FIT2093 Chapter Notes - Chapter 4: Mandatory Access Control, Discretionary Access Control, System Resource
FIT2093 - Ch4 Notes
Access Control
• Prevention of unauthorised use of a resource, including the
prevention of use of a resource in an unauthorised manner
• NIST IR7298 defines access control as the process of granting or
denying specific requests to obtain and use information and related
information processing services and to enter specific physical facilities
• RFC4949 defines access control as a process by which use of
system resources is regulated according to a security policy and is
permitted only by authorised entities (users, programs, processes,
or other systems) according to that policy
• Central element of computer security
• Implements a security policy that specifies who or what may have
access to each specific system resource and the type of access that
is permitted in each instance
Principal Objectives:
• Prevent unauthorised users from gaining access to resources
• Prevent legitimate users from accessing resources in an
unauthorised manner
• Enable legitimate users to access resources in an authorised
manner
Access Control Context:
• Authentication: verification that the credentials of a user or other
system entity are valid
• Authorisation: the granting of a right or permission to a system
entity to access a system resource (who is trusted for a given
purpose)
• Audit: an independent review and examination of system records
and activities in order to test for adequacy of system controls,
to ensure compliance with established policy and operational
procedures, to detect breaches in security, and to recommend any
indicated changes in control, policy and procedures
Access Control Mechanism: mediates between a user and system
resources (e.g. applications, operating systems, firewalls, routers, files,
and databases)
• System must first authenticate an entity seeking access
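The mediation described in these notes, as an added example that is not part of the original notes: a mechanism that authenticates first, then authorises the specific request against a default-deny policy, and records every decision for later audit. The class and method names, the users, the resource `grades.db` and the PBKDF2 password check are all assumptions made for illustration.

```python
import hashlib, hmac, os

ITERATIONS = 100_000  # PBKDF2 work factor chosen for this demo (assumption)

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

class AccessControlMechanism:  # hypothetical name
    """Mediates every request: authenticate, then authorise, then log for audit."""

    def __init__(self):
        self.credentials = {}  # user -> (salt, password hash)
        self.policy = {}       # (user, resource) -> set of permitted access types
        self.audit_log = []    # (user, resource, access, decision) records

    def enrol(self, user, password):
        salt = os.urandom(16)
        self.credentials[user] = (salt, _hash(password, salt))

    def grant(self, user, resource, *access_types):
        self.policy.setdefault((user, resource), set()).update(access_types)

    def authenticate(self, user, password) -> bool:
        # Is this entity permitted to access the system at all?
        # Unknown users still cost one hash, so timing does not reveal enrolment.
        salt, stored = self.credentials.get(user, (b"\0" * 16, b""))
        return hmac.compare_digest(_hash(password, salt), stored)

    def authorise(self, user, resource, access) -> bool:
        # Is this specific access to this specific resource permitted? Default deny.
        return access in self.policy.get((user, resource), set())

    def request(self, user, password, resource, access) -> str:
        if not self.authenticate(user, password):
            decision = "DENY:authentication"
        elif not self.authorise(user, resource, access):
            decision = "DENY:authorisation"
        else:
            decision = "PERMIT"
        self.audit_log.append((user, resource, access, decision))
        return decision

def demo():
    acm = AccessControlMechanism()
    acm.enrol("alice", "correct horse")       # constructed sample user
    acm.grant("alice", "grades.db", "read")   # constructed sample policy
    decisions = [
        acm.request("mallory", "guess", "grades.db", "read"),        # unauthorised user
        acm.request("alice", "correct horse", "grades.db", "write"), # unauthorised manner
        acm.request("alice", "correct horse", "grades.db", "read"),  # authorised manner
    ]
    return decisions, acm.audit_log
```

The three requests in `demo()` correspond one-to-one to the three objectives listed earlier, and the audit log keeps the denials as well as the permit.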
Document Summary
Implements a security policy that specifies who or what may have access to each specific system resource and the type of access that is permitted in each instance. Prevent unauthorised users from gaining access to resources. To prevent legitimate users from accessing resources in an unauthorised manner. To enable legitimate users to access resources in an authorised manner. Authentication: verification that the credentials of a user or other system entity are valid. Authorisation: the granting of a right or permission to a system entity to access a system resource (who is trusted for a given purpose). Access control mechanism: mediates between a user and system resources (e.g. applications, operating systems, firewalls, routers, files, and databases). System must first authenticate an entity seeking access. Authentication function determines whether the user is permitted to access the system at all. Access control function then determines if the specific requested access by this user is permitted.