Page 1: Access Control: Part I

Chao-Hsien Chu, Ph.D.
College of Information Sciences and Technology
The Pennsylvania State University, University Park, PA 16802
[email protected]

IST 515: Learning by Doing (Theory and Practice)

Page 2: Human Body Analogue

• Security Planning
• Security Policy
• Security & Risk Management
• Vulnerabilities
• Threats
• Risks
• Access Control
• Cryptography
• Security Architecture
• Communication Network
• Systems Development
• Software Security
• Database Security
• Application Security
• Operations Security
• Web Security
• Computer Forensics
• Disaster Recovery
• Business Continuity
• Laws & Regulations
• Physical Security

Page 3: Security Management (Organizational and Operational)

• Security Policy
• Organizational Design
• Asset Classification and Control
• Access Control
• Compliance
• Personnel Security Awareness Education
• Physical and Environmental Security
• System Development and Maintenance
• Communications & Operations Mgmt.
• Business Continuity Management

Page 4: Objectives

Describe the access control concepts and methodologies.

Identify access control security technologies, tools and measures.

Know the potential risks, vulnerabilities, and exposures.

Describe the auditing mechanisms for analyzing behavior, use, and contents of the information systems.

Page 5: Readings

1. Stallings, W. and Brown, L., Computer Security: Principles and Practice, Prentice-Hall, 2008. Chapter 4. (Required)
2. Tipton, H. and Henry, K. (Eds.), Official (ISC)2 Guide to the CISSP CBK, Auerbach, 2007. Domain 2. (Required)
3. Sandhu, R. S. and Samarati, P., “Access Control: Principles and Practice,” IEEE Communications Magazine, Sept. 1994, pp. 40-48.
4. NIST, RBAC Case Studies. http://csrc.nist.gov/groups/SNS/rbac/case_studies.html#health
5. Schaad, A., Moffett, J. and Jacob, J., “The Role-Based Access Control System of a European Bank: A Case Study and Discussion,” SACMAT 2001: 6th ACM Symposium on Access Control Models and Technologies, Chantilly, VA.
6. Evered, M. and Bögeholz, S., “A Case Study in Access Control Requirements for a Health Information System,” Australasian Information Security Workshop 2004 (AISW 2004), Dunedin, New Zealand.

Page 6: Security Principles

Confidentiality prevents unauthorized disclosure of systems and information.

Integrity prevents unauthorized modifications of systems and information.

Availability prevents disruption of service and productivity.

Access Controls are the security features that control how users and systems communicate and interact with one another.

Page 7: Context of Access Control

[Figure: context of access control. A user passes through the authentication function and then the access control function to reach the system resources; the access control function consults the authorization database, which the security administrator maintains, and auditing records the activity.]

Page 8: Access Controls Overview

Controlling access to facilities, systems, services, resources, and data is critical to any security program.

Access control is the backbone (central element) of information security.

Access controls (AC) are a collection of mechanisms that work together to protect the assets of the enterprise. They help protect against threats and vulnerabilities by reducing exposure to unauthorized activities and providing access to information and systems to only those who have been approved.

Page 9: Access Controls Overview

AC enables management to:
- Specify which users can access the system
- Specify what resources they can access
- Specify what operations they can perform
- Provide individual accountability.

Access controls encompass all aspects and levels of an organization:
- Facilities
- Support systems
- Information systems
- Personnel – management, users, customers, partners, etc.

Page 10: Access Control Elements

• Subject - entity that can access objects:
  - A process representing a user/application
  - Often has 3 classes: owner, group, world

• Object - access-controlled resources:
  - e.g. files, directories, records, programs, etc.
  - Number/type depend on the environment

• Access right - ways in which a subject accesses an object:
  - e.g. read, write, execute, delete, create, search

Page 11: Example of Access Permissions

No Access/Null   No access permission granted
Read (R)         Read but make no changes
Write (W)        Write to files; includes change capability
Execute (X)      Execute a program
Delete (D)       Delete file
Change (C)       Read, write, execute and delete; may not change file permission
Full Control     All abilities, including changing access control permission

Page 12: Access Control Requirements

• Reliable input: All inputs to the access control system must be reliable.

• Support for fine and coarse specifications, allowing access to be regulated at the level of individual records in files, and individual fields within records.

• Least privilege. Access control should be implemented so that each entity is granted the minimum system resources and authorizations that the entity needs to do its work.

• Separation of duty. The practice of dividing the steps of a system function among different individuals so that no single individual can subvert the process.

Page 13: Access Control Requirements

• Open and closed policies. The typical class of access control policies are closed policies. However, in some applications it may also be useful to allow an open policy for some classes of resources.

• Policy combinations and conflict resolution. An access control mechanism may apply multiple policies to a given class of resources. If a conflict exists, a conflict resolution procedure must be defined.

• Administrative policies. Administrative policies are needed to specify who can add, delete, or modify authorization rules.

• Dual control. In some cases, a task may require two or more individuals working in tandem.

Page 14: Types of Access Controls

• Discretionary AC Policy
• Mandatory AC Policy
• Role-based AC Policy

Page 15: Types of Access Controls

Discretionary access control (DAC): A system that uses discretionary access control allows the owner of the resource to determine who has access and what privileges they have. Access control is at the discretion of the owner.

Mandatory access control (MAC): The system applies controls based on the privilege (or clearance) of a subject (or user) and the sensitivity (or classification) of an object (or data). This model is used in environments where information classification and confidentiality are very important.

Role-based access control (RBAC): Control access based on the roles (functions) that users have within the system and on rules stating what accesses are allowed to users in given roles.

Page 16: Access Control Techniques

Access Control Matrix

Access Control List (ACL)

Capability Table

Content Dependent Access Control

Context Dependent Access Control

Constrained User Interfaces

Rule Based Access Control

Temporal (Time-based) Isolation

Page 17: Access Control Matrix

Subjects are the rows, objects the columns:

Subject   File 1            File 2            File 3            File 4
User A    Own, Read, Write                    Own, Read, Write
User B    Read              Own, Read, Write  Write             Read
User C    Read, Write       Read                                Own, Read, Write

• It is a table of subjects and objects indicating what access right each individual subject has to each object.

• A matrix is a data structure that programmers implement as table lookups, used and enforced by the operating system.

Page 18: Access Control List

File 1: A: Own, R, W; B: R; C: R, W
File 2: B: Own, R, W; C: R
File 3: A: Own, R, W; B: W
File 4: B: R; C: Own, R, W

• An ACL is a list of subjects that are authorized to access a specific object, and it defines what level of authorization is granted to each.

• It is obtained by decomposing an access control matrix by column.

Page 19: Capability Lists

User A: File 1: Own, R, W; File 3: Own, R, W
User B: File 1: R; File 2: Own, R, W; File 3: W; File 4: R
User C: File 1: R, W; File 2: R; File 4: Own, R, W

• A capability table specifies the access rights a certain subject possesses pertaining to specific objects. A capability can be in the form of a token, ticket or key.

• It is obtained by decomposing an access control matrix by row.

Page 20: Access Control List

Mary:

UserMary Directory: Full control

UserBob Directory: Write

UserBruce Directory: Write

Printer 001: Execute

Bob:

UserMary Directory: Read

UserBob Directory: Full control

UserBruce Directory: Write

Printer 001: Execute

Bruce:

UserMary Directory: Null

UserBob Directory: Write

UserBruce Directory: Full control

Printer 001: Execute

Sally:

UserMary Directory: Null

UserBob Directory: Null

UserBruce Directory: Null

Printer 001: Null

ACL specifies a list of users who are allowed access to each object.

Page 21: Authorization Table

Subject   Access Right   Object

A Own File 1

A Read File 1

A Write File 1

A Own File 3

A Read File 3

A Write File 3

B Read File 1

B Own File 2

B Read File 2

B Write File 2

B Write File 3

B Read File 4

C Read File 1

C Write File 1

C Read File 2

C Own File 4

C Read File 4

C Write File 4

Authorization Table

Sorting the table by subject yields the capability tables; sorting it by object yields the ACLs.
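The three representations on pages 17, 18, 19 and 21 are the same information arranged differently. The following added example (not from the lecture) takes the slides' own three-user, four-file matrix and derives the ACLs (by column), the capability lists (by row) and the authorization table from it, with a closed-policy check on top:

```python
# Added example, not from the lecture: the slides' 3-subject / 4-file access
# control matrix and the representations derived from it.
# subject -> object -> set of access rights (values copied from the slide)
MATRIX = {
    "User A": {"File 1": {"Own", "Read", "Write"},
               "File 3": {"Own", "Read", "Write"}},
    "User B": {"File 1": {"Read"},
               "File 2": {"Own", "Read", "Write"},
               "File 3": {"Write"},
               "File 4": {"Read"}},
    "User C": {"File 1": {"Read", "Write"},
               "File 2": {"Read"},
               "File 4": {"Own", "Read", "Write"}},
}


def authorization_table(matrix):
    """Flatten to sorted (subject, right, object) triples, as on slide 21."""
    return sorted((s, r, o) for s, objs in matrix.items()
                  for o, rights in objs.items() for r in rights)


def acls(matrix):
    """Decompose by column: for each object, which subjects hold which rights."""
    out = {}
    for s, objs in matrix.items():
        for o, rights in objs.items():
            out.setdefault(o, {})[s] = set(rights)
    return out


def capability_lists(matrix):
    """Decompose by row: for each subject, which objects it may touch and how."""
    return {s: {o: set(r) for o, r in objs.items()} for s, objs in matrix.items()}


def allowed(matrix, subject, right, obj):
    """Closed policy: a right is granted only if the matrix lists it explicitly."""
    return right in matrix.get(subject, {}).get(obj, set())


def representations_agree(matrix):
    """Both decompositions must rebuild the same authorization table."""
    from_acl = sorted((s, r, o) for o, subs in acls(matrix).items()
                      for s, rights in subs.items() for r in rights)
    from_cap = sorted((s, r, o) for s, objs in capability_lists(matrix).items()
                      for o, rights in objs.items() for r in rights)
    return from_acl == from_cap == authorization_table(matrix)
```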

Page 22: Extended Access Control Matrix

Objects: subjects S1, S2, S3; files F1, F2; processes P1, P2; disk drives D1, D2. Subjects are the rows.

        S1       S2       S3              F1            F2       P1      P2      D1     D2
S1      Control  Owner    Owner, Control  Read*, Owner  Read     Wakeup  Wakeup  Seek   Owner
S2               Control                  Write*        Execute                  Owner  Seek*
S3                        Control         Write                  Stop

*: Copy flag set

Page 23: Content Dependent Access Control

Access to an object is determined by the content within the object that relates to the subject.

For example, a manager has access to a payroll database, but is only allowed to access the records that pertain to his/her own employees, not others.

Page 24: Context-based Access Control

Context-based access control differs from content-based access control in that it makes access decisions based on the context of a collection of information rather than on the content (sensitivity of data) within an object.

Firewalls make context-based access decisions when they collect state information on a packet before allowing it into the network.

For example, if no SYN packet has been received, the firewall will not allow a SYN/ACK packet through, because it cannot be correlated with an existing connection.

Page 25: Constrained User Interfaces

• Restrict user’s access abilities by not allowing them to request certain types of access, functions, information or specific system resources.

• Three major types of restricted interfaces are:

– Menus and Shells. The screen only displays the menu options that the subject is allowed to access.

– Database Views. The system only allows the subject to view the database view s/he is allowed to see.

– Physically Constrained Interfaces. The system only provides the keys on a keypad or the touch buttons on a screen that the subject is allowed to access.

Page 26: Rule Based Access Control

Uses specific rules that indicate what can and cannot happen between a subject and an object. Before a subject can access an object, it must meet a set of predefined rules.

For example, “if the user is accessing the system between Monday and Friday and between 8 AM and 5 PM, and if the user’s security clearance equals or dominates the object’s classification, then the user can access the object.”

Not necessarily identity based.

Traditionally, rule based access control has been used in MAC systems as an enforcement mechanism.

Many routers and firewalls use rules to determine which types of packets are allowed into a network or rejected.

Page 27: Temporal (Time-based) Isolation

• Time-based access controls are mechanisms that apply at a given time for a predetermined duration.

• If a request for access or privileged use of information or services is made outside the defined time window, the request is denied.

• For example, if the access control specifies that confidential data may only be processed in the morning, then any request to process confidential data at other times is denied, even when it is made by an authorized person.
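The rule quoted on page 26 and the morning-only restriction on page 27 can both be written as deny-by-default decision functions. This added example (not from the lecture) does so; the ordering of sensitivity levels, the [08:00, 17:00) reading of "8 AM to 5 PM" and the 08:00-12:00 reading of "morning" are assumptions:

```python
# Added example, not from the lecture: the rule on slide 26 and the morning-only
# restriction on slide 27 as deny-by-default decision functions.
from datetime import datetime

# Assumed ordering of sensitivity levels; a clearance "dominates" a
# classification when its level is at least as high.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


def _as_datetime(when):
    # Accept either a datetime or an ISO 8601 string such as "2024-03-06T10:00".
    return when if isinstance(when, datetime) else datetime.fromisoformat(when)


def dominates(clearance, classification):
    return LEVELS[clearance] >= LEVELS[classification]


def in_business_window(when):
    # Monday..Friday is weekday() 0..4; "8 AM to 5 PM" taken as [08:00, 17:00).
    when = _as_datetime(when)
    return when.weekday() <= 4 and 8 <= when.hour < 17


def rule_based_decision(clearance, classification, when):
    """Slide 26 rule: both conditions must hold; every failing condition is
    reported. Returns (granted, reasons_for_denial)."""
    reasons = []
    if not in_business_window(when):
        reasons.append("outside Mon-Fri 08:00-17:00")
    if not dominates(clearance, classification):
        reasons.append(f"{clearance} does not dominate {classification}")
    return (not reasons, reasons)


def temporal_isolation_decision(clearance, classification, when):
    """Slide 27: confidential data may be processed only in the morning
    (assumed 08:00-12:00), even by an otherwise authorized subject."""
    granted, reasons = rule_based_decision(clearance, classification, when)
    if classification == "Confidential" and not 8 <= _as_datetime(when).hour < 12:
        granted = False
        reasons = reasons + ["confidential data only in the morning"]
    return granted, reasons
```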

Page 28: Access Control Function

[Figure: access control function]

Page 29: UNIX File Concepts

• UNIX files are administered using inodes
  – a control structure with key information on a file: the attributes and permissions of a single file
  – a file may have several names for the same inode
  – an inode table / list exists for all files on a disk; it is copied to memory when the disk is mounted

• Directories form a hierarchical tree
  – may contain files or other directories
  – are a file of names and inode numbers

Page 30: UNIX File Access Control

[Figure: the permission bits of a file, grouped into Owner, Group and Other]
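The owner/group/other classes on page 30 are applied in a fixed order, and only one class is ever consulted for a given subject; a later, more permissive class does not rescue a subject whose own class denies. This added example (not from the lecture) models that check over a constructed inode table and a directory of names pointing at inode numbers, as page 29 describes:

```python
# Added example, not from the lecture: how the owner/group/other permission
# classes of a UNIX file mode are applied. The inode table and the directory
# entries below are constructed for illustration.
INODES = {  # inode number -> attributes: mode (octal), owner uid, group gid
    7: {"mode": 0o640, "uid": 1000, "gid": 100},
    9: {"mode": 0o077, "uid": 1000, "gid": 100},  # owner class grants nothing
}
DIRECTORY = {  # a directory is a file of names and inode numbers; two names, one inode
    "report.txt": 7, "report-link.txt": 7, "odd.txt": 9,
}


def permission_class(inode, uid, gids):
    """Exactly one class applies, chosen in this order: owner, group, other.
    Returns the class name and its three permission bits."""
    if uid == inode["uid"]:
        return "owner", (inode["mode"] >> 6) & 0o7
    if inode["gid"] in gids:
        return "group", (inode["mode"] >> 3) & 0o7
    return "other", inode["mode"] & 0o7


def check(name, uid, gids, want):
    """want is a subset of 'rwx'. Returns (granted, class that was consulted)."""
    inode = INODES[DIRECTORY[name]]          # name -> inode number -> inode
    cls, bits = permission_class(inode, uid, gids)
    have = {"r": bits & 4, "w": bits & 2, "x": bits & 1}
    return all(have[p] for p in want), cls


def mode_string(mode):
    """Render the nine permission bits the way ls -l does, e.g. rw-r-----."""
    return "".join(ch if mode & (1 << (8 - i)) else "-"
                   for i, ch in enumerate("rwxrwxrwx"))
```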

Page 31: Role-Based Access Control

[Figure: User -> Role -> Object. Users map to roles many to one / one to many, and roles map to objects many to one / one to many.]

Page 32: RBAC Models

Page 33: Define Users to Roles Relationship (Many to Many)

Users U1 ... Um are the rows and roles R1 ... Rn the columns; an X marks a user assigned to a role:

U1  X
U2  X
U3  X  X
U4  X
U5  X
U6  X
Um  X

Page 34: Define Roles to Resources Relationship (Many to Many)

Roles R1 ... Rn are the rows; objects are roles R1, R2, Rn, files F1, F2, processes P1, P2 and disk drives D1, D2.

        R1       R2       Rn              F1            F2       P1      P2      D1     D2
R1      Control  Owner    Owner, Control  Read*, Owner  Read     Wakeup  Wakeup  Seek   Owner
R2               Control                  Write*        Execute                  Owner  Seek*
Rn                        Control         Write                  Stop

*: Copy flag set
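Pages 33 and 34 describe two many-to-many relations that an RBAC check composes: a user gets a right only through a role that holds it. This added example (not from the lecture) does the composition and adds a static separation-of-duty constraint on the user-to-role assignment, in the sense of the requirement on page 12; the role contents and the exclusive role pair are constructed assumptions:

```python
# Added example, not from the lecture: the user->role and role->object relations
# of slides 33 and 34 composed into an access check, with a separation-of-duty
# constraint on role assignment. Role contents and the exclusive pair are assumed.
USER_ROLES = {           # slide 33 shape: U3 holds two roles
    "U1": {"R1"}, "U2": {"R2"}, "U3": {"R1", "R2"}, "U4": {"R1"},
}
ROLE_RIGHTS = {          # slide 34 shape: role -> object -> rights (constructed)
    "R1": {"F1": {"Read"}, "F2": {"Read"}, "P1": {"Wakeup"}},
    "R2": {"F1": {"Write"}, "F2": {"Execute"}, "D1": {"Owner"}},
}
# Assumed constraint: nobody may be assigned both roles of a pair at once.
EXCLUSIVE_ROLE_PAIRS = [("R1", "R2")]


def rights_of(user, user_roles=USER_ROLES, role_rights=ROLE_RIGHTS):
    """Rights reach a user only through roles: union over every assigned role."""
    merged = {}
    for role in user_roles.get(user, set()):
        for obj, rights in role_rights.get(role, {}).items():
            merged.setdefault(obj, set()).update(rights)
    return merged


def rbac_allowed(user, right, obj):
    """Closed policy: no role carrying the right means no access."""
    return right in rights_of(user).get(obj, set())


def ssd_violations(user_roles=USER_ROLES, pairs=EXCLUSIVE_ROLE_PAIRS):
    """Static separation of duty: users holding both roles of an exclusive pair."""
    return sorted(u for u, roles in user_roles.items()
                  for a, b in pairs if a in roles and b in roles)


def users_with_role(role, user_roles=USER_ROLES):
    """Reverse lookup: the role->user direction of the many-to-many relation."""
    return sorted(u for u, roles in user_roles.items() if role in roles)
```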

Page 35: NIST RBAC Model

Page 36: RBAC Administration for a Bank

Page 37: To be Continued

This is the end of part I of the lecture. Please continue to review part II.