Slides on Information Security and Secure Systems, Chapter 8: Access Control

ACCESS CONTROL

CuuDuongThanCong.com
Contents
1) What is Access Control?
2) Four parts of access control
3) Types of access control
4) Formal Models of Access Control
1. What is Access Control?
• Access control refers to the methods used to restrict or allow access to certain items, such as automobiles, homes, computers, and even your smartphone.
• Access control is the process of protecting a resource so that it is used only by those allowed to use it.
2. Four-Part Access Control
• Identification: Who is asking to access the asset?
• Authentication: Can the requestor's identity be verified?
• Authorization: What, exactly, can the requestor access? And what can they do?
• Accountability: How can actions be traced to an individual? We need to ensure that a person who accesses or makes changes to data or systems can be identified.
Authorization Policies
• The first step to controlling access is to create a policy that defines authorization rules.
• Authorization is the process of deciding who has access to which computer and network resources:
  ◦ Authorization policy is based on job roles
  ◦ Authorization policy is based on each individual user
Methods and Guidelines for Identification
• Identification Methods: username, smart card, biometric (fingerprints, face, voice, …)
• Identification Guidelines: To ensure that all actions carried out in a computer system can be associated with a specific user, each user must have a unique identifier.
Processes and Requirements for Authentication
• Authentication Types: There are five types of authentication
  ◦ Knowledge: Something you know, such as a password, passphrase, or personal identification number (PIN).
  ◦ Ownership: Something you have, such as a smart card, key, badge, or token.
  ◦ Characteristics: Some attribute that is unique to you, such as your fingerprints, retina, or signature.
Processes and Requirements for Authentication
• Authentication Types:
  ◦ Location: Somewhere you are, such as your physical location when you attempt to access a resource.
  ◦ Action: Something you do or how you do it, such as the way you type on a keyboard.
Policies and Procedures for Accountability
• Accountability is tracing an action to a person or process to know who made the changes to the system or data.
• Log Files
• Monitoring and Reviews
2. Four-Part Access Control
These four parts are divided into two phases:
• The policy definition phase: This phase determines who has access and what systems or resources they can use. The authorization definition process operates in this phase.
• The policy enforcement phase: This phase grants or rejects requests for access based on the authorizations defined in the first phase. The identification, authentication, authorization execution, and accountability processes operate in this phase.
3. Types of Access Controls
• Physical access controls: These control access to physical resources. They could include buildings, parking lots, and protected areas.
• Logical access controls: These control access to a computer system or network. Your company probably requires that you enter a unique username and password to log on to your company computer.
4. Formal Models of Access Control
• Discretionary access control (DAC)
• Mandatory access control (MAC)
• Rule-based access control
• Role-based access control
a. Discretionary Access Control (DAC)
• Means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject.
• In a DAC model, access is restricted based on the authorization granted to the users.
a. Discretionary Access Control (DAC)
• In a DAC environment, the authorization system uses permission levels to determine what objects any subject can access. Permission levels can be any of the following:
  ◦ User-based
  ◦ Task-based
  ◦ Project-based
  ◦ Job-based, group-based, or role-based access control (RBAC)
b. Mandatory Access Control
• In a mandatory access control (MAC) model, users do not have the discretion of determining who can access objects as in a DAC model.
• Security labels are attached to all objects; thus, every file, directory, and device has its own security label with its classification information.
c. Role-Based Access Control
• A role-based access control (RBAC) model uses a centrally administered set of controls to determine how subjects and objects interact.
• This type of model lets access to resources be based on the role the user holds within the company.
• An RBAC model is the best system for a company that has high employee turnover.
d. Rule-Based Access Control
• Rule-based access control uses specific rules that indicate what can and cannot happen between a subject and an object.
• "If the user's ID matches the unique user ID value in the provided digital certificate, then the user can gain access."

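The four formal models above differ in who decides and how the decision is evaluated. The following example is added here and is not part of the slides: it implements a minimal decision function for each model (DAC with permission passing, MAC with label dominance, RBAC with role lookup, and the slide's certificate rule as a rule-based check). All users, labels, roles and the certificate are constructed sample data.

```python
# Added example (not from the slides): minimal evaluators for the four
# access-control models. Every name and value below is constructed.

# --- DAC: the subject holding a permission may pass it on to others ---
dac_acl = {"report.txt": {"alice": {"read", "write"}}}  # alice owns the file

def dac_grant(obj: str, grantor: str, grantee: str, perm: str) -> bool:
    """Grantor may delegate `perm` on `obj` only if they hold it themselves."""
    if perm not in dac_acl.get(obj, {}).get(grantor, set()):
        return False
    dac_acl.setdefault(obj, {}).setdefault(grantee, set()).add(perm)
    return True

def dac_check(obj: str, subject: str, perm: str) -> bool:
    return perm in dac_acl.get(obj, {}).get(subject, set())

# --- MAC: labels are fixed by the system, not by users; a subject may read
#     an object only if its clearance dominates the object's classification ---
LEVELS = {"public": 0, "internal": 1, "secret": 2}
clearance = {"alice": "secret", "bob": "internal"}           # subject labels
classification = {"payroll.db": "secret", "handbook.pdf": "public"}  # object labels

def mac_can_read(subject: str, obj: str) -> bool:
    return LEVELS[clearance[subject]] >= LEVELS[classification[obj]]

# --- RBAC: permissions are attached to roles; users are assigned roles ---
role_perms = {"auditor": {"read:logs"}, "admin": {"read:logs", "write:config"}}
user_roles = {"carol": {"auditor"}, "dave": {"admin"}}

def rbac_check(user: str, perm: str) -> bool:
    return any(perm in role_perms[r] for r in user_roles.get(user, ()))

# --- Rule-based: an explicit predicate, here the slide's certificate rule ---
def rule_cert_matches(user_id: str, cert: dict) -> bool:
    """Grant only if the ID in the presented certificate equals the user's ID."""
    return cert.get("subject_id") == user_id

if __name__ == "__main__":
    print("DAC  bob read before grant:", dac_check("report.txt", "bob", "read"))
    dac_grant("report.txt", "alice", "bob", "read")
    print("DAC  bob read after grant: ", dac_check("report.txt", "bob", "read"))
    print("MAC  bob reads payroll.db: ", mac_can_read("bob", "payroll.db"))
    print("RBAC carol write:config:   ", rbac_check("carol", "write:config"))
    print("Rule cert for u42:         ", rule_cert_matches("u42", {"subject_id": "u42"}))
```

Note that in the DAC part a delegate can pass the permission further (bob to eve), which is exactly the "perhaps indirectly" property the slide describes and the reason DAC is hard to audit; the MAC part has no grant function at all because users cannot change labels.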