4.6 Access controls Flashcards

(8 cards)

1
Q

Access control

A
  • Authorization
    – The process of ensuring only authorized rights are exercised: policy enforcement
    – The process of determining rights: policy definition
  • Users receive rights based on
    – Access Control models
    – Different business needs or mission requirements
2
Q

Least privilege

A
  • Rights and permissions should be set to the bare minimum
    – You only get exactly what’s needed to complete your objective
  • All user accounts must be limited
    – Applications should run with minimal privileges
  • Don’t allow users to run with administrative privileges
    – Limits the scope of malicious behavior
3
Q

Mandatory Access Control (MAC)

A
  • The operating system limits the operation on an object
    – Based on security clearance levels
  • Every object gets a label
    – Confidential, secret, top secret, etc.
  • Labeling of objects uses predefined rules
    – The administrator decides who gets access to what security level
    – Users cannot change these settings
4
Q

Discretionary Access Control (DAC)

A
  • Used in most operating systems
    – A familiar access control model
  • You create a spreadsheet
    – As the owner, you control who has access
    – You can modify access at any time
  • Very flexible access control
    – And very weak security
5
Q

Role-based access control (RBAC)

A
  • You have a role in your organization
    – Manager, director, team lead, project manager
  • Administrators provide access based on the role of the user
    – Rights are gained implicitly instead of explicitly
  • In Windows, use Groups to provide role-based access control
    – You are in shipping and receiving, so you can use the shipping software
    – You are the manager, so you can review shipping logs
6
Q

Rule-based access control

A
  • Generic term for following rules
    – Conditions other than who you are
  • Access is determined through system-enforced rules
    – System administrators, not users
  • The rule is associated with the object
    – System checks the ACLs for that object
  • Rule examples
    – Lab network access is only available between 9 AM and 5 PM
    – Only Chrome browsers may complete this web form
7
Q

Attribute-based access control (ABAC)

A
  • Users can have complex relationships to applications and data
    – Access may be based on many different criteria
  • ABAC can consider many parameters
    – A “next generation” authorization model
    – Aware of context
  • Combine and evaluate multiple parameters
    – Resource information, IP address, time of day, desired action, relationship to the data, etc.
8
Q

Time-of-day restrictions

A
  • Almost all security devices include a time-of-day option
    – Restrict access during certain times or days of the week
    – Usually not the only access control
  • Can be difficult to implement
    – Especially in a 24-hour environment
  • Time-of-day restrictions
    – Training room network is inaccessible between midnight and 6 AM
    – Conference room access is limited after 8 PM
    – R&D databases are only available between 8 AM and 6 PM