Monday 23 June 2014

Access Control - Authorization

Physical or logical location can also be used to restrict access to resources. Some files may be available only to users who can log on interactively to a computer. This means the user must be physically at the computer.

Default to No Access - All access controls should be based on the concept of starting with zero access and building on top of that.

Authorization Creep - As employees work at a company over time and move from one department to another, they often are assigned more and more access rights and permissions.

Kerberos

Kerberos is an example of a single sign-on system for distributed environments, and is a de facto standard for heterogeneous networks. Kerberos uses symmetric key cryptography and provides end-to-end security. Although it allows the use of passwords for authentication, it was designed specifically to eliminate the need to transmit passwords over the network. Most Kerberos implementations work with shared secret keys.

Main Components in Kerberos
The Key Distribution Center (KDC) is the most important component within a Kerberos environment, and it holds all users’ and services’ secret keys. It provides an authentication service, as well as key distribution functionality. The clients and services trust the integrity of the KDC, and this trust is the foundation of Kerberos security. The KDC provides security services to principals, which can be users, applications, or network services. The KDC must have an account for, and share a secret key with, each principal (for users, this is their password).

A ticket is generated by the ticket granting service (TGS) on the KDC and given to a principal when that principal, let’s say a user, needs to authenticate to another principal, let’s say a print server. The ticket enables one principal to authenticate to another principal.

A KDC provides security services for a set of principals. This set is called a realm in Kerberos. The KDC is the trusted authentication server for all users, applications, and services within a realm. One KDC can be responsible for one realm or several realms. Realms are used to allow an administrator to logically group resources and users.

The Kerberos Authentication Process
The user and the KDC share a secret key, while the service and the KDC share a different secret key. The user and the requested service do not share a symmetric key in the beginning. The user trusts the KDC because they share a secret key. They can encrypt and decrypt data they pass between each other, and thus have a protected communication path. Once the user authenticates to the service, they, too, will share a symmetric key (session key) that is used for authentication purposes.

Be sure you understand that a session key is different from a secret key. A secret key is shared between the KDC and a principal and is static in nature. A session key is shared between two principals and is generated when needed and destroyed after the session is completed.
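The distinction between the static secret keys and the per-session key is easiest to see by running the exchange. The following is an added example, not code from the original post or from any Kerberos implementation. It simulates the flow described above with a toy stdlib-only cipher (SHA-256 keystream plus HMAC tag; real Kerberos uses AES), a realm name, principal names and the password-to-key derivation that are all constructed for the example. The KDC shares one long-term key with the user (her password) and another with the print server; a fresh session key is minted per ticket and reaches the service only inside a ticket sealed under the service's own key, so the password never crosses the wire.

```python
import hashlib
import hmac
import json
import os
import time

# Toy symmetric cipher for the example only: SHA-256 keystream in counter mode plus
# an HMAC tag, so everything runs on the standard library. Real Kerberos uses AES.
def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def encrypt(key, obj):
    plaintext, nonce = json.dumps(obj).encode(), os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))))

def user_key_from_password(realm, user, password):
    # Long-term (static) secret key of a user: derived from the password, never transmitted.
    # Constructed derivation for the example; real string-to-key functions differ.
    return hashlib.sha256((realm + user + password).encode()).digest()

class KDC:
    """Holds one static secret key per principal and mints fresh session keys."""
    def __init__(self):
        self.secret_keys = {}

    def register(self, principal, key):
        self.secret_keys[principal] = key

    def issue_ticket(self, user, service, lifetime_s=300):
        # Simplified TGS step: the same session key goes to the user (under the user's
        # secret key) and into the ticket (under the service's secret key). Neither side
        # can read the other's copy, and the KDC never reveals either long-term key.
        session_key = os.urandom(32).hex()
        expires = int(time.time()) + lifetime_s
        ticket = encrypt(self.secret_keys[service],
                         {"user": user, "session_key": session_key, "expires": expires})
        for_user = encrypt(self.secret_keys[user],
                           {"service": service, "session_key": session_key})
        return for_user, ticket

class Service:
    def __init__(self, name, secret_key):
        self.name, self.secret_key = name, secret_key

    def accept(self, ticket, authenticator):
        """Open the ticket with our own secret key, then verify the authenticator
        with the session key found inside. Returns the authenticated user name."""
        t = decrypt(self.secret_key, ticket)            # fails on a forged or tampered ticket
        if t["expires"] < int(time.time()):
            raise ValueError("ticket expired")
        auth = decrypt(bytes.fromhex(t["session_key"]), authenticator)
        if auth["user"] != t["user"] or abs(auth["timestamp"] - time.time()) > 300:
            raise ValueError("authenticator does not match ticket")
        return t["user"]

def run_exchange(typed_password, registered_password="correct horse battery"):
    """Full flow user -> KDC -> user -> service. Returns the name the service accepted,
    or raises ValueError when the typed password is wrong: the user then cannot open
    the KDC's reply and never obtains the session key."""
    kdc = KDC()
    kdc.register("alice", user_key_from_password("EXAMPLE.COM", "alice", registered_password))
    printer_key = os.urandom(32)                     # service's static key, shared with the KDC only
    kdc.register("printer", printer_key)
    printer = Service("printer", printer_key)

    for_user, ticket = kdc.issue_ticket("alice", "printer")
    my_key = user_key_from_password("EXAMPLE.COM", "alice", typed_password)
    session_key = bytes.fromhex(decrypt(my_key, for_user)["session_key"])
    authenticator = encrypt(session_key, {"user": "alice", "timestamp": time.time()})
    return printer.accept(ticket, authenticator)     # the password itself never crossed the wire

if __name__ == "__main__":
    print(run_exchange("correct horse battery"))
```

Two properties worth checking against the text: a wrong password leaves the user unable to decrypt the KDC's reply (authentication fails without the password ever being sent), and a ticket sealed under anything other than the service's own secret key is rejected by the HMAC check before its contents are trusted.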



Security Domains - A domain is a set of resources available to a subject. A security domain is where resources within this logical structure (domain) are working under the same security policy and managed by the same group.

Directory Services - A network service is a mechanism that identifies resources (printers, file servers, domain controllers, and peripheral devices) on a network. A network directory service contains information about these different resources, and the subjects that need to access them, and carries out access control activities. Network directory services provide users access to network resources transparently, meaning that users don’t need to know the exact location of the resources or the steps required to access them. The network directory services handle these issues for the user in the background. Some examples of directory services are Lightweight Directory Access Protocol (LDAP), Novell NetWare Directory Service (NDS), and Microsoft Active Directory (AD).

Examples of Single Sign-On Technologies
• Kerberos - Authentication protocol that uses a KDC and tickets, and is based on symmetric key cryptography
• SESAME - Authentication protocol that uses a PAS and PACs, and is based on symmetric and asymmetric cryptography
• Security domains - Resources working under the same security policy and managed by the same group
• Directory services - Technology that allows resources to be named in a standardized manner and access control to be maintained centrally
• Thin clients - Terminals that rely upon a central server for access control, processing, and storage

Access Control Models

An access control model is a framework that dictates how subjects access objects. There are three main types of access control models: discretionary, mandatory, and role based.

Discretionary Access Control - A system that uses discretionary access control (DAC) enables the owner of the resource to specify which subjects can access specific resources. This model is called discretionary because the control of access is based on the discretion of the owner.

Nondiscretionary Access Control states that access decisions are not made at the discretion of the user. Nondiscretionary access controls are put into place by an authoritative entity (usually a security administrator) with the goal of protecting the organization’s most critical assets.

Mandatory Access Control - In a mandatory access control (MAC) model, users do not have the discretion of determining who can access objects as in a DAC model. The MAC model is much more structured and strict than the DAC model and is based on a security label system. Users are given a security clearance (secret, top secret, confidential, and so on), and data is classified in the same way. The clearance and classification data are stored in the security labels, which are bound to the specific subjects and objects. When the system makes a decision about fulfilling a request to access an object, it is based on the clearance of the subject, the classification of the object, and the security policy of the system. The rules for how subjects access objects are made by the organization’s security policy, configured by the security administrator, enforced by the operating system, and supported by security technologies.

While MAC systems might seem an answer to all our security prayers, they have very limited user functionality, require a lot of administrative overhead, are very expensive, and are not user-friendly. DAC systems are general-purpose computers, while MAC systems serve a very specific purpose.

Role-Based Access Control
A role-based access control (RBAC) model uses a centrally administrated set of controls to determine how subjects and objects interact. The access control levels can be based upon the necessary operations and tasks a user needs to carry out to fulfill her responsibilities within an organization. In an RBAC model, a role is defined in terms of the operations and tasks the role will carry out, whereas a DAC model outlines which subjects can access what objects based upon the individual user identity.

An RBAC model is the best system for a company that has high employee turnover.

Access Control Models
The main characteristics of the three different access control models are important to understand.
• DAC - Data owners decide who has access to resources, and ACLs are used to enforce these access decisions.
• MAC - Operating systems enforce the system’s security policy through the use of security labels.
• RBAC - Access decisions are based on each subject’s role and/or functional position.
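The three characteristics above are easiest to compare when each model is reduced to its decision function. The following is an added example, not code from the original post: one small policy engine per model, run against the same constructed subjects and object. The DAC branch lets only the owner edit the ACL; the MAC branch compares labels and ignores ownership entirely (the no-read-up / no-write-down rules used here are the Bell-LaPadula pattern, my choice for the example rather than something the post states); the RBAC branch looks only at roles, which is why a single role change revokes or grants everything at once. The level ordering, role names and file name are all constructed.

```python
from dataclasses import dataclass, field

# Ordered sensitivity levels for security labels (constructed for the example).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

@dataclass
class Subject:
    name: str
    clearance: str = "unclassified"          # consulted by MAC only
    roles: set = field(default_factory=set)  # consulted by RBAC only

@dataclass
class Obj:
    name: str
    owner: str                               # consulted by DAC only
    classification: str = "unclassified"     # consulted by MAC only
    acl: dict = field(default_factory=dict)  # subject name -> set of rights (DAC)

# --- DAC: the owner decides, and the decision is recorded in the object's ACL ---
def dac_grant(granter, obj, subject_name, rights):
    if granter.name != obj.owner:
        raise PermissionError(f"{granter.name} does not own {obj.name}")
    obj.acl.setdefault(subject_name, set()).update(rights)

def dac_allows(subject, obj, action):
    return action in obj.acl.get(subject.name, set())   # missing entry = no access

# --- MAC: labels decide; neither the owner nor the user can override them ---
def mac_allows(subject, obj, action):
    s, o = LEVELS[subject.clearance], LEVELS[obj.classification]
    if action == "read":
        return s >= o        # no read up
    if action == "write":
        return s <= o        # no write down
    return False

# --- RBAC: rights attach to roles; people gain or lose rights by changing roles ---
ROLE_RIGHTS = {"clerk": {"read"}, "payroll_manager": {"read", "write"}}

def rbac_allows(subject, obj, action):
    return any(action in ROLE_RIGHTS.get(role, set()) for role in subject.roles)

def demo():
    """Run the same request through all three models and return the decisions."""
    alice = Subject("alice", clearance="secret", roles={"payroll_manager"})
    bob = Subject("bob", clearance="confidential", roles={"clerk"})
    payroll = Obj("payroll.xlsx", owner="alice", classification="secret")

    dac_grant(alice, payroll, "bob", {"read"})          # alice owns it, so she may share it
    results = {
        "dac_bob_read": dac_allows(bob, payroll, "read"),
        "dac_bob_write": dac_allows(bob, payroll, "write"),
        "mac_bob_read": mac_allows(bob, payroll, "read"),     # confidential < secret: denied
        "mac_bob_write": mac_allows(bob, payroll, "write"),   # writing up is permitted
        "mac_alice_read": mac_allows(alice, payroll, "read"),
        "rbac_bob_write": rbac_allows(bob, payroll, "write"),
    }
    # Bob changes department: under RBAC one role change alters every right at once,
    # which is what suits the model to high-turnover organisations.
    bob.roles = {"payroll_manager"}
    results["rbac_bob_write_after_role_change"] = rbac_allows(bob, payroll, "write")
    try:
        dac_grant(bob, payroll, "carol", {"read"})       # bob is not the owner
        results["dac_non_owner_grant"] = True
    except PermissionError:
        results["dac_non_owner_grant"] = False
    return results

if __name__ == "__main__":
    for decision, allowed in demo().items():
        print(f"{decision}: {'allow' if allowed else 'deny'}")
```

Note how the same subject gets opposite answers from DAC and MAC for the same read request: the owner's grant is decisive in one model and irrelevant in the other, which is the practical meaning of "discretionary" versus "mandatory".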

Access Control Matrix

An access control matrix is a table of subjects and objects indicating what actions individual subjects can take upon individual objects.

Capability Table specifies the access rights a certain subject possesses pertaining to specific objects. A capability table is different from an ACL because the subject is bound to the capability table, whereas the object is bound to the ACL.

Access Control Lists (ACLs) are used in several operating systems, applications, and router configurations. They are lists of subjects that are authorized to access a specific object, and they define what level of authorization is granted.
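The relationship between the matrix, a capability table and an ACL is just a matter of which way you slice the same table: a capability list is one row (bound to the subject), an ACL is one column (bound to the object). The following is an added example, not code from the original post, using a constructed matrix of subjects, objects and actions. It also applies the "default to no access" rule from earlier on the page (a missing cell is a denial), and shows why each representation makes one kind of revocation cheap and the other expensive.

```python
# Constructed access control matrix: rows are subjects, columns are objects,
# each cell is the set of actions that subject may perform on that object.
MATRIX = {
    "alice": {"payroll.xlsx": {"read", "write"}, "printer": {"print"}},
    "bob":   {"payroll.xlsx": {"read"},          "printer": {"print"}},
    "carol": {"backup.tar":   {"read", "write", "delete"}},
}

def is_authorized(subject, obj, action):
    # Default to no access: an unknown subject, object or action is simply denied.
    return action in MATRIX.get(subject, {}).get(obj, set())

def capability_list(subject):
    # One row of the matrix: bound to the subject, it lists what that subject
    # may do to each object. Returns copies so callers cannot mutate the matrix.
    return {obj: set(actions) for obj, actions in MATRIX.get(subject, {}).items()}

def acl(obj):
    # One column of the matrix: bound to the object, it lists which subjects
    # may do what to it. This is the view an OS or router ACL stores.
    return {s: set(row[obj]) for s, row in MATRIX.items() if obj in row}

def revoke_subject(subject):
    # Offboarding a user: with capability tables you delete one row; with ACLs
    # you would have to visit every object that names the subject.
    return MATRIX.pop(subject, None) is not None

def revoke_object(obj):
    # Retiring a resource: with ACLs you delete one column; with capability tables
    # you must walk every subject's list. Returns how many entries were removed.
    return sum(1 for row in MATRIX.values() if row.pop(obj, None) is not None)

if __name__ == "__main__":
    print("bob's capabilities:", capability_list("bob"))
    print("printer ACL:", acl("printer"))
    print("dave may print:", is_authorized("dave", "printer", "print"))
```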

Content-Dependent Access Control - With content-dependent access control, access to objects is determined by the content within the object, e.g. an email filter or a web filter.

Context-Dependent Access Control - Context-dependent access control differs from content-dependent access control in that it makes access decisions based on the context of a collection of information rather than on the sensitivity of the data. A system that is using context-dependent access control “reviews the situation” and then makes a decision. For example, firewalls make context-based access decisions when they collect state information on a packet before allowing it into the network.
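The firewall example above is the clearest way to see the difference: a content filter looks inside the object, while a stateful firewall can return opposite answers for two byte-identical inbound packets depending on state it gathered earlier. The following is an added example, not code from the original post: a word-list content filter beside a minimal stateful filter that remembers outbound connections opened from an inside network. The inside prefix, the outside address (from the 203.0.113.0/24 documentation range), ports and the blocked word are all constructed.

```python
import ipaddress

# Content-dependent: the decision rests on what the object contains (constructed word list).
BLOCKED_WORDS = {"confidential"}

def content_filter_allows(message):
    return not any(word in message.lower() for word in BLOCKED_WORDS)

class StatefulFirewall:
    """Context-dependent: the same inbound packet is allowed or denied depending on
    state collected earlier (did an inside host open this connection?)."""
    def __init__(self, inside_net):
        self.inside = ipaddress.ip_network(inside_net)
        self.flows = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def decide(self, src, sport, dst, dport, flags):
        if ipaddress.ip_address(src) in self.inside:      # outbound: record the new flow
            if "SYN" in flags:
                self.flows.add((src, sport, dst, dport))
            return "allow"
        if (dst, dport, src, sport) in self.flows:        # inbound reply to a flow we know
            if "FIN" in flags or "RST" in flags:
                self.flows.discard((dst, dport, src, sport))
            return "allow"
        return "deny"                                      # unsolicited inbound: no context

def firewall_demo():
    """Same inbound packet twice; only the context (an earlier outbound SYN) differs."""
    fw = StatefulFirewall("10.0.0.0/8")
    unsolicited = fw.decide("203.0.113.5", 443, "10.0.0.7", 51000, {"SYN", "ACK"})
    fw.decide("10.0.0.7", 51000, "203.0.113.5", 443, {"SYN"})   # inside host opens the flow
    reply = fw.decide("203.0.113.5", 443, "10.0.0.7", 51000, {"SYN", "ACK"})
    fw.decide("203.0.113.5", 443, "10.0.0.7", 51000, {"FIN", "ACK"})  # flow torn down
    after_close = fw.decide("203.0.113.5", 443, "10.0.0.7", 51000, {"ACK"})
    return {"unsolicited": unsolicited, "reply": reply, "after_close": after_close}

if __name__ == "__main__":
    print(firewall_demo())
    print(content_filter_allows("CONFIDENTIAL: payroll figures attached"))
```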

Access Control Administration

