Scribd Logo
Upload

Welcome to Scribd!

  • Authorization and Access Control

    Uploaded by

    KATHLENE CORPUS
    28 views4 pages

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    28 views4 pages

    Authorization and Access Control

    Uploaded by

    KATHLENE CORPUS

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 4

    AUTHORIZATION AND

    ACCESS CONTROL

    Prof. Joseph Wilfred Dela Cruz

    Professor

    Corpus, Kathlene M.

    Students
    AUTHORIZATION AND ACCESS CONTROL

    Authorization Allows us to specify where the party should be allowed or denied


    access.

    Principle of Least Privilege We should only allow the bare minimum of access
    to a party to perform the functionality needed of it.

    Access Control

    • Allow access
    • Denying access
    • Limiting access
    • Revoking access

    Methods to implement access control

    • Referred to as “ackles”
    • Used to control access in the file systems and to control the flow of
    traffic in the networks.

    File Systems aCls

    • Read, write, and execute,


    • Rwxrwxrwx
    • User, group, and other ACLs

    Network aCls

    • Access controlled by the identifiers we use for network transactions, such


    as Internet Protocol (IP) addresses, Media Access Control (MAC)
    addresses, and ports.
    • The simplest forms of network-oriented is MAC address filtering.
    Capability-based security

    • Oriented around the use of a token that controls our access.


    • The right to access a resource is based entirely on possession of the
    token.

    Confused deputy problem

    • Common in systems that use ACLs.


    • Seen when the software with access to a resource has a greater level of
    permission to access the resource than the user who is controlling the
    software.

    Client-side attacks

    • Attacks that take advantage of weakness in applications that are running


    on the computer being operated directly by the user, often referred to
    as the client.

    CSRF (cross-site request forgery)

    • Attacks that misuse the authority of the browser on the user’s computer.

    Clickjacking

    • Also known as user interface addressing.

    Access Control Methodologies

    • Means by which we implement authorization and deny or allow access


    to parties, based on what resources we have determined they should be
    allowed access to.
    Access Control Models

    Access Control Models

    • Discretionary Access Control


    • Mandatory Access Control
    • Role-based Access Control
    • Attribute-based Access Control
    • Physical Access Controls

    Discretionary Access Control

    ➢ Model of access control bases on access being determined by the owner


    of the resource in question

    Mandatory Access Control

    ➢ Means by which we implement authorization and deny or allow access


    to parties, based on what resources we have determined they should be
    allowed access to.

    Role-based Access Control

    ➢ Based on the role the individual being granted access is performing.

    Attribute-based Access Control

    ➢ Logically based on attributed, CAPTHA a completely Automated Public


    Turing Test to Tell Humans and Computer Apart.

    Physical Access Controls

    ➢ Access control for individuals often revolves around controlling


    movement into and out of the building or facilities.

    You might also like