Module 8 Security Technology: Access Controls, Firewalls, and VPNs

Introduction to Access Controls

  • Technical controls are crucial for enforcing policies in IT functions without direct human oversight.
  • Effective technical controls help balance information availability with confidentiality and integrity.
  • Access controls manage permissions and privileges a subject (user/system) has on an object (resource).

Access Control

  • Access control selectively determines who can use a resource and how.
  • Types of Access Control:
    • Mandatory Access Controls (MACs): Enforce a structured data classification scheme.
    • Discretionary Access Controls (DACs): Implemented at the data user's discretion.
    • Nondiscretionary Controls: Implemented by a central authority.

Lattice-Based Access Control (LBAC)

  • LBAC assigns users a matrix of authorizations for specific access areas.
  • Role-Based Access Controls (RBACs): Tied to a user’s job duties.
  • Task-Based Access Controls (TBACs): Linked to specific responsibilities.
  • Attribute-Based Access Controls (ABACs): Control object use based on user or system attributes.

Access Control Mechanisms

  • Four fundamental functions:
    • Identification: Claiming to be a system user.
    • Authentication: Proving identity as a system user.
    • Authorization: Defining system permissions.
    • Accountability: Tracking and monitoring system use.

Identification

  • Identification validates and verifies a purported identity.
  • Identifiers can be composite (e.g., department codes + random numbers).
  • Organizations often use a unique piece of information (full name, initial and surname).

Authentication

  • Authentication validates and verifies an entity's claimed identity.
  • Authentication Factors:
    • Something you know (e.g., password).
    • Something you have (e.g., smart card).
    • Something you are (e.g., biometric).

Authorization

  • Authorization matches an authenticated entity to information assets and access levels.
  • Authorization Methods:
    • Individual user authorization.
    • Group membership authorization.
    • Authorization across multiple systems.
  • Authorization credentials (tickets) are issued by an authenticator and honored by systems within the authentication domain.

Accountability

  • Accountability (auditability) ensures actions on a system can be traced to an authenticated identity.
  • Achieved through system logs, database journals, and auditing of records.
  • System logs record specific information and have many uses.

Biometrics

  • Biometrics uses measurable human traits to authenticate identity.
  • Truly unique biometrics: fingerprints, retina/iris scans, and DNA.
  • Evaluated by:
    • False Reject Rate (FRR).
    • False Accept Rate (FAR).
    • Crossover Error Rate (CER).
  • Reliable biometric systems can be intrusive.

Ranking of Biometric Effectiveness and Acceptance

  • Table comparing biometrics (Face, Fingerprint, Iris, Retina, DNA, etc.) across Universality, Uniqueness, Permanence, Collectability, Performance, Acceptability and Circumvention.

Knowledge Check Activity 1

  • Question: The effectiveness of biometric-based controls is measured with the ____, where the rate of false rejections equals the rate of false acceptances.
  • Answer: Crossover error rate
  • The crossover error rate (CER) is a common measure of accuracy for a biometric system.
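
The sketch below is an added example, not part of the original module. It shows how FAR, FRR and the crossover point are found by sweeping a match threshold. The score lists, the 0-100 score scale and the function names are constructed assumptions.

```python
# Added example: locate the crossover error rate (CER) from match scores.
# All scores below are constructed sample data from a hypothetical matcher
# that returns a similarity score from 0 to 100 (higher = closer match).
GENUINE = [62, 71, 74, 78, 80, 83, 85, 88, 91, 95]   # same-person attempts
IMPOSTOR = [12, 20, 25, 31, 38, 44, 52, 60, 66, 76]  # different-person attempts


def far(threshold, impostor=IMPOSTOR):
    """False accept rate: fraction of impostor attempts accepted."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE):
    """False reject rate: fraction of genuine attempts rejected."""
    return sum(s < threshold for s in genuine) / len(genuine)


def crossover(genuine=GENUINE, impostor=IMPOSTOR, lo=0, hi=100):
    """Sweep integer thresholds and return (threshold, FAR, FRR) at the
    point where FAR and FRR are closest. With finite samples the two
    curves may never be exactly equal, so the nearest point is reported."""
    best = None
    for t in range(lo, hi + 1):
        a, r = far(t, impostor), frr(t, genuine)
        if best is None or abs(a - r) < abs(best[1] - best[2]):
            best = (t, a, r)
    return best


if __name__ == "__main__":
    for t in (50, 67, 80):  # loose, crossover, strict
        print(f"threshold={t:3d}  FAR={far(t):.2f}  FRR={frr(t):.2f}")
    print("crossover:", crossover())
```

Raising the threshold trades false accepts for false rejects; the CER is the single point where the two rates meet, which is why it is used to compare systems.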

Access Control Architecture Models

  • Illustrate access control implementations.
  • Trusted Computing Base (TCB):
    • Part of DoD Rainbow Series.
    • Enforces security policy.
    • Challenges: Covert channels (storage and timing).

  • ITSEC: International criteria for evaluating computer systems.
  • Common Criteria: Successor to TCSEC and ITSEC.
  • Bell-LaPadula Confidentiality Model:
    • State machine reference model.
    • -