Access control
From Free net encyclopedia
In security, specifically physical security, the term access control refers to the practice of restricting entrance to a property, a building, or a room to authorized persons. Physical access control can be achieved by a human; a guard, bouncer, or receptionist, through mechanical means such as locks and keys, or through technological means such as a card access system.
Computer security
Computer security access control includes authentication, authorization and audit. It also includes additional measures such as physical devices, including biometric scans and metal locks, hidden paths, digital signatures, encryption, social barriers, and monitoring by humans and automated systems. Authorization may be implemented using Role based access control, access control lists or a policy language such as XACML.
Access control is the ability to permit or deny the use of an object (a passive entity, such as a system or file) by a subject (an active entity, such as an individual or process).
Access control systems provide the essential services of identification and authentication (I&A), authorization, and accountability where identification and authentication determine who can log on to a system, authorization determines what an authenticated user can do, and accountability identifies what a user did.
Identification and authentication (I&A)
Identification and authentication (I&A) is a two-step process that determines who can log on to a system. Identification is how a user tells a system who he or she is (for example, by using a username). The identification component of an access control system is normally a relatively simple mechanism based on either Username or User ID. In the case of a system or process, identification is usually based on:
- Computer name
- Media Access Control (MAC) address
- Internet Protocol (IP) address
- Process ID (PID)
The only requirements for identification are that the identification:
- Must uniquely identify the user.
- Shouldn't identify that user's position or relative importance in an organization (such as labels like president or CEO).
- Should avoid using common or shared user accounts, such as root, admin, and sysadmin. Such accounts provide no accountability and are juicy targets for hackers.
Authentication is the process of verifying a user's claimed identity (for example, by comparing an entered password to the password stored on a system for a given username).
Authentication is based on at least one of these three factors:
- Something you know, such as a password or a personal identification number (PIN). This assumes that only the owner of the account knows the password or PIN needed to access the account.
- Something you have, such as a smart card or token. This assumes that only the owner of the account has the necessary smart card or token needed to unlock the account.
- Something you are, such as fingerprint, voice, retina, or iris characteristics.
Authorization
Authorization (or establishment) defines a user's rights and permissions on a system. After a user (or process) is authenticated, authorization determines what that user can do on the system.
Most modern operating systems define sets of permissions that are variations or extensions of three basic types of access:
- Read (R): The user can
  - Read file contents
  - List directory contents
- Write (W): The user can change the contents of a file or directory with these tasks:
  - Add
  - Create
  - Delete
  - Rename
- Execute (X): If the file is a program, the user can run the program. If set on a directory, the user can enter the directory.
These rights and permissions are implemented differently in systems based on discretionary access control (DAC) and mandatory access control (MAC).
Accountability
Access control techniques
Access control techniques are generally categorized as either discretionary or mandatory. Understanding the differences between discretionary access control (DAC) and mandatory access control (MAC), as well as specific access control methods under each category, is critical for passing the Security+ exam.
Discretionary access control
Discretionary access control (DAC) is an access policy determined by the owner of a file (or other resource). The owner decides who is allowed access to the file and what privileges they have.
Two important concepts in DAC are:
- File and data ownership: Every object in a system must have an owner. The access policy is determined by the owner of the resource (including files, directories, data, system resources, and devices). Theoretically, an object without an owner is left unprotected. Normally, the owner of a resource is the person who created the resource (such as a file or directory).
- Access rights and permissions: These are the controls that an owner can assign to individual users or groups for specific resources.
Discretionary access controls can be applied through the following techniques:
- Access control lists (ACLs) name the specific rights and permissions that are assigned to a subject for a given object. Access control lists provide a flexible method for applying discretionary access controls.
- Role-based access control assigns group membership based on organizational or functional roles. This strategy greatly simplifies the management of access rights and permissions:
  Access rights and permissions for objects are assigned to any group or, in addition, to individuals. Individuals may belong to one or many groups. Individuals can be designated to acquire cumulative permissions (every permission of any group they are in) or disqualified from any permission that isn't part of every group they are in.
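The following is an added example, not part of the original article: a small discretionary access control policy in which only the owner may edit the ACL, subjects are users or groups, rights are the R/W/X types from the Authorization section, and a user's effective rights are computed either cumulatively (every right of any group) or restrictively (only rights held by every group). The `Acl` class, the `sample_policy` data and the rule that the restrictive mode also drops directly granted rights are assumptions of this example.

```python
from dataclasses import dataclass, field

RIGHTS = {"R", "W", "X"}  # the three basic access types: read, write, execute


@dataclass
class Acl:
    """Discretionary ACL: the owner decides who gets which rights."""
    owner: str
    entries: dict = field(default_factory=dict)  # subject (user or group) -> set of rights

    def grant(self, actor, subject, rights):
        # Only the owner may change the policy; that is what makes it discretionary.
        if actor != self.owner:
            raise PermissionError(f"{actor} is not the owner of this object")
        unknown = set(rights) - RIGHTS
        if unknown:
            raise ValueError(f"unknown rights: {sorted(unknown)}")
        self.entries.setdefault(subject, set()).update(rights)


def effective_rights(acl, user, groups, cumulative=True):
    """Rights a user holds on the object, given the groups the user belongs to.

    cumulative=True : the user's own entry plus every right of any group they are in.
    cumulative=False: only rights present in every group they are in (assumption made
                      here: this restriction also drops directly granted rights).
    With no group memberships, only the user's own entry applies.
    """
    own = set(acl.entries.get(user, set()))
    group_rights = [acl.entries.get(g, set()) for g in groups]
    if not group_rights:
        return own
    if cumulative:
        return own.union(*group_rights)
    return set.intersection(*group_rights)


def check_access(acl, user, groups, right, cumulative=True):
    """Permit-or-deny decision for one requested right."""
    return right in effective_rights(acl, user, groups, cumulative)


def sample_policy():
    """Constructed sample: alice owns a report and assigns rights to two groups and to bob."""
    report = Acl(owner="alice")
    report.grant("alice", "analysts", {"R"})
    report.grant("alice", "editors", {"R", "W"})
    report.grant("alice", "bob", {"X"})
    return report
```

For a user in both groups, the cumulative mode yields R, W and X while the restrictive mode yields only R, which is the difference the paragraph above describes.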
Mandatory access control
Mandatory access control (MAC) is an access policy determined by the system, not the owner. MAC is used in multilevel systems that process highly sensitive data, such as classified government and military information. A multilevel system is a single computer system that handles multiple classification levels between subjects and objects.
- Sensitivity labels: In a MAC-based system, all subjects and objects must have labels assigned to them. A subject's sensitivity label specifies its level of trust. An object's sensitivity label specifies the level of trust required for access. In order to access a given object, the subject must have a sensitivity level equal to or higher than the requested object.
- Data import and export: Controlling the import of information from other systems and export to other systems (including printers) is a critical function of MAC-based systems, which must ensure that sensitivity labels are properly maintained and implemented so that sensitive information is appropriately protected at all times.
Two methods are commonly used for applying mandatory access control:
- Rule-based access controls: This type of control further defines specific conditions for access to a requested object. All MAC-based systems implement a simple form of rule-based access control to determine whether access should be granted or denied by matching:
- An object's sensitivity label
- A subject's sensitivity label
- Lattice-based access controls: These can be used for complex access control decisions involving multiple objects and/or subjects. A lattice model is a mathematical structure that defines greatest lower-bound and least upper-bound values for a pair of elements, such as a subject and an object.
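The following is an added example, not part of the original article: sensitivity labels modelled as a lattice, with the rule-based check that a subject's label must be equal to or higher than the object's, an export check for destinations such as printers, and the least-upper-bound and greatest-lower-bound operations the lattice model defines. The level names, the `Label` class and the compartment sets are assumptions of this example.

```python
from dataclasses import dataclass

# Classification levels, lowest to highest (constructed for this example).
LEVELS = ["unclassified", "confidential", "secret", "top_secret"]


@dataclass(frozen=True)
class Label:
    """Sensitivity label: a level plus a set of compartments (need-to-know categories)."""
    level: str
    compartments: frozenset = frozenset()

    def rank(self):
        return LEVELS.index(self.level)

    def dominates(self, other):
        # "Equal to or higher" means: level at least as high, and every
        # compartment of the other label is also present in this one.
        return self.rank() >= other.rank() and self.compartments >= other.compartments


def lub(a, b):
    """Least upper bound: the lowest label that dominates both a and b."""
    level = a.level if a.rank() >= b.rank() else b.level
    return Label(level, a.compartments | b.compartments)


def glb(a, b):
    """Greatest lower bound: the highest label dominated by both a and b."""
    level = a.level if a.rank() <= b.rank() else b.level
    return Label(level, a.compartments & b.compartments)


def may_read(subject, obj):
    """Rule-based MAC decision: grant only if the subject's label dominates the object's."""
    return subject.dominates(obj)


def may_export(obj, destination):
    """Export control: the destination (another system, a printer) must be cleared for the object."""
    return destination.dominates(obj)


def combined_label(labels):
    """Label for data derived from several objects: the lub of all their labels."""
    result = labels[0]
    for lab in labels[1:]:
        result = lub(result, lab)
    return result
```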
Role-Based Access Control
In computer systems security, Role-Based Access Control (RBAC) is an approach to restricting system access to authorized users. It is a newer and alternative approach to Mandatory Access Control (MAC) and Discretionary Access Control (DAC).
Telecommunication
In telecommunication, the term access control has the following meanings:
- A service feature or technique used to permit or deny use of the components of a communication system.
- A technique used to define or restrict the rights of individuals or application programs to obtain data from, or place data onto, a storage device.
- The definition or restriction of the rights of individuals or application programs to obtain data from, or place data into, a storage device. There are several types of access control; for example Role Based Access Control (RBAC), Mandatory Access Control (MAC), and Discretionary Access Control (DAC).
- The process of limiting access to the resources of an automated information system (AIS) to authorized users, programs, processes, or other systems.
- That function performed by the resource controller that allocates system resources to satisfy user requests.
Access Control in Public Policy
In public policy, access control to restrict access to systems ("authorization") or to track or monitor behavior within systems ("accountability") is an implementation feature of using trusted systems for security or social control.