Verifies who you ARE
authentication
decides what you're ALLOWED to do
Access Control
AuthN
Authentication
AuthZ
Access Control
system-enforced rules
Mandatory Access Control
Users cannot change permissions
Mandatory Access Control
Military systems
Mandatory Access Control
Strict, centralized control
Mandatory Access Control
Owner controls access
Discretionary Access Control
Users can grant/revoke permissions
Discretionary Access Control
File sharing with a friend
Discretionary Access Control
Flexible but less secure
Discretionary Access Control
access based on roles
Role-based Access Control
Admin > full access
Manager > limited
Employee > basic
RBAC
Assign permissions to roles, not individuals
RBAC
access based on attributes
Attribute-based Access Control
User (department, role)
Resource (type, sensitivity)
Environment (time, location)
ABAC
very flexible, policy-based
ABAC
Allow access only if:
user = HR
time = working hours
location = office network
ABAC
Controls who gets what level of access
Privilege Management
Users get only what they need, nothing more
Least Privilege
Why is Privilege Management important?
reduces risk of misuse or attacks
using physical or behavioral traits to verify identity
Biometrics