Basic Terminology
• Object
  — A passive entity that contains data or functionality
• Subject
  — An active entity that requests access to an object or the
    data within an object
• Access
  — Flow of information between a Subject and an Object
• Access Control
  — Security features that control how Subjects
    communicate and interact with Objects
  — They protect the systems and resources from
    unauthorized access
Subjects vs. Objects [diagram slide: the picture is not reproduced in this text]
4 Steps for a Subject to Access an Object
• Identification
  — Method of ensuring that a Subject is unique and recognized by
    the system
  — User name, user ID, account number, Certificate, etc.
• Authentication
  — Verifying the identification information
  — Password, Passphrase, Key, PIN value, biometric etc.
• Authorization
  — Using criteria to allow the operations that subjects can carry
    out on objects
• Accountability
  — Audit logs and monitoring to track subject activities with
    objects
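The four steps above, walked through in code. This is an added example and not part of the slides: an in-memory user store, a permission table and an audit log are constructed here so it runs offline, and the user IDs, object names and passwords are made up. Identification is a lookup of a unique ID, authentication compares a salted PBKDF2 hash in constant time, authorization is a permission lookup, and accountability is the audit entry written on every path, including the failures.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Constructed in-memory stores; a real system would back these with a
# directory, a database and an append-only log.
_USERS: dict[str, dict] = {}                     # user_id -> salt + password hash
_PERMS: dict[tuple[str, str], set[str]] = {}     # (user_id, object) -> allowed ops
AUDIT_LOG: list[dict] = []                       # every decision, successful or not


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow hash: the store never holds the clear-text password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def register(user_id: str, password: str) -> None:
    """Issue an identifier. It must be unique and is never reused or shared."""
    if user_id in _USERS:
        raise ValueError(f"identifier {user_id!r} already issued")
    salt = os.urandom(16)
    _USERS[user_id] = {"salt": salt, "hash": _hash_password(password, salt)}


def grant(user_id: str, obj: str, *ops: str) -> None:
    """Record which operations this subject may perform on an object."""
    _PERMS.setdefault((user_id, obj), set()).update(ops)


def _audit(user_id: str, obj: str, op: str, step: str, outcome: str) -> None:
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "subject": user_id, "object": obj, "op": op,
        "step": step, "outcome": outcome,
    })


def identify(user_id: str) -> bool:
    """Step 1: is this a known, unique subject?"""
    return user_id in _USERS


def authenticate(user_id: str, password: str) -> bool:
    """Step 2: does the subject hold the credential bound to that identity?"""
    rec = _USERS[user_id]
    # Constant-time compare so timing does not reveal how much of the hash matched.
    return hmac.compare_digest(_hash_password(password, rec["salt"]), rec["hash"])


def authorize(user_id: str, obj: str, op: str) -> bool:
    """Step 3: is this operation on this object permitted for this subject?"""
    return op in _PERMS.get((user_id, obj), set())


def access(user_id: str, password: str, obj: str, op: str) -> str:
    """Run the four steps in order, stopping at the first failure.
    Step 4 (accountability) is the audit entry written on every path."""
    if not identify(user_id):
        _audit(user_id, obj, op, "identification", "unknown subject")
        return "unknown subject"
    if not authenticate(user_id, password):
        _audit(user_id, obj, op, "authentication", "bad credential")
        return "bad credential"
    if not authorize(user_id, obj, op):
        _audit(user_id, obj, op, "authorization", "denied")
        return "denied"
    _audit(user_id, obj, op, "authorization", "granted")
    return "granted"


def failed_logins(user_id: str) -> int:
    """Accountability in use: how often did this subject fail authentication?"""
    return sum(1 for e in AUDIT_LOG
               if e["subject"] == user_id and e["step"] == "authentication")


if __name__ == "__main__":
    register("u1042", "correct horse")            # constructed sample subject
    grant("u1042", "payroll.db", "read")
    print(access("u1042", "correct horse", "payroll.db", "read"))   # granted
    print(access("u1042", "wrong", "payroll.db", "read"))           # bad credential
    print(access("u1042", "correct horse", "payroll.db", "write"))  # denied
    print(access("u9999", "x", "payroll.db", "read"))               # unknown subject
    for entry in AUDIT_LOG:
        print(entry)
```

Note that the log records the unknown-subject and bad-credential attempts too; an audit trail that only records successes cannot show a password-guessing campaign against one account, which is what `failed_logins` counts.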
Threats to Access Control
• Stop Authorized Access of Legitimate User
  —Denial of Service (DoS)
• Unauthorized Access by Illegitimate User
  —Shoulder Surfing, Tapping, Sniffing
  —Spoofing, Intrusion, Replay Attacks
  —Password Cracking
  —Malicious Software, Buffer Overflows
  —Backdoors, Help Desk Frauds
  —Theft, Social Engineering, Data Mining
  —Emanations, Data Remanence
  —And many more
Digital Identity
• Traditionally, identity is taken as a user ID
  that is mapped to an individual
• A Digital identity may be made up of
  attributes, entitlements, and traits
  —Attributes (department, role in company,
   shift time, clearance, etc.)
  —Entitlements (resources available to users,
   authoritative rights in the company, etc.)
  —Traits (biometric information, height, gender,
   etc.)
Access Criteria
• Different types of criteria can be used:
  —ID
  —Role
  —Group
  —Physical or Logical Location
  —Time of Day
  —Transaction Type
Identification Requirements
• Important guidelines for issuing
  identification values to users:
  —Each value should be unique, for user
   accountability.
  —Standard naming scheme should be followed.
  —Value should be non-descriptive of the
   user’s position or tasks.
  —Value should not be shared between users.
Authentication Factors
• Three general factors that can be used for
  authentication:
• Something a person knows
  — authentication by knowledge
  — E.g. Password, PIN, Key
• Something a person has
  — authentication by ownership
  — E.g. Smart Card, ATM Card, USB Dongle, Mobile Phone
• Something a person is
  — authentication by characteristic
  — E.g. Biometric, Fingerprint, Face recognition
Multi-Factor Authentication
• Strong Authentication
  —Uses more than one authentication factor,
   preferably at least two of different types
   (two passwords are still a single factor)
  —Two-Factor Authentication
    – Uses at least 2 authentication factors
    – E.g. ATM Card + PIN
  —Three-Factor Authentication
    – Uses 3 authentication factors
    – E.g. Smart Card + PIN + Biometric
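A two-factor check in code, added here as an example and not taken from the slides: something the user knows (a password) plus something the user has (a TOTP token, RFC 6238, built on HOTP, RFC 4226). The account, its password and the fixed salt are constructed; the token seed is the RFC 6238 test-vector key so the generated codes can be checked against the RFC's table. The check also refuses a code for a time step that has already been accepted, which is the replay defence a one-time code needs.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step)


# Constructed sample account. The password hash and TOTP seed would come from
# an enrolment step; the seed is the RFC 6238 test-vector key.
_SALT = b"fixed-salt-for-demo-only"
ACCOUNT = {
    "pw_hash": hashlib.pbkdf2_hmac("sha256", b"hunter2", _SALT, 100_000),
    "totp_seed": b"12345678901234567890",
    "last_counter": -1,     # highest time step whose code has been accepted
}


def verify_two_factor(password: str, code: str, now: int,
                      account: dict = ACCOUNT, step: int = 30, window: int = 1) -> bool:
    """Both factors must pass: the password (something known) and a code from
    the enrolled token (something possessed). Codes for the current step and
    `window` steps either side are tolerated for clock drift, but a step at or
    below the last accepted one is refused, so a sniffed code cannot be replayed."""
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000),
        account["pw_hash"])

    counter = now // step
    matched = None
    for c in range(counter - window, counter + window + 1):
        if c > account["last_counter"] and \
                hmac.compare_digest(hotp(account["totp_seed"], c), code):
            matched = c
            break

    # Both checks always run, so a rejection does not say which factor failed.
    if pw_ok and matched is not None:
        account["last_counter"] = matched
        return True
    return False


if __name__ == "__main__":
    seed = ACCOUNT["totp_seed"]
    print(totp(seed, 59))                                    # 287082 (RFC 6238 vector)
    print(verify_two_factor("hunter2", totp(seed, 59), 59))  # True
    print(verify_two_factor("hunter2", totp(seed, 59), 59))  # False: replayed code
    print(verify_two_factor("wrong", totp(seed, 89), 89))    # False: bad password
```

The point of `last_counter` is that a one-time code is only one-time if the verifier remembers what it has already accepted; without it, an attacker who sniffs the code has the whole 30-second step (plus the drift window) to reuse it.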
Mutual Authentication
• Two communicating entities authenticate
  to each other before passing data
• In the majority of cases, only client/user
  authentication is implemented
  —This leads to server/service impersonation
   attacks
• Server authentication is as important as
  the client authentication
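The exchange described above, as an added example that is not part of the slides: a three-message mutual challenge-response over a pre-shared key, with both parties' messages shown. The key, the party names and the impostor are constructed. The server proves itself first, over the client's fresh nonce, and the client only answers the server's challenge once that proof checks out, so an impersonating server gets nothing it could reuse. The role label inside each MAC is a standard precaution against reflecting one side's answer back at it.

```python
import hashlib
import hmac
import os


def _tag(key: bytes, role: bytes, *nonces: bytes) -> bytes:
    """HMAC over a role label and the nonces. The label ('server' or 'client')
    stops a reflection attack, where a party is tricked into answering its
    own challenge."""
    h = hmac.new(key, role, hashlib.sha256)
    for n in nonces:
        h.update(n)
    return h.digest()


class Client:
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.nonce = self.server_nonce = b""

    def start(self) -> bytes:
        """Message 1: a fresh challenge for the server."""
        self.nonce = os.urandom(16)
        return self.nonce

    def check_server(self, server_nonce: bytes, server_tag: bytes) -> bool:
        """Verify message 2: only a holder of the key can tag *our* fresh nonce."""
        expected = _tag(self.key, b"server", self.nonce, server_nonce)
        if not hmac.compare_digest(expected, server_tag):
            return False
        self.server_nonce = server_nonce
        return True

    def respond(self) -> bytes:
        """Message 3: answer the server's challenge (sent only after the server passed)."""
        return _tag(self.key, b"client", self.server_nonce, self.nonce)


class Server:
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.nonce = self.client_nonce = b""

    def challenge(self, client_nonce: bytes) -> tuple[bytes, bytes]:
        """Message 2: prove ourselves over the client's nonce and send our own challenge."""
        self.client_nonce = client_nonce
        self.nonce = os.urandom(16)
        return self.nonce, _tag(self.key, b"server", client_nonce, self.nonce)

    def check_client(self, client_tag: bytes) -> bool:
        """Verify message 3."""
        expected = _tag(self.key, b"client", self.nonce, self.client_nonce)
        return hmac.compare_digest(expected, client_tag)


def run_handshake(client: Client, server: Server) -> tuple[bool, bool]:
    """Drive the three messages. Returns (server proved to client,
    client proved to server). If the server fails, the client sends nothing
    further, so an impostor learns nothing it could replay elsewhere."""
    n_c = client.start()                          # 1. C -> S : N_c
    n_s, tag_s = server.challenge(n_c)            # 2. S -> C : N_s, MAC(K, "server" | N_c | N_s)
    if not client.check_server(n_s, tag_s):
        return False, False
    client_ok = server.check_client(client.respond())   # 3. C -> S : MAC(K, "client" | N_s | N_c)
    return True, client_ok


if __name__ == "__main__":
    shared = os.urandom(32)                                      # constructed pre-shared key
    print(run_handshake(Client(shared), Server(shared)))         # (True, True)
    print(run_handshake(Client(shared), Server(os.urandom(32)))) # (False, False): impostor server
```

Compare this with the common one-sided design, where the client sends its proof first: there the impostor server collects the client's response for free and the client never learns it was talking to the wrong party.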
Access Control Layers
• Administrative Controls
  —Policy and procedures, Personnel controls
  —Supervisory structure
  —Security-awareness training, Testing
• Physical Controls
  —Network segregation, Perimeter security
  —Computer controls, Work area separation
  —Data backups, Cabling, Control zone
• Technical Controls
  —System access, Network architecture & Access
  —Encryption and protocols, Auditing
Access Control Models
• AC Model dictates how subjects access objects
• Uses AC technologies and security mechanisms
1. DAC (Discretionary Access Control)
  — Data owners decide who has access to resources, ACLs
    are used to enforce these access decisions.
2. RBAC (Role Based Access Control)
  — Access decisions are based on each subject’s role and/or
    functional position.
3. MAC (Mandatory Access Control)
  — Operating systems enforce the system’s security policy
    through the use of security labels.
Access Control Techniques
• Access Control List (ACL): Bound to an object
  and indicates which subjects can access it and
  what operations they can carry out
• Capability Table: Bound to a subject and
  indicates which objects that subject can access
  and what operations it can carry out
• Access Control Matrix: Table of subjects and
  objects that outlines their access relationships
  (each ACL is one column of the matrix, each
  capability table is one row)
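The three structures in code, as an added example that is not from the slides: one access control matrix, with the ACL read out as a column and the capability table as a row. Subjects, objects and operations are constructed sample data. The grant and revoke rules follow the DAC model from the previous slide (the owner of an object decides who else gets rights on it); the "own" right and the method names are assumptions made for the example.

```python
from collections import defaultdict


class AccessMatrix:
    """One matrix, three views. Discretionary flavour: whoever owns an object
    decides who else gets rights on it."""

    def __init__(self) -> None:
        self._m: dict[tuple[str, str], set[str]] = defaultdict(set)

    def create(self, owner: str, obj: str) -> None:
        """A new object starts with its creator as owner."""
        self._m[(owner, obj)].update({"own", "read", "write"})

    def grant(self, grantor: str, subject: str, obj: str, op: str) -> None:
        if "own" not in self._m.get((grantor, obj), set()):
            raise PermissionError(f"{grantor} does not own {obj}")
        self._m[(subject, obj)].add(op)

    def revoke(self, grantor: str, subject: str, obj: str, op: str) -> None:
        if "own" not in self._m.get((grantor, obj), set()):
            raise PermissionError(f"{grantor} does not own {obj}")
        self._m[(subject, obj)].discard(op)

    def allowed(self, subject: str, obj: str, op: str) -> bool:
        """The reference-monitor question: a single cell lookup."""
        return op in self._m.get((subject, obj), set())

    def acl(self, obj: str) -> dict[str, set[str]]:
        """ACL view = one column, bound to the object:
        which subjects can touch it and how."""
        return {s: set(ops) for (s, o), ops in self._m.items() if o == obj and ops}

    def capabilities(self, subject: str) -> dict[str, set[str]]:
        """Capability-table view = one row, bound to the subject:
        which objects it can reach and how."""
        return {o: set(ops) for (s, o), ops in self._m.items() if s == subject and ops}

    def render(self) -> str:
        """Whole matrix as text: subjects down the side, objects across the top."""
        subjects = sorted({s for (s, _), ops in self._m.items() if ops})
        objects = sorted({o for (_, o), ops in self._m.items() if ops})
        width = max([len(x) for x in subjects + objects] + [12])
        lines = [" " * width + "".join(o.rjust(width) for o in objects)]
        for s in subjects:
            cells = [",".join(sorted(self._m.get((s, o), set()))) or "-" for o in objects]
            lines.append(s.ljust(width) + "".join(c.rjust(width) for c in cells))
        return "\n".join(lines)


if __name__ == "__main__":
    m = AccessMatrix()                               # constructed sample data
    m.create("alice", "report.doc")
    m.create("bob", "notes.txt")
    m.grant("alice", "bob", "report.doc", "read")
    print(m.render())
    print("ACL of report.doc:", m.acl("report.doc"))
    print("capabilities of bob:", m.capabilities("bob"))
```

The two views answer different questions cheaply: an ACL answers "who can reach this object?" (useful for review and revocation), a capability table answers "what can this subject reach?" (useful when a subject presents its rights to a service). Both are the same matrix, so they must never disagree.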
Access Control Techniques
• Rule-based Access: Restricts subjects' access
  attempts by predefined rules
   —Content-based Access: Bases access
     decisions on the sensitivity of the data, not
     solely on subject identity
   —Context-based Access: Bases access
     decisions on the state of the situation, not
     solely on identity or content sensitivity
• Restricted Interfaces: Limit the user's
  environment within the system, thus limiting
  access to objects
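A small rule evaluator, added here as an example and not taken from the slides, that ties the Access Criteria slide (ID, role, group, location, time of day, transaction type) to the rule-based, content-based and context-based techniques above. The sensitivity levels, roles, groups, rules and sample requests are all constructed. The content rule is the clearance-dominates-label check that a MAC system enforces; the others are context and role rules. Every rule must pass, and the names of the failed rules are returned so the audit log can record why access was refused.

```python
from dataclasses import dataclass, field
from datetime import time

# Sensitivity labels in increasing order (constructed for the example).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass
class Subject:
    user_id: str
    role: str
    clearance: str                      # one of LEVELS
    groups: set = field(default_factory=set)


@dataclass
class Resource:
    name: str
    classification: str                 # one of LEVELS


@dataclass
class Context:
    now: time                           # time of day of the attempt
    location: str                       # "office" or "remote"
    transaction: str                    # "read", "write" or "transfer"


def content_rule(s: Subject, r: Resource, ctx: Context) -> bool:
    """Content-based: the subject's clearance must dominate the data label."""
    return LEVELS[s.clearance] >= LEVELS[r.classification]


def hours_rule(s: Subject, r: Resource, ctx: Context) -> bool:
    """Context-based, time of day: writes only during the business day."""
    return ctx.transaction == "read" or time(8, 0) <= ctx.now < time(18, 0)


def location_rule(s: Subject, r: Resource, ctx: Context) -> bool:
    """Context-based, location: confidential or higher data never leaves the office."""
    return ctx.location == "office" or LEVELS[r.classification] < LEVELS["confidential"]


def role_rule(s: Subject, r: Resource, ctx: Context) -> bool:
    """Role-based, transaction type: only the finance role may run transfers."""
    return ctx.transaction != "transfer" or s.role == "finance"


def group_rule(s: Subject, r: Resource, ctx: Context) -> bool:
    """Group-based: secret material is restricted to the 'board' group."""
    return r.classification != "secret" or "board" in s.groups


RULES = [content_rule, hours_rule, location_rule, role_rule, group_rule]


def decide(s: Subject, r: Resource, ctx: Context) -> tuple[bool, list[str]]:
    """Deny by default: every rule must pass. The failed-rule names are what
    the audit log should record, not just 'denied'."""
    failed = [rule.__name__ for rule in RULES if not rule(s, r, ctx)]
    return (not failed, failed)


if __name__ == "__main__":
    analyst = Subject("u7", "analyst", "internal")          # constructed subjects
    cfo = Subject("u9", "finance", "secret", {"board"})
    memo = Resource("memo", "internal")                     # constructed resources
    plans = Resource("plans", "secret")
    print(decide(analyst, memo, Context(time(10, 0), "office", "read")))      # (True, [])
    print(decide(analyst, plans, Context(time(10, 0), "office", "read")))     # content + group fail
    print(decide(cfo, plans, Context(time(20, 0), "office", "write")))        # hours fail
    print(decide(cfo, plans, Context(time(10, 0), "remote", "read")))         # location fail
```

The rules are deliberately independent functions with one reason each, so a denial can be explained and a rule can be changed without touching the others; a single large conditional is where such policies usually acquire an unintended allow path.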
Access Control List (ACL) Example [diagram slide: an ACL is bound to an Object]
ACL vs. Capability Table [diagram slide: on the left, an ACL bound to one Object
lists Subject-1, Subject-2 and Subject-3 with their permitted Operation-1,
Operation-2 and Operation-3; on the right, a Capability Table bound to one Subject
lists Object-1, Object-2 and Object-3 with the permitted Operation-1, Operation-2
and Operation-3. A CT is bound to a Subject.]
Access Control Matrix (Example) [diagram slide: the matrix is not reproduced in this text]
Password Management
  Your Password is like Your Toothbrush;
               You use it daily,
     You don’t share it with your friends,
         You change it periodically.
Questions ???