, reference monitor, object, audit log, security kernel database]

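The mediation and audit-log behaviour described on this slide, as an added example that is not part of the lecture. The rule table, subject names and file name are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed rule database (stands in for the security kernel database).
# Any (subject, object) pair not listed here has no rights: default deny.
RULES = {
    ("alice", "payroll.xlsx"): {"read", "write"},
    ("bob", "payroll.xlsx"): {"read"},
}

class ReferenceMonitor:
    """Single choke point: every access request goes through request()."""

    def __init__(self, rules):
        self.rules = rules
        self.audit_log = []  # granted AND denied attempts are both recorded

    def request(self, subject, obj, right):
        granted = right in self.rules.get((subject, obj), set())
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "subject": subject, "object": obj,
            "right": right, "granted": granted,
        })
        return granted

    def denied_counts(self):
        """Denied attempts per subject, a starting point for spotting misuse."""
        return Counter(e["subject"] for e in self.audit_log if not e["granted"])

def demo():
    rm = ReferenceMonitor(RULES)
    results = [
        rm.request("alice", "payroll.xlsx", "write"),   # allowed by rule
        rm.request("bob", "payroll.xlsx", "read"),      # allowed by rule
        rm.request("bob", "payroll.xlsx", "write"),     # right not granted
        rm.request("bob", "payroll.xlsx", "delete"),    # right not granted
        rm.request("mallory", "payroll.xlsx", "read"),  # subject has no rule
    ]
    return rm, results

if __name__ == "__main__":
    rm, results = demo()
    print(results)
    print(rm.denied_counts())
```
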
Access Control Policies
• In order to manage access control policies well there is a need to understand:
1. Users (often referred to as subjects)
2. Resources – protected objects in the system
   1. Can only be accessed by authorised subjects
   2. Can only be used in authorised manners
3. Actions – activities that authorised users can perform on resources
4. Relationships – optional conditions that exist between users and resources (permissions such as read, write, execute)

Formal Models of Access Control
• Discretionary access control (DAC)
– Controls access based on the identity of the requestor and on access rules (authorizations) stating what requestors are (or are not) allowed to do
• Role-based access control (RBAC)
– Controls access based on the roles that users have within the system and on rules stating what accesses are allowed to users in given roles
• Attribute-based access control (ABAC)
– Controls access based on attributes of the user, the resource to be accessed, and current environmental conditions

Discretionary Access Control (DAC)
• Scheme in which an entity may be granted access rights that permit the entity, by its own will, to enable another entity to access some resource
• Often provided using an access matrix
– One dimension consists of identified subjects that may attempt data access to the resources
– The other dimension lists the objects that may be accessed
• Each entry in the matrix indicates the access rights of a particular subject for a particular object

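The access matrix and the discretionary grant described above, as an added example that is not part of the lecture. The subject and object names, the "own" right, and the rule that only the owner may grant or revoke are assumptions made for this sketch.

```python
class AccessMatrix:
    """Subjects on one axis, objects on the other; each cell is a set of rights."""

    def __init__(self):
        self.cells = {}   # (subject, object) -> set of rights

    def create(self, owner, obj):
        # The creator becomes owner and holds every right on the new object.
        self.cells[(owner, obj)] = {"own", "read", "write"}

    def rights(self, subject, obj):
        return self.cells.get((subject, obj), set())   # empty cell = no access

    def check(self, subject, obj, right):
        return right in self.rights(subject, obj)

    def grant(self, grantor, grantee, obj, right):
        # Discretionary step: only a subject holding "own" may hand out rights,
        # and ownership itself cannot be handed on in this sketch.
        if not self.check(grantor, obj, "own") or right == "own":
            raise PermissionError(f"{grantor} may not grant {right} on {obj}")
        self.cells.setdefault((grantee, obj), set()).add(right)

    def revoke(self, grantor, grantee, obj, right):
        if not self.check(grantor, obj, "own"):
            raise PermissionError(f"{grantor} may not revoke rights on {obj}")
        self.cells.get((grantee, obj), set()).discard(right)

    def column(self, obj):
        """One column of the matrix: who holds which rights on obj."""
        return {s: sorted(r) for (s, o), r in self.cells.items() if o == obj and r}

def demo():
    m = AccessMatrix()
    m.create("alice", "report.doc")
    m.grant("alice", "bob", "report.doc", "read")      # owner's own decision
    try:
        m.grant("bob", "carol", "report.doc", "read")  # bob is not the owner
        regrant_allowed = True
    except PermissionError:
        regrant_allowed = False
    return m, regrant_allowed

if __name__ == "__main__":
    matrix, regrant_allowed = demo()
    print(matrix.column("report.doc"), regrant_allowed)
```
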
Role-Based Access Control (RBAC)
• Constraints provide a means of adapting RBAC to the specifics of administrative and security policies of an organization
• A constraint is a defined relationship among roles or a condition related to roles
• Types:
– Mutually exclusive roles: A user can only be assigned to one role in the set.
– Cardinality: Setting a maximum number with respect to roles
– Prerequisite roles: Dictates that a user can only be assigned to a particular role if it is already assigned to some other specified role

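The three constraint types above, enforced at role-assignment time, as an added example that is not part of the lecture. The role names, user names and limits are constructed for illustration.

```python
class ConstraintViolation(Exception):
    """Raised when a role assignment would break an RBAC constraint."""

class RBAC:
    def __init__(self, exclusive_sets=(), max_users=None, prerequisites=None):
        self.exclusive_sets = [set(s) for s in exclusive_sets]
        self.max_users = max_users or {}          # role -> maximum number of users
        self.prerequisites = prerequisites or {}  # role -> role that must be held first
        self.assignments = {}                     # user -> set of roles

    def assign(self, user, role):
        held = self.assignments.setdefault(user, set())
        # Mutually exclusive roles: at most one role from each set per user.
        for group in self.exclusive_sets:
            if role in group and held & (group - {role}):
                raise ConstraintViolation(f"{role} is exclusive with a role {user} holds")
        # Cardinality: cap on how many users may hold the role.
        holders = sum(role in roles for roles in self.assignments.values())
        if role not in held and holders >= self.max_users.get(role, float("inf")):
            raise ConstraintViolation(f"{role} already has its maximum of {holders} user(s)")
        # Prerequisite: the user must already hold the required role.
        needed = self.prerequisites.get(role)
        if needed and needed not in held:
            raise ConstraintViolation(f"{role} requires {needed} first")
        held.add(role)

def demo():
    # Constructed policy and users, for illustration only.
    rbac = RBAC(
        exclusive_sets=[{"purchaser", "approver"}],
        max_users={"department_head": 1},
        prerequisites={"senior_engineer": "engineer"},
    )
    steps = [("ann", "purchaser"), ("ann", "approver"),
             ("bea", "department_head"), ("cy", "department_head"),
             ("dee", "senior_engineer"), ("dee", "engineer"),
             ("dee", "senior_engineer")]
    outcome = []
    for user, role in steps:
        try:
            rbac.assign(user, role)
            outcome.append((user, role, "ok"))
        except ConstraintViolation as exc:
            outcome.append((user, role, f"denied: {exc}"))
    return rbac, outcome

if __name__ == "__main__":
    for row in demo()[1]:
        print(row)
```
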
Attribute-Based Access Control (ABAC)
• A relatively recent development in access control technology.
• Can define authorizations that express conditions on properties of both the resource and the subject.
• For example: a configuration in which each resource has an attribute that identifies the subject that created the resource. Then, a single access rule can specify the ownership privilege for all the creators of every resource.

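The creator-attribute rule from the slide's example, next to a second rule that also uses an environmental attribute, as an added example that is not part of the lecture. Attribute names, the HR rule, the office hours and the sample subjects are assumptions.

```python
# Each rule is a predicate over subject attributes, resource attributes,
# environment attributes and the requested action.
def owner_rule(subj, res, env, action):
    # One rule covers every resource: the creator gets ownership privileges.
    return res["created_by"] == subj["id"]

def hr_read_rule(subj, res, env, action):
    # Conditions on properties of both the subject and the resource,
    # plus an environmental condition (office hours, assumed 09:00 to 17:00).
    return (action == "read"
            and subj["department"] == "HR"
            and res["classification"] == "hr-record"
            and 9 <= env["hour"] < 17)

POLICY = [owner_rule, hr_read_rule]

def decide(subj, res, env, action, policy=POLICY):
    """Return the name of the rule that permits the request, or None (deny).

    A rule that needs an attribute the request does not carry cannot match,
    so a missing attribute leads to a denial rather than an error.
    """
    for rule in policy:
        try:
            if rule(subj, res, env, action):
                return rule.__name__
        except KeyError:
            continue
    return None

# Constructed sample subjects and resource.
ALICE = {"id": "alice", "department": "HR"}
BOB = {"id": "bob", "department": "Sales"}
RECORD = {"created_by": "bob", "classification": "hr-record"}

if __name__ == "__main__":
    print(decide(BOB, RECORD, {"hour": 22}, "delete"))   # creator of the record
    print(decide(ALICE, RECORD, {"hour": 10}, "read"))   # HR, office hours
    print(decide(ALICE, RECORD, {"hour": 22}, "read"))   # HR, outside hours
```
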
Other Access Control Models
• Bell-LaPadula Model https://www.youtube.com/watch?v=SfryxGRXoVg (~6 minutes)
– Focusses on confidentiality of data and the control of access to classified information
– Prevents information from being moved from a higher security level to a lower security level.
– Access modes are of two types:
  • Simple security: prohibits a subject of lower level from reading an object at higher level, but allows a subject from higher level to read an object at a lower level.
  • The * property: prohibits a high-level subject from sending messages to lower-level objects

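The two Bell-LaPadula properties, checked over every read-then-write combination to show that together they leave no path from a higher level to a lower one, as an added example that is not part of the lecture. The three level names are assumptions, since the slide names none.

```python
from enum import IntEnum
from itertools import product

class Level(IntEnum):   # illustrative level names (assumption)
    PUBLIC = 0
    CONFIDENTIAL = 1
    SECRET = 2

def can_read(subject, obj):
    # Simple security: a subject may not read an object at a higher level.
    return subject >= obj

def can_write(subject, obj):
    # * property: a subject may not write to an object at a lower level.
    return subject <= obj

def permitted_copies(read_check=can_read, write_check=can_write):
    """Every (subject, source, destination) where the subject may read the
    source and write the destination, i.e. every possible copy operation."""
    return [(s, src, dst) for s, src, dst in product(Level, repeat=3)
            if read_check(s, src) and write_check(s, dst)]

def downward_flows(copies):
    """Copies that would move information to a lower level than its source."""
    return [(s, src, dst) for s, src, dst in copies if dst < src]

def without_star_property():
    """Same enumeration with the * property switched off (any write allowed)."""
    return permitted_copies(write_check=lambda subject, obj: True)

if __name__ == "__main__":
    print(len(permitted_copies()), downward_flows(permitted_copies()))
    for s, src, dst in downward_flows(without_star_property()):
        print(f"{s.name} subject could copy {src.name} data into {dst.name} object")
```
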
Other Access Control Models
• Clark and Wilson Integrity Model
– Focusses on what happens when users allowed into a system try to do things they are not permitted to do
– Deals with three integrity goals:
  • Authentication: prevent unauthorised users from making improper modifications on the system
  • Controls: prevent authorised users from making improper modifications or other actions
  • Maintain internal and external consistency through the use of well-formed transactions

Effects of Breach in Access Control
• Failure to control access can give advantage to
people who wish to do harm
– From nation state to competitor business to cyber
criminal
• Typical effects? Any idea?
• Disclosure of private information
• Corruption of data
• Loss of business intelligence
• Danger to facilities, staff and systems
• Damage to equipment
• Failure of systems and business process
• Denial of Service

Effects of Access Control Violations
• Loss of customer confidence
• Loss of business opportunities
• Bad publicity
• Financial penalties

Compromise to Access Controls
• Gaining physical access
• Eavesdropping
– by observation
– electronic
• Bypassing security
• Exploiting hardware and / or software
• Intercepting communication
• Accessing networks
• Exploiting applications
Summary
• Access control has a significant impact on cyber security
• The access control approach will depend on circumstance and level of security requirement
• The effect of a breach of access control can be catastrophic, from individual through to nation state level

Lab session – User Access Control
• For this lab session, expand your previous password strength checker with the following features:
• Create a system using your preferred programming language and framework to implement basic user access control, one that uses user ID and password as a minimum. Include the most appropriate access control model for your system design and implementation. Below is a list of possible models:
– Discretionary access control
– Mandatory access control
– Role-based access control
– Attribute-based access control
• Write a short description of your system to describe your approach and reason(s) for choosing a specific access control model.
• Share your description (not your system) of your approach with your classmates via the discussion page for this task.
• Read the way other students approached the problem to find out about other possible solutions to the problem.
