Understanding Access Control Models in Cyber Security

School: The University of Hong Kong
Course: COMP 3355
Subject: Computer Science
Date: Dec 11, 2024

COMP3355 Cyber Security (2024 Fall)
Access Control
Chenxiong Qian
cqian@cs.hku.hk

Overview
- Access Control Models
  - DAC
  - MAC
  - RBAC
  - ABAC

Role-Based Access Control
- Role-based access control (RBAC) is a security model that manages user access to systems and resources based on their roles within an organization.

Role-Based Access Control
- Access rights need to change as the responsibilities of users change.
- When a new user is authorized for a system, the appropriate rights for that user must be established.
- When a user changes job functions, some rights should be deleted, some maintained, and some added.

Role-Based Access Control
- Unlike access control policies that assign access rights to subjects, RBAC associates access rights with roles within an organization.
- A role is a collection of job functions.
  - E.g., roles within a course might include: student, teacher, teaching assistant, marker, invigilator, etc.

Roles and Transactions
- A subject has
  - A set of authorized roles, which the subject is allowed to fill at various times;
    - E.g., the instructor can be teacher, marker, invigilator
  - A set of active roles, which the subject currently occupies.
- Roles have an associated set of transactions, which are the activities that subjects in that role are permitted to carry out
  - E.g., releasing assignments, grading, etc.
- Roles are hierarchical
  - E.g., the “teacher” should have all the access rights that a TA has

Access Control Policy
- {subjects, access rights, objects}
- {roles, access rights, objects}
- subjects {authorized roles, active roles}

Primary Rules
1. Role assignment: A subject can exercise a transaction only if the subject has been assigned a role.
2. Role authorization: A subject's active role must be authorized for the subject.
3. Transaction authorization: A subject can exercise a transaction only if the transaction is authorized for the subject's active role.

Example
[Figure: roles Invigilator, TA and Teacher; transactions Invigilation, Grade Homework and Grade Final Exam]
- Bob is a TA and serves as an invigilator
- Bob’s “TA” role is always activated
- Bob’s “invigilator” role is only activated during the exam
- After the final exam, can Bob grade the exam paper?

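Added example (not part of the original slides): a small Python check of the three primary rules, with active versus authorized roles and the teacher/TA hierarchy, applied to the Bob scenario. The mapping of transactions to roles and the names ROLE_TRANSACTIONS, JUNIORS, Subject, can_exercise and bob are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed mapping of roles to directly authorized transactions (constructed).
ROLE_TRANSACTIONS = {
    "invigilator": {"invigilation"},
    "ta": {"grade_homework"},
    "teacher": {"grade_final_exam"},
}
# Role hierarchy from the slides: the teacher has every right a TA has.
JUNIORS = {"teacher": {"ta"}}

def transactions_of(role, seen=None):
    """Transactions a role may perform, including those of junior roles."""
    seen = set() if seen is None else seen
    if role in seen:  # guard against a cyclic hierarchy
        return set()
    seen.add(role)
    rights = set(ROLE_TRANSACTIONS.get(role, ()))
    for junior in JUNIORS.get(role, ()):
        rights |= transactions_of(junior, seen)
    return rights

@dataclass
class Subject:
    name: str
    authorized_roles: set
    active_roles: set = field(default_factory=set)

    def activate(self, role):
        # Rule 2, role authorization: an active role must be authorized.
        if role not in self.authorized_roles:
            raise PermissionError(f"{self.name} is not authorized for {role}")
        self.active_roles.add(role)

    def deactivate(self, role):
        self.active_roles.discard(role)

def can_exercise(subject, transaction):
    # Rule 1, role assignment: with no usable role, nothing is permitted.
    # Rule 2 is re-checked so a tampered active set cannot bypass it.
    usable = subject.active_roles & subject.authorized_roles
    # Rule 3, transaction authorization: an active role must allow it.
    return any(transaction in transactions_of(role) for role in usable)

def bob():
    """Bob from the Example slide: TA always active, invigilator on demand."""
    subject = Subject("Bob", {"ta", "invigilator"})
    subject.activate("ta")
    return subject
```
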
What are the differences with groups in Unix file system using DAC?
- A group is a set of users; a role is a set of access rights.
- A user is always a member of a group, whereas a subject may activate or deactivate the access rights associated with any of the subject’s roles.

What are the differences with groups in Unix file system using DAC?
- E.g., Bob creates a new file, and he wants to allow Alice to read-write the file and allow Eve to read the file.
  - DAC?
  - RBAC?

Attribute-Based Access Control
- Sometimes, a subject's authorization to perform a set of operations is determined by evaluating attributes associated with the subject, object, requested operations, and, in some cases, environment attributes.
  - E.g., An employee can update the database between 9 am and 6 pm
  - A guest can access the airport’s VIP lounge if his/her medallion’s status is platinum

Attribute-Based Access Control
- Attribute-based access control is a model evolved from RBAC.
- This model assigns a set of attributes to subjects and objects, and it also considers environment attributes
  - Subject (e.g., employee position, IP address, clearance level, etc.)
  - Object (e.g., type, creator, sensitivity, required clearance level, etc.)
  - Environment (e.g., time, day of the week, location, etc.)

Policy
- A set of rules allowing or restricting any action in the system; rules are “IF/THEN” statements based on attributes of any element (subject, object, environment)

RBAC vs. ABAC
- Flexibility
- Granularity
- Performance