DS Unit 3 Part Two

Access control is a critical security mechanism that involves authentication, authorization, access management, and auditing to protect organizational data. Various access control models, such as Discretionary, Mandatory, Role-Based, and Attribute-based Access Control, provide frameworks for implementing these security measures based on specific needs. Additionally, the confinement problem highlights the challenges of preventing unauthorized information leakage in client-server interactions while maintaining necessary resource sharing.

UNIT 3 PART 2

Risk - Systems: Access Control Mechanisms, Flow and Confinement Problem
What Are the Components of Access Control?
Access control is managed through several components:
1. Authentication
Authentication is the initial process of establishing the identity of a user. For example, when a
user signs in to their email service or online banking account with a username and password
combination, their identity has been authenticated. However, authentication alone is not
sufficient to protect organizations’ data.
2. Authorization
Authorization adds an extra layer of security to the authentication process. It specifies access
rights and privileges to resources to determine whether the user should be granted access to data
or make a specific transaction.
For example, an email service or online bank account can require users to provide two-factor
authentication (2FA), which is typically a combination of something they know (such as a
password), something they possess (such as a token), or something they are (like a biometric
verification). This information can also be verified through a 2FA mobile app or a thumbprint
scan on a smartphone.
3. Access
Once a user has completed the authentication and authorization steps, their identity will be
verified. This grants them access to the resource they are attempting to log in to.
4. Manage
Organizations can manage their access control system by adding and removing the authentication
and authorization of their users and systems. Managing these systems can become complex in
modern IT environments that comprise cloud services and on-premises systems.
5. Audit
Organizations can enforce the principle of least privilege through the access control audit
process. This enables them to gather data around user activity and analyze that information to
discover potential access violations.

Access Control Mechanisms

Access Control is a way of granting or denying access to a set of information or resources. The
exponential increase in data generation and maintenance has brought unique challenges and
requirements for stringent privacy protection and security. Advances in networking and cloud
computing have increased collaboration between multiple users, which in turn makes networks
and systems more exposed to attacks and data leaks. Data access by unwanted entities can cause
security incidents, monetary losses, and privacy concerns for organizations. For these reasons,
imposing access control has become a crucial part of data and information security.
Why Access Control is important and useful:

- Enables user identification, authentication, and authorization

Access Control requires user identification and authentication to ensure the requester belongs to
the permitted set of users before access is requested. Access Control then grants or limits user
access to resources.

- Distinguishes real users from bots

Access Control can assess user access patterns to identify malicious bots and deny them access,
helping to protect data privacy. Bots are often used to mimic human behavior and can perform
automated, and sometimes harmful, tasks.

- Detects malicious activity

Anomalous user access behavior often indicates suspicious network activity. Access Control can
aid in the timely detection of security threats and help prevent them.

- Aids in intrusion detection

Access Control helps detect anomalous user activity and helps safeguard systems from intrusion
and security breaches.

- Provides selective access to help maintain confidentiality

Restricting users that should not be accessing the information and resources keeps data
confidential, protected, and less prone to leakage.

Elements of Access Control

Access Control is commonly formulated for two conceptual entities: Subjects and Objects.

[Figure: Elements of Access Control]

Access Control Policy and Models

Access control policies are high-level requirements that specify how access is managed and who
may access information under what circumstances. International Organization for
Standardization (ISO) defines security standards that organizations must comply with to ensure
and execute data privacy and security. Access Control Lists implement these policies for a
system or network resource component.

Access Control Models provide a defined structure to implement access control policies.
Organizations can choose to implement one or a combination of the access control models based
on the custom security requirements and existing infrastructure.

The following are some of the common types of access control models:

Discretionary Access Control (DAC): The data owner decides which users may access the data
and which permissions those users are granted.

- Access control of this type is simple to implement and maintain. Users get more
autonomy over changes if they hold the access rights.
- Such approaches might run into conflicting user permissions and might not be as
secure as other approaches.

Mandatory Access Control (MAC): The organization's administrator sets strict policies on
individual users and/or on the data, resources, and information accessed by the users. Users cannot
add, alter, or remove any permissions.

- Such models can be used when central access policies are enforced, and they make it easier
to compartmentalize resource access to a subset of users.
- However, this model might not suit an organization that depends highly on
collaboration and lacks the management resources to implement it.

Role-Based Access Control (RBAC): The system administrator decides the level of priority or
access given to users based on their role in the organization. The assigned permissions allow the
user limited access to resources or limited permissions to information. The users can perform
actions or access information based on the level of visibility granted by the RBAC.

- This approach is very flexible and makes it easy to maintain user access for well-defined
organizational hierarchies.
- The roles and responsibilities assigned to users can lead to overprivileged users
because of the complexity of the access assignment.

Attribute-based Access Control (ABAC): This is a context-based dynamic policy. Access is
decided by policies that evaluate the attributes of the user and the context of the request.

- Being attribute-based and dynamic, this approach is more targeted, robust, and
scalable.
- The implementation process is quite complicated and time-consuming.

Break-glass Access Control: Generally implemented in case of emergency; a user who is normally
not authorized is given access, or is allowed to create a new account, which would not be permitted
under normal conditions.

- This approach can help prevent threats or mitigate damage in a security
emergency.
- It is used only in emergencies; it is not very secure and is not meant for
long-term needs.

Rule-based Access Control: The system admin defines condition-based rules limiting access to
company resources. Two common variants:

- Spatial Access Control: access control conditions are location-based.
- Temporal Access Control: access control conditions are based on the time of day at
which access is requested.

Properties of rule-based access control:

- This approach serves custom and specific access requirements well. It provides
more granular control and flexible options for access setup.
- To ensure reliable security, this approach demands extremely diligent design of
the rules.
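The contrast between DAC and MAC drawn above (the owner may hand out rights at will; administrator-set labels cannot be overridden by users) as an added example, not code from the notes. The resource name, users, clearance levels and the Bell-LaPadula style rules are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Sensitivity labels assigned by the administrator (MAC); higher means more sensitive.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

@dataclass
class Resource:
    name: str
    owner: str
    label: str                                # MAC label: set by the administrator only
    acl: dict = field(default_factory=dict)   # DAC ACL: user -> set of rights, set by the owner

def dac_grant(res, grantor, user, right):
    """DAC: the owner may hand out rights at their discretion; nobody else may."""
    if grantor != res.owner:
        raise PermissionError(f"{grantor} does not own {res.name}")
    res.acl.setdefault(user, set()).add(right)

def dac_allows(res, user, right):
    return user == res.owner or right in res.acl.get(user, set())

def mac_allows(res, clearance, right):
    """MAC in the Bell-LaPadula style: no read up, no write down."""
    if right == "read":
        return LEVELS[clearance] >= LEVELS[res.label]
    if right == "write":
        return LEVELS[clearance] <= LEVELS[res.label]
    return False

def decide(res, user, clearance, right):
    """Both checks must pass: the owner's ACL can never override the administrator's labels."""
    return mac_allows(res, clearance, right) and dac_allows(res, user, right)

def demo():
    report = Resource("q3_report", owner="alice", label="confidential")   # constructed resource
    dac_grant(report, "alice", "bob", "read")   # alice widens access on her own authority
    return {
        "dac_only": dac_allows(report, "bob", "read"),                      # True: DAC trusts the owner
        "mac_low_clearance": decide(report, "bob", "internal", "read"),     # False: no read up
        "mac_cleared": decide(report, "bob", "confidential", "read"),       # True: label satisfied
    }
```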

Temporal Access Control

Time-based access control (temporal access control) is a way of determining whether to grant
or deny access to a user based on the time of day at which the access was requested. It plays a
crucial role in the authorization of user access and can also be applied to inbound or outbound
network traffic. Temporal access control can cover a defined time range (absolute or periodic) or
a custom time frame.

- Absolute: define a particular date and time, or a time range, during which access is granted
or prohibited to a certain set of users.
- Periodic: define access control for a certain time range that repeats after a certain period.

Firewall settings can define the temporal access control of a network and its network devices for a
user or set of users. Permissions can be set and altered accordingly.

Based on Figure 1 above, the following are some scenarios/examples of time-based access
control:

- Selective user access to selective network devices:
  - On December 3, 2022, 1-3 AM, User A has access to change the settings of
Router 1, but at the same time User B has no permissions.
- Selective user access to the entire network:
  - On Tuesday 4-6 AM, no user has access to any network device in the network.
- Selective user access:
  - On Saturday and Sunday, 10 AM - 6 PM, User B has permission to alter settings
for Router 2, but User B cannot shut down the system.
  - When the system is down for maintenance, only the system admin has
access to set and alter permissions for users.
- Selective network device access:
  - Router 1 cannot ping Router 2 every Thursday between 2-5 PM.
  - Router 3 can ping Router 2 only on Nov 22, 2022, between 5-10 PM; otherwise,
all requests are directed towards Router 1.
- Detecting anomalous network activity:
  - Temporal access control can help detect anomalous user activity and prevent
malicious attacks by blocking access based on the access control rules.
  - Using machine learning and network analytics, it is possible to detect
anomalous, malicious, or suspicious network activity and help prevent threats
like intrusion, DDoS attacks, data leakage, etc.
  - For example, the usual login activity of User A is Monday-Friday, 8 AM - 9 PM.
  - Set an alert, add user authentication/verification, or block login access for all login
requests made from User A's account outside the usual login hours.
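The absolute and periodic windows from the scenarios above, plus the off-hours login alert for User A, as an added example (not from the notes). The Rule structure, the first-match/default-deny evaluation order and the action names are assumptions; the dates and windows are the ones listed above.

```python
from dataclasses import dataclass
from datetime import date, datetime, time
from typing import Optional, Set

@dataclass
class Rule:
    user: Optional[str]            # None matches any user
    device: Optional[str]          # None matches any device
    action: Optional[str]          # None matches any action
    effect: str                    # "allow" or "deny"
    start: time                    # window [start, end) within the day
    end: time
    days: Optional[Set[int]] = None     # periodic: weekdays, 0 = Monday
    on_date: Optional[date] = None      # absolute: one calendar date

def matches(rule, user, device, action, when):
    """True when the request and its timestamp fall inside the rule's scope and window."""
    if rule.user not in (None, user) or rule.device not in (None, device):
        return False
    if rule.action not in (None, action):
        return False
    if rule.on_date is not None and when.date() != rule.on_date:
        return False
    if rule.days is not None and when.weekday() not in rule.days:
        return False
    return rule.start <= when.time() < rule.end

def decide(rules, user, device, action, when):
    """First matching rule wins; a request matched by no rule is denied."""
    for rule in rules:
        if matches(rule, user, device, action, when):
            return rule.effect == "allow"
    return False

# Constructed rules mirroring the scenarios above; Dec 3, 2022 is a Saturday.
RULES = [
    Rule(None, None, None, "deny", time(4), time(6), days={1}),                     # Tuesday 4-6 AM: nobody
    Rule("A", "Router 1", "change_settings", "allow", time(1), time(3), on_date=date(2022, 12, 3)),
    Rule("B", "Router 2", "change_settings", "allow", time(10), time(18), days={5, 6}),  # Sat/Sun
    # No rule grants B "shutdown" on Router 2, so it is denied by default.
]

# Off-hours login detection: User A's usual window is Mon-Fri, 8 AM - 9 PM.
USUAL_LOGIN = Rule("A", None, "login", "allow", time(8), time(21), days={0, 1, 2, 3, 4})

def login_alert(user, when):
    """True when a login by User A falls outside the usual window (alert, step-up auth, or block)."""
    return user == USUAL_LOGIN.user and not matches(USUAL_LOGIN, user, None, "login", when)
```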

The Confinement Problem

The confinement problem deals with preventing a process from taking disallowed actions.
Consider a client/server situation: the client sends a data request to the server; the server uses the
data, performs some function, and sends the results (data) back to the client. In this case the
confinement problem deals with preventing a server from leaking information that the user of
that service considers confidential.

Access control affects the function of the server in two ways:

1. Goal of the service provider: the server must ensure that the resources it accesses on behalf of
the client include only those resources that the client is authorized to access.

2. Goal of the service user: the server must ensure that it does not reveal the client's data to any
other entity not authorized to see the client's data.

Def: The confinement problem is the problem of preventing a server from leaking information
that the user of the service considers confidential.

Observations

A process that does not store information cannot leak it. This implies that the process cannot do
any computations, because an analyst could observe the flow of control and deduce information
about the inputs.

A process that cannot be observed and cannot communicate with other processes cannot leak
information. This is called total isolation.

Total isolation is not practical because processes share

- CPU
- network
- disk storage

Unconfined processes can transmit information over these shared resources. How might a process
do this?

Def: A covert channel is a path of communication that was not designed to be used for
communication.

Example: process p is confined and cannot communicate with process q, but p and q share a file
system and both have read, create, and delete privileges in the same directory.

- p creates a file whose length is 0 or 1, encoding one bit.
- q reads the length and then deletes the file.
- The steps above repeat until p creates a file called "end", at which point q knows that the
whole message has been sent.
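The file-length channel described above, replayed from a constructed audit trail, together with the kind of detection a defender would run over such a trail: the channel leaves a distinctive pattern of tiny files created by one process and deleted by another. This is an added example, not from the notes; the audit line format, the process names and the detection thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed audit trail (not from the notes): "<seconds> <process> <op> <path> <size>".
# p signals the bits 1,0,1 to q as the length of /shared/msg, then creates "end".
AUDIT = """\
0.01 p create /shared/msg 1
0.03 q delete /shared/msg 1
0.04 p create /shared/msg 0
0.06 q delete /shared/msg 0
0.07 p create /shared/msg 1
0.09 q delete /shared/msg 1
0.10 p create /shared/end 0
1.50 r create /shared/report.pdf 48213
"""

LINE = re.compile(r"^(\S+) (\S+) (create|read|delete) (\S+) (\d+)$")

def parse(text):
    """Parse audit lines into (t, proc, op, path, size); malformed lines are skipped."""
    rows = []
    for m in filter(None, map(LINE.match, text.splitlines())):
        t, proc, op, path, size = m.groups()
        rows.append((float(t), proc, op, path, int(size)))
    return rows

def bits_received(rows, writer, channel="/shared/msg", end="/shared/end"):
    """What the reader learns: each file length is one bit, until the writer creates 'end'."""
    bits = ""
    for _, proc, op, path, size in rows:
        if proc == writer and op == "create":
            if path == end:
                break
            if path == channel:
                bits += str(size)
    return bits

def suspicious_pairs(rows, max_size=1, window=0.5, min_events=3):
    """Detection: flag (creator, deleter) pairs where tiny files made by one process are
    deleted by a different process within `window` seconds at least `min_events` times."""
    pending = {}                 # path -> (create time, creator)
    counts = defaultdict(int)
    for t, proc, op, path, size in rows:
        if op == "create" and size <= max_size:
            pending[path] = (t, proc)
        elif op == "delete" and path in pending:
            t0, creator = pending.pop(path)
            if creator != proc and t - t0 <= window:
                counts[(creator, proc)] += 1
    return {pair: n for pair, n in counts.items() if n >= min_events}
```

The large report.pdf created by r is never flagged, since only files of at most max_size bytes handed from one process to another count toward the threshold.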

Note: If p creates a process q, then q must be similarly confined.

Def: The rule of transitive confinement states that if a confined process invokes a second
process, the second process must be as confined as the caller.

Confinement is a mechanism for enforcing the principle of least privilege. The problem is that
the confined process needs to transmit data to another process. The confinement needs to be on
the transmission, not on the data access. The confinement mechanism must distinguish between
transmission of authorized data and the transmission of unauthorized data. This presents a
dilemma in that modern computers are designed to share resources and yet by the act of sharing
they create channels of communications along which information can be leaked.

Even time can be used to transmit information. For example, one process can read the time by
checking the system clock or by counting the number of instructions executed, while a second
process can write the time by executing a set number of instructions and then stopping.
