Information security:

Access Control
Lecture 10
 Term Report
•Choose a case study
•Apply Security Concepts:
For each case, students are expected to:
•Analyze the situation and identify potential security threats and
vulnerabilities.
•Review the ethical and legal implications, including compliance with laws and
regulations.
•Propose security policies that could address the issues in the case.
•Apply risk management techniques (e.g., risk assessment, risk mitigation).
•Design a secure architecture for the system (network, database, etc.) that
minimizes risks.
•Total marks : 25 (15 + 10)
 analysis.
•Threats and Vulnerabilities: (5 marks)
•Identify and discuss potential threats, vulnerabilities, and the impact
they could have on the system.
•Ethical and Legal Analysis: (5 marks)
•Evaluate the ethical and legal issues in the case, such as user privacy,
data protection, and adherence to laws and regulations.
__________________________Deadline: 21st
Oct_________________________________
__________________________Time: 8:30 AM
___________________________________
•Security Policies:
•Recommend security policies to mitigate identified risks and threats.
•Risk Management:
•Perform a risk assessment and propose risk management strategies
(e.g., risk avoidance, mitigation, transfer).
•Design of Security Architecture:
•Propose a secure architecture that incorporates appropriate security
controls and mechanisms (e.g., encryption, access control,
authentication).
•Conclusion:
 Recap

• Access Controls
• Identification, Authentication, Authorization, ACL, ACE,
Accountability
 Access Control Models

• Access control models allow verified users to access a

property while preventing unauthorized people from entering.
• Access control methods differ based on the user permissions
they grant.
• They can be acquired based on the organizational needs.
 Types of ACMs

• Discretionary access control (DAC),

• Mandatory access control (MAC),
• Role-based access control (RBAC),
• Rule-based access control (RuBac),
• and Attribute-based access control (ABAC).
 DAC
• The discretionary access control system is the least restrictive of
the access control models.
• It works based on a person’s discretion and allows the system
owner or administrator to have complete control over who has
access permissions throughout the security system.
• It often runs off common operating systems, such as Windows.
• It is generally easy to configure and control, using Access Control
Lists and group membership to determine access to certain
points.
• The benefit of Discretionary Access Control is that the system administrator
can easily and quickly configure access permissions, deciding who gets in and
where based on what they see fit.
• The downside is that this often gives too much authority to the access control
list administrator, who can pass access on to inappropriate users who
shouldn’t have access.
• It also leaves the system vulnerable to malware (such as Trojan horses), which
can infiltrate the system without the user’s knowledge, as the user’s
permissions are often inherited in other access control models on the
operating system.
 DAC

• In short, it defines a system in which any user granted access

permissions by an administrator can edit and share those
permissions with other members of an organization. This
means that once the end user has access to a location or
a digital system, they’re able to grant the same privileges to
any other person at their own personal discretion.
 Mandatory Access Control Model

• MAC is a security model where access to resources is

determined by the system's security policy, which is set by an
administrator. The access is based on labels or clearances
assigned to both subjects (users/processes) and objects
(files/resources).
• MAC ensures that data confidentiality and integrity are
enforced by restricting the subject's access to objects based
on predefined rules and classifications.
 Role-based

• The RBAC model assigns permissions based on job roles or

functions within an organization. Users are assigned to
specific roles such as "Administrator" or "Guest", and access
rights are associated with those roles.
• RBAC simplifies access management because permissions are
granted based on job requirements rather than individual
identities, making it easier to manage permissions in large
systems with many users while implementing the principle of
least privilege (POLP).
• Role-Based Access Control (RBAC) is widely implemented in
various systems and applications. For example, within the
operating system design as users are assigned a role such as
administrator (root) user, or guest account types. Another
example is an educational web application that uses roles for
controlling access to actions and resources.
 Rule-Based Access Control (RuBAC)

• The fourth common form of access control is Rule-Based Access Control – not
to be confused with Role-based.
• Rule-based Access Control allows system owners and administrators to set
rules and limitations on permissions, such as restricting access during certain
times of day, requiring a user to be in a certain location, or limiting approved
access on the device being used.
• Permissions can be determined based on the number of previous access
attempts, the last performed action, and the required action. This access
control model is good for enforcing accountability and controlling access to
certain facilities.
• It’s very beneficial in that permissions and rules are dynamic,
allowing the system administrator to customize them for any
number of situations and needs that may arise.
• Permissions can be determined using any combination of
criteria, allowing for countless configurations for almost any
number of unique situations.
 Attribute-based Access Control

• ABAC is a highly flexible access control model where access decisions are made
at runtime and are based on complex attributes and environmental conditions.
• ABAC considers a wide range of contexts, such as user identity, job title, location,
time of access, and resource sensitivity in a decision-making algorithm or
decision matrix.
• ABAC provides more fine-grained control and dynamic decision-making
compared to DAC, MAC, or RBAC.
• For example, while MAC and ABAC both include a subject/object model, ABAC
uses dynamic contextual conditions rather than static ones such as time of
access or resource sensitivity allowing more dynamic access control decisions.
Content-dependent access control
Access
Control Description Example Flexibility Granularity Scalability Complexity
Model
Users
Limited,
Discretionar control File/folder
Limited; Low; relies especially in
y Access access; permissions Relatively
controlled on user large
Control simple on a simple
by users discretion organization
(DAC) permissions computer
s
setup
Mandatory Central Government Medium; Moderate, Moderate,
Low; strictly
Access access security based on suitable for requires
controlled
Control controls on clearance security specific careful
by authority
(MAC) labels levels labels needs planning
Role-Based Access Employee Medium; Medium to Highly
Moderate,
Access assigned roles based on high; role- scalable;
especially in
Control based on determining predefined specific ideal for
role setup
(RBAC) user roles access roles permissions large orgs
Healthcare
Attribute- High; Highly
Access is data access High;
Based decisions scalable; High, due to
based on based on tailored to
Access based on accommodat policy
multiple role, specific
Control various es dynamic complexity
attributes location, attributes
(ABAC) attributes needs
time
Centralized and decentralized access
control
Network access control