Information Security
CS-497
Dr. Saif Ur Rehman
Access Control
Contents
Access Control
Access Control Implementation
Components of Access Control
Access Control List – ACL
Access Control List Types
Access Control Policies
Types of Access Control Policies
Access control
It is a data security process that enables organizations to manage
who is authorized to access corporate data and resources.
OR
Access control is a security strategy that controls who or what can
view or utilize resources in a computer system.
Access control
In its simplest form, access control involves identifying a user based
on their credentials and then authorizing the appropriate level of
access once they are authenticated. Passwords, PINs, security
tokens—and even biometric scans—are all credentials commonly
used to identify and authenticate a user.
It is a fundamental security concept that reduces risk to the company
or organization.
Secure access control uses policies that verify users are who they
claim to be and ensure appropriate access levels are granted
to users.
Access Control Implementation
Implementing access control is a crucial component of web
application security, ensuring only the right users have the right level
of access to the right resources.
The process is critical to helping organizations avoid data
breaches and fighting attack vectors, such as a buffer overflow
attack, KRACK attack, on-path attack, or phishing attack.
Access Control Implementation
Data Breaches - A data breach is an event that results in confidential, private,
protected, or sensitive information being exposed to a person not authorized to
access it.
Attack vectors - Methods of achieving unauthorized network access to launch a
cyber attack.
KRACK attack - Key reinstallation attacks (KRACK) are a type of cyberattack
that exploit a vulnerability in WPA2 for the purpose of stealing data transmitted
over networks.
Phishing Attacks - Attempts to steal sensitive information, typically
in the form of usernames, passwords, credit card numbers, bank account
information or other important data in order to utilize or sell the stolen
information.
Components of Access Control
Authentication
Authorization
Access
Manage
Audit
Components of Access Control
Authentication
– Authentication is the initial process of establishing the
identity of a user.
– For example, when a user signs in to their email
service or online banking account with a username and
password combination, their identity has been
authenticated.
– However, authentication alone is not sufficient to
protect organizations’ data.
Components of Access Control
Authorization
– Adds an extra layer of security to the authentication process. It
specifies access rights and privileges to resources to determine
whether the user should be granted access to data or make a
specific transaction.
– For example, an email service or online bank account can require
users to provide two-factor authentication (2FA), which is
typically a combination of something they know (such as a
password), something they possess (such as a token), or
something they are (like a biometric verification).
– This information can also be verified through a 2FA mobile app or
a thumbprint scan on a smartphone.
Components of Access Control
Access
– Once a user has completed the authentication and
authorization steps, their identity will be verified.
– This grants them access to the resource they are attempting to log
in to.
Components of Access Control
Manage
– Organizations can manage their access control system by adding
and removing the authentication and authorization of their users
and systems.
– Managing these systems can become complex in modern IT
environments that comprise cloud services and on-premises
systems.
Components of Access Control
Audit
– Organizations can enforce the principle of least
privilege through the access control audit process.
– This enables them to gather data around user activity and analyze
that information to discover potential access violations.
Access Control List - ACL
It is a list of rules that specifies which users or systems are granted or
denied access to a particular object or system resource.
Access control lists are also installed in routers or switches, where they
act as filters, managing which traffic can access the network.
ACLs are also built into network interfaces and operating systems
(OSes), including Linux and Windows.
ACLs are used for various reasons:
– Traffic flow control
– Restricted network traffic for better network performance
– A level of security for network access specifying which areas of the
server/network/service can be accessed by a user and which cannot
– Granular monitoring of the traffic exiting and entering the system
Access Control List Types
File system ACLs
– Manage access to files and directories. They give OSes the
instructions that establish user access permissions for the system
and their privileges once the system has been accessed.
Networking ACLs
– Manage network access by providing instructions to network
switches and routers that specify the types of traffic that are
allowed to interface with the network. These ACLs also specify
user permissions once inside the network. The network
administrator predefines the networking ACL rules. In this way,
they function similarly to a firewall.
Access Control List Types
Standard ACLs
– Block or allow an entire protocol suite using source IP addresses.
Extended ACLs
– Block or allow network traffic based on a more differentiated set of
characteristics that includes source and destination IP
addresses and port numbers, as opposed to just source address.
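The difference between standard and extended ACLs, shown as an added Python example (not part of the original slides). The rule format, the first-match evaluation order and the implicit deny at the end of the list are modelling assumptions of this sketch, and the addresses are constructed samples from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def _in(ip: str, net: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)

@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    src: str                      # source network (the only field a standard ACL has)
    dst: Optional[str] = None     # extended only: destination network
    dport: Optional[int] = None   # extended only: destination port

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        if not _in(src_ip, self.src):
            return False
        if self.dst is not None and not _in(dst_ip, self.dst):
            return False
        return self.dport is None or self.dport == dport

def evaluate(acl, src_ip, dst_ip, dport):
    """Return the action of the first matching rule."""
    for rule in acl:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action
    return "deny"  # assumed default: nothing matched, so nothing is allowed

# Standard ACL: can only say "all traffic from this source, yes or no".
STANDARD_ACL = [
    Rule("deny", "192.0.2.0/24"),
    Rule("permit", "0.0.0.0/0"),
]
# Extended ACL: the same source may reach one server on HTTPS and nothing else.
EXTENDED_ACL = [
    Rule("permit", "192.0.2.0/24", "198.51.100.10/32", 443),
    Rule("deny", "192.0.2.0/24"),
    Rule("permit", "0.0.0.0/0"),
]

if __name__ == "__main__":
    for name, acl in (("standard", STANDARD_ACL), ("extended", EXTENDED_ACL)):
        for port in (443, 22):
            print(name, port, evaluate(acl, "192.0.2.7", "198.51.100.10", port))
```

Rule order matters in this model: moving the broad deny above the specific permit in the extended list would block the HTTPS traffic as well.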
Database Security
A database is an essential element of any application in use.
Database security refers to the range of tools, controls
and measures designed to establish and preserve
database confidentiality, integrity and availability.
Confidentiality is the element that’s compromised in most
data breaches.
Database Security
Database security must address and protect the following:
– The data in the database.
– The database management system (DBMS).
– Any associated applications.
– The physical database server or the virtual database server and
the underlying hardware.
– The computing or network infrastructure that is used to access the
database.
Database Security
Protect Sensitive Data from
– Unauthorized disclosure
– Unauthorized modification
– Denial of service attacks (attempts to overload a website or network, with the aim of
degrading its performance or even making it completely inaccessible)
Security Controls
– Security Policy
– Access control models
– Integrity protection
– Privacy problems
– Fault tolerance and recovery
– Auditing and intrusion detection
Access Control Policies
Sets of policies, instructions, and restrictions that are in
place which specify who can access your data, when they
can do so, and up to which level.
These policies need to be implemented accordingly at all
levels of the organization.
Help define the standards of data security and data
governance for organizations.
They set up the level of access to sensitive information for
users based on roles, policies, or rules.
Access Control Policies
Access control policies need to be applied for all people
accessing data in the organization, including data
consumers, data producers, and other data stakeholders.
These individuals may include your employees, partners,
contractors, or interns.
Purpose of Access Control Policies
These policies help you ensure that you meet regulatory
compliance requirements.
They reduce security risks, as they define restrictions
according to a risk assessment of business value and
impact.
They make it easy to identify potential causes of any
failures or attacks, as the standards are already laid out
and distributed across the organization.
Types of Access Control Policies
Discretionary Access Control (DAC)
Mandatory Access Control (MAC)
Role-Based Access Control (RBAC)
Types of Access Control Policies
Discretionary Access Control (DAC)
– Flexible policy in which the resource owner decides who can
access it.
– Users can grant or revoke access rights to others.
– While DAC is easy to implement and offers flexibility, it can be
less secure.
– The risk comes from users potentially giving access without
proper oversight.
– DAC is commonly used in environments where ease of use and
flexibility are more important than strict security.
Types of Access Control Policies
Discretionary Access Control (DAC)
– DAC decentralizes security decisions, allowing administrators and
resource owners to give access to users at specified levels.
– It uses ACLs (access control lists), which define at what level to
give users permission to a particular resource.
Types of Access Control Policies
Discretionary Access Control (DAC) - Pros
– DAC is simple to use, and as long as users and roles are listed
correctly, it’s easy to access resources.
– Since access control is decentralized, administrators or owners
can easily add or remove permissions. Owners and users
(depending on their privileges) can control access to their data,
which gives them the ability to read, make changes, or delete
files.
Types of Access Control Policies
Discretionary Access Control (DAC) - Cons
– Because of its simplicity and flexibility, DAC can pose a security
risk to large organizations, businesses handling sensitive data, or
a combination of these.
– Assigning permissions to individual users is a time-consuming
task for large enterprises, and mistakes made by users given
improper permissions can be detrimental when dealing with
important files.
Types of Access Control Policies
Mandatory Access Control (MAC)
– Strict policy in which a central authority controls access rights.
Administrators decide which users can access specific resources,
and users cannot change these permissions.
– This ensures a high level of security. MAC is often used in
government and military settings where protecting classified
information is critical.
– It prevents unauthorized users from accessing sensitive data.
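DAC and MAC side by side, as an added Python example (not part of the original slides). The class names, the "grant" right, the user names and the deny-by-default rule for uncategorized objects are assumptions made for illustration.

```python
class DacFile:
    """DAC: the owner, and anyone the owner delegates to, edits the ACL."""
    def __init__(self, owner):
        self.acl = {owner: {"read", "write", "grant"}}  # user -> rights

    def grant(self, actor, user, rights):
        # Holding "grant" is enough to pass rights on; nobody else reviews it.
        if "grant" not in self.acl.get(actor, set()):
            raise PermissionError(f"{actor} cannot grant access")
        self.acl.setdefault(user, set()).update(rights)

    def revoke(self, actor, user):
        if "grant" not in self.acl.get(actor, set()):
            raise PermissionError(f"{actor} cannot revoke access")
        self.acl.pop(user, None)

    def allows(self, user, right):
        return right in self.acl.get(user, set())

class MacPolicy:
    """MAC: only the central administrator sets categories and user lists."""
    def __init__(self, admin):
        self.admin = admin
        self.category_of = {}   # object -> category
        self.members = {}       # category -> users allowed to access it

    def _admin_only(self, actor):
        if actor != self.admin:
            raise PermissionError(f"{actor} is not the administrator")

    def categorize(self, actor, obj, category):
        self._admin_only(actor)
        self.category_of[obj] = category

    def authorize(self, actor, user, category):
        self._admin_only(actor)
        self.members.setdefault(category, set()).add(user)

    def allows(self, user, obj):
        # An object with no category is denied to everyone (assumed default).
        return user in self.members.get(self.category_of.get(obj), set())

def share_attempts():
    """alice tries to share a report with bob under each policy."""
    dac = DacFile(owner="alice")
    dac.grant("alice", "bob", {"read"})            # owner's discretion: succeeds
    mac = MacPolicy(admin="secadmin")
    mac.categorize("secadmin", "report.txt", "finance")
    mac.authorize("secadmin", "alice", "finance")
    try:
        mac.authorize("alice", "bob", "finance")   # a user cannot change MAC rules
        mac_shared = True
    except PermissionError:
        mac_shared = False
    return dac.allows("bob", "read"), mac_shared, mac.allows("bob", "report.txt")
```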
Types of Access Control Policies
Mandatory Access Control (MAC) -- Pros
– High-level data protection: With MAC, one can be sure that their most
confidential data is well protected, leaving no room for leakage.
– Centralized Information: Once data is set in a category it cannot be
de-categorized by anyone other than the head administrator. This makes the
whole system centralized and under the control of only one authority.
– Privacy: Data is set manually by an administrator. No one other than the admin
can change a category or the list of users with access to a category. It
can be updated only by the admin.
Types of Access Control Policies
Mandatory Access Control (MAC) -- Cons
– Careful Setting-Up Process: MAC must be set up with great care, otherwise
it will make work confusing, because sometimes a piece of information
needs to be shared among co-workers in the same organization but MAC
prevents anyone from doing so.
– Regular Update Required: It requires regular updating when new data is
added or old data is deleted. The administration is required to put some
consideration into the MAC system and ACL list now and then.
– Lack of Flexibility: MAC system is not operationally flexible. It is not an easy
task to initially input all data and create an ACL that won’t create any trouble
later.
Types of Access Control Policies
Role-Based Access Control (RBAC) - Role-based security
– Mechanism that restricts system access by setting permissions and
privileges so that access is enabled only for authorized users.
– Most large organizations use role-based access control to provide
their employees with varying levels of access based on their roles
and responsibilities.
– This protects sensitive data and ensures employees can only
access information and perform actions they need to do their jobs.
Types of Access Control Policies
Role-Based Access Control (RBAC) – Working
– User – an individual with a unique identifier (UID) that has system access
– Role – a named job function (indicates the level of authority)
– Permission – equivalent to access rights
– Session – a period of working time during which a user utilizes
permissions of the roles assigned to them
– Object – a system resource that requires permission to access
– Operation – any action in the protected network
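The six RBAC elements listed above, wired together in an added Python example (not part of the original slides). The role names, UIDs and permissions are constructed samples, and letting a session activate only a subset of the user's assigned roles is an assumption of this sketch.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Permission:
    operation: str   # the action, e.g. "read" or "approve"
    obj: str         # the protected object the action applies to

@dataclass
class Role:
    name: str
    permissions: set = field(default_factory=set)

@dataclass
class User:
    uid: str
    roles: set = field(default_factory=set)   # names of assigned roles

class Session:
    """A working period in which a user activates some of their assigned roles."""
    def __init__(self, user, activate, roles_by_name):
        not_assigned = set(activate) - user.roles
        if not_assigned:
            raise PermissionError(f"{user.uid} is not assigned {sorted(not_assigned)}")
        self.user = user
        self.active = [roles_by_name[name] for name in activate]

    def may(self, operation, obj):
        # Access is decided by the active roles, never by the user directly.
        wanted = Permission(operation, obj)
        return any(wanted in role.permissions for role in self.active)

# Constructed sample policy.
ROLES = {
    "clerk": Role("clerk", {Permission("read", "invoice"),
                            Permission("create", "invoice")}),
    "manager": Role("manager", {Permission("read", "invoice"),
                                Permission("approve", "invoice")}),
}
USERS = {
    "u1001": User("u1001", {"clerk"}),
    "u1002": User("u1002", {"clerk", "manager"}),
}

def open_session(uid, activate):
    return Session(USERS[uid], activate, ROLES)

if __name__ == "__main__":
    s = open_session("u1002", ["clerk"])
    print(s.may("create", "invoice"), s.may("approve", "invoice"))
```

Changing what a job function may do means editing one `Role`, and every user holding that role picks up the change at their next session.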
Types of Access Control Policies
Role-Based Access Control (RBAC) – Pros
– Increased efficiency: reducing both the amount of work and error
rate not only makes the process of access control much easier but
also increases efficiency within the organisation with no need for
manual modifications, error handling, and individual access
permission requests.
– Transparency: the access permissions are clear and easy to
understand for the users since they are based on their roles and
they know what to expect.
– Security: the perfect balance between ease-of-use and security,
RBAC systems prevent you from giving more permissions than
needed.
Types of Access Control Policies
Role-Based Access Control (RBAC) – Cons
– Labour-intensive setup: translating an organizational hierarchy into
an access control model requires a lot of work and can be a bit time-
consuming and labour-intensive to set up.
– Temporary permissions: when users are assigned temporary access
permissions, it can be easy to forget to revoke them later on, compared
to assigning permissions individually.
– Application: it is not the best solution for small companies since it
can be difficult to create and maintain roles, which is why it is used
only when there are a certain number of roles and users. Even in
large companies with several employees and roles, it may be difficult
to set up and you may end up creating 100 different groups.
Self-Study (Further)
Difference between firewall and access control list?
Key Components of an Access Control List
Common Use Cases for Access Control Lists
How ACLs work
Advantages of using an access control list
RBAC vs. ACL